{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-5578", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "state": "PUBLISHED", "assignerShortName": "VulDB", "dateReserved": "2026-04-04T15:01:44.416Z", "datePublished": "2026-04-05T15:45:11.471Z", "dateUpdated": "2026-04-06T18:06:49.923Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-04-05T15:45:11.471Z"}, "title": "CodeAstro Online Classroom Parameter addassessment.php sql injection", "problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-89", "lang": "en", "description": "SQL Injection"}]}, {"descriptions": [{"type": "CWE", "cweId": "CWE-74", "lang": "en", "description": "Injection"}]}], "affected": [{"vendor": "CodeAstro", "product": "Online Classroom", "versions": [{"version": "1.0", "status": "affected"}], "modules": ["Parameter Handler"]}], "descriptions": [{"lang": "en", "value": "A vulnerability was found in CodeAstro Online Classroom 1.0. This vulnerability affects unknown code of the file /OnlineClassroom/addassessment.php of the component Parameter Handler. Performing a manipulation of the argument deleteid results in sql injection. The attack is possible to be carried out remotely. The exploit has been made public and could be used."}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 5.3, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P", "baseSeverity": "MEDIUM"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 6.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R", "baseSeverity": "MEDIUM"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 6.3, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R", "baseSeverity": "MEDIUM"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR"}}], "timeline": [{"time": "2026-04-04T00:00:00.000Z", "lang": "en", "value": "Advisory disclosed"}, {"time": "2026-04-04T02:00:00.000Z", "lang": "en", "value": "VulDB entry created"}, {"time": "2026-04-04T17:07:04.000Z", "lang": "en", "value": "VulDB entry last update"}], "credits": [{"lang": "en", "value": "zws58 (VulDB User)", "type": "reporter"}], "references": [{"url": "https://vuldb.com/vuln/355348", "name": "VDB-355348 | CodeAstro Online Classroom Parameter addassessment.php sql injection", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/vuln/355348/cti", "name": "VDB-355348 | CTI Indicators (IOB, IOC, TTP, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/submit/783751", "name": "Submit #783751 | codeastro Online Classroom V1.0 SQL Injection", "tags": ["third-party-advisory"]}, {"url": "https://github.com/zgr0508/cve/issues/1", "tags": ["exploit", "issue-tracking"]}, {"url": "https://codeastro.com/", "tags": ["product"]}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-06T18:06:39.203494Z", "id": "CVE-2026-5578", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-06T18:06:49.923Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-5578", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-06T18:06:39.203494Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-06T18:06:44.798Z"}}], "cna": {"title": "CodeAstro Online Classroom Parameter addassessment.php sql injection", "credits": [{"lang": "en", "type": "reporter", "value": "zws58 (VulDB User)"}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 6.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 6.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR"}}], "affected": [{"vendor": "CodeAstro", "modules": ["Parameter Handler"], "product": "Online Classroom", "versions": [{"status": "affected", "version": "1.0"}]}], "timeline": [{"lang": "en", "time": "2026-04-04T00:00:00.000Z", "value": "Advisory disclosed"}, {"lang": "en", "time": "2026-04-04T02:00:00.000Z", "value": "VulDB entry created"}, {"lang": "en", "time": "2026-04-04T17:07:04.000Z", "value": "VulDB entry last update"}], "references": [{"url": "https://vuldb.com/vuln/355348", "name": "VDB-355348 | CodeAstro Online Classroom Parameter addassessment.php sql injection", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/vuln/355348/cti", "name": "VDB-355348 | CTI Indicators (IOB, IOC, TTP, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/submit/783751", "name": "Submit #783751 | codeastro Online Classroom V1.0 SQL Injection", "tags": ["third-party-advisory"]}, {"url": "https://github.com/zgr0508/cve/issues/1", "tags": ["exploit", "issue-tracking"]}, {"url": "https://codeastro.com/", "tags": ["product"]}], "descriptions": [{"lang": "en", "value": "A vulnerability was found in CodeAstro Online Classroom 1.0. This vulnerability affects unknown code of the file /OnlineClassroom/addassessment.php of the component Parameter Handler. Performing a manipulation of the argument deleteid results in sql injection. The attack is possible to be carried out remotely. The exploit has been made public and could be used."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-89", "description": "SQL Injection"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-74", "description": "Injection"}]}], "providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-04-05T15:45:11.471Z"}}}, "cveMetadata": {"cveId": "CVE-2026-5578", "state": "PUBLISHED", "dateUpdated": "2026-04-06T18:06:49.923Z", "dateReserved": "2026-04-04T15:01:44.416Z", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "datePublished": "2026-04-05T15:45:11.471Z", "assignerShortName": "VulDB"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability was found in CodeAstro Online Classroom 1.0. This vulnerability affects unknown code of the file /OnlineClassroom/addassessment.php of the component Parameter Handler. Performing a manipulation of the argument deleteid results in sql injection. The attack is possible to be carried out remotely. The exploit has been made public and could be used."}], "id": "CVE-2026-5578", "lastModified": "2026-04-29T01:00:01.613", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "cna@vuldb.com", "type": "Secondary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.4, "source": "cna@vuldb.com", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 2.1, "baseSeverity": "LOW", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cna@vuldb.com", "type": "Secondary"}]}, "published": "2026-04-05T16:16:19.887", "references": [{"source": "cna@vuldb.com", "url": "https://codeastro.com/"}, {"source": "cna@vuldb.com", "url": "https://github.com/zgr0508/cve/issues/1"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/submit/783751"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/vuln/355348"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/vuln/355348/cti"}], "sourceIdentifier": "cna@vuldb.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-74"}, {"lang": "en", "value": "CWE-89"}], "source": "cna@vuldb.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "1.0"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Online Classroom", "source": "cna", "vendor": "CodeAstro"}, "product": "online_classroom", "vendor": "codeastro"}], "analysis": {"en": {"generated_at": "2026-04-05T18:20:17.088585+00:00", "value": {"mitigation_remediation": ["Apply any available vendor patch for CodeAstro Online Classroom 1.0", "If a patch is not yet released, store the deleteid value in a whitelist or use parameterized queries to prevent injection", "Restrict access to addassessment.php to trusted users only", "Review and restrict database permissions so that the application uses the minimal privileges needed"], "summary": {"action": "Immediate Patch", "impact": "SQL Injection may permit unauthorized data modification or disclosure"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the CodeAstro Online Classroom product, specifically the addassessment.php component of the Parameter Handler. The affected release is 1.0; no other versions are listed in the advisory.", "description_and_impact": "A flaw exists in CodeAstro Online Classroom\u00a01.0 where the deleteid parameter within addassessment.php is incorporated into an SQL statement without proper sanitization, creating a classic SQL injection opportunity. An attacker can remotely craft a request that manipulates deleteid to execute arbitrary SQL commands. This can lead to unauthorized data exposure, data tampering, or even database compromise, consistent with the weaknesses identified as CWE\u201174 and CWE\u201189.", "risk_and_exploitability": "The CVSS base score is 5.3, indicating a moderate severity. No EPSS score is published, and the issue is not listed in the CISA KEV catalog, but the public nature of the exploit and the ability to execute the attack remotely increase its real\u2011world risk. An adversary could leverage this weakness to gain further insight into the application\u2019s database structure and potentially extract sensitive data."}}}}, "created": "2026-04-06T20:23:13.014062+00:00", "updated": "2026-04-06T21:56:33.506024+00:00", "vendors": ["codeastro", "codeastro$PRODUCT$online_classroom"]}