Description
A vulnerability was identified in CodeAstro Leave Management System 1.0. Affected by this issue is some unknown functionality of the file /admin/search_staff_for_updation.php. Such manipulation of the argument Name leads to sql injection. The attack may be performed from remote.
Published: 2026-06-08
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability allows a remote attacker to inject SQL through the Name parameter of the /admin/search_staff_for_updation.php script. The weakness is classified as CWE-89 (SQL Injection).

Affected Systems

The affected product is CodeAstro Leave Management System version 1.0. No other versions or variants are listed as impacted.

Risk and Exploitability

The CVSS score is 5.3, indicating moderate severity. The EPSS score is not available and the vulnerability is not included in the CISA KEV catalog. Attackers can exploit the flaw remotely by crafting special requests to the vulnerable script. No publicly available exploits have been reported, and the impact depends on the database permissions and application logic.

Generated by OpenCVE AI on June 8, 2026 at 12:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Use prepared statements or parameterized queries to handle the Name parameter and prevent injection.
  • Validate and sanitize all user-supplied input before use in SQL statements.
  • Restrict database permissions so the application has only the minimum required privileges.
  • Apply any vendor-provided patches or updates as soon as they become available.
  • Consider deploying a Web Application Firewall to detect and block injection attempts.

Generated by OpenCVE AI on June 8, 2026 at 12:50 UTC.
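To make the first three recommended actions concrete, the following PHP is an added illustration and is not code from CodeAstro or from the vulnerable file; it is a hypothetical staff-search handler. The table and column names (staff, name, email), the DSN, the database account name and the assumption that Name arrives as a GET parameter are all invented for the example. It places the concatenation pattern that produces CWE-89 beside a version that validates the input and binds it with a PDO prepared statement.

```php
<?php
// Added example (not CodeAstro's code): a hypothetical staff-search handler
// showing the injection-prone pattern next to a parameterized replacement.
// Table/column names, the DSN and the account name are assumptions.

declare(strict_types=1);

// ---- Unsafe pattern: what CWE-89 looks like in PHP ------------------------
// The Name value is spliced into the SQL text, so anything the client sends
// becomes part of the query grammar rather than data. Shown for contrast only.
function searchStaffUnsafe(PDO $db, string $name): array
{
    $sql = "SELECT id, name, email FROM staff WHERE name LIKE '%" . $name . "%'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// ---- Hardened pattern ------------------------------------------------------
// 1. Validate the shape of the input before it reaches the database layer.
// 2. Bind the value as a parameter so the driver sends SQL and data separately.
function validateStaffName(string $name): string
{
    $name = trim($name);
    if ($name === '' || mb_strlen($name) > 64) {
        throw new InvalidArgumentException('Name must be 1-64 characters');
    }
    // Letters in any script, digits, spaces, dots, apostrophes and hyphens.
    if (!preg_match("/^[\\p{L}\\p{N} .'\\-]+\$/u", $name)) {
        throw new InvalidArgumentException('Name contains unexpected characters');
    }
    return $name;
}

function searchStaffSafe(PDO $db, string $name): array
{
    $name = validateStaffName($name);
    // Escape LIKE metacharacters ('!' is declared as the escape character below)
    // so a caller cannot widen the search with % or _.
    $pattern = '%' . str_replace(['!', '%', '_'], ['!!', '!%', '!_'], $name) . '%';
    $stmt = $db->prepare(
        "SELECT id, name, email FROM staff WHERE name LIKE :pattern ESCAPE '!'"
    );
    $stmt->bindValue(':pattern', $pattern, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// ---- Wiring ----------------------------------------------------------------
function connect(): PDO
{
    // Assumed DSN and credentials. The account should hold only SELECT on the
    // tables the search needs (least privilege, recommended action three).
    $pdo = new PDO(
        'mysql:host=localhost;dbname=leave_mgmt;charset=utf8mb4',
        'lms_readonly',
        getenv('LMS_DB_PASSWORD') ?: ''
    );
    // Use server-side prepared statements rather than client-side emulation.
    $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    return $pdo;
}

$name = $_GET['Name'] ?? '';
try {
    $rows = searchStaffSafe(connect(), (string) $name);
    header('Content-Type: application/json');
    echo json_encode($rows);
} catch (InvalidArgumentException $e) {
    http_response_code(400);
    echo htmlspecialchars($e->getMessage(), ENT_QUOTES, 'UTF-8');
} catch (PDOException $e) {
    // Log driver details server-side; never echo them to the client.
    error_log($e->getMessage());
    http_response_code(500);
    echo 'Search failed';
}
```

The validation step is a defence in depth, not the fix: the prepared statement is what removes the injection, because the database receives the query text and the bound value through separate channels. Disabling PDO::ATTR_EMULATE_PREPARES matters with MySQL, since emulated prepares interpolate the value client-side, and returning a generic message on PDOException keeps database errors out of responses where they would aid reconnaissance.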

Advisories

No advisories yet.

History

Mon, 08 Jun 2026 17:30:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: ssvc
{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 08 Jun 2026 11:45:00 +0000

Values Removed: (none)

Type: Description
Values Added: A vulnerability was identified in CodeAstro Leave Management System 1.0. Affected by this issue is some unknown functionality of the file /admin/search_staff_for_updation.php. Such manipulation of the argument Name leads to sql injection. The attack may be performed from remote.

Type: Title
Values Added: CodeAstro Leave Management System search_staff_for_updation.php sql injection

Type: First Time appeared
Values Added: Codeastro; Codeastro leave Management System

Type: Weaknesses
Values Added: CWE-74; CWE-89

Type: CPEs
Values Added: cpe:2.3:a:codeastro:leave_management_system:*:*:*:*:*:*:*:*

Type: Vendors & Products
Values Added: Codeastro; Codeastro leave Management System

Type: References
Values Added: (none listed)

Type: Metrics
Values Added:
cvssV2_0 {'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:ND/RL:ND/RC:ND'}
cvssV3_0 {'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:X/RL:X/RC:X'}
cvssV3_1 {'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:X/RL:X/RC:X'}
cvssV4_0 {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-06-08T16:22:16.305Z

Reserved: 2026-06-07T14:08:39.813Z

Link: CVE-2026-11509

Vulnrichment

Updated: 2026-06-08T12:46:08.400Z

NVD

Status: Deferred

Published: 2026-06-08T12:16:31.407

Modified: 2026-06-08T14:57:14.757

Link: CVE-2026-11509

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-08T14:00:18Z

Weaknesses
  • CWE-74

    Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

  • CWE-89

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')