Hard-coded cryptographic key in express-session component of code-projects Hospital Management System 1.0 allows remote attackers to bypass session security and disclose sensitive information. The vulnerability stems from use of a fixed secret parameter in the session middleware, enabling attackers to forge or predict session tokens. While a public exploit exists, the attack requires high complexity and difficult exploitation, reflected in the low CVSS 2.9 score and minimal EPSS probability (0.19%), suggesting limited real-world risk despite information disclosure impact.
SQL injection in code-projects Client Details System 1.0 allows authenticated remote attackers to manipulate the uid parameter in /admin/update-profile.php, enabling arbitrary database queries with limited confidentiality and integrity impact. Publicly available exploit code exists; however, the EPSS score of 0.04% and CVSS 2.1 severity indicate low real-world exploitation probability despite low barriers to attack (network-accessible, low complexity, no user interaction required).
SQL injection in code-projects E-Commerce Website 1.0 allows authenticated remote attackers to manipulate the prod_id parameter in /pages/product_add_qty.php, potentially leading to unauthorized database access or data disclosure. The vulnerability has a CVSS score of 2.1 with low impact across confidentiality, integrity, and availability, but public exploit code exists and may lower the exploitation barrier despite the requirement for prior authentication.
SQL injection in Simple Food Ordering System 1.0 allows authenticated remote attackers to execute arbitrary SQL queries via the cname parameter in /addcategory.php, compromising data confidentiality and integrity. The vulnerability has publicly available exploit code and is confirmed to have limited scope impact (affecting only data confidentiality, integrity, and availability of specific queries); however, EPSS score of 0.03% (8th percentile) suggests minimal real-world exploitation likelihood despite public availability of proof-of-concept code.
SQL injection in Simple Food Ordering System 1.0 allows authenticated remote attackers to execute arbitrary SQL queries via the Category parameter in /addproduct.php. The vulnerability has low practical risk despite public exploit availability due to CVSS 2.1 scoring and minimal confidentiality/integrity impact, though it requires prior authentication. EPSS exploitation probability is extremely low at 0.03% percentile, suggesting limited real-world attack interest despite public POC availability.
SQL injection in SourceCodester Simple Inventory System 1.0 via the uemail parameter in /user.php allows authenticated remote attackers to manipulate database queries with low impact. CVSS 2.1 reflects the low severity due to authentication requirement and limited scope, but a public exploit exists and EPSS percentile of 8% indicates below-average real-world exploitation likelihood despite POC availability.
SQL injection in SourceCodester Simple Inventory System 1.0 via the editBrandName parameter in /brand.php allows authenticated remote attackers to manipulate database queries with low confidentiality, integrity, and availability impact. The CVSS 2.1 score reflects limited scope (authenticated access required, low impact to CIA triad), but publicly available exploit code exists despite minimal real-world exploitation probability (EPSS 0.03%, 8th percentile).
SQL injection in Simple Food Ordering System 1.0 allows authenticated remote attackers to execute arbitrary SQL queries via the Category parameter in /editproduct.php, with publicly available exploit code demonstrating the vulnerability. Despite a low CVSS score of 2.1, the vulnerability requires valid credentials and produces limited confidentiality impact, explaining the minimal EPSS exploitation probability of 0.03%.
SQL injection in Simple Food Ordering System 1.0 allows authenticated remote attackers to execute arbitrary SQL queries via the cname parameter in editcategory.php, resulting in limited confidentiality and integrity impact. Publicly available exploit code exists; however, the EPSS score of 0.03% indicates minimal real-world exploitation probability despite remote network accessibility and low attack complexity.
SQL injection in CodeAstro Gym Management System 1.0 allows authenticated remote attackers to execute arbitrary SQL queries via the ID parameter in /admin/actions/delete-equipment.php. The vulnerability requires valid user credentials (PR:L) and has publicly available exploit code; however, the EPSS score of 0.03% and limited impact scope (VC:L/VI:L/VA:L) indicate low real-world exploitation probability despite technical exploitability.
SQL injection in CodeAstro Gym Management System 1.0 allows authenticated remote attackers to execute arbitrary SQL queries via the ID parameter in /admin/edit-equipmentform.php. The vulnerability requires valid user credentials (privilege level L) but no user interaction. Publicly available exploit code exists, though EPSS indicates very low real-world exploitation probability (0.03%, 8th percentile). Despite the public POC, the CVSS 2.1 score and minimal impact scope (VC:L/VI:L/VA:L with no scope change) suggest limited practical risk in most deployments.
SQL injection in CodeAstro Gym Management System 1.0 allows authenticated remote attackers to manipulate the ID parameter in /admin/actions/delete-member.php, enabling unauthorized database queries with limited confidentiality and integrity impact. The vulnerability requires valid administrative credentials and carries a CVSS score of 2.1 with low confidentiality and integrity impact but no availability risk. Publicly available exploit code exists, though real-world exploitation remains extremely limited based on a 0.03% EPSS score.
SQL injection in CodeAstro Gym Management System 1.0 allows authenticated remote attackers to manipulate the ename parameter in /admin/equipment-entry.php, enabling database query modification with low confidentiality, integrity, and availability impact. Publicly available exploit code exists but real-world risk is minimal due to low EPSS score (0.03%, 8th percentile), limited scope impact, and requirement for authenticated access despite the network attack vector.
SQL injection in Campcodes Online Apartment Visitor Management System 1.0 allows high-privileged remote attackers to manipulate the mobilenumber parameter in /admin-profile.php, potentially leading to unauthorized database access or modification. The vulnerability requires administrative privileges to exploit and has limited confidentiality and integrity impact; public exploit code is available but real-world exploitation risk remains low due to EPSS score of 0.03% and the administrative access prerequisite.
Path traversal vulnerability in MoneyPrinterTurbo up to version 1.2.6 allows authenticated remote attackers to manipulate file upload parameters in the music API endpoint, enabling arbitrary file write operations with limited confidentiality and integrity impact. Publicly available exploit code exists and the vulnerability has low EPSS exploitation probability (0.09%, 26th percentile), suggesting limited real-world weaponization despite proof-of-concept availability.
SQL injection in iPynch Social Network's Search component allows authenticated remote attackers to manipulate queries and access or modify database content with low complexity exploitation. The vulnerability affects the product up to commit b6933b6d7f82c84819abe458ccf0e59d61119541, and public exploit code has been released, though the EPSS score of 0.03% and CVSS base score of 2.1 suggest limited real-world exploitation probability despite the low attack complexity and public availability of proof-of-concept materials.