Description
A flaw has been found in CodeAstro Online Classroom 1.0. The affected element is an unknown function of the file /OnlineClassroom/facultylogin. Executing a manipulation of the argument fid can lead to sql injection. The attack can be executed remotely. The exploit has been published and may be used.
Published: 2026-05-04
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An unknown function within the /OnlineClassroom/facultylogin file of CodeAstro Online Classroom 1.0 allows manipulation of the fid argument, leading to SQL injection (CWE-74 and CWE-89). An attacker who supplies a crafted fid value can inject arbitrary SQL statements, potentially reading, modifying, or deleting sensitive data stored in the application database. The flaw presents a direct path to compromise data confidentiality, integrity, and availability without needing local access.

Affected Systems

The vulnerability affects CodeAstro Online Classroom version 1.0. No other product versions are listed as impacted.

Risk and Exploitability

The CVSS base score of 5.3 indicates moderate severity, and no EPSS information is available, suggesting low-to-moderate exploitation likelihood at this time. The vulnerability is not listed in the CISA KEV catalog, but the fact that a published exploit exists means it could be employed by adversaries. As the attack vector is remote through the facultylogin interface, any publicly accessible instance is a potential target.

Generated by OpenCVE AI on May 4, 2026 at 08:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest CodeAstro Online Classroom patch that addresses the SQL injection flaw
  • If no patch is available, modify the facultylogin handler to use parameterized queries and validate the fid parameter before including it in SQL statements
  • Restrict access to the facultylogin endpoint by IP whitelisting or network segmentation, and monitor logs for suspicious query patterns
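As an added illustration of the second recommendation (not code from CodeAstro; the real facultylogin handler is not shown on this page), the snippet below places the vulnerable concatenation pattern next to a hardened lookup that allow-lists fid and binds it as a query parameter. The in-memory SQLite table, its column names and the sample rows are constructed assumptions.

```python
import re
import sqlite3

# Constructed in-memory stand-in for the application's faculty table.
# Assumption: the real schema is not shown on the page.
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE faculty (fid INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO faculty VALUES (?, ?)", [(1, "Alice"), (2, "Bob")])
    return conn

def faculty_lookup_unsafe(conn, raw_fid):
    # Vulnerable pattern: the request value is spliced into the SQL text, so
    # whatever arrives in raw_fid is parsed as query syntax, not as data.
    sql = "SELECT fid, name FROM faculty WHERE fid = " + raw_fid
    return conn.execute(sql).fetchall()

FID_PATTERN = re.compile(r"[0-9]{1,9}")

def validate_fid(raw_fid):
    # Allow-list check: fid must be a short run of digits. Anything else is
    # rejected before it gets anywhere near the database.
    if not isinstance(raw_fid, str) or not FID_PATTERN.fullmatch(raw_fid):
        raise ValueError("invalid fid")
    return int(raw_fid)

def is_valid_fid(raw_fid):
    try:
        validate_fid(raw_fid)
        return True
    except ValueError:
        return False

def faculty_lookup_safe(conn, raw_fid):
    # Hardened pattern: validate first, then bind the value through a
    # placeholder so the driver sends it as data, never as statement text.
    fid = validate_fid(raw_fid)
    return conn.execute("SELECT fid, name FROM faculty WHERE fid = ?", (fid,)).fetchall()
```

Logging the rejected values from validate_fid gives the "suspicious query pattern" signal the third recommendation asks for, without the database ever seeing them.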

Generated by OpenCVE AI on May 4, 2026 at 08:20 UTC.


Advisories

No advisories yet.

History

Mon, 04 May 2026 11:45:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Codeastro
                                       Codeastro online Classroom
Vendors & Products                     Codeastro
                                       Codeastro online Classroom

Mon, 04 May 2026 11:15:00 +0000

Type       Values Removed   Values Added
Metrics                     ssvc
                            {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 04 May 2026 07:45:00 +0000

Type          Values Removed   Values Added
Description                    A flaw has been found in CodeAstro Online Classroom 1.0. The affected element is an unknown function of the file /OnlineClassroom/facultylogin. Executing a manipulation of the argument fid can lead to sql injection. The attack can be executed remotely. The exploit has been published and may be used.
Title                          CodeAstro Online Classroom facultylogin sql injection
Weaknesses                     CWE-74
                               CWE-89
References
Metrics                        cvssV2_0
                               {'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}
                               cvssV3_0
                               {'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
                               cvssV3_1
                               {'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
                               cvssV4_0
                               {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-05-04T10:33:28.119Z

Reserved: 2026-05-03T17:16:06.540Z

Link: CVE-2026-7742

Vulnrichment

Updated: 2026-05-04T10:33:19.584Z

NVD

Status: Deferred

Published: 2026-05-04T08:16:02.683

Modified: 2026-05-04T15:17:58.710

Link: CVE-2026-7742

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-04T11:30:43Z

Weaknesses