VYPR
Medium severity (6.3) · NVD Advisory · Published Apr 5, 2026 · Updated Apr 29, 2026

CVE-2026-5580

Description

A vulnerability was identified in CodeAstro Online Classroom 1.0. Impacted is an unknown function of the file /OnlineClassroom/addvideos.php of the component Parameter Handler. The manipulation of the argument videotitle leads to sql injection. It is possible to initiate the attack remotely. The exploit is publicly available and might be used.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

SQL injection vulnerability in CodeAstro Online Classroom 1.0 allows remote attackers to execute arbitrary SQL commands via the videotitle parameter.

Vulnerability

Overview

A SQL injection vulnerability exists in CodeAstro Online Classroom version 1.0, specifically in the /OnlineClassroom/addvideos.php file. The root cause is insufficient validation of the videotitle parameter, which is directly concatenated into SQL queries without proper sanitization or parameterization. This flaw enables attackers to inject malicious SQL payloads through the parameter, leading to unauthorized database operations [1].

Exploitation

An attacker can exploit this vulnerability remotely by sending a crafted POST request to the vulnerable script with a malicious videotitle value. No authentication appears to be required. A proof-of-concept payload for time-based blind SQL injection has been publicly disclosed, demonstrating reliable exploitation. The attack surface is accessible over the network, making it easy for remote adversaries to target the application [1].

Impact

Successful exploitation allows attackers to gain unauthorized access to the underlying database. Potential consequences include reading sensitive data (such as user credentials or personal information), modifying or deleting records, and in some cases achieving complete system compromise. The public availability of exploit code increases the risk of active attacks against unpatched installations [1].

Mitigation

The vendor (CodeAstro) has not released a fix for this vulnerability as of the publication date. Users are advised to implement input validation and use prepared statements with parameterized queries to prevent SQL injection. Until a patch is available, network-level controls such as web application firewalls may help mitigate exploitation. The software is available from CodeAstro's website [2].
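The following PHP is an added illustration of the two patterns the advisory contrasts: a handler that concatenates the videotitle value into an INSERT statement (the flaw described above) beside one that validates the input and binds it through a PDO prepared statement (the fix recommended above). It is not CodeAstro's code, and the table name `videos`, the columns `videotitle`/`videourl`, the DSN and the credentials are placeholders chosen for the example.

```php
<?php
// Added illustration, not code from CodeAstro Online Classroom.
// Assumed schema: a MySQL table `videos` with columns `videotitle` and `videourl`.
declare(strict_types=1);

// --- Vulnerable pattern: the request value is spliced into the SQL text, so any
// quote or SQL metacharacter in videotitle changes the meaning of the statement.
function add_video_vulnerable(PDO $pdo, array $post): void
{
    $title = $post['videotitle'] ?? '';
    $url   = $post['videourl'] ?? '';
    $sql = "INSERT INTO videos (videotitle, videourl) VALUES ('" . $title . "', '" . $url . "')";
    $pdo->exec($sql);   // input is parsed as part of the query grammar
}

// --- Hardened pattern: validate the shape of the input, then bind it as data.
function validate_title(string $title): ?string
{
    $title = trim($title);
    if ($title === '' || mb_strlen($title) > 200) {
        return null;                       // empty or implausibly long title
    }
    if (preg_match('/[\x00-\x1F\x7F]/u', $title)) {
        return null;                       // control characters never belong in a title
    }
    return $title;
}

function add_video_safe(PDO $pdo, array $post): bool
{
    $title = validate_title((string)($post['videotitle'] ?? ''));
    $url   = filter_var($post['videourl'] ?? '', FILTER_VALIDATE_URL);
    if ($title === null || $url === false) {
        http_response_code(400);           // reject malformed input before touching the DB
        return false;
    }
    // Placeholders keep the value out of the SQL text; the driver sends it separately.
    $stmt = $pdo->prepare('INSERT INTO videos (videotitle, videourl) VALUES (:title, :url)');
    return $stmt->execute([':title' => $title, ':url' => $url]);
}

// Assumed connection setup: server-side prepares (no client-side emulation) and
// exceptions on error so a failed statement cannot pass silently.
function connect(string $dsn, string $user, string $pass): PDO
{
    return new PDO($dsn, $user, $pass, [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,
    ]);
}

if (PHP_SAPI !== 'cli' && ($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    // Placeholder DSN and credentials; replace with the deployment's own values.
    $pdo = connect('mysql:host=localhost;dbname=classroom;charset=utf8mb4', 'app', 'changeme');
    add_video_safe($pdo, $_POST);
}
```

The validation step is not what stops the injection; the prepared statement is. Validation is there so that obviously malformed submissions are rejected with a 400 (and can be logged as a signal) rather than stored, and `PDO::ATTR_EMULATE_PREPARES => false` makes sure binding happens in the MySQL server rather than by string escaping in the client library.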

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References: 5

News mentions: 0

No linked articles in our index yet.