VYPR
Medium severity 6.3 · NVD Advisory · Published Apr 5, 2026 · Updated Apr 29, 2026

CVE-2026-5578

Description

A vulnerability was found in CodeAstro Online Classroom 1.0. It affects unknown code in the file /OnlineClassroom/addassessment.php of the component Parameter Handler. Manipulating the argument deleteid results in SQL injection. The attack can be carried out remotely. The exploit has been made public and could be used.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

SQL injection in CodeAstro Online Classroom 1.0 via deleteid parameter in addassessment.php allows remote attackers to execute arbitrary SQL queries.

Vulnerability Overview

A SQL injection vulnerability exists in CodeAstro Online Classroom version 1.0, specifically in the /OnlineClassroom/addassessment.php file. The root cause is insufficient validation of the deleteid parameter, which is directly incorporated into SQL queries without proper sanitization or parameterization [1]. This allows an attacker to inject malicious SQL code through the deleteid parameter.

Exploitation

The attack can be carried out remotely over HTTP GET requests. No authentication is required to reach the vulnerable endpoint. The attacker simply supplies a crafted deleteid value, such as a boolean-based blind or error-based payload, to manipulate the SQL query [1]. Proof-of-concept details have been publicly disclosed, increasing the risk of exploitation.

Impact

Successful exploitation enables an attacker to perform unauthorized database operations, including reading, modifying, or deleting sensitive data. In some cases, it may lead to full system compromise or denial of service [1]. The vulnerability poses a serious threat to data integrity and system availability.

Mitigation

As of the publication date, no official patch has been released by the vendor. Users are advised to implement input validation and use prepared statements or parameterized queries to mitigate the risk. Given the public availability of exploit code, immediate remediation is recommended.
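
The mitigation above (input validation plus a parameterized query) sketched for a delete-by-id handler. This is an added example, not CodeAstro's code and not taken from the advisory: the `assessment` table, its `id` column, and the function names `parseDeleteId` and `deleteAssessment` are hypothetical, and it assumes PHP 8 with PDO, using an in-memory SQLite database so it runs offline.

```php
<?php
// Added example, not the vendor's code. Table, column and function names are hypothetical.
declare(strict_types=1);

/** Return deleteid as a positive int, or null when the raw value is anything else. */
function parseDeleteId(mixed $raw): ?int
{
    if (!is_string($raw)) {              // missing parameter, or an array from deleteid[]=...
        return null;
    }
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

/** Delete one assessment using a bound parameter; returns the number of rows removed. */
function deleteAssessment(PDO $db, mixed $rawDeleteId): int
{
    $id = parseDeleteId($rawDeleteId);
    if ($id === null) {
        return 0;                        // the HTTP layer should answer 400 here
    }
    // The value travels as a typed parameter and is never concatenated into the SQL text.
    $stmt = $db->prepare('DELETE FROM assessment WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount();
}

// Constructed demo data in an in-memory SQLite database (requires pdo_sqlite).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE assessment (id INTEGER PRIMARY KEY, title TEXT)');
$db->exec("INSERT INTO assessment (title) VALUES ('Quiz 1'), ('Quiz 2'), ('Final')");

// Constructed request values: one well-formed id followed by malformed ones.
foreach (['2', '2 OR 1=1', '', ['2'], '-5'] as $value) {
    $removed = deleteAssessment($db, $value);
    $left = (int) $db->query('SELECT COUNT(*) FROM assessment')->fetchColumn();
    printf("%-12s removed=%d remaining=%d\n", json_encode($value), $removed, $left);
}
```

With a MySQL connection, also set `PDO::ATTR_EMULATE_PREPARES` to `false` so the statement is prepared server-side.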

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0. No patches discovered yet.
