In PHP versions:8.1.* before 8.1.33, 8.2.* before 8.2.29, 8.3.* before 8.3.23, 8.4.* before 8.4.10 when parsing XML data in SOAP extensions, overly large (>2Gb) XML namespace prefix may lead to null pointer dereference. This may lead to crashes and affect the availability of the target server.
CVE-2025-7538 is a critical unrestricted file upload vulnerability in Campcodes Sales and Inventory System version 1.0, specifically in the /pages/product_update.php file's image parameter handling. An unauthenticated remote attacker can upload arbitrary files without restriction, potentially leading to remote code execution, data compromise, and system availability impact. The vulnerability has been publicly disclosed with exploit code available, making active exploitation a significant concern.
CVE-2025-7547 is a critical unrestricted file upload vulnerability in Campcodes Online Movie Theater Seat Reservation System version 1.0, affecting the save_movie function in /admin/admin_class.php. An unauthenticated remote attacker can manipulate the 'cover' parameter to upload arbitrary files, potentially leading to remote code execution, data compromise, and service disruption. The exploit has been publicly disclosed and may be actively exploited in the wild.
CVE-2025-7521 is a critical SQL injection vulnerability in PHPGurukul Vehicle Parking Management System version 1.13, specifically in the /admin/index.php file's Username parameter. An unauthenticated remote attacker can exploit this to execute arbitrary SQL queries, potentially leading to unauthorized data access, modification, or system compromise. The vulnerability has been publicly disclosed with proof-of-concept code available, creating immediate exploitation risk.
CVE-2025-7541 is a critical SQL injection vulnerability in code-projects Online Appointment Booking System version 1.0, affecting the /get_town.php endpoint where the 'countryid' parameter is inadequately sanitized. An unauthenticated remote attacker can exploit this vulnerability to execute arbitrary SQL queries, potentially leading to unauthorized data access, modification, or deletion of the appointment booking system database. The vulnerability has been publicly disclosed with proof-of-concept code available, significantly increasing real-world exploitation risk.
CVE-2025-7540 is a critical SQL injection vulnerability in code-projects Online Appointment Booking System 1.0 affecting the /getclinic.php file's townid parameter. An unauthenticated remote attacker can exploit this to execute arbitrary SQL queries, potentially compromising confidentiality, integrity, and availability of the database. The vulnerability has been publicly disclosed with exploit code available, creating immediate operational risk for deployed instances.
CVE-2025-7539 is a critical SQL injection vulnerability in code-projects Online Appointment Booking System version 1.0, specifically in the /getdoctordaybooking.php file via the 'cid' parameter. The vulnerability allows unauthenticated remote attackers to execute arbitrary SQL queries, potentially leading to unauthorized data access, modification, or deletion of database records. Exploitation has been publicly disclosed with proof-of-concept availability, and the vulnerability may be actively exploited in the wild.
CVE-2025-7537 is a critical SQL injection vulnerability in Campcodes Sales and Inventory System version 1.0 affecting the /pages/product_update.php file. An unauthenticated remote attacker can manipulate the 'ID' parameter to execute arbitrary SQL queries, potentially leading to unauthorized data access, modification, or deletion. Public exploit disclosure and active exploitation indicators suggest immediate remediation is warranted.
CVE-2025-7536 is a critical SQL injection vulnerability in Campcodes Sales and Inventory System 1.0 affecting the /pages/receipt_credit.php endpoint via the 'sid' parameter. An unauthenticated remote attacker can exploit this to execute arbitrary SQL commands, potentially leading to unauthorized data access, modification, or system compromise. The vulnerability has been publicly disclosed with proof-of-concept code available, indicating active exploitation risk.
CVE-2025-7535 is a critical SQL injection vulnerability in Campcodes Sales and Inventory System version 1.0, located in the /pages/reprint_cash.php file's 'sid' parameter. An unauthenticated remote attacker can exploit this vulnerability to execute arbitrary SQL queries, potentially leading to unauthorized data access, modification, or deletion. The vulnerability has been publicly disclosed with exploits available, making it an immediate threat to deployed instances.
CVE-2025-7534 is a critical SQL injection vulnerability in PHPGurukul Student Result Management System 2.0, exploitable through the 'nid' GET parameter in /notice-details.php. An unauthenticated remote attacker can manipulate this parameter to execute arbitrary SQL queries, potentially compromising confidentiality, integrity, and availability of the application database. Public exploit disclosure and confirmed attack surface (unauthenticated, network-accessible endpoint) elevate real-world risk despite the moderate CVSS 7.3 score.
CVE-2025-7533 is a SQL injection vulnerability in code-projects Job Diary 1.0 affecting the /view-details.php file through the job_id parameter, allowing unauthenticated remote attackers to execute arbitrary SQL queries and potentially read, modify, or delete database contents. The vulnerability has a CVSS score of 7.3 (High) with public exploit disclosure and proof-of-concept availability, indicating active exploitation risk in the wild. This is a critical severity issue for all deployments of the affected version with direct database access implications.
CVE-2025-7517 is a critical SQL injection vulnerability in code-projects Online Appointment Booking System version 1.0, specifically in the /getDay.php file's cidval parameter. An unauthenticated remote attacker can exploit this vulnerability to inject arbitrary SQL commands, potentially leading to unauthorized data access, modification, or deletion. The vulnerability has been publicly disclosed with exploit code available, and exploitation requires no special privileges or user interaction, making it an immediate threat to deployed instances.
CVE-2025-7516 is a critical SQL injection vulnerability in code-projects Online Appointment Booking System version 1.0, affecting the /cancelbookingpatient.php endpoint via the 'appointment' parameter. An unauthenticated remote attacker can exploit this to execute arbitrary SQL queries, potentially leading to unauthorized data access, modification, or deletion of appointment records and sensitive patient information. Public disclosure and proof-of-concept availability indicate active exploitation risk.
CVE-2025-7515 is a critical SQL injection vulnerability in code-projects Online Appointment Booking System version 1.0, specifically in the /ulocateus.php file where the 'doctorname' parameter is insufficiently sanitized. An unauthenticated remote attacker can exploit this to execute arbitrary SQL queries, potentially leading to unauthorized data access, modification, or deletion of database contents. The vulnerability has been publicly disclosed with proof-of-concept code available, increasing real-world exploitation risk.
A SQL injection vulnerability exists in code-projects Modern Bag version 1.0, specifically in the /admin/contact-list.php file where the 'idStatus' parameter is insufficiently sanitized. An unauthenticated remote attacker can exploit this to execute arbitrary SQL queries, potentially leading to unauthorized data access, modification, or deletion. The vulnerability has been publicly disclosed with proof-of-concept code available, making active exploitation likely.
CVE-2025-7513 is a critical SQL injection vulnerability in code-projects Modern Bag 1.0 affecting the /admin/slideupdate.php endpoint, where unsanitized idSlide parameter input allows unauthenticated remote attackers to execute arbitrary SQL queries. The vulnerability has been publicly disclosed with exploits available, enabling attackers to read, modify, or delete database records with moderate confidentiality, integrity, and availability impact.
CVE-2025-7512 is a critical SQL injection vulnerability in code-projects Modern Bag version 1.0, affecting the /contact-back.php file's contact-name parameter. An unauthenticated remote attacker can exploit this vulnerability to execute arbitrary SQL queries, potentially leading to unauthorized data access, modification, or deletion. The vulnerability has public exploit disclosure and demonstrates active exploitation potential with a CVSS score of 7.3.
CVE-2025-7510 is a critical SQL injection vulnerability in code-projects Modern Bag 1.0 affecting the /admin/productadd_back.php file, where the 'namepro' parameter is improperly sanitized allowing remote unauthenticated attackers to execute arbitrary SQL queries. The vulnerability has been publicly disclosed with exploit code available, and carries a CVSS 7.3 score indicating moderate-to-high real-world risk with low attack complexity. An attacker can extract, modify, or delete database contents without authentication, compromising confidentiality, integrity, and availability of the application.
CVE-2025-7509 is a critical SQL injection vulnerability in code-projects Modern Bag 1.0 affecting the /admin/slide.php endpoint via the idSlide parameter. An unauthenticated remote attacker can exploit this with no user interaction to execute arbitrary SQL queries, potentially leading to unauthorized data access, modification, or deletion. The vulnerability has been publicly disclosed with exploit code available, increasing real-world exploitation risk.
CVE-2025-7508 is a critical SQL injection vulnerability in code-projects Modern Bag 1.0 affecting the /admin/product-update.php endpoint, where the 'idProduct' parameter is improperly validated before database queries. An unauthenticated remote attacker can exploit this to execute arbitrary SQL commands, potentially exfiltrating sensitive data, modifying product information, or gaining further system access. The vulnerability has public exploit disclosure and active real-world exploitation is likely given the low attack complexity and lack of authentication requirements.
CVE-2025-7523 is an XML External Entity (XXE) injection vulnerability in Jinher OA 1.0 affecting the /c6/Jhsoft.Web.message/ToolBar/DelTemp.aspx endpoint. An unauthenticated remote attacker can exploit this to read sensitive files, modify data, or cause denial of service with low attack complexity. The vulnerability has been publicly disclosed with exploit code available, increasing real-world exploitation risk.
CVE-2025-7542 is a critical SQL injection vulnerability in PHPGurukul User Registration & Login and User Management System version 3.3, located in the /admin/user-profile.php file where the 'uid' parameter is not properly sanitized. An unauthenticated remote attacker can exploit this vulnerability to execute arbitrary SQL queries, potentially leading to unauthorized data access, modification, or system compromise. The vulnerability has been publicly disclosed with proof-of-concept code available, and exploitation requires no special privileges or user interaction, making it a high-priority threat for affected deployments.
In Roundup before 2.5.0, XSS can occur via interaction between URLs and issue tracker templates (devel and responsive).
In PHP versions:8.1.* before 8.1.33, 8.2.* before 8.2.29, 8.3.* before 8.3.23, 8.4.* pgsql and pdo_pgsql escaping functions do not check if the underlying quoting functions returned errors. This could cause crashes if Postgres server rejects the string as invalid.