PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-10260 CodeAstro CVE debrief

A SQL injection vulnerability exists in CodeAstro Online Job Portal 1.0, specifically within the /admin/jobs-admins/delete-jobs.php endpoint. The vulnerability stems from improper sanitization of the 'ID' parameter, allowing remote attackers to manipulate SQL queries. The CVSS 4.0 vector indicates network attack vector with low attack complexity, no required privileges, and low impacts across confidentiality, integrity, and availability. The exploit has been publicly disclosed. The vendor identification carries low confidence based on reference domain analysis, with 'Codeastro' identified as a candidate vendor source.

Vendor: CodeAstro
Product: Online Job Portal
CVSS: MEDIUM 5.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-01
Original CVE updated: 2026-06-01
Advisory published: 2026-06-01
Advisory updated: 2026-06-01

Who should care

Organizations running CodeAstro Online Job Portal 1.0; security teams monitoring public exploit disclosures; database administrators responsible for application security; web application firewall operators

Technical summary

The vulnerability resides in an unknown function within /admin/jobs-admins/delete-jobs.php of CodeAstro Online Job Portal 1.0. The ID parameter accepts unsanitized input that is incorporated into SQL queries without proper parameterization or escaping. This enables remote unauthenticated attackers to inject arbitrary SQL commands. The attack requires no privileges and no user interaction, with low attack complexity. The CVSS 4.0 score of 5.5 (MEDIUM) reflects limited impacts to confidentiality, integrity, and availability. The weakness is dual-classified under CWE-74 and CWE-89.

Defensive priority

medium

Recommended defensive actions

  • Apply input validation and parameterized queries to the ID parameter in /admin/jobs-admins/delete-jobs.php
  • Restrict administrative endpoint access through network segmentation or IP allowlisting
  • Monitor for anomalous database query patterns and unexpected DELETE operations
  • Review application logs for suspicious ID parameter values including SQL metacharacters
  • Contact CodeAstro for official patch availability and apply when released
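As an added illustration (not CodeAstro's code; the `jobs` table, its integer `id` column, the `admin_id` session key, the connection details and the use of a GET parameter are all assumptions), the string-built pattern behind CWE-89 in a delete endpoint next to the validated, parameterized form the first recommended action calls for:

```php
<?php
// Added illustration, not CodeAstro's code. Assumed: a mysqli connection in
// $conn, a table `jobs` with integer primary key `id`, and an admin session flag.
session_start();
$conn = new mysqli('localhost', 'DB_USER', 'DB_PASS', 'jobportal'); // placeholder credentials

// Vulnerable pattern (CWE-89): the raw ID parameter is concatenated into the
// statement, so the WHERE clause is attacker-controlled.
function delete_job_vulnerable(mysqli $conn): void
{
    $id = $_GET['ID'];                                    // unsanitized
    $conn->query("DELETE FROM jobs WHERE id = '$id'");    // string-built SQL
}

// Hardened form: authenticate, validate the type, then bind the value so it
// can never change the structure of the statement.
function delete_job_hardened(mysqli $conn): void
{
    if (empty($_SESSION['admin_id'])) {                   // assumed session key
        http_response_code(403);
        exit('Forbidden');
    }
    // Only a positive integer is a legitimate job ID; anything else is rejected
    // before it reaches the database.
    $id = filter_input(INPUT_GET, 'ID', FILTER_VALIDATE_INT,
                       ['options' => ['min_range' => 1]]);
    if ($id === false || $id === null) {
        http_response_code(400);
        exit('Invalid ID');
    }
    $stmt = $conn->prepare('DELETE FROM jobs WHERE id = ?');
    $stmt->bind_param('i', $id);                          // bound as integer
    $stmt->execute();
    if ($stmt->affected_rows === 0) {
        http_response_code(404);                          // no such job
    }
    $stmt->close();
}

delete_job_hardened($conn);
```

The type check alone would stop the injection here, but the prepared statement is what keeps the fix intact if the parameter later becomes a string column.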

Evidence notes

Vulnerability description sourced from official NVD record with VulDB as CNA. CVSS 4.0 vector provided in source metadata. Weaknesses mapped to CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component) and CWE-89 (SQL Injection). Public exploit availability confirmed through source references. Vendor attribution marked as low confidence with review flag set.
