A security vulnerability in A vulnerability (CVSS 7.3). Risk factors: public PoC available.
A critical SQL injection vulnerability exists in 1000projects ABC Courier Management version 1.0 affecting the /add_dealerrequest.php endpoint, where the 'Name' parameter is not properly sanitized. An unauthenticated remote attacker can exploit this vulnerability to execute arbitrary SQL queries, potentially leading to unauthorized data access, modification, or deletion. The vulnerability has been publicly disclosed with exploit code available, making it an active threat.
CVE-2025-7483 is a critical SQL injection vulnerability in PHPGurukul Vehicle Parking Management System version 1.13, specifically in the /users/forgot-password.php endpoint's email parameter. An unauthenticated remote attacker can exploit this to execute arbitrary SQL queries, potentially leading to unauthorized data access, modification, or deletion. The vulnerability has been publicly disclosed with proof-of-concept code available, making active exploitation a significant concern.
CVE-2025-7480 is a critical SQL injection vulnerability in PHPGurukul Vehicle Parking Management System version 1.13, located in the /users/signup.php file where the email parameter is inadequately sanitized. An unauthenticated remote attacker can exploit this vulnerability to execute arbitrary SQL queries, potentially leading to unauthorized data access, modification, or deletion. The vulnerability has been publicly disclosed with exploit code available, though no KEV or EPSS data is referenced in the provided intelligence.
CVE-2025-7478 is a critical SQL injection vulnerability in code-projects Modern Bag 1.0 affecting the /admin/category-list.php file, where the 'idCate' parameter is not properly sanitized, allowing unauthenticated remote attackers to execute arbitrary SQL queries. The vulnerability has been publicly disclosed with working exploits available, and while classified as critical in the original report, the CVSS 7.3 score indicates moderate-to-high real-world risk with potential for data exfiltration, modification, and denial of service. Active exploitation is likely given public POC availability and the ease of the attack vector.
CVE-2025-7474 is a critical SQL injection vulnerability in code-projects Job Diary 1.0 affecting the /search.php file's Search parameter, allowing unauthenticated remote attackers to execute arbitrary SQL commands with potential data exfiltration, modification, and application disruption. The exploit has been publicly disclosed with proof-of-concept code available, and the vulnerability meets the criteria for inclusion in CISA's Known Exploited Vulnerabilities (KEV) catalog due to active real-world exploitation.
CVE-2025-7461 is a critical SQL injection vulnerability in code-projects Modern Bag version 1.0, located in the /action.php file's proId parameter, allowing unauthenticated remote attackers to execute arbitrary SQL queries and potentially access, modify, or delete database contents. The vulnerability has been publicly disclosed with exploit code available, and the CVSS 7.3 score reflects moderate confidentiality, integrity, and availability impact; however, the attack requires no authentication or user interaction, making it immediately exploitable in network-accessible deployments.
CVE-2025-7476 is a critical SQL injection vulnerability in code-projects Simple Car Rental System 1.0 affecting the /admin/approve.php endpoint's ID parameter. An unauthenticated remote attacker can exploit this to execute arbitrary SQL queries, potentially leading to unauthorized data access, modification, or deletion. The vulnerability has been publicly disclosed with exploit code available, elevating real-world risk despite the CVSS 7.3 score suggesting moderate impact.
CVE-2025-7475 is a critical SQL injection vulnerability in code-projects Simple Car Rental System version 1.0, located in the /pay.php file where the 'mpesa' parameter is insufficiently sanitized. An unauthenticated remote attacker can exploit this vulnerability to execute arbitrary SQL queries, potentially leading to unauthorized data access, modification, or deletion of database records. The vulnerability has been publicly disclosed with proof-of-concept availability, indicating active exploitation risk in real-world deployments.
CVE-2025-7471 is a critical SQL injection vulnerability in code-projects Modern Bag version 1.0 affecting the /admin/login-back.php endpoint. An unauthenticated remote attacker can inject malicious SQL code via the 'user-name' parameter to compromise confidentiality, integrity, and availability of the application and underlying database. The vulnerability has been publicly disclosed with proof-of-concept code available, increasing real-world exploitation risk.
CVE-2025-7469 is a critical SQL injection vulnerability in Campcodes Sales and Inventory System 1.0 affecting the product addition functionality (/pages/product_add.php). An unauthenticated remote attacker can manipulate the 'prod_name' parameter to execute arbitrary SQL commands, potentially leading to unauthorized data access, modification, or deletion. The vulnerability has been publicly disclosed with proof-of-concept code available, making active exploitation likely in the near term.
CVE-2025-7467 is a critical SQL injection vulnerability in code-projects Modern Bag version 1.0 affecting the /product-detail.php file's ID parameter, allowing unauthenticated remote attackers to execute arbitrary SQL queries and potentially exfiltrate, modify, or delete database contents. The vulnerability has been publicly disclosed with exploit code available, and the CVSS 7.3 score reflects moderate-to-high real-world impact with low attack complexity and no authentication requirements.
CVE-2023-39338 is a security vulnerability (CVSS 6.8) that allows the user. Remediation should follow standard vulnerability management procedures.
IBM Storage Scale 5.2.3.0 and 5.2.3.1 could allow an authenticated user to obtain sensitive information from files due to the insecure permissions inherited through the SMB protocol.
The Modern Events Calendar Lite plugin for WordPress is vulnerable to SQL Injection via the 'id' parameter of the 'wp_ajax_mec_load_single_page' AJAX action in all versions up to, and including, 6.3.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. This is only exploitable on sites with addslashes disabled.
A hardcoded secret in Ivanti DSM before 2024.2 allows an authenticated attacker on an adjacent network to decrypt sensitive data including user credentials.
A vulnerability exists on all versions of Ivanti Policy Secure below 22.6R1 where an authenticated administrator can perform an arbitrary file read via a maliciously crafted web request.
The RSFirewall! plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.1.42 via the get_local_filename() function. This makes it possible for authenticated attackers, with Administrator-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information.
A vulnerability was found in Artifex GhostPDL up to 3989415a5b8e99b9d1b87cc9902bde9b7cdea145. It has been classified as problematic. This affects the function pdf_ferror of the file devices/vector/gdevpdf.c of the component New Output File Open Error Handler. The manipulation leads to null pointer dereference. It is possible to initiate the attack remotely. The identifier of the patch is 619a106ba4c4abed95110f84d5efcd7aee38c7cb. It is recommended to apply a patch to fix this issue.