VYPR
High severity · CVSS 7.3 · NVD Advisory · Published Jun 1, 2026 · Updated Jun 1, 2026

CVE-2026-10260

Description

SQL injection in CodeAstro Online Job Portal 1.0 delete-jobs.php allows unauthenticated remote attackers to execute arbitrary SQL commands via the 'id' parameter.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The vulnerability exists in the delete-jobs.php file of CodeAstro Online Job Portal version 1.0. The id parameter is directly used in SQL queries without sanitization, allowing SQL injection. Affected versions: 1.0. [1]

Exploitation

The attack is remote and requires no authentication. An attacker can send a crafted GET request to /admin/jobs-admins/delete-jobs.php with a malicious id parameter. The provided payload demonstrates boolean-based blind and error-based SQL injection techniques. [1]

Impact

Successful exploitation allows an attacker to access, modify, or delete database contents, potentially leading to sensitive data leakage, data tampering, and full system compromise. [1]

Mitigation

As of the publication date, no official patch has been released. The vendor (CodeAstro) has not provided a fix. Users should consider input validation and parameterized queries as a workaround. The project may be EOL or unmaintained. [2]

AI Insight generated on Jun 1, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0 (no patches discovered yet)

Vulnerability mechanics

Root cause

"The 'id' parameter in delete-jobs.php is used directly in SQL queries without sanitization or validation, allowing SQL injection."

Attack vector

An unauthenticated remote attacker can send a crafted GET request to `/admin/jobs-admins/delete-jobs.php` with a malicious `id` parameter. No login or authorization is required [ref_id=1]. The payload can exploit boolean-based blind, error-based, stacked queries, or time-based blind SQL injection techniques to extract or manipulate database contents [ref_id=1].

Affected code

The vulnerability resides in the file `/admin/jobs-admins/delete-jobs.php` of CodeAstro Online Job Portal 1.0. The `id` parameter is taken directly from the GET request and used in SQL queries without sanitization or validation [ref_id=1].

What the fix does

The advisory recommends using prepared statements and parameter binding to separate SQL code from user input, strict input validation and filtering, minimizing database user permissions, and conducting regular security audits [ref_id=1]. No patch has been published by the vendor.
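The mitigation named above (prepared statements with parameter binding, strict input validation, and a least-privilege database account) is shown below as an added illustration; this is not the CodeAstro project's own code, and the table name `jobs`, the integer primary key `id`, the `mysqli` handle `$conn`, and the session key `admin_id` are assumptions chosen for the example. The first function reproduces the class of defect the root cause describes (the query-string value concatenated into the SQL text); the second is the hardened form.

```php
<?php
// Added example, not code from CodeAstro Online Job Portal.
// Assumed schema: table `jobs` with integer primary key `id`.
// Assumed: $conn is a mysqli connection opened with a database account that
// holds only the privileges this endpoint needs (DELETE on `jobs`), so even a
// query that does get through cannot read or alter unrelated tables.

// --- Vulnerable pattern (the defect class the advisory describes) ---
// The raw query-string value becomes part of the SQL text, so the client
// controls the structure of the statement, not just a value inside it.
function delete_job_unsafe(mysqli $conn, array $get): bool
{
    $id  = $get['id'];                                   // untrusted, unvalidated
    $sql = "DELETE FROM jobs WHERE id = '" . $id . "'";  // string interpolation
    return (bool) $conn->query($sql);
}

// --- Hardened version: auth check, strict validation, parameter binding ---
function delete_job_safe(mysqli $conn, array $get, array $session): bool
{
    // 1. The endpoint lives under /admin; require an authenticated admin
    //    session before doing anything (assumed session key `admin_id`).
    if (empty($session['admin_id'])) {
        http_response_code(403);
        return false;
    }

    // 2. Strict input validation: `id` must be a positive integer. Anything
    //    else (quotes, operators, comments) is rejected before it reaches SQL.
    $id = filter_var(
        $get['id'] ?? null,
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]
    );
    if ($id === false) {
        http_response_code(400);
        return false;
    }

    // 3. Prepared statement with bound parameter: the SQL text is fixed at
    //    prepare time and the value is sent separately, so it can never be
    //    parsed as SQL regardless of its content.
    $stmt = $conn->prepare('DELETE FROM jobs WHERE id = ?');
    if ($stmt === false) {
        error_log('prepare failed: ' . $conn->error);
        return false;
    }
    $stmt->bind_param('i', $id);
    $ok       = $stmt->execute();
    $affected = $stmt->affected_rows;
    $stmt->close();

    // Exactly one row should go away; log anything else for review.
    if (!$ok || $affected !== 1) {
        error_log("delete-jobs: id=$id ok=" . var_export($ok, true) . " affected=$affected");
        return false;
    }
    return true;
}

// Usage (assumed wiring into the request):
// $conn = new mysqli('localhost', 'jobportal_delete', 'secret', 'jobportal');
// delete_job_safe($conn, $_GET, $_SESSION);
```

The validation step alone would block the payloads this advisory describes, but it is the prepared statement that removes the vulnerability class: with the value bound rather than interpolated, the query's structure cannot change even if validation is later loosened or bypassed. The two layers are complementary, and the least-privilege account limits what an error elsewhere in the application could reach.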

Preconditions

  • config: The target must be running CodeAstro Online Job Portal 1.0 with the vulnerable delete-jobs.php endpoint accessible.
  • auth: No authentication or authorization is required to reach the vulnerable endpoint.
  • network: The attacker must be able to send HTTP GET requests to the server.
  • input: The attacker supplies a malicious 'id' parameter value in the query string.

Generated on Jun 1, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 6