CVE-2026-11510

Deferred Deferred - Pending Action

SQL Injection in CodeAstro Leave Management System

Publication date: 2026-06-08

Last updated on: 2026-06-08

Assigner: VulDB

Description

A security flaw has been discovered in CodeAstro Leave Management System 1.0. This affects an unknown part of the file /admin/add_leave.php. Performing a manipulation of the argument type_of_leave results in sql injection. It is possible to initiate the attack remotely. The exploit has been released to the public and may be used for attacks.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published

2026-06-08

Last Modified

2026-06-08

Generated

2026-06-08

AI Q&A

2026-06-08

EPSS Evaluated

N/A

NVD

CVE-2026-11510

EUVD

EUVD-2026-35050

Affected Vendors & Products

Vendor	Product	Version / Range
codeastro	leave_management_system	1.0

Helpful Resources

Exploitability

CWE

KEV

CWE ID	Description
CWE-89	The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
CWE-74	The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.

CWE ID

Description

CWE-89

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

CWE-74

The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.

Attack-Flow Graph

Mitigation Strategies

Immediate mitigation steps include applying strict input validation and sanitization on the type_of_leave parameter to prevent SQL injection.

Implement prepared statements or parameterized queries in the /admin/add_leave.php file.
Minimize database user permissions to limit the impact of a potential SQL injection attack.
Conduct regular security audits and code reviews focusing on input handling.
If possible, apply patches or updates provided by the vendor or community addressing this vulnerability.

Executive Summary

CVE-2026-11510 is a SQL injection vulnerability found in CodeAstro Leave Management System 1.0, specifically in the file /admin/add_leave.php. The flaw occurs due to inadequate input validation of the type_of_leave parameter, which allows an attacker to inject malicious SQL queries remotely.

Attackers can exploit this vulnerability using techniques such as boolean-based blind, error-based, and time-based blind SQL injection to manipulate database queries.

Impact Analysis

Exploitation of this vulnerability can lead to unauthorized access to the database, allowing attackers to tamper with data, leak sensitive information, and potentially compromise the entire system.

Detection Guidance

The vulnerability in CodeAstro Leave Management System 1.0 is an SQL injection in the /admin/add_leave.php file via the type_of_leave parameter. Detection can involve testing this parameter for SQL injection using boolean-based blind, error-based, or time-based blind techniques.

Use tools like sqlmap to test the type_of_leave parameter for SQL injection, e.g., sqlmap -u "http://target/LeaveManagement-PHP/admin/add_leave.php?type_of_leave=test" --batch
Manually test by injecting SQL payloads such as ' OR 1=1-- or ' AND SLEEP(5)-- into the type_of_leave parameter and observe the response delay or error messages.
Monitor network traffic for unusual or malformed SQL queries targeting the type_of_leave parameter.

Compliance Impact

The SQL injection vulnerability in CodeAstro Leave Management System 1.0 can lead to unauthorized database access, data tampering, and sensitive information leakage. Such security flaws can compromise the confidentiality and integrity of personal and sensitive data stored within the system.

This exposure may result in non-compliance with common data protection standards and regulations such as GDPR and HIPAA, which require organizations to protect personal data against unauthorized access and ensure data integrity.

Failure to address this vulnerability could lead to breaches that violate these regulations, potentially resulting in legal penalties, reputational damage, and loss of trust.

Hi! I’m here to help you understand CVE-2026-11510. Ask me anything about the vulnerability, its impact, or mitigation strategies.

0/70

CVE-2026-11510

SQL Injection in CodeAstro Leave Management System

Description

CVSS Scores

EPSS Scores

Meta Information

Affected Vendors & Products

Helpful Resources

Exploitability

Attack-Flow Graph

AI Quick Actions

Chat Assistant

EPSS Chart