CVE-2026-12175

Vulnerability

A SQL injection vulnerability exists in the /attendance-php/Admin/createStudents.php file of CodeAstro Student Attendance Management System version 1.0. The admissionNumber parameter is directly incorporated into SQL queries without proper sanitization or validation, allowing injection of malicious SQL code. The vulnerability is classified as time-based blind SQL injection, requiring no special configuration beyond the default application setup. [1]

Exploitation

An attacker with network access to the application can send a crafted POST request to the vulnerable endpoint, supplying a malicious payload in the admissionNumber parameter. The exploit does not require authentication or prior privileges. The provided proof-of-concept payload uses a AND (SELECT ... FROM ... WHERE SLEEP(...)) technique to perform time-based blind SQL injection, enabling extraction of data character by character. The exploit code has been publicly released. [1]

Impact

Successful exploitation allows the attacker to gain unauthorized access to the underlying MySQL database. This can lead to leakage of sensitive data (e.g., student records, credentials), data tampering, or even complete compromise of the database server. The attacker may also achieve comprehensive system control or cause service interruption, as the injection can modify or delete database content. [1]

Mitigation

As of the publication date, no official patch or fixed version has been released. The vendor has not issued an advisory. Administrators should restrict access to the /attendance-php/Admin/ directory, implement strict input validation and parameterized queries, or consider migrating to a different attendance management solution. The vulnerability is not currently listed in CISA's Known Exploited Vulnerabilities (KEV) catalog. [1]