VYPR
Medium severity · 6.3 · NVD Advisory · Published Apr 5, 2026 · Updated Apr 29, 2026

CVE-2026-5579

Description

A vulnerability was found in CodeAstro Online Classroom 1.0. It affects unknown processing in the file /OnlineClassroom/updatedetailsfromfaculty.php?myfid=108 of the component Parameter Handler. Manipulating the argument fname can lead to SQL injection. The attack can be performed remotely. The exploit has been publicly disclosed and may be used.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

SQL injection in CodeAstro Online Classroom 1.0 via the fname parameter in updatedetailsfromfaculty.php allows remote unauthenticated attackers to manipulate database queries.

Vulnerability

A SQL injection vulnerability has been identified in CodeAstro Online Classroom version 1.0 within the /OnlineClassroom/updatedetailsfromfaculty.php script. The flaw exists in the parameter handler, specifically in the fname argument passed via POST request to the endpoint updatedetailsfromfaculty.php?myfid=108. The root cause is the application's failure to sanitize or validate user-supplied input before using it in SQL queries, allowing attackers to inject arbitrary SQL code [1].

Exploitation

The attack is remotely exploitable without prior authentication. According to the published proof of concept, the fname parameter is vulnerable to boolean-based blind SQL injection using MySQL RLIKE payloads. This means an attacker can extract information from the database by observing the application's response differences when injecting conditional SQL clauses [1]. The attack surface is accessible to any remote user who can send HTTP requests to the target application.

Impact

Successful exploitation can lead to unauthorized database access, exfiltration of sensitive data, data tampering, or even complete system compromise. The impact is significant because the database likely stores user credentials, personal information, and application content. An attacker could also modify or delete records, potentially disrupting the service [1].

Mitigation

As of the publication date, CVE-2026-5579 has been publicly disclosed with exploit details; however, no official patch or vendor statement has been provided. The vendor homepage offers the software for download [2]. Users should apply input validation and parameterized queries to all user-controllable parameters, especially fname, and restrict database permissions to limit the damage from future SQL injection attempts. Since the vulnerability is publicly known, immediate remediation is advised.
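
The parameterized-query and input-validation fix recommended above, as an added example (not code from CodeAstro or from the cited proof of concept). The table and column names (`faculty`, `fid`, `fname`) and both function names are assumptions, since the page does not show the application's schema or source; an in-memory SQLite database stands in for MySQL so the block runs offline, and the PDO calls are the same with the MySQL driver.

```php
<?php
declare(strict_types=1);

// Assumed schema: the advisory does not show the real table or column names.
function open_demo_db(): PDO
{
    // In-memory SQLite stands in for the application's MySQL database.
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE faculty (fid INTEGER PRIMARY KEY, fname TEXT NOT NULL)');
    $db->exec("INSERT INTO faculty (fid, fname) VALUES (108, 'Alice'), (109, 'Bob')");
    return $db;
}

// Hypothetical handler core: validates both inputs, then binds them as data.
// Returns true only when exactly one row was updated.
function update_faculty_name(PDO $db, string $rawFid, string $rawFname): bool
{
    // myfid must be a positive integer, nothing else.
    $fid = filter_var($rawFid, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($fid === false) {
        return false;
    }
    // fname allowlist: letters, spaces, periods, apostrophes, hyphens; 1 to 64 chars.
    $fname = trim($rawFname);
    if (!preg_match('/^[\p{L} .\'-]{1,64}$/u', $fname)) {
        return false;
    }
    // Placeholders keep the SQL text fixed; input never becomes part of the statement.
    $stmt = $db->prepare('UPDATE faculty SET fname = :fname WHERE fid = :fid');
    $stmt->bindValue(':fname', $fname, PDO::PARAM_STR);
    $stmt->bindValue(':fid', $fid, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount() === 1;
}

$db = open_demo_db();
// Constructed inputs: a legitimate name with an apostrophe, then two malformed values.
$cases = [['108', "O'Neil"], ['108', "a' = 'a"], ['108 OR 1=1', 'Carol']];
foreach ($cases as [$fid, $fname]) {
    $ok = update_faculty_name($db, $fid, $fname);
    printf("%-12s %-10s %s\n", $fid, $fname, $ok ? 'updated' : 'rejected');
}
foreach ($db->query('SELECT fid, fname FROM faculty ORDER BY fid') as $row) {
    printf("%d => %s\n", $row['fid'], $row['fname']);
}
```

With the MySQL driver, `rowCount()` reports rows actually changed, so an update that writes the same value already stored returns 0 unless `PDO::MYSQL_ATTR_FOUND_ROWS` is enabled.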

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.

References

5
