CodeAstro Online Classroom CVE-2026-7196
LOWSeverity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
7DescriptionCVE.org
A security vulnerability has been detected in CodeAstro Online Classroom 1.0. Affected is an unknown function of the file /guestdetails. Such manipulation of the argument deleteid leads to sql injection. The attack may be performed from remote. The exploit has been disclosed publicly and may be used.
AnalysisAI
SQL injection in CodeAstro Online Classroom 1.0 allows authenticated remote attackers to execute arbitrary SQL queries via the deleteid parameter in the /guestdetails endpoint, enabling unauthorized data access, modification, or deletion. The vulnerability has publicly available exploit code and a CVSS score of 6.3 reflecting moderate risk with low attack complexity.
Technical ContextAI
The vulnerability resides in SQL query construction within the /guestdetails file handler, where user-supplied input from the deleteid parameter is directly concatenated into SQL statements without proper sanitization or parameterized query preparation. This is a classic SQL injection flaw (CWE-89) common in web applications that fail to separate data from executable SQL logic. The attack surface is a web endpoint accessible remotely over HTTP/HTTPS, requiring only low-privilege authenticated credentials to trigger the vulnerability.
RemediationAI
Apply a security patch released by CodeAstro as soon as available via https://codeastro.com/. Immediate interim mitigation includes implementing input validation and parameterized prepared statements for all SQL queries, specifically in the /guestdetails endpoint handler to enforce type checking on the deleteid parameter and reject non-numeric or malformed input. Additionally, apply Web Application Firewall (WAF) rules to detect and block SQL injection patterns in the deleteid parameter (keyword patterns: UNION, SELECT, DROP, INSERT, UPDATE, DELETE, EXEC, etc.). Restrict access to the /guestdetails endpoint to IP ranges or networks where guest detail queries are legitimately needed, reducing the attack surface. Apply the principle of least privilege to the database user account used by the application, removing or denying INSERT, UPDATE, DELETE permissions if the endpoint only reads guest details. Database-level monitoring for anomalous SQL query patterns or syntax errors should be enabled to detect exploitation attempts in real-time.
More in Online Classroom
View allSQL injection in CodeAstro Online Classroom 1.0 allows authenticated remote attackers to execute arbitrary SQL queries v
SQL injection in CodeAstro Online Classroom 1.0 allows authenticated remote attackers to execute arbitrary SQL queries v
SQL injection in CodeAstro Online Classroom 1.0 allows authenticated remote attackers to execute arbitrary SQL queries v
SQL injection in CodeAstro Online Classroom 1.0 allows authenticated remote attackers to manipulate the fid parameter in
SQL injection in CodeAstro Online Classroom 1.0 allows authenticated remote attackers to manipulate the sid parameter in
A flaw has been found in CodeAstro Online Classroom 1.0. This affects an unknown part of the file /addnewfaculty. Execut
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today