Description
A vulnerability was detected in CodeAstro Student Attendance Management System 1.0. Impacted is an unknown function of the file /attendance-php/Admin/createStudents.php. Performing a manipulation of the argument admissionNumber results in sql injection. Remote exploitation of the attack is possible. The exploit is now public and may be used.
Published: 2026-06-13
Score: 5.1 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in CodeAstro Student Attendance Management System 1.0 allows an attacker to inject arbitrary SQL through the admissionNumber parameter of /attendance-php/Admin/createStudents.php. The injected SQL can read or modify the underlying database, affecting the confidentiality and integrity of student and attendance records. The CVSS v4.0 score of 5.1 (Medium) reflects low confidentiality, integrity and availability impact confined to the vulnerable system (VC:L/VI:L/VA:L with no subsequent-system impact), combined with the high privileges the vector requires (PR:H).

Affected Systems

The vulnerability affects the CodeAstro Student Attendance Management System, specifically version 1.0, where the createStudents.php endpoint is exposed. No other versions are listed as affected.

Risk and Exploitability

The flaw is reachable over the network, but every published vector rates the privileges required as high (CVSS v2 Au:M, v3.x PR:H, v4.0 PR:H), consistent with the endpoint living under /Admin/: an attacker needs an administrative session, or a way to obtain one, before the parameter can be reached. The EPSS score is not available, and the vulnerability is not currently listed in the CISA KEV catalog. Public exploit code exists (E:POC / E:P in the vectors), so a compromised, shared or weakly protected admin account makes automated exploitation straightforward.

Generated by OpenCVE AI on June 14, 2026 at 00:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Identify where createStudents.php builds its SQL from the admissionNumber value and replace the inline string construction with a prepared statement and bound parameters (PDO prepare()/execute() or mysqli bind_param()); escaping or filtering the input is not a substitute, and the same review should cover every other request parameter the script uses in a query.
  • Confirm server-side that /attendance-php/Admin/createStudents.php rejects requests without an authenticated administrative session before any input is processed, and keep the database account the application uses limited to the tables and statements it needs.
  • Deploy a web application firewall or request logging in front of the application to detect and block SQL metacharacters and subqueries in the admissionNumber parameter, and review existing logs for such requests given that exploit code is public.
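The injection described under Impact and the prepared-statement fix from the first recommended action, as an added example that is not code from CodeAstro or from this page. It rebuilds the pattern in Python against an in-memory SQLite database (the real application is PHP with a MySQL backend); the table and column names, the shape of the INSERT, and the payload are assumptions, since the page does not publish the vulnerable query.

```python
"""
Added example (not code from the CodeAstro project): reproduces the
string-built INSERT pattern that CVE-2026-12175 describes and shows the
prepared-statement fix. Table and column names are assumptions; the real
createStudents.php query is not published on the advisory page.
"""
from __future__ import annotations

import sqlite3


def make_db() -> sqlite3.Connection:
    # In-memory stand-in for the application's database (constructed data).
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE admins (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT);
        CREATE TABLE students (id INTEGER PRIMARY KEY, admission_number TEXT, full_name TEXT);
        INSERT INTO admins (username, password_hash) VALUES ('admin', '$2y$10$constructedHashValue');
        """
    )
    return conn


def create_student_vulnerable(conn: sqlite3.Connection, admission_number: str, full_name: str) -> None:
    # Inline SQL construction: the admissionNumber value is spliced into the
    # statement text, so quotes and parentheses inside it change the query.
    sql = (
        "INSERT INTO students (admission_number, full_name) "
        f"VALUES ('{admission_number}', '{full_name}')"
    )
    conn.execute(sql)
    conn.commit()


def create_student_fixed(conn: sqlite3.Connection, admission_number: str, full_name: str) -> None:
    # Prepared statement: values travel separately from the SQL text and are
    # stored verbatim, whatever characters they contain.
    conn.execute(
        "INSERT INTO students (admission_number, full_name) VALUES (?, ?)",
        (admission_number, full_name),
    )
    conn.commit()


def stored_students(conn: sqlite3.Connection) -> list[tuple[str, str]]:
    return conn.execute(
        "SELECT admission_number, full_name FROM students ORDER BY id"
    ).fetchall()


# Constructed payload for the admissionNumber parameter. It closes the string
# literal, supplies the full_name column from a subquery against another table,
# closes the VALUES list and comments out the rest of the original statement.
PAYLOAD = "ADM-2026', (SELECT password_hash FROM admins WHERE username = 'admin')) -- "


def demo_vulnerable() -> list[tuple[str, str]]:
    # The admin's password hash ends up in the students table, readable to
    # whoever can view the student list.
    conn = make_db()
    create_student_vulnerable(conn, PAYLOAD, "Alice Example")
    return stored_students(conn)


def demo_fixed() -> list[tuple[str, str]]:
    # The same payload is stored as an ordinary admission-number string.
    conn = make_db()
    create_student_fixed(conn, PAYLOAD, "Alice Example")
    return stored_students(conn)


if __name__ == "__main__":
    print("vulnerable:", demo_vulnerable())
    print("fixed:     ", demo_fixed())
```

The payload stays within a single INSERT statement, so it does not depend on the database driver allowing stacked queries; it turns a write-only form into a read of another table, which is why both confidentiality and integrity are rated in the vectors. In PHP the fix in create_student_fixed corresponds to PDO::prepare() with bound values or mysqli_stmt::bind_param().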

Generated by OpenCVE AI on June 14, 2026 at 00:21 UTC.

Advisories

No advisories yet.

History

Sat, 13 Jun 2026 23:00:00 +0000

Type / Values Removed / Values Added (initial record: nothing removed, all values below were added)

Description: A vulnerability was detected in CodeAstro Student Attendance Management System 1.0. Impacted is an unknown function of the file /attendance-php/Admin/createStudents.php. Performing a manipulation of the argument admissionNumber results in sql injection. Remote exploitation of the attack is possible. The exploit is now public and may be used.
Title: CodeAstro Student Attendance Management System createStudents.php sql injection
First Time appeared: Codeastro; Codeastro student Attendance Management System
Weaknesses: CWE-74; CWE-89
CPEs: cpe:2.3:h:codeastro:student_attendance_management_system:*:*:*:*:*:*:*:*
Vendors & Products: Codeastro; Codeastro student Attendance Management System
References: (empty)
Metrics:
  cvssV2_0: {'score': 5.8, 'vector': 'AV:N/AC:L/Au:M/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}
  cvssV3_0: {'score': 4.7, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
  cvssV3_1: {'score': 4.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
  cvssV4_0: {'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


Subscriptions

Codeastro Student Attendance Management System
MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-06-13T22:45:06.442Z

Reserved: 2026-06-13T05:38:23.514Z

Link: CVE-2026-12175

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-06-13T23:16:37.263

Modified: 2026-06-13T23:16:37.263

Link: CVE-2026-12175

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-14T00:30:05Z

Weaknesses
  • CWE-74

    Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

  • CWE-89

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')