CVE-2026-12130
3.5 LOW
A security flaw has been discovered in CodeAstro Human Resource Management System 1.0
Published: 2026-06-12 · Last updated: 2026-06-12
Severity and scoring
- CVSS: 3.5 LOW
- Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N
- CWE: CWE-79, CWE-94
Description
A security flaw has been discovered in CodeAstro Human Resource Management System 1.0. This affects an unknown part of the file /Projects/Add_Projects of the component Projects Management Page. The manipulation of the argument protitle results in cross-site scripting. The attack may be launched remotely. The exploit has been released to the public and may be used for attacks.
Source: NVD
References
- [NVD] https://nvd.nist.gov/vuln/detail/CVE-2026-12130
- [Other] https://codeastro.com/
- [Other] https://github.com/ashikmd0507/CVE/tree/main/Stored-XSS-via-Project-Title
- [Other] https://vuldb.com/cve/CVE-2026-12130
- [Other] https://vuldb.com/submit/837202
- [Other] https://vuldb.com/vuln/370615
- [Other] https://vuldb.com/vuln/370615/cti
Related CVEs
Same CWE
- CVE-2026-12176 — A vulnerability has been found in SourceCodester CET Automated Grading System with AI Predictive Analytics 1.0 (4.3 MEDIUM)
- CVE-2026-5513 — The Online Scheduling and Appointment Booking System – Bookly plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the '... (7.2 HIGH)
- CVE-2026-9629 — The Canvas plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'tag' parameter in all versions up to, and including... (6.4 MEDIUM)
- CVE-2026-3297 — The Page Builder: Pagelayer – Drag and Drop website builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Anc... (6.4 MEDIUM)
- CVE-2026-9134 — The FooGallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'custom_attribute_key' shortcode parameter in ve... (6.4 MEDIUM)