Skip to main content

CodeAstro Online Classroom EUVDEUVD-2026-26933

| CVE-2026-7745 LOW
SQL Injection (CWE-89)
2026-05-04 VulDB
2.1
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
2.1 LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

7
PoC Detected
May 04, 2026 - 15:17 vuln.today
Public exploit code
Severity Changed
May 04, 2026 - 09:22 NVD
MEDIUM LOW
CVSS changed
May 04, 2026 - 09:22 NVD
6.3 (MEDIUM) 2.1 (LOW)
Analysis Generated
May 04, 2026 - 09:15 vuln.today
EUVD ID Assigned
May 04, 2026 - 09:00 euvd
EUVD-2026-26933
Analysis Generated
May 04, 2026 - 09:00 vuln.today
CVE Published
May 04, 2026 - 07:45 nvd
LOW 2.1

DescriptionCVE.org

A vulnerability was determined in CodeAstro Online Classroom 1.0. This impacts an unknown function of the file /OnlineClassroom/facultydetails. This manipulation of the argument deleteid causes sql injection. It is possible to initiate the attack remotely. The exploit has been publicly disclosed and may be utilized.

AnalysisAI

SQL injection in CodeAstro Online Classroom 1.0 allows authenticated remote attackers to execute arbitrary SQL queries via a crafted deleteid parameter in the /OnlineClassroom/facultydetails endpoint, enabling data exfiltration and potential database manipulation. The vulnerability has public exploit code available and CVSS 6.3 (medium severity) reflects the requirement for prior authentication and limited scope, though the exploitation probability is rated probable by scoring metadata.

Technical ContextAI

The vulnerability stems from improper input validation and sanitization of the deleteid parameter in the facultydetails file handler, allowing SQL metacharacters to be injected directly into database queries (CWE-89: SQL Injection). CodeAstro Online Classroom is an education platform that manages classroom and faculty data; the affected endpoint processes faculty detail records without parameterized queries or prepared statements. The CPE cpe:2.3:a:codeastro:online_classroom:*:*:*:*:*:*:*:* indicates all versions of the product are potentially vulnerable, though version 1.0 is explicitly documented as affected.

RemediationAI

Immediate action: contact CodeAstro for security patches or upgrade to the latest available version if a patched release is available-this must be verified directly with the vendor at https://codeastro.com/ as no specific fixed version is documented in available references. Primary mitigation is to implement parameterized queries (prepared statements) in the facultydetails endpoint to prevent SQL injection. Until a patch is available, apply input validation and sanitization to the deleteid parameter by implementing a whitelist allowing only valid numeric or alphanumeric identifiers, rejecting any input containing SQL metacharacters (semicolons, quotes, dashes, asterisks, parentheses). Restrict network access to the /OnlineClassroom/facultydetails endpoint using firewall rules or WAF (Web Application Firewall) rules to permit only authorized internal or VPN traffic, reducing the attack surface. Additionally, enforce strong authentication controls: require multi-factor authentication for educator and administrative accounts, audit access logs to the facultydetails endpoint for suspicious queries, and implement database query logging to detect SQL injection attempts. These compensating controls reduce exploitation likelihood but do not eliminate the underlying vulnerability and should be considered temporary until patching.

Share

EUVD-2026-26933 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy