VYPR
Medium severity (6.3) · NVD Advisory · Published May 26, 2026

CVE-2026-9542


Description

A weakness has been identified in CodeAstro Leave Management System 1.0. The affected element is an unknown function of the file /admin/add_staff.php. Executing a manipulation of the argument email_id can lead to SQL injection. The attack can be launched remotely. The exploit has been made available to the public and could be used for attacks.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

SQL injection in CodeAstro Leave Management System 1.0 via email_id parameter in /admin/add_staff.php allows remote attackers to execute arbitrary SQL queries.

Vulnerability

An SQL injection vulnerability exists in CodeAstro Leave Management System version 1.0, specifically in the /admin/add_staff.php file. The email_id parameter of the POST request is concatenated into an SQL statement without validation or parameterization [1], so a quote character in the value terminates the intended string literal and everything after it is parsed as SQL. The software is available from the vendor's website [2].

Exploitation

The attack is reported as remotely exploitable without authentication, on the basis that the /admin/add_staff.php script does not enforce a prior login. An attacker submits a POST request to the endpoint with a crafted value in the email_id parameter. The boolean-based blind payload shown in the reference, 123@12.com' AND 8158=8158 AND 'XhTn'='XhTn, closes the string literal, appends a condition, and reopens a string so that the trailing quote added by the application still balances; comparing the response with the same probe carrying a false condition (for example 8158=8159) gives the attacker a true/false oracle from which data can be extracted one comparison at a time [1]. No user interaction is required; the attacker only needs network access to the web server. One caveat: the 6.3 score shown above is consistent with a CVSS 3.1 vector requiring low privileges (PR:L) rather than none, so confirm whether the script checks for an admin session in your deployment before treating this as a pre-authentication issue.
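The following is an added example, not code from the page or from CodeAstro, that reproduces the mechanism described in the Vulnerability and Exploitation sections against an in-memory SQLite table. The schema, the duplicate-address lookup and the sample rows are assumptions, since the real add_staff.php logic is not shown on this page; the probe builder produces payloads in exactly the shape quoted above (with an existing address substituted so that the true/false difference is visible), and the hardened function shows the parameterized query that the Mitigation section recommends.

```python
import re
import sqlite3

# Constructed in-memory stand-in for the application's staff table. The real
# schema of CodeAstro Leave Management System is not shown on this page, so the
# table name, columns and sample rows are assumptions.
SCHEMA = """
CREATE TABLE staff (id INTEGER PRIMARY KEY, name TEXT NOT NULL, email_id TEXT NOT NULL);
INSERT INTO staff (name, email_id) VALUES ('alice', 'alice@example.com');
INSERT INTO staff (name, email_id) VALUES ('bob', 'bob@example.com');
"""

# Conservative address syntax: no quotes, whitespace or comment characters.
# Rejecting malformed input is defence in depth, not the primary fix.
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def fresh_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def blind_probe(email, condition):
    """Builds a payload in the shape quoted in the advisory
    (123@12.com' AND 8158=8158 AND 'XhTn'='XhTn): close the string literal,
    append a condition, then reopen a string so the application's own trailing
    quote still balances."""
    return f"{email}' AND {condition} AND 'XhTn'='XhTn"


def vulnerable_lookup(conn, email_id):
    """Assumed shape of the flawed code path: a duplicate-address check that
    splices the POST parameter into the SQL text, so the whole value is parsed
    as SQL."""
    sql = "SELECT COUNT(*) FROM staff WHERE email_id = '" + email_id + "'"
    return conn.execute(sql).fetchone()[0]


def hardened_lookup(conn, email_id):
    """Parameterized form: email_id is bound as a value, so the quotes and the
    AND clause are compared as literal characters, never parsed."""
    sql = "SELECT COUNT(*) FROM staff WHERE email_id = ?"
    return conn.execute(sql, (email_id,)).fetchone()[0]


def is_valid_email(email_id):
    """Secondary check: a probe string never passes, a real address does."""
    return EMAIL_RE.fullmatch(email_id) is not None


def demonstrate():
    """Returns (vulnerable_true, vulnerable_false, hardened_true,
    hardened_false, tautology_rows). The first pair differs, which is the
    oracle a blind probe relies on; the hardened pair does not."""
    conn = fresh_db()
    true_payload = blind_probe("alice@example.com", "8158=8158")
    false_payload = blind_probe("alice@example.com", "8158=8159")
    result = (
        vulnerable_lookup(conn, true_payload),    # alice exists and the condition holds
        vulnerable_lookup(conn, false_payload),   # injected condition is false
        hardened_lookup(conn, true_payload),      # no row has that literal address
        hardened_lookup(conn, false_payload),
        vulnerable_lookup(conn, "x' OR '1'='1"),  # tautology: every row matches
    )
    conn.close()
    return result


if __name__ == "__main__":
    print(demonstrate())
    print(is_valid_email("alice@example.com"),
          is_valid_email(blind_probe("a@b.co", "1=1")))
```

The tautology case goes one step beyond the page's payload to show why the differential matters: once the attacker controls the WHERE clause, the same splice point can be used to match every row or to drive a UNION or time-based extraction. Only the bound-parameter form removes that control; the regex merely shrinks the attack surface.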

Impact

Successful exploitation enables an attacker to perform unauthorized operations on the underlying database. This can lead to unauthorized access to sensitive data (e.g., staff credentials and personal information), data tampering, and, depending on the privileges of the database account the application uses, further compromise of the host. The impact includes information disclosure, data integrity loss, and service disruption [1].

Mitigation

As of the publication date, no official patch or updated version has been released by the vendor, and version 1.0 remains vulnerable. The proper fix is to bind email_id as a query parameter (a prepared statement) wherever /admin/add_staff.php builds SQL from it; validating that the value is a well-formed e-mail address is a useful additional check but not a substitute for parameterization. Until a fix is available, restricting network access to the /admin/ path and confirming that the script enforces an authenticated admin session reduce exposure. Organizations using this software should monitor the vendor's website [2] for updates. Because a public exploit exists, immediate remediation is recommended. Not listed in CISA KEV at publication.

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

5

News mentions

0

No linked articles in our index yet.