CVE-2026-6201

MEDIUM

CodeAstro Online Job Portal Delete Job Posting job-delete.php access control

Title source: cna

Exploitation Summary

EIP tracks 1 public exploit for CVE-2026-6201. PoCs published by Xmyronn.

AI-analyzed exploit summary This repository provides a detailed technical analysis of an IDOR vulnerability (CVE-2026-6201) in CodeAstro's Online Job Portal, demonstrating how an authenticated employer can delete arbitrary job postings by manipulating the 'id' parameter in a GET request. The writeup includes step-by-step reproduction instructions, screenshots, and HTTP request/response examples.

Description

A vulnerability was identified in CodeAstro Online Job Portal 1.0. The impacted element is an unknown function of the file /jobs/job-delete.php of the component Delete Job Posting Handler. Such manipulation of the argument ID leads to improper access controls. The attack can be launched remotely. The exploit is publicly available and might be used.

Exploits (1)

nomisec WRITEUP

by Xmyronn · poc

https://github.com/Xmyronn/CVE-2026-6201-IDOR

View Code ZIP pw:eip

This repository provides a detailed technical analysis of an IDOR vulnerability (CVE-2026-6201) in CodeAstro's Online Job Portal, demonstrating how an authenticated employer can delete arbitrary job postings by manipulating the 'id' parameter in a GET request. The writeup includes step-by-step reproduction instructions, screenshots, and HTTP request/response examples.

Classification

Writeup 95%

Attack Type

Auth Bypass

Complexity

Trivial

Reliability

Reliable

Target: CodeAstro Online Job Portal Project in PHP MySQL 1.0

Auth required

Prerequisites: Two employer accounts on the target platform · Burp Suite or similar intercepting proxy

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1078 - Valid Accounts

devstral-2 · analyzed Apr 28, 2026 Full analysis →

References (5)

Core 5

Core References

Vdb Entry, Technical Description vdb-entry technical-description

VDB-357123 | CodeAstro Online Job Portal Delete Job Posting job-delete.php access control

https://vuldb.com/vuln/357123

Signature, Permissions Required signature permissions-required

VDB-357123 | CTI Indicators (IOB, IOC, TTP, IOA)

https://vuldb.com/vuln/357123/cti

Third Party Advisory third-party-advisory

Submit #797515 | CodeAstro Online Job Portal Project in PHP MySQL 1.0 Improper Access Controls

https://vuldb.com/submit/797515

Exploit exploit

https://github.com/Xmyronn/CodeAstro-Online-Job-Portal-IDOR.git

Product product

https://codeastro.com/

Scores

CVSS v3 5.4

EPSS 0.0033

EPSS Percentile 25.0%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact partial

Details

CWE

CWE-266 CWE-284

Status published

Products (1)

CodeAstro/Online Job Portal 1.0

Published Apr 13, 2026

Tracked Since Apr 14, 2026