Skip to main content
CVE-2025-6491 MEDIUM POC PATCH This Month

In PHP versions:8.1.* before 8.1.33, 8.2.* before 8.2.29, 8.3.* before 8.3.23, 8.4.* before 8.4.10 when parsing XML data in SOAP extensions, overly large (>2Gb) XML namespace prefix may lead to null pointer dereference. This may lead to crashes and affect the availability of the target server.

PHP Null Pointer Dereference Denial Of Service Debian Red Hat +1
NVD GitHub
CVSS 3.1
5.9
EPSS
0.2%
CVE-2025-7538 MEDIUM POC This Month

CVE-2025-7538 is a critical unrestricted file upload vulnerability in Campcodes Sales and Inventory System version 1.0, specifically in the /pages/product_update.php file's image parameter handling. An unauthenticated remote attacker can upload arbitrary files without restriction, potentially leading to remote code execution, data compromise, and system availability impact. The vulnerability has been publicly disclosed with exploit code available, making active exploitation a significant concern.

File Upload PHP Authentication Bypass
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.1%
CVE-2025-7547 MEDIUM POC This Month

CVE-2025-7547 is a critical unrestricted file upload vulnerability in Campcodes Online Movie Theater Seat Reservation System version 1.0, affecting the save_movie function in /admin/admin_class.php. An unauthenticated remote attacker can manipulate the 'cover' parameter to upload arbitrary files, potentially leading to remote code execution, data compromise, and service disruption. The exploit has been publicly disclosed and may be actively exploited in the wild.

File Upload PHP Authentication Bypass
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.1%
CVE-2025-7521 MEDIUM POC This Month

CVE-2025-7521 is a critical SQL injection vulnerability in PHPGurukul Vehicle Parking Management System version 1.13, specifically in the /admin/index.php file's Username parameter. An unauthenticated remote attacker can exploit this to execute arbitrary SQL queries, potentially leading to unauthorized data access, modification, or system compromise. The vulnerability has been publicly disclosed with proof-of-concept code available, creating immediate exploitation risk.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.1%
CVE-2025-7541 MEDIUM POC This Month

CVE-2025-7541 is a critical SQL injection vulnerability in code-projects Online Appointment Booking System version 1.0, affecting the /get_town.php endpoint where the 'countryid' parameter is inadequately sanitized. An unauthenticated remote attacker can exploit this vulnerability to execute arbitrary SQL queries, potentially leading to unauthorized data access, modification, or deletion of the appointment booking system database. The vulnerability has been publicly disclosed with proof-of-concept code available, significantly increasing real-world exploitation risk.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.1%
CVE-2025-7540 MEDIUM POC This Month

CVE-2025-7540 is a critical SQL injection vulnerability in code-projects Online Appointment Booking System 1.0 affecting the /getclinic.php file's townid parameter. An unauthenticated remote attacker can exploit this to execute arbitrary SQL queries, potentially compromising confidentiality, integrity, and availability of the database. The vulnerability has been publicly disclosed with exploit code available, creating immediate operational risk for deployed instances.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.1%
CVE-2025-7539 MEDIUM POC This Month

CVE-2025-7539 is a critical SQL injection vulnerability in code-projects Online Appointment Booking System version 1.0, specifically in the /getdoctordaybooking.php file via the 'cid' parameter. The vulnerability allows unauthenticated remote attackers to execute arbitrary SQL queries, potentially leading to unauthorized data access, modification, or deletion of database records. Exploitation has been publicly disclosed with proof-of-concept availability, and the vulnerability may be actively exploited in the wild.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.1%
CVE-2025-7537 MEDIUM POC This Month

CVE-2025-7537 is a critical SQL injection vulnerability in Campcodes Sales and Inventory System version 1.0 affecting the /pages/product_update.php file. An unauthenticated remote attacker can manipulate the 'ID' parameter to execute arbitrary SQL queries, potentially leading to unauthorized data access, modification, or deletion. Public exploit disclosure and active exploitation indicators suggest immediate remediation is warranted.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.1%
CVE-2025-7536 MEDIUM POC This Month

CVE-2025-7536 is a critical SQL injection vulnerability in Campcodes Sales and Inventory System 1.0 affecting the /pages/receipt_credit.php endpoint via the 'sid' parameter. An unauthenticated remote attacker can exploit this to execute arbitrary SQL commands, potentially leading to unauthorized data access, modification, or system compromise. The vulnerability has been publicly disclosed with proof-of-concept code available, indicating active exploitation risk.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.1%
CVE-2025-7535 MEDIUM POC This Month

CVE-2025-7535 is a critical SQL injection vulnerability in Campcodes Sales and Inventory System version 1.0, located in the /pages/reprint_cash.php file's 'sid' parameter. An unauthenticated remote attacker can exploit this vulnerability to execute arbitrary SQL queries, potentially leading to unauthorized data access, modification, or deletion. The vulnerability has been publicly disclosed with exploits available, making it an immediate threat to deployed instances.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.1%
CVE-2025-7534 MEDIUM POC This Month

CVE-2025-7534 is a critical SQL injection vulnerability in PHPGurukul Student Result Management System 2.0, exploitable through the 'nid' GET parameter in /notice-details.php. An unauthenticated remote attacker can manipulate this parameter to execute arbitrary SQL queries, potentially compromising confidentiality, integrity, and availability of the application database. Public exploit disclosure and confirmed attack surface (unauthenticated, network-accessible endpoint) elevate real-world risk despite the moderate CVSS 7.3 score.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.1%
CVE-2025-7533 MEDIUM POC This Month

CVE-2025-7533 is a SQL injection vulnerability in code-projects Job Diary 1.0 affecting the /view-details.php file through the job_id parameter, allowing unauthenticated remote attackers to execute arbitrary SQL queries and potentially read, modify, or delete database contents. The vulnerability has a CVSS score of 7.3 (High) with public exploit disclosure and proof-of-concept availability, indicating active exploitation risk in the wild. This is a critical severity issue for all deployments of the affected version with direct database access implications.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.1%
CVE-2025-7517 MEDIUM POC This Month

CVE-2025-7517 is a critical SQL injection vulnerability in code-projects Online Appointment Booking System version 1.0, specifically in the /getDay.php file's cidval parameter. An unauthenticated remote attacker can exploit this vulnerability to inject arbitrary SQL commands, potentially leading to unauthorized data access, modification, or deletion. The vulnerability has been publicly disclosed with exploit code available, and exploitation requires no special privileges or user interaction, making it an immediate threat to deployed instances.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.1%
CVE-2025-7516 MEDIUM POC This Month

CVE-2025-7516 is a critical SQL injection vulnerability in code-projects Online Appointment Booking System version 1.0, affecting the /cancelbookingpatient.php endpoint via the 'appointment' parameter. An unauthenticated remote attacker can exploit this to execute arbitrary SQL queries, potentially leading to unauthorized data access, modification, or deletion of appointment records and sensitive patient information. Public disclosure and proof-of-concept availability indicate active exploitation risk.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.1%
CVE-2025-7515 MEDIUM POC This Month

CVE-2025-7515 is a critical SQL injection vulnerability in code-projects Online Appointment Booking System version 1.0, specifically in the /ulocateus.php file where the 'doctorname' parameter is insufficiently sanitized. An unauthenticated remote attacker can exploit this to execute arbitrary SQL queries, potentially leading to unauthorized data access, modification, or deletion of database contents. The vulnerability has been publicly disclosed with proof-of-concept code available, increasing real-world exploitation risk.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.1%
CVE-2025-7514 MEDIUM POC This Month

A SQL injection vulnerability exists in code-projects Modern Bag version 1.0, specifically in the /admin/contact-list.php file where the 'idStatus' parameter is insufficiently sanitized. An unauthenticated remote attacker can exploit this to execute arbitrary SQL queries, potentially leading to unauthorized data access, modification, or deletion. The vulnerability has been publicly disclosed with proof-of-concept code available, making active exploitation likely.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.1%
CVE-2025-7513 MEDIUM POC This Month

CVE-2025-7513 is a critical SQL injection vulnerability in code-projects Modern Bag 1.0 affecting the /admin/slideupdate.php endpoint, where unsanitized idSlide parameter input allows unauthenticated remote attackers to execute arbitrary SQL queries. The vulnerability has been publicly disclosed with exploits available, enabling attackers to read, modify, or delete database records with moderate confidentiality, integrity, and availability impact.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.1%
CVE-2025-7512 MEDIUM POC This Month

CVE-2025-7512 is a critical SQL injection vulnerability in code-projects Modern Bag version 1.0, affecting the /contact-back.php file's contact-name parameter. An unauthenticated remote attacker can exploit this vulnerability to execute arbitrary SQL queries, potentially leading to unauthorized data access, modification, or deletion. The vulnerability has public exploit disclosure and demonstrates active exploitation potential with a CVSS score of 7.3.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.1%
CVE-2025-7510 MEDIUM POC This Month

CVE-2025-7510 is a critical SQL injection vulnerability in code-projects Modern Bag 1.0 affecting the /admin/productadd_back.php file, where the 'namepro' parameter is improperly sanitized allowing remote unauthenticated attackers to execute arbitrary SQL queries. The vulnerability has been publicly disclosed with exploit code available, and carries a CVSS 7.3 score indicating moderate-to-high real-world risk with low attack complexity. An attacker can extract, modify, or delete database contents without authentication, compromising confidentiality, integrity, and availability of the application.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.1%
CVE-2025-7509 MEDIUM POC This Month

CVE-2025-7509 is a critical SQL injection vulnerability in code-projects Modern Bag 1.0 affecting the /admin/slide.php endpoint via the idSlide parameter. An unauthenticated remote attacker can exploit this with no user interaction to execute arbitrary SQL queries, potentially leading to unauthorized data access, modification, or deletion. The vulnerability has been publicly disclosed with exploit code available, increasing real-world exploitation risk.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.1%
CVE-2025-7508 MEDIUM POC This Month

CVE-2025-7508 is a critical SQL injection vulnerability in code-projects Modern Bag 1.0 affecting the /admin/product-update.php endpoint, where the 'idProduct' parameter is improperly validated before database queries. An unauthenticated remote attacker can exploit this to execute arbitrary SQL commands, potentially exfiltrating sensitive data, modifying product information, or gaining further system access. The vulnerability has public exploit disclosure and active real-world exploitation is likely given the low attack complexity and lack of authentication requirements.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.1%
CVE-2025-7523 MEDIUM POC This Month

CVE-2025-7523 is an XML External Entity (XXE) injection vulnerability in Jinher OA 1.0 affecting the /c6/Jhsoft.Web.message/ToolBar/DelTemp.aspx endpoint. An unauthenticated remote attacker can exploit this to read sensitive files, modify data, or cause denial of service with low attack complexity. The vulnerability has been publicly disclosed with exploit code available, increasing real-world exploitation risk.

XXE
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2025-7542 MEDIUM POC This Month

CVE-2025-7542 is a critical SQL injection vulnerability in PHPGurukul User Registration & Login and User Management System version 3.3, located in the /admin/user-profile.php file where the 'uid' parameter is not properly sanitized. An unauthenticated remote attacker can exploit this vulnerability to execute arbitrary SQL queries, potentially leading to unauthorized data access, modification, or system compromise. The vulnerability has been publicly disclosed with proof-of-concept code available, and exploitation requires no special privileges or user interaction, making it a high-priority threat for affected deployments.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2025-53865 MEDIUM PATCH This Month

In Roundup before 2.5.0, XSS can occur via interaction between URLs and issue tracker templates (devel and responsive).

XSS Debian
NVD GitHub
CVSS 3.1
6.4
EPSS
0.0%
CVE-2025-1735 MEDIUM PATCH This Month

In PHP versions:8.1.* before 8.1.33, 8.2.* before 8.2.29, 8.3.* before 8.3.23, 8.4.* pgsql and pdo_pgsql escaping functions do not check if the underlying quoting functions returned errors. This could cause crashes if Postgres server rejects the string as invalid.

PHP PostgreSQL SQLi Debian Red Hat +1
NVD GitHub
CVSS 3.1
5.9
EPSS
0.1%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy