CVE-2026-11583: SQL Injection in CodeAstro Student Attendance Management System 1.0
CodeAstro Student Attendance Management System version 1.0 contains a SQL injection vulnerability in the class creation administrative function. An authenticated attacker can manipulate the className input parameter to inject malicious SQL commands, potentially reading, modifying, or deleting database records. The vulnerability requires valid login credentials but can be exploited over the network without additional user interaction.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 6.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
- Weaknesses (CWE)
- CWE-74, CWE-89
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-08 / 2026-06-17
NVD description (verbatim)
A vulnerability has been found in CodeAstro Student Attendance Management System 1.0. This affects an unknown function of the file /attendance-php/Admin/createClass.php. The manipulation of the argument className leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.
6 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-11583 is a SQL injection flaw in /attendance-php/Admin/createClass.php affecting CodeAstro Student Attendance Management System 1.0. The className parameter is not properly sanitized before being incorporated into database queries, enabling an authenticated attacker to execute arbitrary SQL. The CVSS v3.1 score of 6.3 (Medium) reflects the requirement for prior authentication (PR:L), though network-accessible exploitation is possible. CWE-74 (Improper Neutralization of Special Elements in Output) and CWE-89 (SQL Injection) classify the root cause as inadequate input validation and query parameterization.
Business impact
Educational institutions using this system face potential exposure of sensitive student records, instructor data, and attendance information. Compromised databases could enable unauthorized enrollment manipulation, grade tampering, or data exfiltration. Depending on deployment scope, the vulnerability could affect institutional reputation, trigger privacy incident reporting obligations (FERPA, GDPR), and disrupt critical academic operations if database integrity is compromised.
Affected systems
CodeAstro Student Attendance Management System version 1.0 is confirmed vulnerable. Users should verify whether their installations are running this version. The vulnerability resides specifically in the administrative class creation interface, meaning accounts with administrative or class management privileges are the attack vector. Verify your exact product version against vendor documentation before assuming risk.
Exploitability
Public disclosure has occurred, increasing practical exploitation risk. The attack requires valid system credentials, which limits the immediate threat to insider threats or compromised accounts. However, the straightforward nature of SQL injection techniques and the authenticated access requirement (common in educational settings with multiple administrative accounts) suggests moderate real-world exploitability. No evidence indicates active exploitation in the wild at present, but the public nature of the disclosure warrants timely remediation.
Remediation
Contact CodeAstro directly to obtain patched versions of Student Attendance Management System. Until a patch is available, restrict administrative access to the class creation function to trusted personnel only, and implement database-level access controls to limit the damage a compromised account could cause. Consider isolating the system from untrusted networks if feasible. Ensure database backups are current and regularly tested for restore capability.
Patch guidance
Obtain the latest version of CodeAstro Student Attendance Management System directly from the vendor's official website or support portal. Verify the patch version against the vendor's advisory documentation and test in a non-production environment before deployment. The vendor should provide specific version numbers and release notes confirming SQL injection remediation. Prioritize patching of systems accessible to multiple administrative users.
Detection guidance
Monitor database query logs for anomalous SQL syntax, nested queries, or UNION-based injection patterns in the className parameter of class creation requests. Web application firewalls (WAF) should be configured to detect and block common SQL injection payloads. Audit administrative account login activity and filter for unusual class creation requests originating from unexpected users or IP addresses. Query database transaction logs for unexpected data access or modification patterns coinciding with the timing of suspicious administrative sessions.
Why prioritize this
Although CVSS severity is Medium, the vulnerability should be prioritized due to public exploit disclosure, the sensitive nature of educational data at risk, and the relatively low barrier to exploitation for users with administrative credentials. Organizations with distributed administrative teams or legacy credential management practices face elevated risk and should patch urgently.
Risk score, explained
The CVSS v3.1 score of 6.3 reflects limited scope (S:U—no impact beyond the vulnerable system), low confidentiality/integrity/availability impact (C:L/I:L/A:L—partial rather than complete compromise), and importantly, the requirement for prior authentication (PR:L). However, this score does not account for the public disclosure status or the sensitivity of data typically stored in student management systems, both of which should inform organizational risk appetite and remediation priority.
Frequently asked questions
Do we need administrative credentials to exploit this?
Yes, the vulnerability requires authenticated access to the administrative interface. However, this may be a lower bar than assumed if administrative credentials are widely shared or stored insecurely within your organization.
What data is at immediate risk if this is exploited?
Any data stored in the database backing the attendance system is at risk, including student records, attendance data, class rosters, and potentially grade or enrollment information, depending on the database schema.
Is this vulnerability currently being exploited in the wild?
There is no evidence of active exploitation in public threat feeds or exploit-as-a-service platforms at present. However, public disclosure means the technical details are available to potential attackers, making exploitation more likely over time.
Can we mitigate this without patching?
Temporary mitigations include restricting who can access the class creation function, implementing database-level permissions to limit what a compromised administrative account can do, and using a WAF to filter SQL injection patterns. However, these do not eliminate the underlying vulnerability and should not substitute for patching.
This analysis is based on publicly disclosed information current as of June 2026. Vulnerability details, patch availability, and vendor advisories may change; organizations should verify all remediation guidance against official vendor documentation before implementing. This intelligence does not constitute professional security advice for your specific environment. Conduct your own risk assessment and consult vendor support for definitive guidance on patch timelines and compatibility. SEC.co assumes no liability for damages arising from the use or misuse of this information. Source: NVD (public-domain), retrieved 2026-07-15. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10155MEDIUMSQL Injection in Bdtask Multi-Store Inventory Management System 1.0
- CVE-2026-10170MEDIUMSQL Injection in code-projects Visitor Management System 1.0
- CVE-2026-10171MEDIUMSQL Injection in code-projects Online Music Site 1.0 AdminUpdateAlbum.php
- CVE-2026-10176MEDIUMSQL Injection in Aider-AI Aider 0.86.3 Code Generation
- CVE-2026-10193MEDIUMSQL Injection in OFCMS ComnController – Authentication Required
- CVE-2026-10202MEDIUMOFCMS 1.1.3 SQL Injection in SystemDictController
- CVE-2026-10203MEDIUMSQL Injection in OFCMS 1.1.3 JSON Query Interface
- CVE-2026-10204MEDIUMSQL Injection in OFCMS 1.1.3 JSON Query Interface