Skip to main content
CVE-2025-7470 MEDIUM POC This Month

A security vulnerability in A vulnerability (CVSS 7.3). Risk factors: public PoC available.

File Upload PHP Authentication Bypass
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.1%
CVE-2025-7466 MEDIUM POC This Month

A critical SQL injection vulnerability exists in 1000projects ABC Courier Management version 1.0 affecting the /add_dealerrequest.php endpoint, where the 'Name' parameter is not properly sanitized. An unauthenticated remote attacker can exploit this vulnerability to execute arbitrary SQL queries, potentially leading to unauthorized data access, modification, or deletion. The vulnerability has been publicly disclosed with exploit code available, making it an active threat.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.1%
CVE-2025-7483 MEDIUM POC This Month

CVE-2025-7483 is a critical SQL injection vulnerability in PHPGurukul Vehicle Parking Management System version 1.13, specifically in the /users/forgot-password.php endpoint's email parameter. An unauthenticated remote attacker can exploit this to execute arbitrary SQL queries, potentially leading to unauthorized data access, modification, or deletion. The vulnerability has been publicly disclosed with proof-of-concept code available, making active exploitation a significant concern.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.1%
CVE-2025-7480 MEDIUM POC This Month

CVE-2025-7480 is a critical SQL injection vulnerability in PHPGurukul Vehicle Parking Management System version 1.13, located in the /users/signup.php file where the email parameter is inadequately sanitized. An unauthenticated remote attacker can exploit this vulnerability to execute arbitrary SQL queries, potentially leading to unauthorized data access, modification, or deletion. The vulnerability has been publicly disclosed with exploit code available, though no KEV or EPSS data is referenced in the provided intelligence.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.1%
CVE-2025-7478 MEDIUM POC This Month

CVE-2025-7478 is a critical SQL injection vulnerability in code-projects Modern Bag 1.0 affecting the /admin/category-list.php file, where the 'idCate' parameter is not properly sanitized, allowing unauthenticated remote attackers to execute arbitrary SQL queries. The vulnerability has been publicly disclosed with working exploits available, and while classified as critical in the original report, the CVSS 7.3 score indicates moderate-to-high real-world risk with potential for data exfiltration, modification, and denial of service. Active exploitation is likely given public POC availability and the ease of the attack vector.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.1%
CVE-2025-7474 MEDIUM POC This Month

CVE-2025-7474 is a critical SQL injection vulnerability in code-projects Job Diary 1.0 affecting the /search.php file's Search parameter, allowing unauthenticated remote attackers to execute arbitrary SQL commands with potential data exfiltration, modification, and application disruption. The exploit has been publicly disclosed with proof-of-concept code available, and the vulnerability meets the criteria for inclusion in CISA's Known Exploited Vulnerabilities (KEV) catalog due to active real-world exploitation.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.1%
CVE-2025-7461 MEDIUM POC This Month

CVE-2025-7461 is a critical SQL injection vulnerability in code-projects Modern Bag version 1.0, located in the /action.php file's proId parameter, allowing unauthenticated remote attackers to execute arbitrary SQL queries and potentially access, modify, or delete database contents. The vulnerability has been publicly disclosed with exploit code available, and the CVSS 7.3 score reflects moderate confidentiality, integrity, and availability impact; however, the attack requires no authentication or user interaction, making it immediately exploitable in network-accessible deployments.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.1%
CVE-2025-7476 MEDIUM POC This Month

CVE-2025-7476 is a critical SQL injection vulnerability in code-projects Simple Car Rental System 1.0 affecting the /admin/approve.php endpoint's ID parameter. An unauthenticated remote attacker can exploit this to execute arbitrary SQL queries, potentially leading to unauthorized data access, modification, or deletion. The vulnerability has been publicly disclosed with exploit code available, elevating real-world risk despite the CVSS 7.3 score suggesting moderate impact.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2025-7475 MEDIUM POC This Month

CVE-2025-7475 is a critical SQL injection vulnerability in code-projects Simple Car Rental System version 1.0, located in the /pay.php file where the 'mpesa' parameter is insufficiently sanitized. An unauthenticated remote attacker can exploit this vulnerability to execute arbitrary SQL queries, potentially leading to unauthorized data access, modification, or deletion of database records. The vulnerability has been publicly disclosed with proof-of-concept availability, indicating active exploitation risk in real-world deployments.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2025-7471 MEDIUM POC This Month

CVE-2025-7471 is a critical SQL injection vulnerability in code-projects Modern Bag version 1.0 affecting the /admin/login-back.php endpoint. An unauthenticated remote attacker can inject malicious SQL code via the 'user-name' parameter to compromise confidentiality, integrity, and availability of the application and underlying database. The vulnerability has been publicly disclosed with proof-of-concept code available, increasing real-world exploitation risk.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2025-7469 MEDIUM POC This Month

CVE-2025-7469 is a critical SQL injection vulnerability in Campcodes Sales and Inventory System 1.0 affecting the product addition functionality (/pages/product_add.php). An unauthenticated remote attacker can manipulate the 'prod_name' parameter to execute arbitrary SQL commands, potentially leading to unauthorized data access, modification, or deletion. The vulnerability has been publicly disclosed with proof-of-concept code available, making active exploitation likely in the near term.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2025-7467 MEDIUM POC This Month

CVE-2025-7467 is a critical SQL injection vulnerability in code-projects Modern Bag version 1.0 affecting the /product-detail.php file's ID parameter, allowing unauthenticated remote attackers to execute arbitrary SQL queries and potentially exfiltrate, modify, or delete database contents. The vulnerability has been publicly disclosed with exploit code available, and the CVSS 7.3 score reflects moderate-to-high real-world impact with low attack complexity and no authentication requirements.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2023-39338 MEDIUM PATCH This Month

CVE-2023-39338 is a security vulnerability (CVSS 6.8) that allows the user. Remediation should follow standard vulnerability management procedures.

Information Disclosure
NVD
CVSS 3.0
6.8
EPSS
1.3%
CVE-2025-36104 MEDIUM This Month

IBM Storage Scale 5.2.3.0 and 5.2.3.1 could allow an authenticated user to obtain sensitive information from files due to the insecure permissions inherited through the SMB protocol.

Information Disclosure IBM Storage Scale
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2021-4458 MEDIUM PATCH This Month

The Modern Events Calendar Lite plugin for WordPress is vulnerable to SQL Injection via the 'id' parameter of the 'wp_ajax_mec_load_single_page' AJAX action in all versions up to, and including, 6.3.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. This is only exploitable on sites with addslashes disabled.

WordPress SQLi Modern Events Calendar Lite
NVD
CVSS 3.1
5.9
EPSS
0.1%
CVE-2024-38648 MEDIUM PATCH This Month

A hardcoded secret in Ivanti DSM before 2024.2 allows an authenticated attacker on an adjacent network to decrypt sensitive data including user credentials.

Information Disclosure Ivanti Authentication Bypass
NVD
CVSS 3.1
5.7
EPSS
0.0%
CVE-2023-39339 MEDIUM PATCH This Month

A vulnerability exists on all versions of Ivanti Policy Secure below 22.6R1 where an authenticated administrator can perform an arbitrary file read via a maliciously crafted web request.

Ivanti Path Traversal Policy Secure
NVD
CVSS 3.0
4.9
EPSS
1.0%
CVE-2025-7518 MEDIUM This Month

The RSFirewall! plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.1.42 via the get_local_filename() function. This makes it possible for authenticated attackers, with Administrator-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information.

WordPress Path Traversal PHP
NVD
CVSS 3.1
4.9
EPSS
0.1%
CVE-2025-7462 MEDIUM PATCH This Month

A vulnerability was found in Artifex GhostPDL up to 3989415a5b8e99b9d1b87cc9902bde9b7cdea145. It has been classified as problematic. This affects the function pdf_ferror of the file devices/vector/gdevpdf.c of the component New Output File Open Error Handler. The manipulation leads to null pointer dereference. It is possible to initiate the attack remotely. The identifier of the patch is 619a106ba4c4abed95110f84d5efcd7aee38c7cb. It is recommended to apply a patch to fix this issue.

Denial Of Service Ubuntu Debian
NVD VulDB
CVSS 3.1
4.3
EPSS
0.1%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy