SQL injection in Deer WMS 2 up to version 3.3 allows authenticated remote attackers to execute arbitrary SQL queries via the ancestors parameter in the /system/dept/edit endpoint, enabling unauthorized data exfiltration or modification. Despite a critical classification, the CVSS v4.0 score of 2.1 reflects limited confidentiality and integrity impact; publicly available exploit code exists but EPSS exploitation probability remains low at 0.07%, suggesting the vulnerability requires authenticated access and may have limited real-world adoption or attack surface.
Reflected cross-site scripting in PHPGurukul Taxi Stand Management System 1.0 allows authenticated remote attackers to inject malicious scripts via the registrationnumber or licensenumber parameters in /admin/new-autoortaxi-entry-form.php, requiring user interaction to trigger. The vulnerability carries a low CVSS score of 2.0 due to authentication and user-interaction requirements, though publicly available exploit code exists and EPSS scoring (0.07%) indicates minimal real-world exploitation probability.