Skip to main content

CodeAstro Online Job Portal CVE-2026-7071

| EUVDEUVD-2026-25747 MEDIUM
Insertion of Sensitive Information into Externally-Accessible File (CWE-538)
2026-04-27 VulDB
5.5
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

6
PoC Detected
Apr 27, 2026 - 18:39 vuln.today
Public exploit code
Analysis Generated
Apr 27, 2026 - 01:29 vuln.today
CVSS changed
Apr 27, 2026 - 01:22 NVD
5.3 (MEDIUM) 5.5 (MEDIUM)
EUVD ID Assigned
Apr 27, 2026 - 01:15 euvd
EUVD-2026-25747
Analysis Generated
Apr 27, 2026 - 01:15 vuln.today
CVE Published
Apr 27, 2026 - 00:30 nvd
MEDIUM 5.5

DescriptionCVE.org

A security vulnerability has been detected in CodeAstro Online Job Portal 1.0. Affected by this vulnerability is an unknown functionality of the file /users/user-cvs/. The manipulation leads to file and directory information exposure. Remote exploitation of the attack is possible. The exploit has been disclosed publicly and may be used.

AnalysisAI

CodeAstro Online Job Portal 1.0 exposes file and directory information through the /users/user-cvs/ endpoint via remote unauthenticated access, allowing attackers to enumerate and retrieve sensitive resume and user data. The vulnerability has publicly available exploit code and affects all versions of the application via the CPE cpe:2.3:a:codeastro:online_job_portal:*:*:*:*:*:*:*:*. CVSS 5.5 with confirmed public exploit availability and EPSS exploitation probability indicates moderate real-world risk for deployments accessible over the network.

Technical ContextAI

CodeAstro Online Job Portal is a web-based job portal application written using a web framework exposing user-submitted resume files through a directory listing vulnerability. The /users/user-cvs/ endpoint fails to implement proper access controls and directory indexing restrictions, allowing remote attackers to enumerate and access stored curriculum vitae (CV) files without authentication. The root cause is CWE-538 (Information Exposure Through Publicly Accessible File), a file system misconfiguration that exposes sensitive application data. The CPE indicates all versions of the CodeAstro Online Job Portal are affected through the wildcard version pattern, suggesting the vulnerability exists in the baseline design rather than a specific version.

RemediationAI

The primary remediation is to implement proper access controls on the /users/user-cvs/ directory immediately by restricting HTTP requests to authenticated users only, removing directory listing capabilities, and requiring valid session tokens for CV retrieval. If available from CodeAstro, upgrade to a patched version once released; check https://codeastro.com/ for security advisories. As an interim compensating control, deploy a Web Application Firewall (WAF) rule to block or require authentication for requests to /users/user-cvs/ and similar sensitive paths, with side effect of requiring rule maintenance across application updates. Alternatively, restrict network access to the CodeAstro portal to trusted IP ranges or require VPN access; this prevents remote exploitation but impacts legitimate public-facing portals. Migrate any exposed resume files from the web-accessible /users/user-cvs/ directory to a protected location outside the web root and implement access logging to identify which CVs were exposed. Review stored resumes for PII and notify affected job applicants per applicable data protection regulations.

CVE-2023-46679 CRITICAL POC
9.8 Nov 07

Online Job Portal v1.0 is vulnerable to multiple Unauthenticated SQL Injection vulnerabilities. Rated critical severity

CVE-2023-46677 CRITICAL POC
9.8 Nov 07

Online Job Portal v1.0 is vulnerable to multiple Unauthenticated SQL Injection vulnerabilities. Rated critical severity

CVE-2023-43468 CRITICAL POC
9.8 Sep 23

SQL injection vulnerability in janobe Online Job Portal v.2020 allows a remote attacker to execute arbitrary code via th

CVE-2023-43469 CRITICAL
9.8 Sep 23

SQL injection vulnerability in janobe Online Job Portal v.2020 allows a remote attacker to execute arbitrary code via th

CVE-2026-14660 MEDIUM POC
5.5 Jul 04

SQL injection in code-projects Online Job Portal 1.0 exposes the login.php endpoint to remote unauthenticated exploitati

CVE-2026-15677 MEDIUM POC
5.5 Jul 14

Unrestricted file upload in code-projects Online Job Portal 1.0 exposes unauthenticated remote attackers to arbitrary fi

CVE-2026-15676 MEDIUM POC
5.5 Jul 14

SQL injection in code-projects Online Job Portal 1.0 exposes the /Admin/DeleteUser.php endpoint to unauthenticated remot

CVE-2026-15675 MEDIUM POC
5.5 Jul 14

SQL injection in code-projects Online Job Portal 1.0 exposes the /Admin/EditUser.php endpoint to remote database manipul

CVE-2024-1972 MEDIUM POC
5.4 Feb 28

A vulnerability was found in SourceCodester Online Job Portal 1.0 and classified as problematic. Rated medium severity (

CVE-2024-1922 MEDIUM POC
5.4 Feb 27

A vulnerability has been found in SourceCodester Online Job Portal 1.0 and classified as problematic. Rated medium sever

CVE-2024-1919 MEDIUM POC
5.4 Feb 27

A vulnerability classified as problematic was found in SourceCodester Online Job Portal 1.0. Rated medium severity (CVSS

CVE-2026-15678 LOW POC
2.0 Jul 14

Cross-site scripting in code-projects Online Job Portal 1.0 allows a remote, low-privileged attacker to inject malicious

Share

CVE-2026-7071 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy