CVE-2026-11510
Description
SQL injection vulnerability in CodeAstro Leave Management System 1.0 allows remote attackers to manipulate database queries via the type_of_leave parameter.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A SQL injection vulnerability exists in CodeAstro Leave Management System version 1.0, specifically within the /admin/add_leave.php file. The issue arises from insufficient validation of the type_of_leave parameter, allowing attackers to inject malicious SQL code directly into database queries [1].
Exploitation
An attacker can exploit this vulnerability remotely by sending a crafted POST request to the /admin/add_leave.php endpoint. By manipulating the type_of_leave parameter with SQL injection payloads, an attacker can execute arbitrary SQL commands [1].
Impact
Successful exploitation of this SQL injection vulnerability can lead to unauthorized database access, sensitive data leakage, data tampering, or even complete system compromise. This poses a significant threat to the confidentiality, integrity, and availability of the system and its data [1].
Mitigation
No specific patched version or release date for a fix has been disclosed in the available references. Users are advised to consult the vendor for information on mitigation or remediation. The vendor's homepage is available at [2].
AI Insight generated on Jun 8, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: =1.0
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"The application does not properly sanitize user input in the 'type_of_leave' parameter, allowing it to be directly included in SQL queries."
Attack vector
An attacker can remotely exploit this vulnerability by sending a crafted POST request to the `/admin/add_leave.php` endpoint. The request must include a manipulated `type_of_leave` parameter containing SQL injection payloads. The `number_of_leaves` parameter is also required, but its value is less critical for the exploit itself. This allows attackers to execute arbitrary SQL commands against the database [1].
Affected code
The vulnerability resides in the `/admin/add_leave.php` file within the CodeAstro Leave Management System. Specifically, the `type_of_leave` parameter is processed without adequate sanitization, leading to its direct inclusion in SQL queries [1].
What the fix does
The advisory recommends using prepared statements with parameter binding to prevent SQL injection by treating user input as data rather than executable code. Additionally, it suggests implementing strict input validation and filtering to ensure data conforms to expected formats. Minimizing database user permissions and conducting regular security audits are also advised. No specific patch details are provided in the bundle, but these measures would address the root cause by preventing malicious SQL code from being executed.
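The following is an added illustration of the remediation the advisory recommends, not code from the CodeAstro project: a hardened version of the add_leave handler using a PDO prepared statement with bound parameters, an allowlist check on `type_of_leave`, a bounded integer check on `number_of_leaves`, and a least-privilege connection. The table name `leave_types`, the column names, the `leave_app` database user and the `DB_PASSWORD` environment variable are assumptions.

```php
<?php
// Added example (hypothetical; not the project's own code). Table and column
// names, the database user and the environment variable are assumptions.

// The pattern the advisory describes as the root cause: the request value is
// spliced into the SQL text, so quote characters in the input alter the query.
// $sql = "INSERT INTO leave_types (type_of_leave, number_of_leaves) VALUES ('"
//      . $_POST['type_of_leave'] . "', " . $_POST['number_of_leaves'] . ")";
// $pdo->exec($sql);

function addLeaveType(PDO $pdo, array $post): int
{
    // Strict input validation: a leave type name is letters, digits, space, _ or -.
    $type = trim((string)($post['type_of_leave'] ?? ''));
    if ($type === '' || mb_strlen($type) > 50 || !preg_match('/^[\p{L}\p{N} _-]+$/u', $type)) {
        throw new InvalidArgumentException('type_of_leave has an unexpected format');
    }
    // number_of_leaves must be an integer in a plausible range; anything else is rejected.
    $days = filter_var($post['number_of_leaves'] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 0, 'max_range' => 365]]);
    if ($days === false) {
        throw new InvalidArgumentException('number_of_leaves must be an integer between 0 and 365');
    }

    // Prepared statement with parameter binding: the query text and the values
    // travel separately, so user input is always data and never SQL.
    $stmt = $pdo->prepare(
        'INSERT INTO leave_types (type_of_leave, number_of_leaves) VALUES (:type, :days)'
    );
    $stmt->bindValue(':type', $type, PDO::PARAM_STR);
    $stmt->bindValue(':days', $days, PDO::PARAM_INT);
    $stmt->execute();
    return (int)$pdo->lastInsertId();
}

// Connection: real server-side prepares (no client-side emulation), exceptions on
// error, and an account granted only INSERT/SELECT on the tables this page needs.
$pdo = new PDO('mysql:host=localhost;dbname=leave_db;charset=utf8mb4',
    'leave_app', getenv('DB_PASSWORD'), [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,
    ]);

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    try {
        $id = addLeaveType($pdo, $_POST);
        header('Location: leave_types.php?added=' . $id);
    } catch (InvalidArgumentException $e) {
        http_response_code(400);
        echo htmlspecialchars($e->getMessage(), ENT_QUOTES, 'UTF-8');
    }
}
```

The validation step rejects malformed values before any query runs, and the bound parameters make the remaining input harmless to the query structure even if the allowlist were later relaxed.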
Preconditions
- Network: The vulnerability is exploitable remotely over the network.
- Auth: The advisory indicates the vulnerability is in the `/admin/add_leave.php` file, suggesting that administrative access or privileges might be a prerequisite for exploitation, although the CVSS vector lists PR:L (Low Privileges).
- Input: The attacker must be able to control the value of the 'type_of_leave' parameter.
Generated on Jun 8, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
News mentions
- Codeastro: Seven SQLi and XSS Vulnerabilities Disclosed Together (Vypr Intelligence · Jun 8, 2026)