MEDIUM 6.3

CVE-2026-11585: SQL Injection in CodeAstro Student Attendance System 1.0

CodeAstro Student Attendance Management System version 1.0 contains a SQL injection vulnerability in its class management functionality. An authenticated attacker can manipulate the classId parameter in the createClassArms.php file to inject malicious SQL commands, potentially allowing unauthorized access to or modification of the database. The vulnerability requires user authentication but can be exploited remotely without user interaction.

Source data · NVD / CISA · public domain

CVSS
3.1 · 6.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Weaknesses (CWE)
CWE-74, CWE-89
Affected products
0 configuration(s)
Published / Modified
2026-06-08 / 2026-06-17

NVD description (verbatim)

A vulnerability was determined in CodeAstro Student Attendance Management System 1.0. Affected is an unknown function of the file /attendance-php/Admin/createClassArms.php. This manipulation of the argument classId causes sql injection. The attack can be initiated remotely. The exploit has been publicly disclosed and may be utilized.

6 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-11585 is a SQL injection vulnerability (CWE-89, CWE-74) present in CodeAstro Student Attendance Management System 1.0. The vulnerability exists in /attendance-php/Admin/createClassArms.php where the classId argument is processed without sufficient input validation or parameterized query protection. An authenticated user with access to the affected endpoint can craft a malicious classId value containing SQL metacharacters to execute arbitrary database queries. The attack vector is network-based, requires valid credentials, and does not require user interaction beyond the attacker's own actions.

Business impact

This vulnerability poses a moderate risk to educational institutions and organizations using CodeAstro for attendance tracking. Authenticated administrators or users with access to class management features could read sensitive student records, modify attendance data, alter grades or enrollments, or potentially escalate privileges within the application. Data integrity of attendance records—critical for institutional compliance and reporting—cannot be assured. The reputational and operational impact depends on an organization's reliance on system data for accreditation, financial aid processing, or regulatory reporting.

Affected systems

CodeAstro Student Attendance Management System version 1.0 is confirmed affected. The vulnerability specifically impacts the Admin createClassArms functionality. Organizations running this product should inventory instances, particularly those internet-facing or accessible to untrusted administrative users. Verify your deployment version against vendor advisories, as patched versions may be available.

Exploitability

The vulnerability is moderately exploitable. Public disclosure has occurred, increasing the likelihood that proof-of-concept or attack tooling may emerge. However, exploitation requires valid authentication credentials—an attacker must already have admin or class-management access to the application. This reduces opportunistic exploitation risk but increases insider threat and compromised-account scenarios. The attack surface is limited to authenticated sessions.

Remediation

Apply a patched version of CodeAstro Student Attendance Management System released by the vendor. Verify the specific version number in the vendor advisory. As an interim measure, restrict network access to the /attendance-php/Admin/ directory to trusted IP ranges, enforce strong authentication policies, and monitor for unusual database query patterns or admin activity. Conduct a database audit to detect any unauthorized modifications to attendance records since deployment.

Patch guidance

Contact CodeAstro support or consult the vendor's advisory for the patched version. Apply updates in a test environment first to verify compatibility with your institutional integrations. Given the authentication requirement, patch deployment can typically be scheduled outside emergency windows, but should not be deferred indefinitely given public disclosure. Document the patch version applied for compliance and audit purposes.

Detection guidance

Monitor application logs for failed SQL syntax errors in the createClassArms.php handler, particularly those containing SQL keywords (UNION, SELECT, OR, AND) in the classId parameter. Query database audit logs for unexpected administrative queries or data access patterns initiated from the Admin interface. Look for HTTP requests to /attendance-php/Admin/createClassArms.php with unusual or Base64-encoded classId values. Implement Web Application Firewall (WAF) rules to block requests containing SQL injection patterns targeting this endpoint.

Why prioritize this

While CVSS 6.3 (Medium) reflects the authentication requirement, this vulnerability should be prioritized for patching in the near term because: (1) public disclosure increases weaponization risk, (2) educational data is sensitive and regulated in many jurisdictions, (3) attendance record integrity is fundamental to institutional operations, and (4) insider threats and credential compromise are realistic attack vectors in educational environments. Organizations should patch within 30–60 days depending on their patch management cycle.

Risk score, explained

CVSS 6.3 reflects a vulnerability with network accessibility and low complexity, but tempered by the requirement for prior authentication (PR:L). The impact scores of Low (C:L, I:L, A:L) indicate the attacker can read and modify data but cannot cause complete system denial. The lack of scope change (S:U) limits the blast radius. The score accurately captures a notable but not critical risk; however, context—such as exposure of sensitive student data—may warrant organizational risk elevation.

Frequently asked questions

Do we need to update immediately if we run CodeAstro 1.0?

Yes, but not necessarily in the next hour. Because exploitation requires valid credentials, you should prioritize patching within 30–60 days and apply additional controls (IP restrictions, enhanced monitoring) in the interim. Do not defer indefinitely—public disclosure increases the likelihood of weaponization.

What if we can't reach the vendor for a patch?

Implement compensating controls: restrict admin interface access via firewall or VPN, enforce multi-factor authentication for admin accounts, isolate the attendance system from the internet, and enable comprehensive logging of all database queries and admin actions. Escalate to the vendor through support channels and consider migrating to an alternative product if patches are not forthcoming.

Will this vulnerability affect student data if our database is properly backed up?

Backups protect against data loss but do not prevent unauthorized read or modification during an active attack. If an attacker injects SQL to exfiltrate student records, backups will not prevent the breach. Focus on preventing the attack itself through patching and access controls.

How does this affect our institutional compliance (FERPA, GDPR, etc.)?

Unpatched SQL injection vulnerabilities in systems handling student personal data represent a compliance risk. Most regulations require reasonable security controls to protect personal information. Document your remediation timeline and controls in your compliance file. If a breach occurs due to negligent non-patching, liability exposure increases significantly.

This analysis is based on vendor-supplied vulnerability data and public disclosures current as of June 2026. Security assessments are contextual; your organization's risk depends on deployment scope, network exposure, and access controls. Test all patches in non-production environments before deployment. SEC.co does not provide legal advice; consult your compliance and legal teams regarding regulatory obligations. This document does not constitute a guarantee of security and should be combined with your organization's standard risk management and patch governance processes. Source: NVD (public-domain), retrieved 2026-07-15. Analysis generated by SEC.co (claude-haiku-4-5).