A vulnerability was found in code-projects Project Monitoring System 1.0. The impacted element is an unknown function of the file /useredit.php. The manipulation of the argument uid results in sql injection. The attack can be executed remotely. The exploit has been made public and could be used.
A vulnerability has been found in code-projects Online Job Search Engine 1.0. The affected element is an unknown function of the file /searchjob.php. The manipulation of the argument txtspecialization leads to sql injection. Remote exploitation of the attack is possible. The exploit has been disclosed to the public and may be used.
A flaw has been found in code-projects Online Job Search Engine 1.0. Impacted is an unknown function of the file /postjob.php. Executing manipulation of the argument txtjobID can lead to sql injection. The attack may be launched remotely. The exploit has been published and may be used.
A vulnerability was detected in code-projects Online Job Search Engine 1.0. This issue affects some unknown processing of the file /registration.php. Performing manipulation of the argument txtusername results in sql injection. The attack may be initiated remotely. The exploit is now public and may be used.
Stored Cross-Site Scripting in code-projects Simple Online Hotel Reservation System 1.0 allows a low-privileged attacker to inject persistent malicious JavaScript into the Add Room Description field, which executes in the administrator's browser session when room information is viewed, resulting in session cookie theft. The CVSS vector (PR:L/UI:R/S:C) confirms the attack requires authenticated access to add rooms and administrator interaction to trigger, but scope change to C:L reflects the realistic impact of session hijacking. A publicly available proof-of-concept exploit exists on GitHub, though no public exploitation has been confirmed and EPSS sits at a low 0.24th-percentile probability.
Privilege abuse and authentication bypass in Aybs Interaktif (by Usta Information Systems Inc.) expose high-confidentiality and high-integrity impacts to local attackers who require no prior privileges. The vulnerability cluster - spanning incorrect permission assignment, missing authorization, incorrect authorization, and sensitive data exposure (CWE-200) - enables an actor with local system access to bypass access controls, potentially reading sensitive resources and modifying data without authorization. No public exploit or CISA KEV listing is identified at time of analysis, but the Turkish National CERT (USOM) has issued advisory TR-25-0329 covering all versions from 2024 through build 28082025.
Arbitrary file upload in Mingsoft MCMS v6.0.1 enables remote code execution on the underlying server by uploading a crafted file - likely a JSP web shell - to a reachable endpoint. The NVD-assigned CVSS score of 6.5 with C:L/I:L impact subscores is materially inconsistent with the stated code execution impact, and this discrepancy should be independently verified. No public exploit has been confirmed as actively exploited per CISA KEV, though a Gist-based reference in NVD data may represent a proof-of-concept; EPSS is low at 0.28% (20th percentile), suggesting no widespread scanning or exploitation observed at time of analysis.
Drupal Protected Pages module fails to implement rate limiting on authentication attempts, enabling unauthenticated attackers to conduct brute force attacks against password-protected content. Affected versions include Protected Pages 0.0.0 through 1.7.x and 7.x-1.0 through 7.x-2.4. The vulnerability permits attackers to enumerate valid credentials and bypass access controls through repeated login submissions without detection or throttling mechanisms. No public exploit code or active exploitation has been confirmed; EPSS scoring of 0.05% (15th percentile) indicates low real-world exploitation likelihood despite the moderate CVSS score of 6.5.
A Missing Secure Attribute in Encrypted Session (SSL) Cookie vulnerability in HCL AION.This issue affects AION: 2.0.
Authorization bypass and sensitive information disclosure in Usta Information Systems Inc. Aybs Interaktif allows a locally authenticated low-privilege user to access unauthorized data through forceful browsing, parameter injection, and input data manipulation. The vulnerability chain - CWE-639 (user-controlled key bypass) combined with CWE-862 (missing authorization) and CWE-200 (information disclosure) - permits manipulation of application parameters to circumvent access controls and retrieve sensitive records belonging to other users or restricted contexts. No confirmed active exploitation (not in CISA KEV), and the EPSS score of 0.02% (4th percentile) indicates minimal observed exploitation pressure at time of analysis.
A vulnerability Bypass of the script allowlist configuration in HCL AION. An incorrectly configured Content-Security-Policy header may allow unauthorized scripts to execute, increasing the risk of cross-site scripting and other injection-based attacks.This issue affects AION: 2.0.