Description
A vulnerability was identified in CodeAstro Human Resource Management System 1.0. Impacted is an unknown function of the file /notice/All_notice of the component Notice Board Management. Such manipulation of the argument Notice Title with the input <svg onload="alert('Stored XSS Triggered by Ashik Mohamed')"> as part of POST leads to cross site scripting. It is possible to launch the attack remotely. The exploit is publicly available and might be used.
Published: 2026-06-08
Score: 4.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A stored cross-site scripting vulnerability exists in the Notice Board Management module of CodeAstro Human Resource Management System version 1.0. An attacker who can create notices submits a Notice Title containing HTML (in the published proof of concept, an <svg> element with an onload event handler) in a POST request to the /notice/All_notice endpoint. The title is stored and later written into the notice board page without output encoding, so the handler runs in the browser of every user who views the board, giving the attacker arbitrary JavaScript execution in that user's session. The CVE record states that the attack can be launched remotely and that a public exploit exists; it does not describe further consequences such as session hijacking or data theft, so those remain unconfirmed for this issue.

Affected Systems

The affected product is CodeAstro Human Resource Management System version 1.0, as stated in the CVE record (assigner: VulDB). The associated CPE, cpe:2.3:a:codeastro:human_resource_management_system:*:*:*:*:*:*:*:*, carries a wildcard version, and the record was later also linked to a Sourcecodester vendor and product entry of the same name. No other versions have been documented as vulnerable, and no fixed version is listed.

Risk and Exploitability

The CVSS v4.0 score of 4.8 (Medium) indicates moderate severity; the v3.1 score is only 2.4. The EPSS estimate is below 1% (very low) and the vulnerability is not listed in the CISA KEV catalog. The vectors are more informative than the scores: PR:H and UI:P/UI:R mean the attacker needs a highly privileged account that is allowed to post notices, and a victim must then view the notice board. The SSVC assessment records Exploitation as "poc", Automatable as "no" and Technical Impact as "partial". Because a public proof of concept exists, anyone holding such an account can verify the flaw with a single crafted POST request to /notice/All_notice.

Generated by OpenCVE AI on June 8, 2026 at 08:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor-supplied update or patch for CodeAstro Human Resource Management System as soon as one is released; none is listed at the time of writing.
  • HTML-encode the Notice Title at the point it is written into the page (the framework's escaping helper, or the language's equivalent of htmlspecialchars), and validate it on input by rejecting markup. Escaping only before storage is fragile, because the stored value may later be rendered in a context the escaping did not anticipate.
  • Deploy a Content Security Policy whose script-src (or default-src) omits 'unsafe-inline'. Browsers then refuse inline event handlers such as the onload attribute used in the proof of concept, which limits the damage if an encoding gap remains.
  • As a compensating control, not a fix, configure a web application firewall or similar protection to detect and block POST payloads containing likely XSS vectors, and alert on matches so that stored payloads are found and removed.
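The following Python block is an added example, not code from the CodeAstro HRMS project or from this advisory. It models the Notice Board flaw described under Impact and the three technical actions listed above: a rendering function that concatenates the stored title into the page (the vulnerable behaviour), an output-encoded version, a CSP check for the inline-handler restriction, and a request-body triage check of the kind a WAF or log rule would apply. The route, field name and proof-of-concept payload are taken from the CVE text; the function names, the sample POST body, the CSP value and the detection pattern are assumptions made for illustration, and Python is used rather than the application's own stack.

```python
"""Added example: minimal model of a stored XSS in a notice title and the
remediations for it. Not the CodeAstro HRMS code; names and data are assumed."""
import html
import re

# Payload quoted in the CVE description.
POC_TITLE = "<svg onload=\"alert('Stored XSS Triggered by Ashik Mohamed')\">"

# Constructed POST body as it might be sent to /notice/All_notice (assumption:
# the field names are illustrative, only "Notice Title" comes from the CVE).
SAMPLE_POST = {
    "Notice Title": POC_TITLE,
    "Notice Description": "Payroll closes Friday",
}


def render_notice_vulnerable(title: str) -> str:
    """The flaw: the stored title is concatenated into the page unchanged,
    so <svg onload=...> becomes live markup in every viewer's browser."""
    return f"<li class='notice'>{title}</li>"


def render_notice_fixed(title: str) -> str:
    """The fix: encode at the point of output. html.escape() turns <, >, &
    and both quote characters into entities, so the browser renders the
    payload as text instead of parsing an <svg> element."""
    return f"<li class='notice'>{html.escape(title, quote=True)}</li>"


# Compensating control (assumed policy, adjust sources for the real site):
# no 'unsafe-inline' in script-src means inline event handlers are refused.
CSP_HEADER = (
    "Content-Security-Policy: default-src 'self'; script-src 'self'; "
    "object-src 'none'; base-uri 'none'"
)


def csp_blocks_inline_handlers(header: str) -> bool:
    """True if the policy's script-src (falling back to default-src) omits
    'unsafe-inline' and 'unsafe-hashes'. A missing policy allows inline code."""
    _, _, value = header.partition(":")
    directives = {}
    for directive in value.split(";"):
        parts = directive.split()
        if parts:
            directives[parts[0]] = parts[1:]
    # No script-src and no default-src: the browser permits inline handlers.
    sources = directives.get("script-src", directives.get("default-src", ["'unsafe-inline'"]))
    return "'unsafe-inline'" not in sources and "'unsafe-hashes'" not in sources


# Triage pattern for the constructs in the PoC. This is a detection aid for a
# WAF rule or log search, not a sanitizer: case, encodings and attribute
# variants make such patterns easy to evade, so output encoding stays required.
_XSS_HINT = re.compile(
    r"<\s*(svg|script|img|iframe)\b|\bon[a-z]+\s*=|javascript:",
    re.IGNORECASE,
)


def suspicious_fields(form: dict) -> list:
    """Return the names of form fields whose value matches an XSS hint."""
    return [name for name, value in form.items() if _XSS_HINT.search(str(value))]


if __name__ == "__main__":
    print("vulnerable:", render_notice_vulnerable(POC_TITLE))
    print("fixed:     ", render_notice_fixed(POC_TITLE))
    print("CSP blocks inline handlers:", csp_blocks_inline_handlers(CSP_HEADER))
    print("suspicious fields:", suspicious_fields(SAMPLE_POST))
```

The encoded output keeps the original characters readable on the notice board while removing their HTML meaning; the CSP check and the triage pattern are layered on top of that, not substitutes for it.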


Advisories

No advisories yet.

History

Tue, 09 Jun 2026 09:15:00 +0000

  • First Time appeared (values added): Sourcecodester; Sourcecodester human Resource Management System
  • Vendors & Products (values added): Sourcecodester; Sourcecodester human Resource Management System

Mon, 08 Jun 2026 17:30:00 +0000

  • Metrics (values added): ssvc
    {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 08 Jun 2026 06:30:00 +0000

  • Description (values added): A vulnerability was identified in CodeAstro Human Resource Management System 1.0. Impacted is an unknown function of the file /notice/All_notice of the component Notice Board Management. Such manipulation of the argument Notice Title with the input <svg onload="alert('Stored XSS Triggered by Ashik Mohamed')"> as part of POST leads to cross site scripting. It is possible to launch the attack remotely. The exploit is publicly available and might be used.
  • Title (values added): CodeAstro Human Resource Management System Notice Board Management All_notice cross site scripting
  • First Time appeared (values added): Codeastro; Codeastro human Resource Management System
  • Weaknesses (values added): CWE-79; CWE-94
  • CPEs (values added): cpe:2.3:a:codeastro:human_resource_management_system:*:*:*:*:*:*:*:*
  • Vendors & Products (values added): Codeastro; Codeastro human Resource Management System
  • References: (no values listed)
  • Metrics (values added):
    cvssV2_0: {'score': 3.3, 'vector': 'AV:N/AC:L/Au:M/C:N/I:P/A:N/E:POC/RL:ND/RC:UR'}
    cvssV3_0: {'score': 2.4, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}
    cvssV3_1: {'score': 2.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}
    cvssV4_0: {'score': 4.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P'}

No values were removed in any of these updates.


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-06-08T16:32:27.215Z

Reserved: 2026-06-07T10:13:37.591Z

Link: CVE-2026-11491

Vulnrichment

Updated: 2026-06-08T12:59:54.635Z

NVD

Status: Deferred

Published: 2026-06-08T07:16:26.663

Modified: 2026-06-08T14:57:14.757

Link: CVE-2026-11491

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-09T08:57:34Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

  • CWE-94

    Improper Control of Generation of Code ('Code Injection')