Skip to main content

CodeAstro Online Classroom CVE-2026-7196

LOW
SQL Injection (CWE-89)
2026-04-27 VulDB
2.1
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
2.1 LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

7
Severity Changed
Apr 29, 2026 - 01:12 NVD
MEDIUM LOW
CVSS changed
Apr 29, 2026 - 01:12 NVD
5.3 (MEDIUM) 2.1 (LOW)
PoC Detected
Apr 29, 2026 - 01:00 vuln.today
Public exploit code
CVSS changed
Apr 28, 2026 - 00:22 NVD
6.3 (MEDIUM) 5.3 (MEDIUM)
Analysis Generated
Apr 28, 2026 - 00:00 vuln.today
Analysis Generated
Apr 27, 2026 - 23:30 vuln.today
CVE Published
Apr 27, 2026 - 23:00 nvd
LOW 2.1

DescriptionCVE.org

A security vulnerability has been detected in CodeAstro Online Classroom 1.0. Affected is an unknown function of the file /guestdetails. Such manipulation of the argument deleteid leads to sql injection. The attack may be performed from remote. The exploit has been disclosed publicly and may be used.

AnalysisAI

SQL injection in CodeAstro Online Classroom 1.0 allows authenticated remote attackers to execute arbitrary SQL queries via the deleteid parameter in the /guestdetails endpoint, enabling unauthorized data access, modification, or deletion. The vulnerability has publicly available exploit code and a CVSS score of 6.3 reflecting moderate risk with low attack complexity.

Technical ContextAI

The vulnerability resides in SQL query construction within the /guestdetails file handler, where user-supplied input from the deleteid parameter is directly concatenated into SQL statements without proper sanitization or parameterized query preparation. This is a classic SQL injection flaw (CWE-89) common in web applications that fail to separate data from executable SQL logic. The attack surface is a web endpoint accessible remotely over HTTP/HTTPS, requiring only low-privilege authenticated credentials to trigger the vulnerability.

RemediationAI

Apply a security patch released by CodeAstro as soon as available via https://codeastro.com/. Immediate interim mitigation includes implementing input validation and parameterized prepared statements for all SQL queries, specifically in the /guestdetails endpoint handler to enforce type checking on the deleteid parameter and reject non-numeric or malformed input. Additionally, apply Web Application Firewall (WAF) rules to detect and block SQL injection patterns in the deleteid parameter (keyword patterns: UNION, SELECT, DROP, INSERT, UPDATE, DELETE, EXEC, etc.). Restrict access to the /guestdetails endpoint to IP ranges or networks where guest detail queries are legitimately needed, reducing the attack surface. Apply the principle of least privilege to the database user account used by the application, removing or denying INSERT, UPDATE, DELETE permissions if the endpoint only reads guest details. Database-level monitoring for anomalous SQL query patterns or syntax errors should be enabled to detect exploitation attempts in real-time.

Share

CVE-2026-7196 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy