Critical SQL Injection Vulnerability in CodeAstro Attendance System (CVE-2026-37749)

Severity: High (Score: 78.0)

Sources: cve.akaoma.com, infosec.exchange, github.com, Feedly, exploit-intel.com

Summary

A critical SQL injection vulnerability, identified as CVE-2026-37749, has been discovered in CodeAstro Simple Attendance Management System v1.0. This flaw allows remote unauthenticated attackers to bypass authentication through the username parameter in index.php, potentially granting unauthorized access to sensitive attendance records. The vulnerability can be exploited over the network without user interaction, making it particularly dangerous. A proof-of-concept exploit has been released, and a CVSS score of 9.8 indicates its critical nature. Immediate patching is recommended, and if patches cannot be applied, restricting network access to trusted sources is advised. The vulnerability was published on April 17, 2026, and has no confirmed exploitation reports as of now. Security professionals are urged to implement input validation and monitor database logs for suspicious activities. Key Points: • CVE-2026-37749 is a critical SQL injection vulnerability in CodeAstro Simple Attendance Management System. • Remote unauthenticated attackers can exploit this flaw to access sensitive data without valid credentials. • Immediate patching is recommended, with a CVSS score of 9.8 highlighting its severity.

Key Entities

• Sql Injection (attack_type)
• CVE-2026-37749 (cve)
• Cwe-89 - SQL Injection (cwe)
• T1190 - Exploit Public-Facing Application (mitre_attack)
• CodeAstro Simple Attendance Management System (platform)