Description
A weakness has been identified in CodeAstro Leave Management System 1.0. Affected is an unknown function of the file /login.php. This manipulation of the argument txt_username causes sql injection. The attack can be initiated remotely. The exploit has been made available to the public and could be used for attacks.
Published: 2026-05-08
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A SQL injection flaw exists in the login.php file of CodeAstro Leave Management System 1.0. By manipulating the txt_username argument, an attacker can inject arbitrary SQL, potentially bypassing authentication and retrieving or altering database contents. The weakness is identified as input unsanitized, aligning with CWE-74 and CWE-89. Successful exploitation could allow unauthorized access to sensitive employee data and modifications that compromise system integrity.

Affected Systems

Affected products are CodeAstro:Leave Management System version 1.0. Only the login.php endpoint is vulnerable, and the flaw is present in the current 1.0 release. No other versions or modules are explicitly listed.

Risk and Exploitability

The CVSS score of 6.9 indicates high severity, and although the EPSS score is not available, the vulnerability is publicly available and can be triggered remotely via the web interface. It is not listed in CISA’s KEV catalog, but the remote nature and potential for data exfiltration mean that organizations should treat it as a significant risk. The available exploit code suggests a low barrier to exploitation for attackers with web access.

Generated by OpenCVE AI on May 8, 2026 at 05:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest official patch or upgrade CodeAstro Leave Management System to a version that removes the SQL injection vulnerability.
  • Ensure that the txt_username input is validated and processed using parameterized queries or stored procedures to prevent injection.
  • Deploy a web application firewall or request filtering mechanism that blocks known SQL injection patterns against the login endpoint.

Generated by OpenCVE AI on May 8, 2026 at 05:25 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 11 May 2026 17:00:00 +0000

Type Values Removed Values Added
First Time appeared Codeastro
Codeastro leave Management System
Vendors & Products Codeastro
Codeastro leave Management System

Fri, 08 May 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 08 May 2026 04:00:00 +0000

Type Values Removed Values Added
Description A weakness has been identified in CodeAstro Leave Management System 1.0. Affected is an unknown function of the file /login.php. This manipulation of the argument txt_username causes sql injection. The attack can be initiated remotely. The exploit has been made available to the public and could be used for attacks.
Title CodeAstro Leave Management System login.php sql injection
Weaknesses CWE-74
CWE-89
References
Metrics cvssV2_0

{'score': 7.5, 'vector': 'AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}

cvssV3_0

{'score': 7.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV3_1

{'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV4_0

{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}

Subscriptions

Codeastro Leave Management System
cve-icon MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-05-08T20:05:10.452Z

Reserved: 2026-05-07T17:29:00.337Z

Link: CVE-2026-8132

cve-icon Vulnrichment

Updated: 2026-05-08T20:04:52.735Z

cve-icon NVD

Status : Deferred

Published: 2026-05-08T04:16:25.153

Modified: 2026-05-08T15:45:49.503

Link: CVE-2026-8132

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-11T16:11:07Z

Weaknesses