Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
7DescriptionCVE.org
A vulnerability was determined in CodeAstro Online Classroom 1.0. This impacts an unknown function of the file /OnlineClassroom/facultydetails. This manipulation of the argument deleteid causes sql injection. It is possible to initiate the attack remotely. The exploit has been publicly disclosed and may be utilized.
AnalysisAI
SQL injection in CodeAstro Online Classroom 1.0 allows authenticated remote attackers to execute arbitrary SQL queries via a crafted deleteid parameter in the /OnlineClassroom/facultydetails endpoint, enabling data exfiltration and potential database manipulation. The vulnerability has public exploit code available and CVSS 6.3 (medium severity) reflects the requirement for prior authentication and limited scope, though the exploitation probability is rated probable by scoring metadata.
Technical ContextAI
The vulnerability stems from improper input validation and sanitization of the deleteid parameter in the facultydetails file handler, allowing SQL metacharacters to be injected directly into database queries (CWE-89: SQL Injection). CodeAstro Online Classroom is an education platform that manages classroom and faculty data; the affected endpoint processes faculty detail records without parameterized queries or prepared statements. The CPE cpe:2.3:a:codeastro:online_classroom:*:*:*:*:*:*:*:* indicates all versions of the product are potentially vulnerable, though version 1.0 is explicitly documented as affected.
RemediationAI
Immediate action: contact CodeAstro for security patches or upgrade to the latest available version if a patched release is available-this must be verified directly with the vendor at https://codeastro.com/ as no specific fixed version is documented in available references. Primary mitigation is to implement parameterized queries (prepared statements) in the facultydetails endpoint to prevent SQL injection. Until a patch is available, apply input validation and sanitization to the deleteid parameter by implementing a whitelist allowing only valid numeric or alphanumeric identifiers, rejecting any input containing SQL metacharacters (semicolons, quotes, dashes, asterisks, parentheses). Restrict network access to the /OnlineClassroom/facultydetails endpoint using firewall rules or WAF (Web Application Firewall) rules to permit only authorized internal or VPN traffic, reducing the attack surface. Additionally, enforce strong authentication controls: require multi-factor authentication for educator and administrative accounts, audit access logs to the facultydetails endpoint for suspicious queries, and implement database query logging to detect SQL injection attempts. These compensating controls reduce exploitation likelihood but do not eliminate the underlying vulnerability and should be considered temporary until patching.
More in Online Classroom
View allSQL injection in CodeAstro Online Classroom 1.0 allows authenticated remote attackers to execute arbitrary SQL queries v
SQL injection in CodeAstro Online Classroom 1.0 allows authenticated remote attackers to execute arbitrary SQL queries v
SQL injection in CodeAstro Online Classroom 1.0 allows authenticated remote attackers to manipulate the fid parameter in
SQL injection in CodeAstro Online Classroom 1.0 allows authenticated remote attackers to manipulate the sid parameter in
SQL injection in CodeAstro Online Classroom 1.0 allows authenticated remote attackers to execute arbitrary SQL queries v
A flaw has been found in CodeAstro Online Classroom 1.0. This affects an unknown part of the file /addnewfaculty. Execut
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-26933