MEDIUM 6.3

CVE-2026-11510: SQL Injection in CodeAstro Leave Management System 1.0

CodeAstro Leave Management System version 1.0 contains a SQL injection vulnerability in its administrative interface. An authenticated attacker can manipulate the type_of_leave parameter when submitting leave requests through /admin/add_leave.php to inject malicious SQL commands. This allows unauthorized reading, modification, or deletion of database records. The vulnerability requires valid administrative credentials to exploit, but public exploit code is now available, increasing the practical risk.

Source data · NVD / CISA · public domain

CVSS
3.1 · 6.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Weaknesses (CWE)
CWE-74, CWE-89
Affected products
0 configuration(s)
Published / Modified
2026-06-08 / 2026-06-17

NVD description (verbatim)

A security flaw has been discovered in CodeAstro Leave Management System 1.0. This affects an unknown part of the file /admin/add_leave.php. Performing a manipulation of the argument type_of_leave results in sql injection. It is possible to initiate the attack remotely. The exploit has been released to the public and may be used for attacks.

6 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-11510 is a SQL injection flaw (CWE-89, CWE-74) in CodeAstro Leave Management System 1.0. The vulnerability exists in the /admin/add_leave.php endpoint where the type_of_leave parameter is processed without proper input validation or parameterized queries. An authenticated admin user can craft malicious SQL payloads to escape the intended query logic and execute arbitrary database commands. The CVSS 3.1 score of 6.3 reflects the requirement for prior authentication (PR:L) while acknowledging the potential for confidentiality, integrity, and availability impact (C:L/I:L/A:L). No network restrictions apply (AV:N/AC:L).

Business impact

Organizations using CodeAstro Leave Management System 1.0 face potential data breaches involving employee leave records, payroll data, or other sensitive HR information stored in the same database. Attackers with administrative access (or those who compromise admin credentials) can modify leave approvals, alter audit trails, or extract personal employee data. Service disruption through database manipulation could impair leave processing workflows. The availability of public exploits accelerates the timeline to weaponized attacks.

Affected systems

CodeAstro Leave Management System version 1.0 is the confirmed affected product. Organizations should inventory deployments of this software across their infrastructure, particularly those exposed to untrusted admin users or where admin credentials may have been compromised. The advisory does not specify patched versions; verify with CodeAstro's official security guidance for remediation availability.

Exploitability

The vulnerability is exploitable remotely but requires valid administrative credentials, limiting the attack surface to insider threats or compromised admin accounts. Public exploit code is available, reducing the barrier to attack execution. The relatively low complexity (AC:L) and straightforward manipulation of a web parameter mean that an attacker with admin access could execute this attack quickly and reliably without advanced technical skill. Organizations should assume active exploitation is possible.

Remediation

Immediately verify whether your organization runs CodeAstro Leave Management System 1.0. If deployed, contact CodeAstro for patched versions or security updates. In the interim, restrict administrative access to the /admin/add_leave.php endpoint through network segmentation or application-level controls. Implement web application firewalls (WAF) with SQL injection detection rules. Review admin account access logs for suspicious database query patterns. Consider implementing input validation and output encoding at the application layer if patches are delayed.

Patch guidance

Check CodeAstro's official security advisories and vendor website for patched versions of Leave Management System. Update to the latest available release as soon as testing permits. Verify patch applicability in your deployment environment before production rollout. If CodeAstro has not released a patch, escalate to the vendor for patch timeline estimates and interim compensating controls.

Detection guidance

Monitor admin panel access logs for unusual authentication patterns or failed login attempts that might indicate credential compromise. Use database audit logging to detect unexpected SQL query patterns, particularly those containing UNION, SELECT, or DROP commands in leave management transactions. Deploy a WAF configured to block common SQL injection payloads in the type_of_leave parameter. Review database query logs for evidence of data exfiltration or schema enumeration attempts following admin authentication.

Why prioritize this

Although CVSS 6.3 is rated medium, the combination of public exploit availability, database access risk, and HR/payroll data sensitivity warrants elevated prioritization. Admin-level credentials are often persistent and harder to rotate; compromise of a single admin account can lead to broad data exposure. Patch availability and timeline should drive your remediation schedule.

Risk score, explained

The CVSS 3.1 score of 6.3 reflects a network-accessible SQL injection requiring prior administrative login. The vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L indicates low attack complexity and no user interaction needed once authenticated, but confidentiality, integrity, and availability impacts are partial rather than total. The score appropriately captures the risk within the authenticated admin context, but organizations should weigh the business sensitivity of HR data and public exploit availability when deciding on patch priority.

Frequently asked questions

Can this vulnerability be exploited without administrative credentials?

No. The vulnerability requires valid administrative login credentials (PR:L in the CVSS vector). However, if admin credentials are compromised through phishing, password reuse, or lateral movement, the attack becomes feasible. Regularly audit admin account access and enforce strong credential hygiene.

What is the difference between CWE-74 and CWE-89 for this vulnerability?

CWE-89 is Improper Neutralization of Special Elements used in an SQL Command (SQL Injection). CWE-74 is Improper Neutralization of Special Elements in Output Used by a Downstream Component. Together, they indicate that the application fails to sanitize input (CWE-89) and this flows unsafely downstream into database queries. Both reflect the same root cause: insufficient input validation.

Does this vulnerability appear on the CISA Known Exploited Vulnerabilities (KEV) catalog?

No, CVE-2026-11510 is not currently listed on the CISA KEV catalog. However, public exploit code is confirmed available, and organizations should treat this as an active exploitation risk regardless of KEV status. KEV addition may follow as adoption and attacks are confirmed.

What if we cannot patch immediately? What are short-term controls?

Implement network segmentation to restrict access to the /admin/add_leave.php endpoint to trusted IP ranges. Deploy a WAF with SQL injection rules. Enable detailed database query auditing. Reduce the number of active admin accounts and rotate credentials. Monitor admin authentication logs closely for anomalies. These controls reduce risk but do not eliminate it; patching remains the primary remediation.

This analysis is based on publicly available information current as of the publication date. CVSS scores and affected product information are derived from official CVE records. Patch version numbers and vendor timelines should be verified directly with CodeAstro. Organizations should test any patches in non-production environments before deployment. This assessment does not constitute a substitute for professional security advice tailored to your specific environment. SEC.co makes no warranty regarding the completeness or accuracy of remediation steps relative to future vendor updates. Source: NVD (public-domain), retrieved 2026-07-15. Analysis generated by SEC.co (claude-haiku-4-5).