CVE-2026-11491: Stored XSS in CodeAstro HRMS Notice Board Management
CodeAstro Human Resource Management System version 1.0 contains a stored cross-site scripting (XSS) vulnerability in its Notice Board Management feature. An attacker with high privileges can inject malicious JavaScript into the Notice Title field, which is then executed in the browsers of other users viewing that notice. The vulnerability requires user interaction (a victim must view the affected notice) and has already been disclosed publicly with exploit code available.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 2.4 LOW · CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N
- Weaknesses (CWE)
- CWE-79, CWE-94
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-08 / 2026-06-17
NVD description (verbatim)
A vulnerability was identified in CodeAstro Human Resource Management System 1.0. Impacted is an unknown function of the file /notice/All_notice of the component Notice Board Management. Such manipulation of the argument Notice Title with the input <svg onload="alert('Stored XSS Triggered by Ashik Mohamed')"> as part of POST leads to cross site scripting. It is possible to launch the attack remotely. The exploit is publicly available and might be used.
6 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
The vulnerability exists in the Notice Board Management component of CodeAstro HRMS 1.0, specifically in the /notice/All_notice endpoint. The application fails to properly sanitize user input in the Notice Title parameter when processing POST requests. An attacker can inject arbitrary SVG/JavaScript payloads (e.g., <svg onload="...">)—which are then stored in the application and executed client-side when other users view the notice. This is a classic stored XSS vulnerability (CWE-79) with code injection potential (CWE-94). The attack is network-accessible and requires high privilege level (administrative or notice management role) to inject the payload.
Business impact
The primary risk is to organizational reputation and employee trust. An authenticated attacker with notice management privileges could inject malicious scripts that steal session cookies, redirect users to phishing sites, or capture keystroke data from HR staff and employees viewing notices. In an HR context, this could expose sensitive employee data, payroll information, or personal details. The low CVSS score reflects the requirement for high-privilege access and user interaction; however, the stored nature means the payload persists and affects multiple victims over time until remediated.
Affected systems
CodeAstro Human Resource Management System version 1.0 is confirmed affected. The Notice Board Management feature and its /notice/All_notice endpoint are the specific attack surface. Any deployment of this version with notice functionality exposed is vulnerable. Organizations running older versions should verify their current deployment version, as the vendor's current roadmap and support status are not specified in available data.
Exploitability
While the CVSS vector indicates the exploit requires high privilege (PR:H) and user interaction (UI:R), the public availability of exploit code reduces practical friction for attackers with administrative access. Internal threats—disgruntled employees or compromised admin accounts—represent the most realistic exploitation path. The attack requires no special tools or network conditions, only the ability to post a notice through the application's intended workflow.
Remediation
Immediately review and restrict access to the Notice Board Management component to only trusted administrators. Verify the version of CodeAstro HRMS in use. Contact the CodeAstro vendor for a security update addressing input validation and output encoding in the Notice Title field. As an interim measure, implement Web Application Firewall (WAF) rules to block SVG and script tags in POST requests to the /notice/All_notice endpoint. Audit all existing notices for suspicious content or injection attempts and remove any that appear compromised.
Patch guidance
Check the CodeAstro vendor advisory and security bulletins for a patched version addressing CWE-79 and CWE-94 in the Notice Board component. Verify patch availability before deploying—given the limited vendor and product information in the public database, direct contact with CodeAstro support is strongly recommended to confirm the exact patched version and any deployment prerequisites. Test patches in a non-production environment first, particularly given the notice feature's role in internal communications.
Detection guidance
Monitor application logs for POST requests to /notice/All_notice with payloads containing <svg, onload=, onerror=, or other event handler syntax in the Notice Title parameter. Implement input validation logging to capture blocked injection attempts. Review stored notices in the database for suspicious tags or script content. Use browser developer tools to inspect notice page HTML and check for unescaped user input. Consider deploying a Web Application Firewall with XSS detection rules to identify and block malicious notice submissions in real-time.
Why prioritize this
Although the CVSS score is low (2.4), this vulnerability should not be deprioritized solely on that basis. The public availability of exploit code, combined with the stored nature of the payload (affecting many users), and the HR context (sensitive data exposure potential) warrant prompt remediation. Prioritize this for patching within 30 days, especially if your HRMS is internet-facing or used by remote employees. Organizations with strong internal access controls and strict administrator oversight may prioritize this lower, but it should remain on the active remediation roadmap.
Risk score, explained
The CVSS 3.1 score of 2.4 reflects the requirement for high-privilege access (PR:H) and user interaction (UI:R), plus the limited impact scope (integrity only, no confidentiality or availability impact). However, CVSS alone does not capture risk in context: the stored nature of the XSS, the sensitivity of HR data, public exploit availability, and the potential for lateral movement or credential theft warrant consideration above the numerical score when assessing organizational risk.
Frequently asked questions
Can this vulnerability be exploited remotely without an account?
No. The CVSS vector and vulnerability description indicate that high privilege is required (PR:H), meaning the attacker must have authenticated administrative or notice management access to inject the malicious payload. However, once injected, any user viewing the notice—including those without special privileges—will be affected.
What data could an attacker steal using this XSS vulnerability?
Depending on the attacker's objectives and the scope of the injected script, they could capture session cookies (enabling account takeover), steal personal or payroll information visible on the page, redirect users to credential harvesting sites, or inject keyloggers to capture passwords. In an HR context, exposure of employee records, salary data, or applicant information is a realistic concern.
If we can't get a patch immediately, what can we do?
Restrict access to the Notice Board Management interface to a minimal set of trusted administrators. Implement WAF rules to block requests with script or SVG injection patterns. Audit all existing notices for suspicious content. Consider temporarily disabling the notice feature if the risk tolerance is very low. Contact CodeAstro support urgently for patch timeline and workaround options.
Does this vulnerability require internet exposure to be a risk?
No. Even on an internal network, this vulnerability poses a risk to employees with HR system access. However, internet-facing deployments significantly increase the attack surface and should be remediated with higher urgency.
This analysis is provided for informational and defensive security purposes only. The vulnerability details, CVSS score, and affected software versions are based on public CVE data as of the publication and modification dates listed. Organizations should verify their exact software version and consult the CodeAstro vendor advisory for patch availability and deployment guidance. No exploit code is provided or endorsed. Security teams should conduct their own risk assessment and testing before deploying patches or workarounds in production environments. Source: NVD (public-domain), retrieved 2026-07-15. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10112LOWXSS in STUDENT-MANAGEMENT-SYSTEM 1.0 Dashboard
- CVE-2026-10228LOWXSS Vulnerability in raisulislamg4 Student Management System
- CVE-2026-10234LOWMettle Sendportal XSS Vulnerability – Campaign Handler Remote Exploit
- CVE-2026-10244LOWSourceCodester Pharmacy Sales and Inventory System XSS Vulnerability
- CVE-2026-10245LOWStored XSS in SourceCodester Pharmacy Sales and Inventory System 1.0
- CVE-2026-10246LOWStored XSS in SourceCodester Pharmacy System 1.0 – Remediation Guide
- CVE-2026-10247LOWXSS in SourceCodester Pharmacy Sales System 1.0
- CVE-2026-10514LOWCordysCRM Cross-Site Scripting (XSS) Vulnerability – Patch to 1.7.0