Skip to main content

CodeAstro Online Classroom CVE-2026-7743

| EUVDEUVD-2026-26929 LOW
SQL Injection (CWE-89)
2026-05-04 VulDB
2.1
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
2.1 LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

7
PoC Detected
May 04, 2026 - 15:17 vuln.today
Public exploit code
Severity Changed
May 04, 2026 - 08:22 NVD
MEDIUM LOW
CVSS changed
May 04, 2026 - 08:22 NVD
6.3 (MEDIUM) 2.1 (LOW)
Analysis Generated
May 04, 2026 - 08:15 vuln.today
EUVD ID Assigned
May 04, 2026 - 07:45 euvd
EUVD-2026-26929
Analysis Generated
May 04, 2026 - 07:45 vuln.today
CVE Published
May 04, 2026 - 07:15 nvd
LOW 2.1

DescriptionCVE.org

A vulnerability has been found in CodeAstro Online Classroom 1.0. The impacted element is an unknown function of the file /OnlineClassroom/studentdetails. The manipulation of the argument deleteid leads to sql injection. The attack is possible to be carried out remotely. The exploit has been disclosed to the public and may be used.

AnalysisAI

SQL injection in CodeAstro Online Classroom 1.0 allows authenticated remote attackers to execute arbitrary SQL queries via the deleteid parameter in the /OnlineClassroom/studentdetails endpoint, enabling unauthorized data access, modification, and potential denial of service. The vulnerability has publicly available exploit code and confirmed exploitation potential, affecting all versions up to 1.0.

Technical ContextAI

The vulnerability exists in the student details management functionality of CodeAstro Online Classroom. The /OnlineClassroom/studentdetails endpoint fails to properly sanitize or parameterize the deleteid input parameter before incorporating it into SQL queries. This is a classic SQL injection flaw (CWE-89) where attacker-controlled input is concatenated directly into dynamic SQL statements without input validation or prepared statement usage. The CPE cpe:2.3:a:codeastro:online_classroom:*:*:*:*:*:*:*:* indicates all versions of the product are affected. The vulnerability requires network access and low-level privileges (PR:L in CVSS vector), suggesting the attacker must be an authenticated user of the system, such as a student or legitimate user account.

RemediationAI

Immediate action required: Contact CodeAstro for patched versions and apply the update to all instances of Online Classroom. Until patching is possible, implement input validation and parameterized queries (prepared statements) in the /OnlineClassroom/studentdetails endpoint, specifically for the deleteid parameter - replace string concatenation with parameterized SQL to prevent injection. Additionally, apply least-privilege database access controls by restricting the application's database user account to only the minimum required permissions (removing rights to drop tables, alter schema, or access sensitive data outside the application's scope). Implement Web Application Firewall (WAF) rules to detect and block SQL injection patterns in the deleteid parameter, such as detecting single quotes, SQL keywords (UNION, SELECT, DROP), and comment sequences. However, note that WAF alone is insufficient and may be bypassed with encoding - this must be paired with code-level fixes. Enable database query logging and monitoring to detect injection attempts. Restrict network access to the /OnlineClassroom/studentdetails endpoint to trusted internal networks only if possible, reducing the attack surface to authenticated local users rather than remote access. For comprehensive guidance, refer to the VulDB submission at https://vuldb.com/submit/807695 and monitor https://codeastro.com/ for official security patches.

Share

CVE-2026-7743 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy