Description
A vulnerability was found in CodeAstro Human Resource Management System 1.0. Impacted is an unknown function. The manipulation results in cross-site request forgery. The attack may be launched remotely. The exploit has been made public and could be used.
Published: 2026-06-29
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw allows an attacker to forge a state‑changing request that is accepted by CodeAstro Human Resource Management System, enabling the execution of privileged operations on behalf of an authenticated user. In the publicly‑available proof‑of‑concept, the exploit targets a department‑deletion endpoint, resulting in loss of data integrity and potential disruption of business processes. The weakness is identified as CWE‑352 and further compounded by an insufficient authentication check (CWE‑862).

Affected Systems

CodeAstro Human Resource Management System version 1.0 is the affected product. Although the specific function is undocumented, external evidence points to an endpoint used for department deletion that does not enforce adequate CSRF protection.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate severity. No EPSS value is available, so the exact likelihood of exploitation is unclear, but the fact that the exploit code has been released publicly makes the risk non‑negligible. The vulnerability is not listed in the CISA KEV catalog. Attackers are likely to launch the flaw by luring an authenticated user to a malicious site or link that submits a GET or POST request to the vulnerable endpoint; successful exploitation would allow deletion of organizational data without the user’s intent.

Generated by OpenCVE AI on June 29, 2026 at 06:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Implement anti‑CSRF tokens on all state‑changing endpoints, validating them on the server side
  • Configure SameSite cookie attributes for session cookies or require a Referer header that matches the origin for sensitive requests
  • Enforce role‑based access control to ensure that only authorized users can delete departments, and require an additional confirmation step before permanent deletion

Generated by OpenCVE AI on June 29, 2026 at 06:51 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 29 Jun 2026 11:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 29 Jun 2026 05:30:00 +0000

Type Values Removed Values Added
Description A vulnerability was found in CodeAstro Human Resource Management System 1.0. Impacted is an unknown function. The manipulation results in cross-site request forgery. The attack may be launched remotely. The exploit has been made public and could be used.
Title CodeAstro Human Resource Management System cross-site request forgery
First Time appeared Codeastro
Codeastro human Resource Management System
Weaknesses CWE-352
CWE-862
CPEs cpe:2.3:a:codeastro:human_resource_management_system:*:*:*:*:*:*:*:*
Vendors & Products Codeastro
Codeastro human Resource Management System
References
Metrics cvssV2_0

{'score': 5, 'vector': 'AV:N/AC:L/Au:N/C:N/I:P/A:N/E:POC/RL:ND/RC:UR'}

cvssV3_0

{'score': 4.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}

cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}

cvssV4_0

{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P'}


Subscriptions

Codeastro Human Resource Management System
cve-icon MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-06-29T10:59:53.853Z

Reserved: 2026-06-28T09:34:18.924Z

Link: CVE-2026-13537

cve-icon Vulnrichment

Updated: 2026-06-29T10:59:50.061Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-29T08:45:03Z

Weaknesses
  • CWE-352

    Cross-Site Request Forgery (CSRF)

  • CWE-862

    Missing Authorization