CVE-2026-11507: SQL Injection in CodeAstro Leave Management System 1.0
A SQL injection vulnerability exists in CodeAstro Leave Management System version 1.0 that allows authenticated users to manipulate the leave_type parameter in the admin delete function, potentially extracting or modifying database information. The flaw requires valid login credentials but no additional user interaction, and public exploit code is available.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 6.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
- Weaknesses (CWE)
- CWE-74, CWE-89
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-08 / 2026-06-17
NVD description (verbatim)
A vulnerability was found in CodeAstro Leave Management System 1.0. Affected is an unknown function of the file /admin/delete_leave_type.php. The manipulation of the argument leave_type results in sql injection. The attack can be executed remotely. The exploit has been made public and could be used.
6 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-11507 is a SQL injection vulnerability (CWE-89, CWE-74) in the /admin/delete_leave_type.php endpoint of CodeAstro Leave Management System 1.0. The leave_type parameter fails to properly sanitize or parameterize user input before incorporating it into SQL queries. An authenticated attacker can inject arbitrary SQL commands to read, modify, or delete database records. The vulnerability is remotely exploitable and has been disclosed publicly with functional proof-of-concept code available.
Business impact
Organizations deploying CodeAstro Leave Management System 1.0 face potential data breach, unauthorized database modification, and operational disruption. An authenticated administrator or user with access to the admin panel could exfiltrate sensitive employee leave records, modify audit trails, or corrupt the leave management database. While authentication is required, compromised admin accounts—whether through phishing, weak credentials, or lateral movement—create a direct attack path.
Affected systems
CodeAstro Leave Management System version 1.0 is confirmed vulnerable. The vulnerability resides in the admin panel's leave type deletion functionality and is accessible to any user with authenticated access to that function. Organizations running earlier or later versions should verify their version status directly with CodeAstro, as no vendor product data has been formally published for this CVE.
Exploitability
Exploitability is moderate to high. The attack requires valid authentication credentials but no special privileges beyond typical admin panel access. The low attack complexity (AC:L) means standard SQL injection techniques apply without additional bypasses needed. Public exploit availability elevates practical risk, as threat actors have functional code. However, the requirement for prior authentication prevents unauthenticated mass exploitation.
Remediation
Immediately update CodeAstro Leave Management System to a patched version if available from the vendor. Pending patching, restrict admin panel access using network segmentation, VPN, or IP allowlisting. Enforce strong, unique passwords for admin accounts and enable multi-factor authentication if supported. Monitor database logs for suspicious SQL queries. Review admin access logs for unauthorized or anomalous activity since disclosure.
Patch guidance
Check CodeAstro's official security advisories and release notes for version 1.0 patches or fixed versions. Apply patches in a test environment first to verify compatibility with your deployment. If no patch is available from CodeAstro, escalate with the vendor for an expected timeline and interim protective measures. Document your patching plan and track deployment across all instances.
Detection guidance
Monitor application and database logs for SQL syntax errors, unusual query patterns, or multiple failed SQL operations in /admin/delete_leave_type.php. Watch for HTTP requests to that endpoint with suspicious leave_type parameter values (e.g., quotes, semicolons, UNION keywords, time-delay commands). Implement Web Application Firewall (WAF) rules to block common SQL injection payloads targeting the leave_type parameter. Track admin authentication events for suspicious login patterns or geographic anomalies.
Why prioritize this
This vulnerability warrants prompt attention due to authentication bypass risk in a sensitive function, public exploit availability, and direct access to employee data. While a CVSS score of 6.3 (MEDIUM) reflects the authentication requirement, the combination of SQL injection severity, public weaponization, and operational sensitivity justifies treating this as a near-term remediation target, especially if your admin credentials have any exposure risk.
Risk score, explained
The CVSS 3.1 score of 6.3 reflects a network-accessible, low-complexity SQL injection with low privileges required (authenticated access). The score factors in partial confidentiality, integrity, and availability impact (C:L, I:L, A:L)—the attacker can read sensitive data, modify records, or disrupt the leave system, but impact is scoped to the affected application rather than the wider system. The lack of user interaction (UI:N) and the availability of public exploits push this toward the upper end of MEDIUM severity.
Frequently asked questions
Does this vulnerability affect all users or only administrators?
The vulnerability requires authenticated access to the admin panel, typically limited to administrative users. However, if non-admin users have been granted access to the admin panel, or if admin credentials are compromised, the risk expands significantly. Review your access control lists to confirm who can reach /admin/delete_leave_type.php.
What data could an attacker access or modify?
An authenticated attacker exploiting this SQL injection can read any data accessible to the database user running the application (typically employee records, leave history, and system configuration). They can also modify or delete records, potentially altering leave balances, audit logs, or other sensitive information. The scope depends on the database user's permissions.
Is there a temporary workaround if we cannot patch immediately?
Yes. Restrict network access to the admin panel using firewall rules, VPN requirements, or IP allowlisting. Enforce strong, unique passwords and enable MFA on admin accounts if available. Disable the leave type deletion feature if operationally feasible, or monitor its use closely with alerts. These measures reduce attack surface until patching is completed.
Has this been exploited in the wild?
The vulnerability has been publicly disclosed with proof-of-concept code available, increasing the likelihood of exploitation. However, it is not currently tracked in CISA's Known Exploited Vulnerabilities (KEV) catalog. This does not guarantee it has not been exploited—monitor your systems closely for suspicious activity and assume active threat actors are testing this vulnerability against exposed instances.
This analysis is provided for informational purposes and does not constitute legal, compliance, or professional security advice. CVE-2026-11507 details are based on public disclosures and vendor information available as of the publication date. Organizations should verify patch availability and compatibility with CodeAstro directly and conduct independent risk assessments appropriate to their deployment, data sensitivity, and threat landscape. SEC.co makes no warranty regarding the completeness or accuracy of this information and recommends consulting security professionals and official vendor advisories for definitive guidance. Source: NVD (public-domain), retrieved 2026-07-15. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10155MEDIUMSQL Injection in Bdtask Multi-Store Inventory Management System 1.0
- CVE-2026-10170MEDIUMSQL Injection in code-projects Visitor Management System 1.0
- CVE-2026-10171MEDIUMSQL Injection in code-projects Online Music Site 1.0 AdminUpdateAlbum.php
- CVE-2026-10176MEDIUMSQL Injection in Aider-AI Aider 0.86.3 Code Generation
- CVE-2026-10193MEDIUMSQL Injection in OFCMS ComnController – Authentication Required
- CVE-2026-10202MEDIUMOFCMS 1.1.3 SQL Injection in SystemDictController
- CVE-2026-10203MEDIUMSQL Injection in OFCMS 1.1.3 JSON Query Interface
- CVE-2026-10204MEDIUMSQL Injection in OFCMS 1.1.3 JSON Query Interface