CVE-2026-11491

Vulnerability

A stored cross-site scripting (XSS) vulnerability exists in CodeAstro Human Resource Management System version 1.0. The vulnerability resides within the Notice Board Management component, specifically in the file /notice/All_notice. It is triggered by manipulating the Notice Title parameter with malicious input.

Exploitation

An attacker can exploit this vulnerability remotely by sending a crafted POST request to the /notice/All_notice endpoint. The request must include a malicious payload, such as `, within the Notice Title` parameter. No user interaction or special privileges are required for exploitation.

Impact

Successful exploitation of this vulnerability allows an attacker to execute arbitrary JavaScript code in the context of a victim's browser. This can lead to session hijacking, defacement, or redirection to malicious websites, impacting the confidentiality and integrity of user data.

Mitigation

CodeAstro Human Resource Management System version 1.0 is affected. Information regarding a patched version or specific mitigation steps is not yet publicly disclosed in the available references. Users are advised to monitor the vendor's website for updates [1].