Description
A vulnerability has been found in CodeAstro Leave Management System 1.0. This impacts an unknown function of the file /admin/search_staff_for_deletion.php. The manipulation of the argument Name leads to sql injection. Remote exploitation of the attack is possible. The exploit has been disclosed to the public and may be used.
Published: 2026-06-08
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises from improper input handling in the Name argument within the search_staff_for_deletion.php file. An attacker can inject malicious SQL code, leading to unauthorized database queries. This flaw, classified under CWE-74 and CWE-89, permits the attacker to read, modify, or delete data as a result of the injection.

Affected Systems

The affected product is CodeAstro Leave Management System, currently at version 1.0. The vulnerability exists in the admin module, specifically the search_staff_for_deletion.php script.

Risk and Exploitability

The CVSS score is 5.3, indicating moderate severity, and the EPSS score is not available, implying no confirmed exploitation patterns. Remote exploitation is possible as documented. The flaw is not listed in the CISA KEV catalog, so no known active exploits are reported. The risk is moderate but the possibility of exploitation remains; administrators should act promptly.

Generated by OpenCVE AI on June 8, 2026 at 12:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Restrict access to /admin/search_staff_for_deletion.php to authorized users only.
  • Validate or escape the Name parameter to prevent SQL injection, ideally using parameterized queries.
  • Apply any vendor-provided patch for CodeAstro Leave Management System once released.

Generated by OpenCVE AI on June 8, 2026 at 12:51 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 09 Jun 2026 16:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 08 Jun 2026 11:45:00 +0000

Type Values Removed Values Added
Description A vulnerability has been found in CodeAstro Leave Management System 1.0. This impacts an unknown function of the file /admin/search_staff_for_deletion.php. The manipulation of the argument Name leads to sql injection. Remote exploitation of the attack is possible. The exploit has been disclosed to the public and may be used.
Title CodeAstro Leave Management System search_staff_for_deletion.php sql injection
First Time appeared Codeastro
Codeastro leave Management System
Weaknesses CWE-74
CWE-89
CPEs cpe:2.3:a:codeastro:leave_management_system:*:*:*:*:*:*:*:*
Vendors & Products Codeastro
Codeastro leave Management System
References
Metrics cvssV2_0

{'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}

cvssV3_0

{'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV3_1

{'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV4_0

{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}

Subscriptions

Codeastro Leave Management System
cve-icon MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-06-09T15:40:58.426Z

Reserved: 2026-06-07T14:08:31.946Z

Link: CVE-2026-11506

cve-icon Vulnrichment

Updated: 2026-06-09T15:40:50.499Z

cve-icon NVD

Status : Deferred

Published: 2026-06-08T12:16:30.917

Modified: 2026-06-08T14:57:14.757

Link: CVE-2026-11506

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-08T13:00:15Z

Weaknesses
  • CWE-74

    Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

  • CWE-89

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')