CVE-2026-6010
SQL Injection in CodeAstro OnlineClassroom Enables Remote Exploit
Publication date: 2026-04-10
Last updated on: 2026-04-29
Assigner: VulDB
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| codeastro | online_classroom | 1.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-74 | The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component. |
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-6010 is a critical SQL injection vulnerability found in CodeAstro Online Classroom version 1.0, specifically in the file /OnlineClassroom/takeassessment2.php accessed with the parameter exid=14.
The vulnerability arises because the POST parameter Q1 is not properly validated or sanitized before being used in SQL queries. This allows attackers to inject malicious SQL code.
Different types of SQL injection attacks are possible, including Boolean-based blind SQL injection, error-based SQL injection, and time-based blind SQL injection, which can be used to extract sensitive information, manipulate data, or disrupt service.
How can this vulnerability impact me?
This vulnerability can have severe impacts including unauthorized access to the database, leakage of sensitive data, modification or deletion of records, and potential full system compromise.
Attackers can also cause denial of service by delaying responses using time-based SQL injection techniques, disrupting the availability of the online classroom service.
Overall, it threatens system security and business continuity by allowing attackers to manipulate or damage critical data and services.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by testing the Q1 POST parameter of /OnlineClassroom/takeassessment2.php (requested with exid=14) for SQL injection flaws.
Proof-of-concept payloads used to detect the vulnerability include Boolean-based blind SQL injection, error-based SQL injection, and time-based blind SQL injection techniques.
- Boolean-based blind SQL injection payload: Q1=1' RLIKE (SELECT (CASE WHEN (4057=4057) THEN 1 ELSE 0x28 END)) AND 'ewOh'='ewOh
- Error-based SQL injection payload: Q1=1' AND (SELECT 9112 FROM(SELECT COUNT(*),CONCAT(0x7176626271,(SELECT (ELT(9112=9112,1))),0x717a787171,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'ONuA'='ONuA
- Time-based blind SQL injection payload: Q1=1' AND (SELECT 2796 FROM (SELECT(SLEEP(5)))nGPe) AND 'sRKd'='sRKd
The vulnerability was identified and tested using the sqlmap tool, which can be used to automate detection of this SQL injection vulnerability.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include using prepared statements with parameter binding, which prevent SQL injection by keeping the SQL code separate from user input.
Enforce strict input validation and filtering to ensure that inputs conform to expected formats and do not contain malicious SQL code.
Minimize database user permissions by avoiding the use of high-privilege accounts such as root or admin for routine database operations.
Conduct regular security audits of code and systems to detect and remediate vulnerabilities promptly.
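The prepared-statement mitigation described above, as an added example (hypothetical code, not CodeAstro's own): a handler that concatenates the exid and Q1 values into the query, beside a PDO version that validates exid and binds both values. The table and column names, the DSN and the database account are assumptions.

```php
<?php
declare(strict_types=1);

// Hypothetical handler for the assessment-answer write, not CodeAstro's code.
// Assumed schema: table `answers`(student_id, exid, q1); names are assumptions.

// Vulnerable pattern (the defect class CWE-89 describes): the untrusted GET value
// exid and POST value Q1 are concatenated into the SQL text, so a quote inside
// Q1 closes the string literal and whatever follows is parsed as SQL.
function saveAnswerVulnerable(mysqli $db, int $studentId, array $get, array $post): bool
{
    $sql = "INSERT INTO answers (student_id, exid, q1) VALUES ($studentId, "
         . $get['exid'] . ", '" . $post['Q1'] . "')";
    return (bool) $db->query($sql);
}

// Hardened pattern: the SQL text is a constant; values travel as bound
// parameters and cannot change how the statement is parsed.
function connectDb(string $dsn, string $user, string $pass): PDO
{
    return new PDO($dsn, $user, $pass, [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // server-side prepares, not client-side quoting
    ]);
}

function saveAnswerSafe(PDO $db, int $studentId, array $get, array $post): bool
{
    // exid must be a positive integer; anything else is rejected before reaching the DB.
    $exid = filter_var($get['exid'] ?? '', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($exid === false) {
        http_response_code(400);
        return false;
    }
    // Q1 is free-text answer content, so it is length-capped rather than pattern-filtered;
    // parameter binding, not filtering, is what stops injection.
    $q1 = (string) ($post['Q1'] ?? '');
    if (mb_strlen($q1) > 4000) {
        http_response_code(400);
        return false;
    }
    $stmt = $db->prepare('INSERT INTO answers (student_id, exid, q1) VALUES (:sid, :exid, :q1)');
    $stmt->bindValue(':sid',  $studentId, PDO::PARAM_INT);
    $stmt->bindValue(':exid', $exid,      PDO::PARAM_INT);
    $stmt->bindValue(':q1',   $q1,        PDO::PARAM_STR);
    return $stmt->execute();
}

// Usage in the request handler; DSN and credentials are placeholders, and
// 'app_user' stands for a low-privilege account rather than root.
// $db = connectDb('mysql:host=localhost;dbname=classroom;charset=utf8mb4', 'app_user', 'REPLACE_ME');
// saveAnswerSafe($db, $currentStudentId, $_GET, $_POST);
```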
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The SQL injection vulnerability in CodeAstro Online Classroom allows attackers to gain unauthorized access to the database, potentially leading to leakage, modification, or deletion of sensitive data.
Such unauthorized access and data compromise can violate data protection requirements mandated by common standards and regulations like GDPR and HIPAA, which require safeguarding personal and sensitive information against unauthorized disclosure or alteration.
Therefore, exploitation of this vulnerability could result in non-compliance with these regulations due to failure to protect data confidentiality, integrity, and availability.