VYPR
Published Jun 13, 2026 · Updated Jun 15, 2026 · 1 source

CodeAstro: Four SQLi and XSS Bugs Disclosed Across Two Management Systems


Key findings

  • Four CVEs disclosed across CodeAstro Student Attendance and HR Management systems
  • Two SQL injection flaws (CVE-2026-12175, CVE-2026-12131) in admin input fields
  • Two XSS bugs (CVE-2026-12130, CVE-2026-12129) in project and dashboard forms
  • All four vulnerabilities are remotely exploitable without authentication
  • No official patches released as of disclosure date
  • Exploit details for CVE-2026-12175 have been publicly published

On June 12–13, 2026, four security vulnerabilities were disclosed across two products from CodeAstro: the Student Attendance Management System 1.0 and the Human Resource Management System 1.0. The batch includes two SQL injection flaws and two stored cross-site scripting (XSS) bugs, all remotely exploitable. While the individual severity ratings range from Low to Medium, the cluster underscores recurring input-validation weaknesses in CodeAstro's PHP-based administrative panels.

SQL Injection Flaws

Two of the four CVEs are SQL injection vulnerabilities. CVE-2026-12175 (CVSS 4.7, Medium) affects the Student Attendance Management System 1.0 in the file /attendance-php/Admin/createStudents.php. An attacker can manipulate the admissionNumber argument to inject arbitrary SQL queries, potentially extracting or modifying student records. The exploit has been publicly disclosed, increasing the risk of weaponization.

CVE-2026-12131 (CVSS 6.3, Medium) targets the Human Resource Management System 1.0, specifically the Payroll Invoice Module in application/controllers/Payroll.php. By tampering with the ID argument, an unauthenticated remote attacker can perform SQL injection against the payroll database, which may expose sensitive employee compensation data.

Cross-Site Scripting Issues

The remaining two CVEs are reflected/stored XSS bugs in the Human Resource Management System 1.0. CVE-2026-12130 (CVSS 3.5, Low) resides in the Projects Management Page at /Projects/Add_Projects, where the protitle argument is not sanitized, allowing an attacker to inject arbitrary JavaScript. CVE-2026-12129 (CVSS 3.5, Low) is found in the Dashboard Interface at /dashboard/add_tod, where the todo_data parameter is similarly mishandled. Both attacks can be launched remotely and could lead to session hijacking or defacement.

Impact and Exploitation Context

All four vulnerabilities are remotely exploitable without authentication, making them attractive targets for opportunistic attackers. The SQL injection flaws (CVE-2026-12175, CVE-2026-12131) could allow data exfiltration from the underlying MySQL databases, while the XSS bugs (CVE-2026-12130, CVE-2026-12129) could be used to phish administrative credentials or pivot to internal systems. As of the disclosure date, no active exploitation in the wild has been reported, but the public availability of exploit details for CVE-2026-12175 lowers the barrier for attackers.

Response and Patch Status

CodeAstro has not yet released official patches for any of the four CVEs at the time of disclosure. Users of Student Attendance Management System 1.0 and Human Resource Management System 1.0 are advised to apply input validation and parameterized queries as interim mitigations. The vendor has not published a security advisory or version update timeline.
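The interim mitigations named above, shown as an added PHP example that is not CodeAstro's code: a parameterized lookup keyed on the admissionNumber argument from CVE-2026-12175, an allow-list check in front of it, and output encoding for values like protitle and todo_data (output encoding is the standard fix for the XSS class and is added here, not taken from the advisory). The table name, column names, the ADM-<digits> format and the sample rows are assumptions; in-memory SQLite stands in for MySQL so the script runs offline.

```php
<?php
// Added example (not CodeAstro's code). Schema, ID format and rows are assumed.
declare(strict_types=1);

// In-memory SQLite replaces the MySQL backend so this runs without a server.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE students (admissionNumber TEXT PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO students VALUES ('ADM-1001', 'Alice'), ('ADM-1002', 'Bob')");

// Parameterized query: the value is bound, never spliced into the SQL text,
// so the engine compares it as a literal string whatever it contains.
function findStudent(PDO $db, string $admissionNumber): ?array
{
    $stmt = $db->prepare(
        'SELECT admissionNumber, name FROM students WHERE admissionNumber = :adm'
    );
    $stmt->execute([':adm' => $admissionNumber]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Input validation as a second layer: only accept the format the application
// issues (assumed here to be ADM- followed by digits) and reject the rest.
function validAdmissionNumber(string $value): bool
{
    return preg_match('/^ADM-\d{1,10}$/', $value) === 1;
}

function handleLookup(PDO $db, string $requestValue): string
{
    if (!validAdmissionNumber($requestValue)) {
        return 'rejected: malformed admission number';
    }
    $row = findStudent($db, $requestValue);
    return $row === null ? 'not found' : 'found: ' . $row['name'];
}

// Output encoding for stored user strings (protitle, todo_data) rendered in HTML:
// encode at output time so a stored value is displayed as text, not parsed as markup.
function renderCell(string $userValue): string
{
    return '<td>' . htmlspecialchars($userValue, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</td>';
}

// Constructed inputs: a normal lookup, then a value containing SQL metacharacters.
echo handleLookup($db, 'ADM-1001'), PHP_EOL;             // found: Alice
echo handleLookup($db, "ADM-1001' OR 1=1 --"), PHP_EOL;  // rejected by validation
var_dump(findStudent($db, "ADM-1001' OR 1=1 --"));       // NULL: bound as a literal
echo renderCell('<b>Q3 report</b>'), PHP_EOL;            // tags shown as text
```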

Why This Batch Matters

This disclosure event highlights a recurring pattern in CodeAstro's PHP applications: unsanitized user input in administrative forms leads to both SQLi and XSS. Organizations running these systems for academic or HR record-keeping should treat the batch as a signal to audit their CodeAstro deployments and restrict network access to admin interfaces until patches arrive.

Synthesized by Vypr AI