Description
A flaw has been found in CodeAstro Online Classroom 1.0. This affects an unknown part of the file /addnewfaculty. Executing a manipulation of the argument fname can lead to sql injection. The attack can be executed remotely. The exploit has been published and may be used.
Published: 2026-04-27
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Remote SQL Injection
Action: Patch
AI Analysis

Impact

The flaw exists in the /addnewfaculty endpoint of CodeAstro Online Classroom 1.0. By manipulating the fname argument, an attacker can inject arbitrary SQL statements, potentially altering, exposing, or deleting data stored in the database. The vulnerability is exploitable remotely and, based on the description, it is inferred that an external attacker can trigger the injection without any prior authentication.

Affected Systems

This issue impacts the CodeAstro Online Classroom application, version 1.0. Administrators should verify that their deployment is not running this vulnerable build and consider upgrading if a newer, patched release is available.

Risk and Exploitability

The CVSS score of 5.3 classifies the threat as moderate, but EPSS data is not provided and the vulnerability is not included in CISA KEV. Nevertheless, the published exploit and the remote attack vector mean that unpatched installations are realistic targets. The problem is tied to input handling weaknesses (CWE-74 and CWE-89), allowing unauthenticated attackers to execute arbitrary SQL code.

Generated by OpenCVE AI on April 28, 2026 at 19:42 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor’s patch or upgrade to the latest available version of CodeAstro Online Classroom.
  • Restrict the /addnewfaculty functionality to authenticated and authorized administrative users only.
  • Implement stringent input validation and use parameterized/database‑prepared statements to prevent the execution of injected SQL code.
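To make the last two recommendations concrete, the following added example (not CodeAstro's code; the application's language and schema are not on the page, so Python with an in-memory sqlite3 database and a constructed faculty table stand in for them) puts the CWE-89 pattern of an insert that splices the fname parameter into the SQL text next to a hardened handler that requires an administrator session, allow-list validates the name fields, and binds the values as query parameters. The session dictionaries, the table layout and the sample names are all constructed for the demonstration.

```python
import re
import sqlite3

# Constructed schema standing in for the application's faculty table; the real
# CodeAstro Online Classroom schema is not on the page and may differ.
def setup_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE faculty (id INTEGER PRIMARY KEY, fname TEXT NOT NULL, lname TEXT NOT NULL)"
    )
    return conn

def add_faculty_vulnerable(conn, fname, lname):
    """Pattern behind CWE-89: request parameters spliced into the SQL text.
    Any quote character in fname changes the statement instead of the data."""
    sql = f"INSERT INTO faculty (fname, lname) VALUES ('{fname}', '{lname}')"
    conn.execute(sql)
    conn.commit()

# Allow-list for a person's name: letters, spaces, hyphens, dots and
# apostrophes, capped in length. Apostrophes are legitimately part of names,
# so validation alone cannot be the SQL defence; the parameter binding below is.
NAME_RE = re.compile(r"^[A-Za-z][A-Za-z .'-]{0,63}$")

def validate_name(field, value):
    if not isinstance(value, str) or not NAME_RE.fullmatch(value):
        raise ValueError(f"{field}: value does not look like a name")
    return value

def add_faculty_safe(conn, session, fname, lname):
    """Hardened handler: admin-only, validated input, bound parameters."""
    if session.get("user_id") is None or session.get("role") != "admin":
        raise PermissionError("addnewfaculty requires an authenticated administrator")
    validate_name("fname", fname)
    validate_name("lname", lname)
    # The driver sends the values separately from the statement text, so the
    # database never parses fname as SQL regardless of its content.
    conn.execute("INSERT INTO faculty (fname, lname) VALUES (?, ?)", (fname, lname))
    conn.commit()

def stored_names(conn):
    return [row[0] for row in conn.execute("SELECT fname FROM faculty ORDER BY id")]

def demo():
    """Runs both handlers on constructed inputs and reports what happened."""
    results = {}
    admin = {"user_id": 1, "role": "admin"}      # constructed sessions
    student = {"user_id": 2, "role": "student"}

    # 1. A perfectly legitimate name with an apostrophe breaks the vulnerable
    #    query: the quote terminates the string literal early.
    conn = setup_db()
    try:
        add_faculty_vulnerable(conn, "O'Brien", "Test")
        results["vulnerable_apostrophe"] = "accepted"
    except sqlite3.OperationalError:
        results["vulnerable_apostrophe"] = "sql error"

    # 2. The parameterised handler stores the same name verbatim.
    conn = setup_db()
    add_faculty_safe(conn, admin, "O'Brien", "Test")
    results["safe_apostrophe"] = stored_names(conn)

    # 3. Input containing statement delimiters fails validation before any SQL runs.
    conn = setup_db()
    try:
        add_faculty_safe(conn, admin, "x'; --", "Test")
        results["safe_delimiters"] = "accepted"
    except ValueError:
        results["safe_delimiters"] = "rejected by validation"

    # 4. Non-admin sessions cannot reach the insert at all.
    conn = setup_db()
    try:
        add_faculty_safe(conn, student, "Alice", "Test")
        results["safe_student"] = "accepted"
    except PermissionError:
        results["safe_student"] = "denied"
    results["safe_student_rows"] = stored_names(conn)
    return results

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The first case is the useful one for a defender: the vulnerable form fails on ordinary data, which is both a functional bug and the symptom that the query text is being reassembled from user input. Binding parameters fixes both at once; the allow-list and the authorization check are the layers the recommended actions describe around it.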


Advisories

No advisories yet.

History

Tue, 28 Apr 2026 04:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | - | Codeastro; Codeastro online Classroom
Vendors & Products | - | Codeastro; Codeastro online Classroom

Mon, 27 Apr 2026 21:15:00 +0000

Type | Values Removed | Values Added
Metrics | - | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 27 Apr 2026 18:45:00 +0000

Type | Values Removed | Values Added
Description | - | A flaw has been found in CodeAstro Online Classroom 1.0. This affects an unknown part of the file /addnewfaculty. Executing a manipulation of the argument fname can lead to sql injection. The attack can be executed remotely. The exploit has been published and may be used.
Title | - | CodeAstro Online Classroom addnewfaculty sql injection
Weaknesses | - | CWE-74; CWE-89
References | - | -
Metrics | - | cvssV2_0: {'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}
  cvssV3_0: {'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
  cvssV3_1: {'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
  cvssV4_0: {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


Subscriptions

Codeastro Online Classroom
MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-04-27T20:12:45.919Z

Reserved: 2026-04-26T20:00:16.636Z

Link: CVE-2026-7148

Vulnrichment

Updated: 2026-04-27T20:02:54.827Z

NVD

Status : Deferred

Published: 2026-04-27T19:16:53.987

Modified: 2026-04-29T01:00:01.613

Link: CVE-2026-7148

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T19:45:07Z

Weaknesses