CVE-2026-10235 CodeAstro CVE debrief

Who should care

Organizations running CodeAstro Ingredients Stock Management System 1.0; security teams monitoring PHP-based inventory/stock management applications; web application firewall administrators

Technical summary

The vulnerability is a classic SQL injection (CWE-89) in a PHP web application. The txt_search_category parameter in /Ingredients-Stock/stock_manager.php is not properly sanitized before being incorporated into SQL queries. An attacker with low privileges can send crafted HTTP requests to manipulate database queries remotely. The CVSS 4.0 vector indicates network attack vector, low attack complexity, no required user interaction, and low impacts across confidentiality, integrity, and availability dimensions. The exploit has been published, increasing the likelihood of active exploitation.

Defensive priority

medium

Recommended defensive actions

• Apply input validation and parameterized queries (prepared statements) for the txt_search_category parameter in stock_manager.php
• Implement least-privilege database access for the application
• Monitor web application logs for suspicious SQL injection patterns targeting /Ingredients-Stock/stock_manager.php
• Contact CodeAstro for official patch availability and vendor confirmation
• Review and restrict network access to the administrative interface if possible

Evidence notes

SQL injection is confirmed by CWE-89 classification from the CNA (VulDB). The attack vector is network-based with low attack complexity, requiring low privileges and no user interaction. The vulnerability affects confidentiality, integrity, and availability with low impact ratings.

Official resources