Codeastro: Seven SQLi and XSS Vulnerabilities Disclosed Together

Key findings
- Seven vulnerabilities disclosed for Codeastro products on June 8, 2026.
- Six SQL injection flaws affect Leave Management and Ingredients Stock Management systems.
- One stored XSS vulnerability impacts the Human Resource Management System.
- Multiple vulnerabilities are remotely exploitable.
- Public exploits are available for several of the disclosed vulnerabilities.
On June 8, 2026, a cluster of seven vulnerabilities affecting multiple Codeastro products was disclosed, spanning a five-hour window. The disclosures include six SQL injection flaws and one stored cross-site scripting (XSS) vulnerability, with several having publicly available exploits.
The majority of the disclosed vulnerabilities are SQL injection flaws affecting the CodeAstro Leave Management System 1.0. These include CVE-2026-11510 in /admin/add_leave.php via manipulation of the type_of_leave argument, CVE-2026-11509 in /admin/search_staff_for_updation.php via the Name argument, CVE-2026-11508 in /admin/search_staff_to_assign_pc.php via the Name argument, CVE-2026-11507 in /admin/delete_leave_type.php via the leave_type argument, and CVE-2026-11506 in /admin/search_staff_for_deletion.php via the Name argument. All of these SQL injection vulnerabilities are remotely exploitable.
Another SQL injection vulnerability, CVE-2026-11495, was found in the CodeAstro Ingredients Stock Management System 1.0. This flaw resides in /Ingredients-Stock/add_stock.php and is triggered by manipulating the ID argument. Like the others, it is remotely exploitable and has a public exploit available.
Adding to the batch is a stored XSS vulnerability, CVE-2026-11491, affecting the CodeAstro Human Resource Management System 1.0. This vulnerability is located within the Notice Board Management component, specifically in /notice/All_notice. The attack vector involves manipulating the Notice Title argument with malicious input, such as <svg onload="alert('Stored XSS Triggered by Ashik Mohamed')">, leading to stored XSS.
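For operators of the affected systems, the endpoints and parameter names listed above are enough to write a simple request-inspection rule. The following is an added example, not code from Codeastro or from the disclosures; it assumes requests are available as decoded path-plus-parameter records (as a reverse proxy or application middleware would see them, since POST bodies never appear in access logs) and uses coarse indicator patterns of its own.

```python
import re

# Endpoint -> parameter that the disclosure names as the injection point.
# Paths and parameter names come from the advisory text; the rules are ours.
SQLI_PARAMS = {
    "/admin/add_leave.php": "type_of_leave",
    "/admin/search_staff_for_updation.php": "Name",
    "/admin/search_staff_to_assign_pc.php": "Name",
    "/admin/delete_leave_type.php": "leave_type",
    "/admin/search_staff_for_deletion.php": "Name",
    "/Ingredients-Stock/add_stock.php": "ID",
}
XSS_PARAMS = {"/notice/All_notice": "Notice Title"}

# Coarse indicators: SQL string/comment delimiters or keywords, and an HTML tag.
SQLI_HINT = re.compile(r"['\";]|--|/\*|\b(?:union|select|sleep|benchmark)\b", re.I)
HTML_HINT = re.compile(r"<[a-z!/]", re.I)


def inspect_request(path, params):
    """Return (rule, parameter, value) findings for one decoded request.

    Only the parameter named for that endpoint is checked, so the rule stays
    narrow; a legitimate apostrophe in a name (O'Brien) will still be flagged,
    so treat hits as alerts to review rather than automatic blocks.
    """
    findings = []
    p = SQLI_PARAMS.get(path)
    if p and p in params and SQLI_HINT.search(params[p]):
        findings.append(("sqli-probe", p, params[p]))
    p = XSS_PARAMS.get(path)
    if p and p in params and HTML_HINT.search(params[p]):
        findings.append(("stored-xss-probe", p, params[p]))
    return findings


def scan(requests):
    """Yield (client, path, finding) for every flagged request in a batch."""
    for req in requests:
        for finding in inspect_request(req["path"], req["params"]):
            yield (req["client"], req["path"], finding)


# Constructed sample traffic (hypothetical clients and values): two benign
# requests, one unwatched endpoint, three probes and one false positive.
SAMPLE = [
    {"client": "10.0.0.5", "path": "/admin/add_leave.php", "params": {"type_of_leave": "Sick Leave"}},
    {"client": "10.0.0.5", "path": "/Ingredients-Stock/add_stock.php", "params": {"ID": "7"}},
    {"client": "10.0.0.5", "path": "/index.php", "params": {"q": "it's"}},
    {"client": "10.0.0.9", "path": "/admin/add_leave.php", "params": {"type_of_leave": "Sick Leave'"}},
    {"client": "10.0.0.9", "path": "/Ingredients-Stock/add_stock.php", "params": {"ID": "7 union select 1"}},
    {"client": "10.0.0.12", "path": "/notice/All_notice", "params": {"Notice Title": "<svg onload=alert(1)>"}},
    {"client": "10.0.0.20", "path": "/admin/search_staff_for_deletion.php", "params": {"Name": "O'Brien"}},
]

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(hit)
```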
Related reporting covers a subset of this batch, four of the SQL injection flaws, and states that all four were disclosed together with public exploits available. That reporting also describes the vulnerabilities as remotely exploitable and rates them from Medium to High severity, whereas the CVE details provided here rate all of them Medium or Low.
Details regarding specific version numbers affected or patches released were not immediately available for all disclosed vulnerabilities. However, the consistent disclosure timing suggests a coordinated release, potentially from a single researcher or security firm. Users of the affected Codeastro systems are advised to review the specific CVE details and consult any available advisories from Codeastro for patching information.
This batch of vulnerabilities highlights potential security weaknesses across several Codeastro product lines. The presence of publicly available exploits for multiple SQL injection flaws, in particular, increases the risk of exploitation for organizations using these systems. The stored XSS vulnerability also presents a risk of session hijacking or credential theft if not addressed promptly.