Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
6DescriptionCVE.org
A security vulnerability has been detected in CodeAstro Online Job Portal 1.0. Affected by this vulnerability is an unknown functionality of the file /users/user-cvs/. The manipulation leads to file and directory information exposure. Remote exploitation of the attack is possible. The exploit has been disclosed publicly and may be used.
AnalysisAI
CodeAstro Online Job Portal 1.0 exposes file and directory information through the /users/user-cvs/ endpoint via remote unauthenticated access, allowing attackers to enumerate and retrieve sensitive resume and user data. The vulnerability has publicly available exploit code and affects all versions of the application via the CPE cpe:2.3:a:codeastro:online_job_portal:*:*:*:*:*:*:*:*. CVSS 5.5 with confirmed public exploit availability and EPSS exploitation probability indicates moderate real-world risk for deployments accessible over the network.
Technical ContextAI
CodeAstro Online Job Portal is a web-based job portal application written using a web framework exposing user-submitted resume files through a directory listing vulnerability. The /users/user-cvs/ endpoint fails to implement proper access controls and directory indexing restrictions, allowing remote attackers to enumerate and access stored curriculum vitae (CV) files without authentication. The root cause is CWE-538 (Information Exposure Through Publicly Accessible File), a file system misconfiguration that exposes sensitive application data. The CPE indicates all versions of the CodeAstro Online Job Portal are affected through the wildcard version pattern, suggesting the vulnerability exists in the baseline design rather than a specific version.
RemediationAI
The primary remediation is to implement proper access controls on the /users/user-cvs/ directory immediately by restricting HTTP requests to authenticated users only, removing directory listing capabilities, and requiring valid session tokens for CV retrieval. If available from CodeAstro, upgrade to a patched version once released; check https://codeastro.com/ for security advisories. As an interim compensating control, deploy a Web Application Firewall (WAF) rule to block or require authentication for requests to /users/user-cvs/ and similar sensitive paths, with side effect of requiring rule maintenance across application updates. Alternatively, restrict network access to the CodeAstro portal to trusted IP ranges or require VPN access; this prevents remote exploitation but impacts legitimate public-facing portals. Migrate any exposed resume files from the web-accessible /users/user-cvs/ directory to a protected location outside the web root and implement access logging to identify which CVs were exposed. Review stored resumes for PII and notify affected job applicants per applicable data protection regulations.
More in Online Job Portal
View allOnline Job Portal v1.0 is vulnerable to multiple Unauthenticated SQL Injection vulnerabilities. Rated critical severity
Online Job Portal v1.0 is vulnerable to multiple Unauthenticated SQL Injection vulnerabilities. Rated critical severity
SQL injection vulnerability in janobe Online Job Portal v.2020 allows a remote attacker to execute arbitrary code via th
SQL injection vulnerability in janobe Online Job Portal v.2020 allows a remote attacker to execute arbitrary code via th
SQL injection in code-projects Online Job Portal 1.0 exposes the login.php endpoint to remote unauthenticated exploitati
Unrestricted file upload in code-projects Online Job Portal 1.0 exposes unauthenticated remote attackers to arbitrary fi
SQL injection in code-projects Online Job Portal 1.0 exposes the /Admin/DeleteUser.php endpoint to unauthenticated remot
SQL injection in code-projects Online Job Portal 1.0 exposes the /Admin/EditUser.php endpoint to remote database manipul
A vulnerability was found in SourceCodester Online Job Portal 1.0 and classified as problematic. Rated medium severity (
A vulnerability has been found in SourceCodester Online Job Portal 1.0 and classified as problematic. Rated medium sever
A vulnerability classified as problematic was found in SourceCodester Online Job Portal 1.0. Rated medium severity (CVSS
Cross-site scripting in code-projects Online Job Portal 1.0 allows a remote, low-privileged attacker to inject malicious
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-25747