CVE-2026-10261
Description
SQL injection in CodeAstro Online Job Portal 1.0 via the id parameter in /users/application_status.php allows unauthenticated remote attackers to compromise the database.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A SQL injection vulnerability exists in CodeAstro Online Job Portal version 1.0, specifically in the file /users/application_status.php. The id parameter is directly concatenated into SQL queries without proper sanitization or validation [1]. This flaw affects the application_status.php endpoint and is present in the publicly available source code [2].
Exploitation
An attacker can exploit this vulnerability remotely without any authentication or prior authorization [1]. Sending a crafted GET request to the vulnerable endpoint with a malicious payload in the id parameter allows boolean-based blind, error-based, or other SQL injection techniques. For example, the payload id=1' OR NOT 7307=7307# triggers a boolean-based blind injection [1]: the single quote closes the string literal the application wraps around id, OR NOT 7307=7307 is an always-false condition whose truth value the attacker can flip and observe in the response, and the trailing # starts a MySQL line comment that discards the remainder of the original query. The exploit has been publicly disclosed and may be reused by other attackers.
Impact
Successful exploitation allows an attacker to read from and write to the underlying database without authorization. This can lead to sensitive data leakage (e.g., user credentials, personal information), data tampering (modification or deletion of records), and, under certain configurations (for example, a database account with file-write or other elevated privileges), complete system compromise. The impact covers the confidentiality, integrity, and availability of the application's data and services [1].
Mitigation
No official patch has been released by CodeAstro as of the CVE publication date (2026-06-01). The vendor has not provided a fixed version or workaround in the available references [1][2]. Until a patch is issued, administrators should validate that the id parameter is an integer and pass it to the query through a prepared statement with a bound parameter (rather than relying on escaping), run the application's database account with the minimum privileges it needs, or disable the vulnerable endpoint if possible.
AI Insight generated on Jun 1, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: =1.0
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"The `id` parameter in `/users/application_status.php` is used directly in SQL queries without input validation or sanitization, allowing SQL injection."
Attack vector
An unauthenticated remote attacker sends a crafted GET request to `/users/application_status.php` with a malicious `id` parameter. The payload is injected directly into the SQL query, enabling boolean-based blind, error-based, stacked-query, and time-based blind SQL injection [1]. No login or authorization is required [1].
Affected code
The vulnerability resides in `/users/application_status.php` of CodeAstro Online Job Portal 1.0. The `id` parameter is taken directly from the GET request and interpolated into SQL queries without sanitization or parameterization [1].
What the fix does
The advisory recommends prepared statements with parameter binding to separate SQL code from user input, strict input validation and filtering, minimal database user permissions, and regular security audits [1]. No patch has been published in the bundle.
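The vulnerable pattern described under Exploitation and the hardened form recommended under What the fix does, as an added PHP example. This is illustration code written for this page, not the CodeAstro Online Job Portal source: the table name `applications`, the columns `id` and `status`, the account name `jobportal_ro` and the function names are assumptions, since the page does not show the application's schema or code.

```php
<?php
// Added example for CVE-2026-10261. Not CodeAstro's code: the table
// `applications`, its columns `id` and `status`, and the function names
// below are assumptions, since the project's schema is not shown here.
declare(strict_types=1);

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// VULNERABLE PATTERN (the one the advisory describes): the raw GET value is
// concatenated into the SQL text, so quote characters and comment markers in
// `id` are parsed as SQL rather than treated as data.
function buildVulnerableQuery(string $rawId): string
{
    return "SELECT id, status FROM applications WHERE id = '" . $rawId . "'";
}

// HARDENED VERSION, step 1: validate the type before any SQL is built.
// An application id is a positive integer; FILTER_VALIDATE_INT rejects
// anything else, including "1' OR NOT 7307=7307#".
function validateApplicationId(string $rawId): ?int
{
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// HARDENED VERSION, step 2: bind the value so the driver never parses it as
// part of the statement. Even if validation were bypassed, a bound parameter
// cannot change the structure of the query.
function fetchApplicationStatus(mysqli $db, string $rawId): ?array
{
    $id = validateApplicationId($rawId);
    if ($id === null) {
        http_response_code(400);
        return null;
    }

    $stmt = $db->prepare('SELECT id, status FROM applications WHERE id = ?');
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc(); // get_result() needs the mysqlnd driver
    $stmt->close();

    return $row ?: null;
}

// Stand-alone demonstration (no database needed): show what the advisory's
// payload does to the vulnerable query and that validation rejects it.
$payload = "1' OR NOT 7307=7307#";

echo "Vulnerable query built from the payload:\n";
echo buildVulnerableQuery($payload), "\n\n";

echo "validateApplicationId(payload): ";
var_dump(validateApplicationId($payload));
echo "validateApplicationId(\"42\"): ";
var_dump(validateApplicationId("42"));

// Wiring the hardened function to the real endpoint would look like:
//   $db  = new mysqli('localhost', 'jobportal_ro', $password, 'jobportal');
//   $row = fetchApplicationStatus($db, $_GET['id'] ?? '');
// with `jobportal_ro` an account limited to SELECT on the tables this page
// needs, per the advisory's advice to minimise database user permissions.
```

Running the script shows the vulnerable query becoming `SELECT id, status FROM applications WHERE id = '1' OR NOT 7307=7307#'`: the payload's quote terminates the literal, the attacker-controlled condition is appended, and MySQL discards the dangling closing quote after `#` as a comment. The hardened path never reaches the database with that input, because `validateApplicationId` returns null for it; for a well-formed id the integer bind in `bind_param('i', ...)` keeps the value out of the SQL text entirely, which is what the advisory's "prepared statements and parameter binding" recommendation means in practice.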
Preconditions
- auth: No authentication required; the endpoint is publicly accessible
- network: Attacker must be able to send HTTP GET requests to the vulnerable server
- input: The `id` parameter is accepted without sanitization
Generated on Jun 1, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
News mentions
No linked articles in our index yet.