VYPR
Medium severity 6.3 · NVD Advisory · Published Jun 8, 2026 · Updated Jun 8, 2026

CVE-2026-11507

Description

SQL injection vulnerability in CodeAstro Leave Management System 1.0 allows remote attackers to access, modify, or delete database data.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A SQL injection vulnerability exists in the delete_leave_type.php file of CodeAstro Leave Management System version 1.0. The vulnerability arises from insufficient validation of the leave_type parameter, which is directly incorporated into SQL queries without proper sanitization [1].

Exploitation

An attacker can exploit this vulnerability remotely by manipulating the leave_type argument via GET requests. By injecting malicious SQL code, an attacker can alter the intended SQL query. A proof-of-concept payload demonstrates a time-based blind SQL injection technique using a SLEEP function [1].

Impact

Successful exploitation allows attackers to gain unauthorized access to the database, potentially leading to sensitive data leakage, data tampering, or complete system control. In severe cases, it could also result in service interruption [1].

Mitigation

No specific patched version or release date for a fix has been disclosed in the available references. Users are advised to consult the vendor for the latest security updates. The vendor's website is available at [2].

AI Insight generated on Jun 8, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0 (no patches discovered yet)

Vulnerability mechanics

Root cause

"The 'leave_type' parameter is used directly in SQL queries without proper sanitization or validation."

Attack vector

An attacker can exploit this vulnerability remotely by manipulating the `leave_type` argument of the `/admin/delete_leave_type.php` file. The vulnerability stems from insufficient validation of user input, which allows injected SQL to change the intended query. This can lead to unauthorized database access, data modification, or leakage of sensitive information [1]. The attack can be executed via a GET request, as demonstrated by a time-based blind SQL injection payload targeting MySQL [1].

Affected code

The vulnerability resides in the `/admin/delete_leave_type.php` file of the CodeAstro Leave Management System version 1.0. Specifically, the `leave_type` parameter is incorporated directly into SQL queries without adequate sanitization, enabling SQL injection [1].

What the fix does

The advisory does not specify a patch or provide details of a fix. It does recommend using prepared statements with parameter binding so that SQL code is kept separate from user input, and implementing strict input validation and filtering so that data conforms to the expected format. Additionally, it suggests minimizing the database user's permissions and conducting regular security audits [1].
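
As an added illustration of the recommended fix (constructed example, not CodeAstro's own code), the unsafe pattern the advisory describes is shown beside a version that validates the parameter and binds it with a mysqli prepared statement; the connection `$db`, the table `tblleavetype` and its integer key `id` are assumed names.

```php
<?php
// Constructed delete handler for a leave-type record. Assumes an open mysqli
// connection $db and a table `tblleavetype` with integer primary key `id`
// (assumed names, not taken from the project). Any authentication and
// authorization check for the /admin/ area is assumed to run before this.

// UNSAFE: the pattern behind this CVE. The request value is spliced into the
// SQL text, so the quoting inside the statement is decided by the request,
// not by the developer, and the database parses the value as SQL.
function delete_leave_type_unsafe(mysqli $db, string $leaveType): bool
{
    $sql = "DELETE FROM tblleavetype WHERE id = '" . $leaveType . "'";
    return $db->query($sql) !== false;
}

// SAFE: allow-list validation first, then parameter binding. The id travels
// to the server separately from the SQL text, so it can never alter the query.
function delete_leave_type_safe(mysqli $db, string $leaveType): bool
{
    // Only a positive decimal integer of reasonable length is acceptable;
    // anything else (quotes, spaces, SQL keywords) is rejected outright.
    if (!preg_match('/^[1-9][0-9]{0,9}$/', $leaveType)) {
        return false;
    }
    $id = (int) $leaveType;

    $stmt = $db->prepare('DELETE FROM tblleavetype WHERE id = ?');
    if ($stmt === false) {
        return false;
    }
    $stmt->bind_param('i', $id);          // 'i' binds the value as an integer
    $ok = $stmt->execute();
    $deleted = $stmt->affected_rows;       // 1 when the row existed and was removed
    $stmt->close();
    return $ok && $deleted === 1;
}

// Usage from the request handler (connection parameters are placeholders):
// $db = new mysqli('localhost', 'DB_USER', 'DB_PASSWORD', 'DB_NAME');
// $done = delete_leave_type_safe($db, $_GET['leave_type'] ?? '');
```

The same validation step makes the time-based payload quoted in the advisory fail before any query runs, and the bound parameter would neutralize it even if validation were skipped.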

Preconditions

  • Auth: the attacker needs 'PR:L' privileges, i.e. low privileges are required.
  • Network: the vulnerability is remotely exploitable ('AV:N').
  • Input: the attacker must manipulate the 'leave_type' parameter.

Reproduction

leave_type=1' AND (SELECT 8174 FROM (SELECT(SLEEP(5)))Dnxm) AND 'aebZ'='aebZ

Generated on Jun 8, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 6

News mentions: 1