Description
A weakness has been identified in CodeAstro Human Resource Management System 1.0. This vulnerability affects the function Invoice of the file \application\controllers\Payroll.php of the component Payroll Invoice Module. Manipulation of the argument ID causes SQL injection. Remote exploitation of the attack is possible. The exploit has been made available to the public and could be used for attacks.
Published: 2026-06-12
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The CodeAstro Human Resource Management System version 1.0 contains a weakness in the Invoice function located in Payroll.php. The ID argument can be manipulated to cause arbitrary SQL injection. Remote exploitation is possible, and the exploit code has been released publicly. This flaw could allow an attacker to send crafted SQL statements that the application will execute against the database.

Affected Systems

Affected installations are those running CodeAstro Human Resource Management System 1.0, specifically the Payroll Invoice Module and its Invoice function in the Payroll.php controller. No patched version is indicated in the CNA data, so all current 1.0 deployments remain vulnerable.

Risk and Exploitability

The CVSS score of 5.3 reflects moderate severity. The EPSS score is not available, so no data is available on the likelihood of exploitation. The vulnerability is not catalogued in CISA KEV. A remote attacker can supply a malicious ID parameter via HTTP requests or forms, potentially invoking the SQL injection vulnerability. Publicly available exploit code facilitates such attacks.

Generated by OpenCVE AI on June 12, 2026 at 22:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update CodeAstro Human Resource Management System 1.0 to a version that addresses the SQL injection vulnerability.
  • If an update is not available, restrict or eliminate the ability to supply the ID argument via HTTP requests, for example by implementing input validation or disabling the Invoice functionality on exposed interfaces.
  • Deploy a web application firewall or application security monitoring to detect and block malicious SQL injection traffic targeting the Payroll module.

Generated by OpenCVE AI on June 12, 2026 at 22:50 UTC.

Advisories

No advisories yet.

History

Mon, 15 Jun 2026 13:30:00 +0000

Type: Metrics
Values Removed: none
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 12 Jun 2026 21:45:00 +0000

Initial record; all entries below are Values Added, no Values Removed.

Description: A weakness has been identified in CodeAstro Human Resource Management System 1.0. This vulnerability affects the function Invoice of the file \application\controllers\Payroll.php of the component Payroll Invoice Module. This manipulation of the argument ID causes sql injection. Remote exploitation of the attack is possible. The exploit has been made available to the public and could be used for attacks.
Title: CodeAstro Human Resource Management System Payroll Invoice Payroll.php sql injection
First Time Appeared: Codeastro; Codeastro human Resource Management System
Weaknesses: CWE-74; CWE-89
CPEs: cpe:2.3:a:codeastro:human_resource_management_system:*:*:*:*:*:*:*:*
Vendors & Products: Codeastro; Codeastro human Resource Management System
References: none listed
Metrics:
  cvssV2_0: {'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}
  cvssV3_0: {'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
  cvssV3_1: {'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
  cvssV4_0: {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-06-15T13:00:46.543Z

Reserved: 2026-06-12T15:21:07.851Z

Link: CVE-2026-12131

Vulnrichment

Updated: 2026-06-15T13:00:41.810Z

NVD

Status: Deferred

Published: 2026-06-12T22:16:49.727

Modified: 2026-06-15T20:42:32.707

Link: CVE-2026-12131

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-13T00:30:09Z

Weaknesses
  • CWE-74

    Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

  • CWE-89

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')