HIGH 7.3

CVE-2026-10260: SQL Injection in CodeAstro Online Job Portal 1.0 Admin Panel

CodeAstro Online Job Portal version 1.0 contains a SQL injection vulnerability in its admin job deletion function. An attacker can manipulate the ID parameter in the /admin/jobs-admins/delete-jobs.php file to inject malicious SQL commands, potentially compromising the database. The vulnerability requires no authentication and can be exploited over the network. Proof-of-concept code has been released publicly, increasing the likelihood of active exploitation.

Source data · NVD / CISA · public domain

CVSS
3.1 · 7.3 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Weaknesses (CWE)
CWE-74, CWE-89
Affected products
0 configuration(s)
Published / Modified
2026-06-01 / 2026-06-17

NVD description (verbatim)

A vulnerability was detected in CodeAstro Online Job Portal 1.0. The impacted element is an unknown function of the file /admin/jobs-admins/delete-jobs.php. Performing a manipulation of the argument ID results in sql injection. It is possible to initiate the attack remotely. The exploit is now public and may be used.

6 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-10260 is a remote SQL injection flaw arising from insufficient input validation in CodeAstro Online Job Portal 1.0. The vulnerable endpoint at /admin/jobs-admins/delete-jobs.php fails to properly sanitize the ID parameter before incorporating it into SQL queries. This allows unauthenticated attackers to craft malicious payloads that alter query logic, bypass authentication checks, or extract sensitive data. The vulnerability maps to CWE-74 (Improper Neutralization of Special Elements in Output) and CWE-89 (SQL Injection), reflecting both the root cause and the attack vector. The CVSS 3.1 score of 7.3 (HIGH) reflects the network-accessible nature, low complexity, and moderate impact on confidentiality, integrity, and availability.

Business impact

Organizations running CodeAstro Online Job Portal 1.0 face direct risk of unauthorized data access, modification, or deletion of job records and associated user information. Database compromise could expose applicant personal data, employment history, and credentials, triggering potential regulatory liability under data protection frameworks. Attackers could also manipulate job postings or delete records to disrupt business operations. The public availability of exploit code elevates the risk of opportunistic attacks against unpatched instances.

Affected systems

CodeAstro Online Job Portal version 1.0 is the confirmed affected product. Organizations should audit all deployments of this version, including development, staging, and production environments. The vulnerability is not limited to specific server configurations or operating systems; any instance running version 1.0 with network exposure is at risk. Later versions may not be vulnerable, but this requires verification against CodeAstro's advisory.

Exploitability

This vulnerability is readily exploitable. The attack requires no authentication, no user interaction, and minimal complexity—standard SQL injection techniques apply. Public exploit code is available, removing barriers to entry for both opportunistic and sophisticated threat actors. Network accessibility means any internet-connected instance is a potential target. The risk of active exploitation is high given the public availability of proof-of-concept materials and the administrative nature of the affected function.

Remediation

Immediate patching is the primary remediation. Organizations should update CodeAstro Online Job Portal to a patched version released by the vendor—verify the specific version number against CodeAstro's official security advisory. If immediate patching is not feasible, disable or restrict network access to the /admin/jobs-admins/ directory using firewall rules or web server configuration. Implement network segmentation to limit admin panel exposure to trusted networks only. Additionally, review database access logs and job records for evidence of unauthorized modification or deletion.

Patch guidance

Obtain the latest patched release from CodeAstro's official channels. Follow the vendor's upgrade instructions carefully, as database schema changes may be required. Test patches in a non-production environment first to ensure compatibility with custom configurations or integrations. After patching, verify that the admin job deletion function properly rejects malformed ID parameters and logs attempts. If you have not received vendor guidance on patch availability, contact CodeAstro support to confirm the release timeline and whether interim compensating controls are recommended.

Detection guidance

Monitor web server access logs for suspicious requests to /admin/jobs-admins/delete-jobs.php, especially those containing SQL metacharacters (single quotes, semicolons, 'OR', 'UNION') in the ID parameter. Database query logs should be reviewed for unusual DELETE or SELECT statements targeting job records, particularly those issued without corresponding admin actions. Intrusion detection systems should be configured to flag SQL injection signatures targeting this path. Log aggregation tools can correlate failed authentication attempts with subsequent requests to the admin panel, signaling reconnaissance activity.

Why prioritize this

This vulnerability warrants immediate attention due to the convergence of high CVSS score (7.3), public exploit availability, network accessibility, and lack of authentication requirements. The administrative context of the affected function amplifies the business impact—compromise of job deletion logic can corrupt or destroy critical operational data. Organizations running CodeAstro Online Job Portal 1.0 should prioritize patching or mitigation above other non-critical updates.

Risk score, explained

The CVSS 3.1 score of 7.3 (HIGH) reflects: (1) Network Attack Vector (AV:N), allowing remote exploitation without physical access; (2) Low Attack Complexity (AC:L), requiring standard SQL injection techniques; (3) No Privilege Requirements (PR:N), enabling unauthenticated attacks; (4) No User Interaction (UI:N), allowing autonomous exploitation; (5) Unchanged Scope (S:U), with impact limited to the vulnerable system; and (6) Low to Low impact on Confidentiality (C:L), Integrity (I:L), and Availability (A:L), reflecting database query tampering and potential record loss. The score does not account for public exploit availability or active threat activity, which elevate real-world risk beyond the CVSS baseline.

Frequently asked questions

Is CodeAstro Online Job Portal 1.0 still supported by the vendor?

Verify this with CodeAstro directly. If the product has reached end-of-life, the vendor may not release patches, making immediate migration or network isolation essential. Contact CodeAstro support or check their security advisories for patch availability and timelines.

Can this vulnerability be exploited without internet access to the job portal?

No. The vulnerability requires network access to the /admin/jobs-admins/delete-jobs.php endpoint. However, 'network' includes internal networks if the portal is accessible on a corporate LAN. Restrict network exposure using firewalls and access control lists.

What data is at highest risk if this vulnerability is exploited?

Job records and applicant information stored in the portal's database are at highest risk. Depending on what the portal tracks, this could include personal data, employment history, contact information, and login credentials. A complete database compromise is possible if the attacker escalates privileges through the SQL injection.

Does updating from 1.0 to a newer CodeAstro version guarantee this is fixed?

Likely, but not guaranteed. Verify the fix in CodeAstro's release notes or security advisory for the target version. Test in a staging environment before production deployment to confirm the vulnerability is remediated.

This analysis is based on publicly available vulnerability data current as of the publication date. Readers are responsible for verifying vendor advisories and patch availability directly with CodeAstro. SEC.co does not host, test, or distribute exploit code. Organizations should conduct their own risk assessment and testing before applying patches. CVSS scores are provided as baseline risk indicators and do not reflect organizational context, threat landscape, or custom mitigations. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).