Description
A security flaw has been discovered in CodeAstro Human Resource Management System 1.0. This affects an unknown part of the file /Projects/Add_Projects of the component Projects Management Page. The manipulation of the argument protitle results in cross site scripting. The attack may be launched remotely. The exploit has been released to the public and may be used for attacks.
Published: 2026-06-12
Score: 5.1 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A stored cross-site scripting flaw exists in CodeAstro Human Resource Management System 1.0 through the protitle argument of the Projects Management /Projects/Add_Projects page. By inserting script code into the project title, an attacker can cause arbitrary JavaScript to execute in the browsers of users who view the stored project title, potentially leading to cookie theft, session hijacking, defacement, or other browser-side attacks. The vulnerability is classified as CWE-79 (cross-site scripting) and is additionally tagged CWE-94 (code injection).

Affected Systems

CodeAstro Human Resource Management System, version 1.0, accessed via the /Projects/Add_Projects endpoint.

Risk and Exploitability

The CVSS base score of 5.1 indicates a moderate security impact. No EPSS data is available, and the vulnerability is not listed in the CISA KEV catalog. The attack can be initiated remotely by any user with access to the project creation form, and exploit code is publicly available.

Generated by OpenCVE AI on June 12, 2026 at 22:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Contact CodeAstro to obtain an official patch or update for version 1.0 that removes the unsanitized handling of the protitle parameter.
  • Modify the application to perform strict input validation and encoding of the project title before it is stored, ensuring that any embedded script code is neutralized. Use output encoding such as HTML entity encoding when rendering the title.
  • Deploy a Web Application Firewall (WAF) or other input filtering solution to detect and block scripts in the protitle field, and restrict the ability to add projects to authenticated users only.
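As an added example (not code from CodeAstro or OpenCVE), the second recommendation above in practice: the page does not show the application's language or source, so these are hypothetical Python stand-ins for the Add_Projects store step and for the page that renders stored titles, with constructed sample input.

```python
import html
import re
from typing import Optional

# Hypothetical stand-ins for the Add_Projects handler and the title-rendering
# page; the real application's code is not shown on the advisory page.

MAX_TITLE_LEN = 100
# Allow-list for a project title: word characters, spaces and light punctuation.
TITLE_RE = re.compile(r"^[\w .,'()&/-]{1,%d}$" % MAX_TITLE_LEN)


def validate_protitle(protitle: str) -> bool:
    """Input validation at store time: reject titles outside the allow-list."""
    return bool(TITLE_RE.fullmatch(protitle.strip()))


def render_title_vulnerable(protitle: str) -> str:
    """The CWE-79 pattern: the stored value is concatenated into HTML unencoded."""
    return f"<td class='protitle'>{protitle}</td>"


def render_title_hardened(protitle: str) -> str:
    """Output encoding: HTML-entity-encode the title for an element-content
    context. quote=True also encodes quotes, which matters if the same value
    is ever placed inside an attribute."""
    return f"<td class='protitle'>{html.escape(protitle, quote=True)}</td>"


def safe_store_and_render(protitle: str) -> Optional[str]:
    """Combined defence: refuse invalid input at store time and encode on
    output. Returns None when the submitted title is rejected."""
    if not validate_protitle(protitle):
        return None
    return render_title_hardened(protitle)


# Constructed sample inputs: a benign title and a script-bearing one.
BENIGN = "Payroll Migration (Q3)"
MALICIOUS = "<script>alert(1)</script>"

if __name__ == "__main__":
    print(render_title_vulnerable(MALICIOUS))  # script tag reaches the browser
    print(render_title_hardened(MALICIOUS))    # rendered as inert text
    print(safe_store_and_render(MALICIOUS))    # None: rejected at store time
    print(safe_store_and_render(BENIGN))
```

Validation alone is not sufficient, since titles stored before the fix remain in the database; the output encoding step is what neutralizes them.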



Advisories

No advisories yet.

History

Fri, 12 Jun 2026 21:00:00 +0000

Values added (no values removed):

Description: A security flaw has been discovered in CodeAstro Human Resource Management System 1.0. This affects an unknown part of the file /Projects/Add_Projects of the component Projects Management Page. The manipulation of the argument protitle results in cross site scripting. The attack may be launched remotely. The exploit has been released to the public and may be used for attacks.
Title: CodeAstro Human Resource Management System Projects Management Add_Projects cross site scripting
First Time appeared: Codeastro; Codeastro Human Resource Management System
Weaknesses: CWE-79, CWE-94
CPEs: cpe:2.3:a:codeastro:human_resource_management_system:*:*:*:*:*:*:*:*
Vendors & Products: Codeastro; Codeastro Human Resource Management System
References: none
Metrics:
  cvssV2_0: {'score': 4, 'vector': 'AV:N/AC:L/Au:S/C:N/I:P/A:N/E:POC/RL:ND/RC:UR'}
  cvssV3_0: {'score': 3.5, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}
  cvssV3_1: {'score': 3.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}
  cvssV4_0: {'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-06-12T20:45:08.820Z

Reserved: 2026-06-12T15:21:05.200Z

Link: CVE-2026-12130

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-06-12T21:16:20.997

Modified: 2026-06-12T21:16:20.997

Link: CVE-2026-12130

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-12T22:30:08Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

  • CWE-94

    Improper Control of Generation of Code ('Code Injection')