Executive Summary
CVE-2026-13537 is a critical Cross-Site Request Forgery (CSRF) vulnerability affecting CodeAstro Human Resource Management System (HRMS) version 1.0. This vulnerability enables remote attackers to execute unauthorized actions on behalf of authenticated users by leveraging crafted web requests. Public proof-of-concept (PoC) code is available, and exploitation is possible in the wild. However, as of this report, the vulnerability is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, and there is no CISA-confirmed evidence of active exploitation. Organizations using CodeAstro HRMS should urgently assess their exposure and implement robust mitigations to prevent unauthorized manipulation of sensitive HR data.
Technical Information
CVE-2026-13537 targets CodeAstro Human Resource Management System version 1.0 and is classified as a Cross-Site Request Forgery (CSRF) vulnerability. The flaw arises from the absence of anti-CSRF tokens and insufficient validation of HTTP request origins on sensitive endpoints. Attackers can exploit this by tricking authenticated users into visiting malicious web pages or clicking crafted links, which then submit unauthorized requests using the victim's session credentials.
The vulnerability is cataloged under CWE-352 (Cross-Site Request Forgery) and CWE-862 (Missing Authorization). The attack vector is remote, requiring the victim to be authenticated and to interact with a malicious resource. The CVSS v3.1 base score is 4.3 (Medium), with a vector of AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N, and the CVSS v4.0 base score is 2.1 (Low), with a vector of CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P.
A typical attack scenario involves an adversary hosting a web page containing a form that submits a POST request to a sensitive HRMS endpoint, such as department deletion or user management. If an authenticated user visits this page, the browser automatically includes the user's session cookies, causing the action to be executed as if performed by the user. The lack of CSRF tokens and insufficient origin validation make such attacks feasible.
Exploitation in the Wild
Public PoC code and technical write-ups for CVE-2026-13537 are available, notably on GitHub. The exploit demonstrates the attack using a simple HTML form targeting the department deletion endpoint of the CodeAstro HRMS. The NVD and VulDB confirm that the exploit has been made public and could be used in the wild. However, as of this writing, CVE-2026-13537 is not listed in the CISA KEV catalog, and there is no CISA-confirmed evidence of active exploitation. No specific APT or criminal group attribution has been reported.
APT Groups using this vulnerability
There is currently no public attribution of CVE-2026-13537 exploitation to any Advanced Persistent Threat (APT) groups or organized cybercriminal entities. The exploit is public and may be leveraged by opportunistic attackers, but no targeted campaigns or sector-specific attacks have been documented as of this report.
Affected Product Versions
The affected product is CodeAstro Human Resource Management System version 1.0. No other versions are listed as affected in the NVD, VulDB, or vendor advisories as of the date of this report. Organizations running this version should consider themselves at risk and take immediate action.
Workaround and Mitigation
To mitigate CVE-2026-13537, organizations should implement the following technical controls:
- Protect every state-changing operation in CodeAstro HRMS with a unique, unpredictable CSRF token that the server validates on each request.
- Validate the Origin and Referer headers on all sensitive requests so that only requests originating from trusted sources are accepted.
- Set session cookies with the SameSite=Strict or SameSite=Lax attribute so the browser does not attach them to cross-site requests. Note that SameSite=Lax still sends the cookie on top-level GET navigations, so it only protects a destructive action if that action is not reachable by a plain GET URL.
- Enforce proper authorization checks on every endpoint that performs a sensitive action, so that only users with the appropriate privileges can execute critical operations.
- Do not perform destructive operations via simple URL parameters; instead, require explicit user confirmation and apply role-based access controls to critical actions.
- Update and patch the HRMS application regularly as security advisories are released.
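As an added, hypothetical illustration of these controls (not code from CodeAstro HRMS, which is a PHP application), the following Python request guard refuses the cross-site form submission described in the attack scenario: it rejects bare-GET access to the Delete_dep route named in the public PoC, checks Origin/Referer against an assumed trusted origin (hrms.example.internal), validates a per-session token with a constant-time comparison, and emits a SameSite=Strict session cookie.

```python
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlsplit
# Assumed deployment values (hypothetical, not taken from the HRMS code base).
TRUSTED_ORIGINS = {"https://hrms.example.internal"}
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}
DESTRUCTIVE_PREFIXES = ("/hrsystem/organization/Delete_dep/",)  # never reachable by bare GET

@dataclass
class Request:
    method: str
    path: str
    headers: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)
    session: dict = field(default_factory=dict)

def issue_csrf_token(session):
    """Bind one unpredictable token to the session; the app embeds it in every form."""
    if "csrf_token" not in session:
        session["csrf_token"] = secrets.token_urlsafe(32)
    return session["csrf_token"]

def _source_origin(headers):
    """Prefer the Origin header; fall back to scheme+host of Referer; None if absent."""
    origin = headers.get("Origin")
    if origin:
        return origin.rstrip("/")
    parts = urlsplit(headers.get("Referer", ""))
    return f"{parts.scheme}://{parts.netloc}" if parts.scheme and parts.netloc else None

def check_csrf(req):
    """Return (allowed, reason): state-changing requests need a trusted origin AND a valid token."""
    method = req.method.upper()
    if req.path.startswith(DESTRUCTIVE_PREFIXES) and method in SAFE_METHODS:
        return False, "destructive route requires POST"
    if method in SAFE_METHODS:
        return True, "safe method"
    origin = _source_origin(req.headers)
    if origin not in TRUSTED_ORIGINS:
        return False, f"untrusted or missing origin: {origin!r}"
    expected = req.session.get("csrf_token")
    supplied = req.form.get("csrf_token", "")
    # compare_digest is constant-time, so the token cannot be recovered byte by byte.
    if not expected or not secrets.compare_digest(expected, supplied):
        return False, "missing or invalid csrf token"
    return True, "ok"

def session_cookie_header(session_id):
    """Set-Cookie value: SameSite=Strict keeps the cookie off every cross-site request."""
    return f"PHPSESSID={session_id}; Path=/; HttpOnly; Secure; SameSite=Strict"
```

The guard assumes the deletion route has already been moved from a GET URL to a POST form; with the route still on GET, only the first check fires, which is why the advisory lists that change as its own control.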
Indicators of Compromise
The following indicators of compromise (IOCs) were extracted from public PoC sources. These IOCs are point-in-time and should be validated before enforcement, as actual exploitation in the wild may use different infrastructure.
Type | Indicator | Reported (date) | Source
---- | --------- | --------------- | ------
IPv4 | 192[.]168[.]1[.]37 | 2026-05-29 | https://github.com/ashikmd0507/CVE/tree/main/CSRF%20in%20Department%20Deletion%20Endpoint
URL | hxxp://192[.]168[.]1[.]37/hrsystem/organization/Delete_dep/12 | 2026-05-29 | https://github.com/ashikmd0507/CVE/tree/main/CSRF%20in%20Department%20Deletion%20Endpoint
Note: These IOCs are derived from proof-of-concept code and may not represent real-world attacker infrastructure. In particular, 192[.]168[.]1[.]37 is an RFC 1918 private address (the PoC's lab target) and is not usable as a network blocklist entry; the durable indicator is the endpoint path /hrsystem/organization/Delete_dep/<id>, which should be monitored for requests not initiated from the HRMS user interface.
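Because the PoC's address indicators are not reusable, the endpoint itself is the signal a defender can monitor. The following Python snippet, added here and not part of the advisory or the HRMS project, scans constructed Apache/nginx combined-format access log lines (assumed HRMS host name hrms.example.internal) and flags Delete_dep requests whose Referer is missing or belongs to a different host, which is how a CSRF-triggered deletion differs from one clicked inside the application.

```python
import re
from urllib.parse import urlsplit

# Hypothetical host name of the HRMS instance (assumption, not from the advisory).
HRMS_HOST = "hrms.example.internal"
# Endpoint named in the public PoC for CVE-2026-13537.
DELETE_DEP = re.compile(r"^/hrsystem/organization/Delete_dep/\d+")

# Apache/nginx "combined" log format: ip ident user [time] "req" status bytes "referer" "ua".
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

def referer_host(referer):
    return urlsplit(referer).hostname if referer and referer != "-" else None

def flag_csrf_deletions(lines):
    """Return (ip, time, method, path, referer) for Delete_dep hits not initiated from the HRMS host."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not DELETE_DEP.match(m["path"]):
            continue
        host = referer_host(m["referer"])
        # A legitimate deletion is clicked inside the HRMS UI, so its Referer is the HRMS host.
        # A CSRF request carries the attacker page's host, or no Referer at all.
        if host != HRMS_HOST:
            hits.append((m["ip"], m["time"], m["method"], m["path"], m["referer"]))
    return hits

# Constructed sample lines (not real traffic): one legitimate deletion, one cross-site POST, one bare GET.
SAMPLE_LOG = [
    '10.0.0.5 - - [29/May/2026:10:01:02 +0000] "POST /hrsystem/organization/Delete_dep/7 HTTP/1.1" 302 0 "https://hrms.example.internal/hrsystem/organization/" "Mozilla/5.0"',
    '10.0.0.9 - - [29/May/2026:10:03:44 +0000] "POST /hrsystem/organization/Delete_dep/12 HTTP/1.1" 302 0 "http://attacker-site.example/offer.html" "Mozilla/5.0"',
    '10.0.0.9 - - [29/May/2026:10:04:10 +0000] "GET /hrsystem/organization/Delete_dep/13 HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [29/May/2026:10:05:00 +0000] "GET /hrsystem/dashboard HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in flag_csrf_deletions(SAMPLE_LOG):
        print("possible CSRF deletion:", hit)
```

An absent Referer is a weak signal on its own, since a Referrer-Policy or a privacy extension can strip it; correlate flagged entries with the session owner's surrounding activity before treating them as confirmed exploitation.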
References
- NVD Entry for CVE-2026-13537
- VulDB Entry
- CodeAstro Official Site
- GitHub PoC for Department Deletion Endpoint
Rescana is here for you
Rescana empowers organizations to manage third-party risk and supply chain security with our advanced TPRM platform, providing continuous monitoring, actionable intelligence, and automated workflows to help you stay ahead of emerging threats. We are happy to answer any questions at info@rescana.com.