CVE-2026-11584: SQL Injection in CodeAstro Student Attendance Management System 1.0
A SQL injection vulnerability exists in CodeAstro Student Attendance Management System version 1.0 that allows authenticated users to manipulate a parameter in the class editing interface and execute arbitrary database commands. An attacker with login credentials can inject malicious SQL through the ID argument to read, modify, or delete sensitive student and attendance data. The vulnerability is network-accessible and exploit code has been publicly disclosed, increasing the practical attack surface.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 6.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
- Weaknesses (CWE)
- CWE-74, CWE-89
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-08 / 2026-06-17
NVD description (verbatim)
A vulnerability was found in CodeAstro Student Attendance Management System 1.0. This impacts an unknown function of the file /attendance-php/Admin/createClass.php?action=edit. The manipulation of the argument ID results in sql injection. It is possible to launch the attack remotely. The exploit has been made public and could be used.
6 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-11584 is a SQL injection flaw (CWE-89, CWE-74) in the /attendance-php/Admin/createClass.php endpoint when the action parameter is set to 'edit'. The vulnerability stems from insufficient input validation on the ID parameter, which is directly concatenated into SQL queries without parameterized preparation. While the attack requires valid administrator or user authentication (reflected in the CVSS:3.1 PR:L requirement), the lack of complexity controls and network accessibility make exploitation straightforward for any authenticated session. The public disclosure of exploit code has eliminated the zero-day window.
Business impact
Organizations deploying CodeAstro SAMS 1.0 face direct risk to student records, attendance data integrity, and system availability. A compromised admin account or any authenticated user with editing permissions could exfiltrate personally identifiable information (PII) about students, modify attendance records for grade manipulation, or trigger denial-of-service conditions through resource-intensive queries. Educational institutions face regulatory exposure under FERPA (U.S.) and equivalent data protection laws, plus reputational damage if student data breaches occur. The vulnerability also enables lateral movement if the database host is shared with other systems.
Affected systems
CodeAstro Student Attendance Management System version 1.0 is confirmed vulnerable. No patch version has been announced by the vendor as of the last modification date. Organizations running this version should assume active exposure. Check your instance version in the application settings or database schema metadata. Newer versions, if available from the CodeAstro vendor, may contain remediations—verify directly with the vendor's security advisory.
Exploitability
Exploitability is high in practice despite a MEDIUM CVSS score. The vulnerability requires authentication but does not require special user interaction or privilege escalation—any valid login suffices. SQL injection attacks on this endpoint can be crafted using standard payloads (UNION-based, time-based blind, or error-based techniques). Public exploit code lowers the barrier for malicious actors, script kiddies, and insider threats. The network-accessible nature (AV:N) combined with no user interaction (UI:N) requirement means any authenticated user account—including compromised credentials from phishing or credential stuffing—can trigger the flaw.
Remediation
Primary remediation is vendor patching. Contact CodeAstro support to request a security update for version 1.0 or confirmation that a patched version exists and verify the version number against the official advisory. Until patching is available, implement network-level access controls to restrict admin interface access to trusted IP ranges, enforce multi-factor authentication for all admin accounts to reduce credential compromise risk, and apply a Web Application Firewall (WAF) rule to block SQL injection signatures in the createClass.php endpoint parameters. Monitor database query logs for anomalous SQL patterns in real time. Consider running CodeAstro SAMS in an isolated network segment to contain lateral movement risk.
Patch guidance
Verify the availability of a patched version directly from CodeAstro's official security advisory or support channel. When a patch is released, test it in a non-production environment before deploying to ensure no regression in attendance reporting or administrative functions. Patch deployment is recommended as critical priority due to public exploit availability. If the vendor discontinues support for version 1.0 without providing a patch, consider migration to an actively maintained alternative or implementing compensating controls (WAF rules, network segmentation, enhanced monitoring) as a temporary measure while procurement and deployment of a replacement system proceeds.
Detection guidance
Monitor application and database logs for: (1) unusual SQL keywords in createClass.php request parameters (SELECT, UNION, DROP, DELETE, INSERT); (2) encoded or obfuscated SQL payloads (%27, %2d%2d, /*, CHAR()); (3) multiple failed or slow database queries originating from the admin interface; (4) database errors logged immediately after requests to the createClass.php endpoint. Enable SQL query logging at the database layer (MySQL general_log or equivalent) with parameter capture during the investigation window. Web access logs should be parsed for suspicious ID parameter values. Set up alerting on any admin panel access from unexpected geographic locations or at unusual hours if baseline user behavior is known.
Why prioritize this
Although CVSS rates this as MEDIUM, the combination of public exploit availability, authenticated-only requirement (reducing perceived urgency in some environments), and high sensitivity of student data elevates practical priority. Educational institutions should treat this as HIGH priority because: (1) student PII is a high-value target for identity theft; (2) regulatory penalties for FERPA violations are severe; (3) any authenticated user can exploit it, including lower-privilege staff or compromised accounts; (4) the exploit is weaponized and public. Patch immediately if available, or implement compensating controls within 48 hours.
Risk score, explained
The CVSS:3.1 score of 6.3 reflects the requirement for prior authentication (PR:L), which reduces the baseline attack surface compared to an unauthenticated SQL injection. However, this does not account for: (1) the prevalence and ease of SQL injection exploitation; (2) the high sensitivity of student data in scope; (3) the public availability of working exploit code; (4) the likelihood that organizational password hygiene may be weak, making authentication a surmountable barrier. Organizations handling sensitive data should mentally adjust this to HIGH priority in their risk models. The CVSS vector correctly identifies impact to confidentiality, integrity, and availability (C:L, I:L, A:L)—SQL injection typically allows all three.
Frequently asked questions
Do I need an admin account to exploit this vulnerability?
No, the vulnerability affects the admin editing interface but does not require administrative role privileges. Any authenticated user with access to the class management function can inject SQL. In practice, this means compromised student staff accounts, teacher accounts, or lower-privilege admin accounts can trigger the flaw. Your user permission model should be reviewed to determine who has legitimate access to createClass.php.
What data can an attacker access or modify?
An attacker can read any data accessible to the database user account running CodeAstro SAMS—typically student records, attendance logs, grades, and class rosters. They can modify or delete attendance entries to alter academic records, change class assignments, or disrupt the database. The scope depends on the database schema and permissions, but assume student PII is at risk.
Is there a workaround if I cannot patch immediately?
Yes. Restrict admin interface access to a VPN or specific IP ranges using network firewall rules or reverse proxy authentication. Enable multi-factor authentication for all user accounts. Deploy a WAF rule to block SQL keywords in the ID parameter. Monitor database logs for suspicious queries. These controls reduce exposure but do not eliminate the vulnerability—treat them as interim measures while awaiting a patch.
Why is this not flagged as a Known Exploited Vulnerability (KEV) by CISA?
KEV designation follows specific CISA criteria and timeline; not all publicly exploited vulnerabilities are immediately added to the KEV catalog. Public availability of exploit code does not automatically trigger KEV status. You should still treat this as actively exploited and prioritize patching based on your organizational risk tolerance and data sensitivity, independent of KEV status.
This analysis is provided for informational purposes and reflects the vulnerability details and CVSS assessment as published. No guarantee is made regarding patch availability, timelines, or the completeness of affected product lists. Organizations should verify patch status directly with CodeAstro and test all mitigations in non-production environments before deployment. Liability for security incidents resulting from unpatched systems remains with the system owner. This page does not constitute legal or compliance advice; consult your counsel regarding regulatory obligations (FERPA, state data protection laws) triggered by this vulnerability. Source: NVD (public-domain), retrieved 2026-07-15. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10155MEDIUMSQL Injection in Bdtask Multi-Store Inventory Management System 1.0
- CVE-2026-10170MEDIUMSQL Injection in code-projects Visitor Management System 1.0
- CVE-2026-10171MEDIUMSQL Injection in code-projects Online Music Site 1.0 AdminUpdateAlbum.php
- CVE-2026-10176MEDIUMSQL Injection in Aider-AI Aider 0.86.3 Code Generation
- CVE-2026-10193MEDIUMSQL Injection in OFCMS ComnController – Authentication Required
- CVE-2026-10202MEDIUMOFCMS 1.1.3 SQL Injection in SystemDictController
- CVE-2026-10203MEDIUMSQL Injection in OFCMS 1.1.3 JSON Query Interface
- CVE-2026-10204MEDIUMSQL Injection in OFCMS 1.1.3 JSON Query Interface