Skip to main content

CodeAstro Online Classroom EUVDEUVD-2026-26928

| CVE-2026-7742 LOW
SQL Injection (CWE-89)
2026-05-04 VulDB
2.1
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
2.1 LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

7
PoC Detected
May 04, 2026 - 15:17 vuln.today
Public exploit code
Severity Changed
May 04, 2026 - 08:22 NVD
MEDIUM LOW
CVSS changed
May 04, 2026 - 08:22 NVD
6.3 (MEDIUM) 2.1 (LOW)
Analysis Generated
May 04, 2026 - 08:15 vuln.today
EUVD ID Assigned
May 04, 2026 - 07:45 euvd
EUVD-2026-26928
Analysis Generated
May 04, 2026 - 07:45 vuln.today
CVE Published
May 04, 2026 - 07:00 nvd
LOW 2.1

DescriptionCVE.org

A flaw has been found in CodeAstro Online Classroom 1.0. The affected element is an unknown function of the file /OnlineClassroom/facultylogin. Executing a manipulation of the argument fid can lead to sql injection. The attack can be executed remotely. The exploit has been published and may be used.

AnalysisAI

SQL injection in CodeAstro Online Classroom 1.0 allows authenticated remote attackers to manipulate the fid parameter in the /OnlineClassroom/facultylogin endpoint, leading to unauthorized data access, modification, and denial of service. The vulnerability has a publicly available proof-of-concept exploit and is likely to be actively exploited given the moderate CVSS score (6.3) and confirmed POC availability.

Technical ContextAI

The vulnerability resides in the facultylogin functionality of CodeAstro Online Classroom, where user-supplied input in the fid parameter is passed directly into SQL queries without proper sanitization or parameterized query preparation. This is a classic SQL injection vulnerability (CWE-89) where an attacker can manipulate SQL logic by injecting SQL syntax through the fid field. The attack occurs over the network (AV:N) against the web-based classroom management system, requiring only low privileges (authenticated user account PR:L) and no user interaction (UI:N), making it relatively straightforward to exploit once an attacker gains initial access.

RemediationAI

The primary remediation is to upgrade CodeAstro Online Classroom to a patched version released by CodeAstro; however, no specific patch version number is provided in the available data. Contact CodeAstro immediately at https://codeastro.com/ to obtain the latest security update for version 1.0 or migrate to a newer release if available. In the interim, implement the following compensating controls: (1) Apply strict input validation and whitelisting on the fid parameter to accept only expected numeric or alphanumeric formats, rejecting any input containing SQL metacharacters (quotes, dashes, semicolons, comments); (2) enforce parameterized queries or prepared statements in the facultylogin endpoint code to prevent SQL syntax injection; (3) restrict network access to the /OnlineClassroom/facultylogin endpoint using a Web Application Firewall (WAF) rule that blocks requests containing SQL keywords ('union', 'select', 'insert', 'drop', etc.) in the fid parameter; (4) limit database account privileges - ensure the database user account used by the application has only SELECT permissions required for legitimate queries, preventing INSERT, UPDATE, DELETE, or DROP operations even if injection succeeds; (5) monitor authentication logs and SQL query logs for suspicious patterns in facultylogin requests, alerting on multiple failed login attempts or unexpected SQL error messages. These controls have a side effect of potentially impacting legitimate users if input filters are too restrictive; test thoroughly before deployment to production.

Share

EUVD-2026-26928 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy