Description
A security flaw has been discovered in CodeAstro Leave Management System 1.0. This affects an unknown part of the file /admin/add_leave.php. Performing a manipulation of the argument type_of_leave results in sql injection. It is possible to initiate the attack remotely. The exploit has been released to the public and may be used for attacks.
Published: 2026-06-08
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An unauthorized user can send crafted data to the type_of_leave parameter of the /admin/add_leave.php script, causing the application to inject arbitrary SQL code into a database query. This flaw aligns with CWE-74 and CWE-89 and permits attackers to read, alter, or delete database records, potentially revealing confidential information or disrupting business operations.

Affected Systems

CodeAstro Leave Management System, version 1.0, is affected. No other versions or forked releases were reported in the available data.

Risk and Exploitability

The vulnerability scores a moderate 5.3 on the CVSS scale and is not listed in the CISA KEV catalog. The EPSS score is not available, but public exploit code has been released, indicating a heightened risk for systems exposed to remote access. The likely attack vector is remote, leveraging unauthenticated or weakly authenticated access to the admin module.

Generated by OpenCVE AI on June 8, 2026 at 12:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Check with the vendor for an official fix or upgrade to a fixed release of CodeAstro Leave Management System 1.0.
  • Restrict console access to /admin/add_leave.php by enforcing authentication and IP‑based access control or network segmentation.
  • Implement input validation or replace string‑based queries with parameterized statements in the add_leave.php handler to prevent SQL injection.

Generated by OpenCVE AI on June 8, 2026 at 12:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 08 Jun 2026 13:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 08 Jun 2026 11:45:00 +0000

Type Values Removed Values Added
Description A security flaw has been discovered in CodeAstro Leave Management System 1.0. This affects an unknown part of the file /admin/add_leave.php. Performing a manipulation of the argument type_of_leave results in sql injection. It is possible to initiate the attack remotely. The exploit has been released to the public and may be used for attacks.
Title CodeAstro Leave Management System add_leave.php sql injection
First Time appeared Codeastro
Codeastro leave Management System
Weaknesses CWE-74
CWE-89
CPEs cpe:2.3:a:codeastro:leave_management_system:*:*:*:*:*:*:*:*
Vendors & Products Codeastro
Codeastro leave Management System
References
Metrics cvssV2_0

{'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}

cvssV3_0

{'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV3_1

{'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV4_0

{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}

Subscriptions

Codeastro Leave Management System
cve-icon MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-06-08T12:54:17.684Z

Reserved: 2026-06-07T14:08:42.498Z

Link: CVE-2026-11510

cve-icon Vulnrichment

Updated: 2026-06-08T12:54:13.468Z

cve-icon NVD

Status : Deferred

Published: 2026-06-08T12:16:31.570

Modified: 2026-06-08T14:57:14.757

Link: CVE-2026-11510

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-08T13:00:15Z

Weaknesses
  • CWE-74

    Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

  • CWE-89

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')