Description
A vulnerability was determined in CodeAstro Simple Online Leave Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /SimpleOnlineLeave/index.php. Executing a manipulation of the argument email can lead to sql injection. The attack may be performed from remote. The exploit has been publicly disclosed and may be utilized.
Published: 2026-07-08
Score: 6.9 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The System contains a function in index.php that accepts an email parameter without proper input validation. This allows an attacker to inject arbitrary SQL statements through that parameter, resulting in a classic SQL injection vulnerability (CWE-74 and CWE-89). An unauthenticated attacker can supply a crafted email value to read, modify or delete data that the application stores in its database. The compromise can affect confidentiality, integrity and availability of employee leave records and other sensitive information.

Affected Systems

The affected product is CodeAstro Simple Online Leave Management System version 1.0. No other versions or variants are listed as impacted.

Risk and Exploitability

The CVSS score of 6.9 signals a medium‑severity risk. The EPSS score is currently not available, so specific exploit probability is unknown. The vulnerability is publicly disclosed and can be triggered from the internet through the web interface, indicating that the attack vector is remote. An attacker does not need special credentials; knowledge of the URL and the ability to transmit a crafted email parameter is sufficient to exploit the flaw. The vulnerability is not in the CISA KEV catalog.

Generated by OpenCVE AI on July 9, 2026 at 08:57 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Simple Online Leave Management System to the latest version that contains a fix for the SQL injection vulnerability; if no patch is available, check the vendor's website for updates.
  • Sanitize all user input for the email parameter by enforcing a strict email format and use prepared statements or stored procedures to prevent injection.
  • Implement access controls to limit access to the vulnerable page for authenticated users only, and monitor application logs for abnormal query activity.

Generated by OpenCVE AI on July 9, 2026 at 08:57 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 08 Jul 2026 23:30:00 +0000

Type Values Removed Values Added
Description A vulnerability was determined in CodeAstro Simple Online Leave Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /SimpleOnlineLeave/index.php. Executing a manipulation of the argument email can lead to sql injection. The attack may be performed from remote. The exploit has been publicly disclosed and may be utilized.
Title CodeAstro Simple Online Leave Management System index.php sql injection
First Time appeared Codeastro
Codeastro simple Online Leave Management System
Weaknesses CWE-74
CWE-89
CPEs cpe:2.3:a:codeastro:simple_online_leave_management_system:*:*:*:*:*:*:*:*
Vendors & Products Codeastro
Codeastro simple Online Leave Management System
References
Metrics cvssV2_0

{'score': 7.5, 'vector': 'AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}

cvssV3_0

{'score': 7.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV3_1

{'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV4_0

{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


Subscriptions

Codeastro Simple Online Leave Management System
cve-icon MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-07-08T23:00:10.115Z

Reserved: 2026-07-08T17:09:47.148Z

Link: CVE-2026-15134

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-07-09T09:00:13Z

Weaknesses
  • CWE-74

    Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

  • CWE-89

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')