Description
A SQL injection vulnerability in CodeAstro Simple Attendance Management System v1.0 allows remote unauthenticated attackers to bypass authentication via the username parameter in index.php.
Published: 2026-04-17
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: remote authentication bypass
Action: Patch now
AI Analysis

Impact

A SQL injection flaw exists in the username input of the index.php page of the CodeAstro Simple Attendance Management System. An attacker can supply crafted input that alters the structure of the underlying SQL query, bypassing the login check and authenticating as any user or otherwise gaining full application access. This leads to a complete loss of confidentiality, integrity, and availability for the system and the data it manages.

Affected Systems

The vulnerability affects the CodeAstro Simple Attendance Management System, specifically version 1.0. No other product versions or vendors are listed in the available data.

Risk and Exploitability

The CVSS score of 9.8 indicates a very high severity, and the lack of an EPSS score prevents precise quantitative assessment of exploitation probability. The remote, unauthenticated nature of the exploit and its ability to grant unrestricted access indicate that the attacker can gain full application control. Because the attack vector requires only a standard HTTP request to the vulnerable script, it can be performed from any external network without requiring local privileges. As the vulnerability is already publicly documented, exploitation could be readily automated by attackers if a patch is not applied promptly.

Generated by OpenCVE AI on April 18, 2026 at 09:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply any vendor-supplied update that removes the insecure handling of the username field.
  • Replace the raw SQL construction in index.php with parameterized queries or prepared statements to eliminate injection risk.
  • Enforce additional controls such as IP whitelisting or two-factor authentication for the login endpoint to reduce the likelihood of successful exploitation.
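The prepared-statement fix recommended above, shown as an added PHP example that is not the CodeAstro code base (this page does not reproduce index.php); the table and column names, the PDO connection, and the use of password hashing are assumptions:

```php
<?php
// Added example. The real index.php is not shown on this page; the table
// and column names (users, username, password_hash) are assumed.

// BEFORE: the injection pattern the advisory describes. The username is
// concatenated into the SQL text, so attacker-controlled input changes the
// structure of the query instead of being treated purely as a data value.
function login_vulnerable(mysqli $db, string $username, string $password): ?array
{
    $sql = "SELECT * FROM users WHERE username = '$username' AND password = '$password'";
    $result = $db->query($sql);
    $row = $result ? $result->fetch_assoc() : null;
    return $row ?: null;
}

// AFTER: the query structure is fixed before any user data is seen; the
// username travels as a bound parameter, and the password is verified in
// PHP against a stored hash rather than compared inside the SQL statement.
function login_safe(PDO $db, string $username, string $password): ?array
{
    $stmt = $db->prepare(
        'SELECT id, username, password_hash FROM users WHERE username = :u LIMIT 1'
    );
    $stmt->bindValue(':u', $username, PDO::PARAM_STR);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return null; // one failure path for unknown user and wrong password
    }
    unset($row['password_hash']);
    return $row;
}

// Usage with an assumed DSN and credentials. Disabling emulated prepares
// makes the MySQL server itself separate query text from parameters.
// $pdo = new PDO('mysql:host=localhost;dbname=attendance', 'app', 'secret', [
//     PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
//     PDO::ATTR_EMULATE_PREPARES => false,
// ]);
// $user = login_safe($pdo, $_POST['username'] ?? '', $_POST['password'] ?? '');
// if ($user === null) { http_response_code(401); exit('Login failed'); }
// session_regenerate_id(true);
// $_SESSION['user_id'] = $user['id'];
```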

Advisories

No advisories yet.

History

Fri, 17 Apr 2026 21:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Codeastro; Codeastro simple Attendance Management System
Vendors & Products | | Codeastro; Codeastro simple Attendance Management System

Fri, 17 Apr 2026 16:15:00 +0000

Type | Values Removed | Values Added
Weaknesses | | CWE-89
Metrics | | cvssV3_1: {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}
 | | ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 17 Apr 2026 15:15:00 +0000

Type | Values Removed | Values Added
Description | | A SQL injection vulnerability in CodeAstro Simple Attendance Management System v1.0 allows remote unauthenticated attackers to bypass authentication via the username parameter in index.php.
References | |

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-04-17T15:23:39.696Z

Reserved: 2026-04-06T00:00:00.000Z

Link: CVE-2026-37749

Vulnrichment

Updated: 2026-04-17T15:19:03.375Z

NVD

Status: Deferred

Published: 2026-04-17T15:16:51.763

Modified: 2026-04-17T16:17:07.250

Link: CVE-2026-37749

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T09:30:25Z

Weaknesses