Vulnerabilities ›

CVE-2026-11506

Medium

CWE-74 — Weakness Type

                    Published: Jun 8, 2026                      ·  Modified: Jun 10, 2026                      ·  Source: NVD                

CVSS v3

6.3

🔗 NVD Official

📄 Description (English)

A vulnerability has been found in CodeAstro Leave Management System 1.0. This impacts an unknown function of the file /admin/search_staff_for_deletion.php. The manipulation of the argument Name leads to sql injection. Remote exploitation of the attack is possible. The exploit has been disclosed to the public and may be used.

🤖 AI Executive Summary

CVE-2026-11506 is a SQL injection vulnerability in CodeAstro Leave Management System 1.0 affecting the /admin/search_staff_for_deletion.php endpoint through the Name parameter. With a CVSS score of 6.3 and publicly disclosed exploit details, this poses a medium-risk threat to organizations using this system for HR management. Remote exploitation is possible without authentication, making it a priority for affected Saudi organizations.

📄 Description (Arabic)

🤖 AI Intelligence Analysis Analyzed: Jun 8, 2026 16:53

🇸🇦 Saudi Arabia Impact Assessment

This vulnerability primarily impacts Saudi government agencies, educational institutions, and medium-sized enterprises using CodeAstro for HR management. Government entities under NCA oversight and organizations subject to SAMA regulations face elevated risk due to potential unauthorized access to employee data. Healthcare facilities and private sector companies managing sensitive personnel information are at risk of data breach, unauthorized staff record deletion, and compliance violations under Saudi data protection regulations.

🏢 Affected Saudi Sectors

Government Agencies Education Healthcare Banking and Financial Services Telecommunications Energy Sector Private Enterprises

🎯 MITRE ATT&CK Techniques

T1190 - Exploit Public-Facing Application T1557 - Man-in-the-Middle T1040 - Network Sniffing T1110 - Brute Force T1078 - Valid Accounts T1530 - Data from Cloud Storage

⚖️ Saudi Risk Score (AI)

6.8

/ 10.0

🔧 Remediation Steps (English)

Immediate Actions:

1. Identify all instances of CodeAstro Leave Management System 1.0 in your environment

2. Restrict network access to /admin/search_staff_for_deletion.php using WAF rules or firewall policies

3. Implement input validation: sanitize the Name parameter using parameterized queries and whitelist allowed characters

4. Enable SQL error suppression to prevent information disclosure



Patching Guidance:

5. Contact CodeAstro for security updates or migrate to a patched version if available

6. If no patch is available, implement prepared statements and stored procedures

7. Apply principle of least privilege to database accounts used by the application



Compensating Controls:

8. Deploy Web Application Firewall (WAF) rules to detect and block SQL injection patterns in the Name parameter

9. Implement database activity monitoring (DAM) to detect suspicious SQL queries

10. Enable comprehensive logging and alerting for admin panel access

11. Conduct regular security assessments and penetration testing

12. Implement multi-factor authentication for admin access



Detection Rules:

- Monitor for SQL keywords (UNION, SELECT, DROP, INSERT) in Name parameter values

- Alert on unusual database query patterns or failed authentication attempts

- Track access to /admin/search_staff_for_deletion.php endpoint

🔧 خطوات المعالجة (العربية)

الإجراءات الفورية:

1. حدد جميع حالات نظام إدارة الإجازات CodeAstro 1.0 في بيئتك

2. قيد الوصول إلى /admin/search_staff_for_deletion.php باستخدام قواعد WAF أو سياسات جدار الحماية

3. تطبيق التحقق من الإدخال: تطهير معامل الاسم باستخدام الاستعلامات المعاملة والأحرف المسموحة

4. تفعيل قمع أخطاء SQL لمنع الكشف عن المعلومات



إرشادات التصحيح:

5. اتصل بـ CodeAstro للحصول على تحديثات أمان أو الترقية إلى نسخة معدلة

6. إذا لم يكن هناك تصحيح متاح، قم بتطبيق العبارات المحضرة والإجراءات المخزنة

7. تطبيق مبدأ أقل امتياز على حسابات قاعدة البيانات



الضوابط البديلة:

8. نشر قواعد WAF للكشف عن أنماط حقن SQL وحجبها

9. تطبيق مراقبة نشاط قاعدة البيانات (DAM)

10. تفعيل السجلات والتنبيهات الشاملة لوصول لوحة التحكم

11. إجراء تقييمات أمان واختبارات اختراق منتظمة

12. تطبيق المصادقة متعددة العوامل لوصول المسؤول

📋 Regulatory Compliance Mapping

🟢 NCA ECC 2024

ECC 2024 A.14.2.1 - Information security requirements for system development and maintenance ECC 2024 A.14.2.5 - Secure development policy ECC 2024 A.12.6.1 - Management of technical vulnerabilities

🔵 SAMA CSF

SAMA CSF ID.GV-1 - Organizational governance SAMA CSF PR.DS-6 - Data is protected from unauthorized access SAMA CSF DE.CM-1 - The network is monitored to detect potential cybersecurity events

🟡 ISO 27001:2022

ISO 27001:2022 A.8.1 - Organizational controls for information security ISO 27001:2022 A.14.2.1 - Secure development policy and procedures ISO 27001:2022 A.12.6.1 - Management of technical vulnerabilities

🟣 PCI DSS v4.0.1

PCI DSS 6.5.1 - Injection flaws prevention PCI DSS 6.2 - Security patches and updates

🔗 References & Sources 6

🔗

https://codeastro.com/

cna@vuldb.com

🔗

https://github.com/jimages/PoC/issues/1

cna@vuldb.com

🔗

https://vuldb.com/cve/CVE-2026-11506

cna@vuldb.com

🔗

https://vuldb.com/submit/835731

cna@vuldb.com

🔗

https://vuldb.com/vuln/369126

cna@vuldb.com

🔗

https://vuldb.com/vuln/369126/cti

cna@vuldb.com

📊 CVSS Score

6.3

/ 10.0 — Medium

📊 CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

Attack VectorN — None / Network

Attack ComplexityL — Low / Local

Privileges RequiredL — Low / Local

User InteractionN — None / Network

ScopeU — Unchanged

ConfidentialityL — Low / Local

IntegrityL — Low / Local

AvailabilityL — Low / Local

📋 Quick Facts

Severity Medium

CVSS Score6.3

CWECWE-74

EPSS0.03%

Exploit No

Patch ✗ No

Published 2026-06-08

Source Feed nvd

🇸🇦 Saudi Risk Score

6.8

/ 10.0 — Saudi Risk

Priority: HIGH

🏷️ Tags

CWE-74

⚡ Actions

🔗 NVD Official Page ⚡ Exploit-DB Search 🐙 GitHub PoC Search 🎯 MITRE ATT&CK 📊 CVE Details

CVE-2026-11506

Introduce Yourself

Sign In Required