Skip to main content

CodeAstro Leave Management System CVE-2026-8132

| EUVDEUVD-2026-28521 MEDIUM
SQL Injection (CWE-89)
2026-05-08 VulDB GHSA-gggm-v39x-cpg8
5.5
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

4
Analysis Generated
May 08, 2026 - 04:34 vuln.today
Severity Changed
May 08, 2026 - 04:22 NVD
HIGH MEDIUM
CVSS changed
May 08, 2026 - 04:22 NVD
7.3 (HIGH) 5.5 (MEDIUM)
CVE Published
May 08, 2026 - 03:15 nvd
MEDIUM 5.5

DescriptionCVE.org

A weakness has been identified in CodeAstro Leave Management System 1.0. Affected is an unknown function of the file /login.php. This manipulation of the argument txt_username causes sql injection. The attack can be initiated remotely. The exploit has been made available to the public and could be used for attacks.

AnalysisAI

SQL injection in CodeAstro Leave Management System 1.0 allows remote unauthenticated attackers to manipulate the txt_username parameter in /login.php, enabling database queries to be executed with low confidentiality and integrity impact. Publicly available exploit code exists for this vulnerability, increasing real-world exploitation risk despite the moderate CVSS score of 5.5.

Technical ContextAI

The vulnerability exists in the authentication handler at /login.php, where user input from the txt_username parameter is passed unsafely to SQL queries without proper parameterized statements or input validation. This is a classic CWE-89 SQL injection flaw in a PHP-based web application. The attack vector is network-based (AV:N) with low attack complexity (AC:L), meaning no special conditions are required beyond network access. The affected product is a leave management system built on PHP, a common framework for administrative and HR applications. The CPE indicates all versions of CodeAstro Leave Management System are potentially vulnerable, though version 1.0 is explicitly named.

RemediationAI

Immediate remediation requires contacting CodeAstro to obtain a patched version, as no specific fix version is referenced in available data. In the interim, apply the following compensating controls: (1) Implement Web Application Firewall (WAF) rules to block SQL injection patterns in the txt_username parameter (e.g., reject requests containing single quotes, double dashes, UNION keywords, or SQL comments) - trade-off is potential false positives on legitimate usernames containing special characters; (2) Restrict network access to /login.php to known IP ranges or corporate networks only, reducing the attack surface from global internet to trusted networks - trade-off is loss of remote access capability; (3) Disable the CodeAstro Leave Management System until a patch is available if the application is not business-critical. Contact CodeAstro at https://codeastro.com/ to report the vulnerability and request security updates. Monitor VulDB (https://vuldb.com/vuln/361922) for patch announcements.

More in PHP

View all
CVE-2012-1823 CRITICAL POC
9.8 May 11

sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not

CVE-2016-1555 CRITICAL POC
9.8 Apr 21

(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear

CVE-2024-11680 CRITICAL POC
9.8 Nov 26

ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C

CVE-2025-49113 CRITICAL POC
9.9 Jun 02

Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au

CVE-2017-9841 CRITICAL POC
9.8 Jun 27

Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c

CVE-2025-0108 HIGH POC
8.8 Feb 12

Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers

CVE-2021-25298 HIGH POC
8.8 Feb 15

Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2021-25296 HIGH POC
8.8 Feb 15

Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2013-4983 CRITICAL POC
10.0 Sep 10

The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows

CVE-2023-6553 CRITICAL POC
9.8 Dec 15

The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1

CVE-2024-46506 CRITICAL POC
10.0 May 13

NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro

CVE-2024-8353 CRITICAL POC
9.8 Sep 28

The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all

Share

CVE-2026-8132 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy