EUVD-2026-35195Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
A vulnerability has been found in CodeAstro Student Attendance Management System 1.0. This affects an unknown function of the file /attendance-php/Admin/createClass.php. The manipulation of the argument className leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.
AnalysisAI
SQL injection in CodeAstro Student Attendance Management System 1.0 allows low-privileged authenticated remote attackers to manipulate backend database queries via the unsanitized className parameter in /attendance-php/Admin/createClass.php. A publicly available proof-of-concept exploit (CVSS E:P) lowers the barrier to exploitation, though the CVSS 4.0 score of 2.1 (Low) reflects constrained impact scope - all confidentiality, integrity, and availability impacts are rated Low with no scope change. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Low-privilege authenticated access to the admin panel is required - CVSS PR:L confirms this is not an unauthenticated attack path. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.0 base score of 2.1 (Low) is principally driven by the limited blast radius: all impact dimensions (VC:L, VI:L, VA:L) are rated Low, and there is no scope change to subsequent systems (SC:N/SI:N/SA:N). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who has obtained low-privilege admin credentials - through phishing, credential reuse, or weak default passwords - authenticates to the Student Attendance Management System admin panel and navigates to the class creation form backed by `/attendance-php/Admin/createClass.php`. The attacker injects SQL metacharacters into the `className` field (e.g., a payload based on the publicly available proof-of-concept at https://github.com/Andelstander/cve/issues/8) to manipulate the underlying database query, potentially extracting sensitive records such as student data or admin credentials, or modifying attendance records. … |
| Remediation | No vendor-released patch has been identified at time of analysis - no patched version number is confirmed from available data. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
More from same product – last 7 days
Authentication bypass in Discuz! X5.0 releases 20260320 through 20260501 allows unauthenticated remote attackers to acce
Authenticated remote code execution in Discuz! X5.0 releases 20260320 through 20260501 allows administrators to chain a
Unauthenticated PHP Object Injection in the Happyforms WordPress plugin (versions <= 1.26.13) allows remote attackers to
Unauthenticated PHP Object Injection in the Broadcast Live Video WordPress plugin (versions prior to 7.1.3) allows remot
Unauthenticated PHP object injection in the WordPress plugin 'Integration for Keap/Infusionsoft and Contact Form 7, WPFo
Share
External POC / Exploit Code
Leaving vuln.today