Description
A vulnerability was found in CodeAstro Leave Management System 1.0. Affected is an unknown function of the file /admin/delete_leave_type.php. The manipulation of the argument leave_type results in sql injection. The attack can be executed remotely. The exploit has been made public and could be used.
Published: 2026-06-08
Score: 5.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises in the delete_leave_type.php file of CodeAstro Leave Management System 1.0. The leave_type argument is not properly sanitized, enabling an attacker to inject malicious SQL statements. This allows the attacker to modify or delete database rows, potentially leading to data corruption or loss of critical leave records. It is classified as a SQL injection flaw affecting data integrity and availability.

Affected Systems

CodeAstro: Leave Management System version 1.0 is affected by this flaw. The issue is specific to the delete_leave_type.php module and the leave_type parameter within that file. No other versions or products are explicitly listed in the current advisory.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate severity. The EPSS score is not available, so the likelihood of exploitation in the wild is unclear, but the vulnerability can be triggered remotely via a web request to the affected endpoint. The vulnerability is not listed in the CISA KEV catalog, which lowers confidence that the public exploit is being used in the wild today. Nevertheless, because the flaw is reachable through the public web interface and the exploit has been disclosed, organizations should treat it as a real threat.

Generated by OpenCVE AI on June 8, 2026 at 12:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Acquire and apply the vendor-supplied patch for delete_leave_type.php.
  • Validate and sanitize the leave_type input; use parameterized queries or prepared statements.
  • Limit the database account used by the application to the minimum privileges required for normal operation.
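The second and third recommended actions, shown as an added illustrative example rather than CodeAstro's own code. The table name leave_types, the column leave_type, the DSN, the database user lms_app and the request method are all assumptions made for the demo; the advisory only names the file and the parameter. The first function shows the string-built DELETE pattern that produces this class of flaw; the second validates the input and binds it through a prepared statement so the value can never be parsed as SQL:

```php
<?php
// Added example, not code from CodeAstro Leave Management System.
// Assumed names: table leave_types, column leave_type, DB user lms_app.

// --- Pattern that causes the flaw: the request value becomes SQL text ---
// Any quote character in $leaveType changes the structure of the statement,
// because the database parses the value together with the query itself.
function deleteLeaveTypeUnsafe(mysqli $db, string $leaveType): bool
{
    $sql = "DELETE FROM leave_types WHERE leave_type = '" . $leaveType . "'";
    return (bool) $db->query($sql);
}

// --- Hardened version: validate, then bind via a prepared statement ---
function deleteLeaveTypeSafe(PDO $db, string $leaveType): int
{
    // Allow-list validation: a leave type is a short human-readable label.
    // Reject anything else before it reaches the database layer at all.
    if ($leaveType === '' || strlen($leaveType) > 64
        || !preg_match('/^[A-Za-z0-9 _-]+$/', $leaveType)) {
        throw new InvalidArgumentException('leave_type failed validation');
    }

    // The SQL text is fixed; the value travels separately as a bound
    // parameter, so the server never interprets it as part of the query.
    $stmt = $db->prepare('DELETE FROM leave_types WHERE leave_type = :leave_type');
    $stmt->bindValue(':leave_type', $leaveType, PDO::PARAM_STR);
    $stmt->execute();

    // Number of rows actually removed; 0 means no such leave type existed.
    return $stmt->rowCount();
}

// --- Usage inside the admin handler (session/role check assumed elsewhere) ---
$pdo = new PDO(
    'mysql:host=localhost;dbname=leave_mgmt;charset=utf8mb4', // assumed DSN
    'lms_app',                                                 // assumed user
    getenv('LMS_DB_PASSWORD') ?: '',
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepares
    ]
);

// Least-privilege account for the application (run once by the DBA;
// schema name assumed). No DROP/ALTER/FILE/GRANT rights, so even a
// successful injection elsewhere cannot change the schema or read files:
//   GRANT SELECT, INSERT, UPDATE, DELETE ON leave_mgmt.* TO 'lms_app'@'localhost';

$leaveType = $_POST['leave_type'] ?? ''; // request method assumed
try {
    $removed = deleteLeaveTypeSafe($pdo, $leaveType);
    echo $removed > 0 ? 'Leave type deleted.' : 'No matching leave type.';
} catch (InvalidArgumentException $e) {
    http_response_code(400);
    echo 'Invalid leave_type value.';
}
```

The validation step is defence in depth, not a substitute for the prepared statement: the bound parameter is what closes the injection, while the allow-list keeps unexpected input out of application logic and makes rejected requests easy to spot in the web server log.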

Advisories

No advisories yet.

History

Mon, 08 Jun 2026 11:45:00 +0000

Type | Values Removed | Values Added
Description | | A vulnerability was found in CodeAstro Leave Management System 1.0. Affected is an unknown function of the file /admin/delete_leave_type.php. The manipulation of the argument leave_type results in sql injection. The attack can be executed remotely. The exploit has been made public and could be used.
Title | | CodeAstro Leave Management System delete_leave_type.php sql injection
First Time appeared | | Codeastro; Codeastro leave Management System
Weaknesses | | CWE-74; CWE-89
CPEs | | cpe:2.3:a:codeastro:leave_management_system:*:*:*:*:*:*:*:*
Vendors & Products | | Codeastro; Codeastro leave Management System
References | |
Metrics | | cvssV2_0 {'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}
 | | cvssV3_0 {'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
 | | cvssV3_1 {'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
 | | cvssV4_0 {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-06-08T10:45:09.207Z

Reserved: 2026-06-07T14:08:34.386Z

Link: CVE-2026-11507

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-06-08T12:16:31.080

Modified: 2026-06-08T12:16:31.080

Link: CVE-2026-11507

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-08T12:30:23Z

Weaknesses