EUVD-2026-35199Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
A vulnerability was determined in CodeAstro Student Attendance Management System 1.0. Affected is an unknown function of the file /attendance-php/Admin/createClassArms.php. This manipulation of the argument classId causes sql injection. The attack can be initiated remotely. The exploit has been publicly disclosed and may be utilized.
AnalysisAI
SQL injection in CodeAstro Student Attendance Management System 1.0 exposes the backend database to manipulation by authenticated remote attackers via the classId parameter in /attendance-php/Admin/createClassArms.php. An attacker with low-privilege authenticated access to the admin panel can craft malicious SQL payloads to read, alter, or delete database records - impacting confidentiality, integrity, and availability (C:L/I:L/A:L per CVSS). …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires an authenticated session with at least low-privilege access (PR:L per CVSS) to the admin panel of CodeAstro Student Attendance Management System 1.0. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 score of 6.3 (Medium) is driven by network reachability (AV:N), low complexity (AC:L), low-privilege authentication requirement (PR:L), no user interaction (UI:N), and partial CIA impact (C:L/I:L/A:L). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who has obtained or guessed low-privilege credentials to the CodeAstro admin panel sends a crafted HTTP request to `/attendance-php/Admin/createClassArms.php` with a malicious `classId` parameter containing SQL metacharacters (e.g., a UNION SELECT or time-based blind payload). Because the parameter is passed unsanitized to the database query, the injected SQL executes in the database context, allowing the attacker to enumerate table contents, extract credential hashes, or modify attendance records. … |
| Remediation | No vendor-released patch has been identified at time of analysis - the available references point to VulDB (https://vuldb.com/vuln/369182) and a public POC issue (https://github.com/Andelstander/cve/issues/10), neither of which confirm a fixed release. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
More from same product – last 7 days
Authentication bypass in Discuz! X5.0 releases 20260320 through 20260501 allows unauthenticated remote attackers to acce
Authenticated remote code execution in Discuz! X5.0 releases 20260320 through 20260501 allows administrators to chain a
Unauthenticated PHP Object Injection in the Happyforms WordPress plugin (versions <= 1.26.13) allows remote attackers to
Unauthenticated PHP Object Injection in the Broadcast Live Video WordPress plugin (versions prior to 7.1.3) allows remot
Unauthenticated PHP object injection in the WordPress plugin 'Integration for Keap/Infusionsoft and Contact Form 7, WPFo
Share
External POC / Exploit Code
Leaving vuln.today