Skip to main content
CVE-2026-32248 CRITICAL POC PATCH Act Now

Unauthenticated query injection in Parse Server before 9.6.0-alpha.12/8.6.38. PoC available.

Information Disclosure Node.js PostgreSQL Parse Server
NVD GitHub VulDB
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-28792 CRITICAL POC PATCH Act Now

TinaCMS CLI dev server combines a permissive CORS policy (Access-Control-Allow-Origin: *) with path traversal to enable drive-by attacks. A remote attacker can enumerate, write, and delete files on a developer's machine simply by having them visit a malicious webpage. PoC available.

Path Traversal Tinacms Cli
NVD GitHub VulDB
CVSS 3.1
9.6
EPSS
0.3%
CVE-2019-25533 HIGH POC This Week

Netartmedia PHP Business Directory 4.2 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the Email parameter. [CVSS 8.2 HIGH]

PHP SQLi
NVD Exploit-DB VulDB
CVSS 4.0
8.8
EPSS
0.2%
CVE-2019-25532 HIGH POC This Week

Netartmedia Jobs Portal 6.1 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the Email parameter. [CVSS 8.2 HIGH]

PHP SQLi
NVD Exploit-DB VulDB
CVSS 4.0
8.8
EPSS
0.2%
CVE-2019-25531 HIGH POC This Week

Netartmedia Deals Portal contains an SQL injection vulnerability in the Email parameter of loginaction.php that allows unauthenticated attackers to manipulate database queries. [CVSS 8.2 HIGH]

PHP SQLi
NVD Exploit-DB VulDB
CVSS 4.0
8.8
EPSS
0.2%
CVE-2019-25537 HIGH POC This Week

Netartmedia Event Portal 2.0 contains a time-based blind SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the Email parameter. [CVSS 8.2 HIGH]

PHP SQLi
NVD Exploit-DB
CVSS 4.0
8.8
EPSS
0.1%
CVE-2019-25536 HIGH POC This Week

Netartmedia PHP Real Estate Agency 4.0 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the features[] parameter. [CVSS 8.2 HIGH]

PHP SQLi
NVD Exploit-DB
CVSS 4.0
8.8
EPSS
0.1%
CVE-2019-25535 HIGH POC This Week

Netartmedia PHP Dating Site contains a SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the Email parameter. [CVSS 8.2 HIGH]

PHP SQLi
NVD Exploit-DB
CVSS 4.0
8.8
EPSS
0.1%
CVE-2019-25534 HIGH POC This Week

Netartmedia PHP Car Dealer contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the features[] parameter. [CVSS 8.2 HIGH]

PHP SQLi
NVD Exploit-DB VulDB
CVSS 4.0
8.8
EPSS
0.1%
CVE-2019-25509 HIGH POC This Week

XooDigital Latest contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the 'p' parameter. Attackers can send GET requests to results.php with malicious 'p' values to extract sensitive database information. [CVSS 8.2 HIGH]

PHP SQLi
NVD Exploit-DB VulDB
CVSS 4.0
8.8
EPSS
0.1%
CVE-2019-25481 HIGH POC This Week

iScripts ReserveLogic contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the jqSearchDestination parameter. [CVSS 8.2 HIGH]

SQLi
NVD Exploit-DB VulDB
CVSS 4.0
8.8
EPSS
0.1%
CVE-2019-25479 HIGH POC This Week

Inout RealEstate contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the city parameter. [CVSS 8.2 HIGH]

SQLi
NVD Exploit-DB VulDB
CVSS 4.0
8.8
EPSS
0.1%
CVE-2019-25530 HIGH POC This Week

uHotelBooking System contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the system_page GET parameter. [CVSS 8.2 HIGH]

PHP SQLi
NVD Exploit-DB VulDB
CVSS 4.0
8.8
EPSS
0.1%
CVE-2026-32246 HIGH POC PATCH This Week

High severity vulnerability in TinyAuth. #

Authentication Bypass Suse
NVD GitHub
CVSS 3.1
8.5
EPSS
0.0%
CVE-2026-28793 HIGH POC PATCH This Week

High severity vulnerability in TinaCMS. The TinaCMS CLI development server exposes media endpoints that are vulnerable to path traversal, allowing attackers to read and write arbitrary files on the filesystem outside the intended media directory.

Path Traversal Tinacms Cli
NVD GitHub VulDB
CVSS 3.1
8.4
EPSS
0.0%
CVE-2019-25543 HIGH POC This Week

Netartmedia Real Estate Portal 5.0 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the page parameter. [CVSS 8.2 HIGH]

PHP SQLi Information Disclosure Real Estate Portal
NVD Exploit-DB
CVSS 3.1
8.2
EPSS
0.2%
CVE-2019-25542 HIGH POC This Week

Netartmedia Real Estate Portal 5.0 contains a SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the user_email parameter. [CVSS 8.2 HIGH]

PHP SQLi Information Disclosure Real Estate Portal
NVD Exploit-DB
CVSS 3.1
8.2
EPSS
0.2%
CVE-2019-25527 HIGH POC This Week

Inout EasyRooms Ultimate Edition v1.0 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the numguest parameter. [CVSS 8.2 HIGH]

SQLi Information Disclosure
NVD Exploit-DB VulDB
CVSS 3.1
8.2
EPSS
0.2%
CVE-2019-25525 HIGH POC This Week

Inout EasyRooms Ultimate Edition v1.0 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the guests parameter. [CVSS 8.2 HIGH]

SQLi Information Disclosure
NVD Exploit-DB VulDB
CVSS 3.1
8.2
EPSS
0.2%
CVE-2019-25524 HIGH POC This Week

XooGallery Latest contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the 'p' parameter. [CVSS 8.2 HIGH]

PHP SQLi Information Disclosure
NVD Exploit-DB VulDB
CVSS 3.1
8.2
EPSS
0.2%
CVE-2019-25523 HIGH POC This Week

XooGallery Latest contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the cat_id parameter. [CVSS 8.2 HIGH]

PHP SQLi Information Disclosure
NVD Exploit-DB VulDB
CVSS 3.1
8.2
EPSS
0.1%
CVE-2019-25522 HIGH POC This Week

XooGallery Latest contains multiple SQL injection vulnerabilities that allow unauthenticated attackers to manipulate database queries by injecting SQL code through the photo_id parameter. [CVSS 8.2 HIGH]

PHP SQLi Information Disclosure
NVD Exploit-DB VulDB
CVSS 3.1
8.2
EPSS
0.1%
CVE-2019-25513 HIGH POC This Week

Jettweb PHP Hazir Haber Sitesi Scripti V3 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the 'q' parameter. [CVSS 8.2 HIGH]

PHP SQLi Php Stock News Site Script
NVD Exploit-DB VulDB
CVSS 3.1
8.2
EPSS
0.1%
CVE-2019-25520 HIGH POC This Week

Jettweb PHP Hazir Haber Sitesi Scripti V1 contains an authentication bypass vulnerability in the administration panel that allows unauthenticated attackers to gain administrative access by exploiting improper SQL query validation. [CVSS 8.2 HIGH]

PHP SQLi Authentication Bypass Php Stock News Site Script
NVD Exploit-DB VulDB
CVSS 3.1
8.2
EPSS
0.1%
CVE-2019-25510 HIGH POC This Week

Jettweb PHP Hazir Haber Sitesi Scripti V2 contains an authentication bypass vulnerability in the administration panel that allows unauthenticated attackers to gain administrative access by exploiting improper SQL query validation. [CVSS 8.2 HIGH]

PHP SQLi Authentication Bypass Php Stock News Site Script
NVD Exploit-DB VulDB
CVSS 3.1
8.2
EPSS
0.1%
CVE-2019-25518 HIGH POC This Week

Jettweb PHP Hazir Haber Sitesi Scripti V1 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the poll parameter. [CVSS 8.2 HIGH]

PHP SQLi Information Disclosure Php Stock News Site Script
NVD Exploit-DB VulDB
CVSS 3.1
8.2
EPSS
0.1%
CVE-2019-25517 HIGH POC This Week

Jettweb PHP Hazir Haber Sitesi Scripti V1 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the cid parameter. [CVSS 8.2 HIGH]

PHP SQLi Php Stock News Site Script
NVD Exploit-DB VulDB
CVSS 3.1
8.2
EPSS
0.1%
CVE-2019-25516 HIGH POC This Week

Jettweb PHP Hazir Haber Sitesi Scripti V1 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the gallery_id parameter. [CVSS 8.2 HIGH]

PHP SQLi Php Stock News Site Script
NVD Exploit-DB VulDB
CVSS 3.1
8.2
EPSS
0.1%
CVE-2019-25511 HIGH POC This Week

Jettweb PHP Hazir Haber Sitesi Scripti V3 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the videoid parameter. [CVSS 8.2 HIGH]

PHP SQLi Php Stock News Site Script
NVD Exploit-DB VulDB
CVSS 3.1
8.2
EPSS
0.1%
CVE-2019-25508 HIGH POC This Week

Jettweb Php Hazir Ilan Sitesi Scripti V2 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the 'kat' parameter. [CVSS 8.2 HIGH]

PHP SQLi Php Ready Advertisement Site Script
NVD Exploit-DB VulDB
CVSS 3.1
8.2
EPSS
0.1%
CVE-2019-25482 HIGH POC This Week

Jettweb PHP Hazir Rent A Car Sitesi Scripti V2 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the arac_kategori_id parameter. [CVSS 8.2 HIGH]

PHP SQLi Php Ready Rent A Car Site Script
NVD Exploit-DB VulDB
CVSS 3.1
8.2
EPSS
0.1%
CVE-2019-25539 HIGH POC This Week

202CMS v10 beta contains a blind SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the log_user parameter. [CVSS 8.2 HIGH]

PHP SQLi 202cms
NVD Exploit-DB
CVSS 3.1
8.2
EPSS
0.1%
CVE-2019-25541 HIGH POC This Week

Netartmedia PHP Mall 4.1 contains multiple SQL injection vulnerabilities that allow unauthenticated attackers to manipulate database queries through unvalidated parameters. [CVSS 8.2 HIGH]

PHP SQLi
NVD Exploit-DB VulDB
CVSS 3.1
8.2
EPSS
0.1%
CVE-2019-25540 HIGH POC This Week

Netartmedia PHP Mall 4.1 contains multiple SQL injection vulnerabilities that allow unauthenticated attackers to manipulate database queries by injecting SQL code through various parameters. [CVSS 8.2 HIGH]

PHP SQLi
NVD Exploit-DB VulDB
CVSS 3.1
8.2
EPSS
0.1%
CVE-2019-25538 HIGH POC This Week

202CMS v10 beta contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the log_user parameter. [CVSS 8.2 HIGH]

SQLi 202cms
NVD Exploit-DB
CVSS 3.1
8.2
EPSS
0.1%
CVE-2019-25528 HIGH POC This Week

Inout EasyRooms Ultimate Edition v1.0 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the property1 parameter. [CVSS 8.2 HIGH]

SQLi Information Disclosure
NVD Exploit-DB VulDB
CVSS 3.1
8.2
EPSS
0.1%
CVE-2019-25526 HIGH POC This Week

Inout EasyRooms Ultimate Edition v1.0 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the location parameter. [CVSS 8.2 HIGH]

SQLi Information Disclosure
NVD Exploit-DB VulDB
CVSS 3.1
8.2
EPSS
0.1%
CVE-2019-25521 HIGH POC This Week

XooGallery Latest contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the gal_id parameter. [CVSS 8.2 HIGH]

PHP SQLi
NVD Exploit-DB VulDB
CVSS 3.1
8.2
EPSS
0.1%
CVE-2019-25488 HIGH POC This Week

Jettweb Hazir Rent A Car Scripti V4 contains multiple SQL injection vulnerabilities in the admin panel that allow unauthenticated attackers to manipulate database queries through GET parameters. [CVSS 8.2 HIGH]

PHP SQLi Denial Of Service Php Ready Rent A Car Site Script
NVD Exploit-DB VulDB
CVSS 3.1
8.2
EPSS
0.1%
CVE-2019-25514 HIGH POC This Week

Jettweb PHP Hazir Haber Sitesi Scripti V3 contains an SQL injection vulnerability that allows attackers to inject malicious SQL commands through the kelime parameter in POST requests. [CVSS 8.2 HIGH]

PHP SQLi Information Disclosure Php Stock News Site Script
NVD Exploit-DB VulDB
CVSS 3.1
8.2
EPSS
0.1%
CVE-2019-25519 HIGH POC This Week

Jettweb PHP Hazir Haber Sitesi Scripti V1 contains an SQL injection vulnerability that allows attackers to manipulate database queries by injecting malicious SQL code through the option parameter. [CVSS 8.2 HIGH]

PHP SQLi Php Stock News Site Script
NVD Exploit-DB VulDB
CVSS 3.1
8.2
EPSS
0.0%
CVE-2019-25512 HIGH POC This Week

Jettweb PHP Hazir Haber Sitesi Scripti V3 contains an SQL injection vulnerability that allows attackers to inject malicious SQL commands through the kelime parameter in POST requests. [CVSS 8.2 HIGH]

PHP SQLi Php Stock News Site Script
NVD Exploit-DB VulDB
CVSS 3.1
8.2
EPSS
0.0%
CVE-2026-32231 HIGH POC PATCH This Week

High severity vulnerability in ZeptoClaw. # The generic webhook channel trusts caller-supplied identity fields (`sender`, `chat_id`) from the request body and applies authorization checks to those untrusted values. Because authentication is optional and defaults to disabled (`auth_token: None`), an attacker who can reach `POST /webhook` can spoof an allowlisted sender and choose arbitrary `chat_id` values, enabling high-risk message sp...

Authentication Bypass Zeptoclaw
NVD GitHub VulDB
CVSS 3.1
8.2
EPSS
0.0%
CVE-2026-32247 HIGH POC PATCH This Week

High severity vulnerability in Graphiti. #

Code Injection Nosql Injection Graphiti
NVD GitHub
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-28356 HIGH POC PATCH This Week

High severity vulnerability in Python multipart. The `parse_options_header()` function in `multipart.py` uses a regular expression with an *ambiguous alternation*, which can cause *exponential backtracking (ReDoS)* when parsing maliciously crafted HTTP or multipart segment headers. This can be abused for **denial of service (DoS)** attacks against web applications using this library to parse request headers or `multipart/form-data` streams.

Python Denial Of Service
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.5%
CVE-2019-25515 HIGH POC This Week

Jettweb PHP Hazir Haber Sitesi Scripti V3 contains an authentication bypass vulnerability in the login.php administration panel that allows unauthenticated attackers to gain administrative access by submitting crafted SQL syntax. [CVSS 7.5 HIGH]

PHP Authentication Bypass SQLi Php Stock News Site Script
NVD Exploit-DB VulDB
CVSS 3.1
7.5
EPSS
0.2%
CVE-2026-32242 HIGH POC PATCH This Week

Parse Server's built-in OAuth2 auth adapter exports a singleton instance that is reused directly across all OAuth2 provider configurations. Under concurrent authentication requests for different OAuth2 providers, one provider's token validation may execute using another provider's configuration, potentially allowing a token that should be rejected by one provider to be accepted because it is validated against a different provider's policy. Deployments that configure multiple OAuth2 providers via the `oauth2: true` flag are affected. The fix ensures that a new adapter instance is created for each provider instead of reusing the singleton, so each provider's configuration is isolated. There is no known workaround. If only a single OAuth2 provider is configured, the race condition cannot occur. - GitHub security advisory: https://github.com/parse-community/parse-server/security/advisories/GHSA-2cjm-2gwv-m892 - Fix Parse Server 9: https://github.com/parse-community/parse-server/releases/tag/9.6.0-alpha.11 - Fix Parse Server 8: https://github.com/parse-community/parse-server/releases/tag/8.6.37

Node.js Race Condition Information Disclosure Parse Server
NVD GitHub VulDB
CVSS 3.1
7.4
EPSS
0.1%
CVE-2019-25529 HIGH POC This Week

Placeto CMS Alpha rv.4 contains an SQL injection vulnerability that allows authenticated attackers to manipulate database queries by injecting SQL code through the 'page' parameter. [CVSS 7.1 HIGH]

PHP SQLi
NVD Exploit-DB VulDB
CVSS 4.0
7.1
EPSS
0.0%
CVE-2019-25473 HIGH POC This Week

Clinic Pro contains a SQL injection vulnerability that allows authenticated attackers to manipulate database queries by injecting SQL code through the month parameter. [CVSS 7.1 HIGH]

SQLi
NVD Exploit-DB VulDB
CVSS 4.0
7.1
EPSS
0.0%
CVE-2026-32245 MEDIUM POC PATCH This Month

Medium severity vulnerability in TinyAuth. #

Authentication Bypass Suse
NVD GitHub
CVSS 3.1
6.5
EPSS
0.0%
Page 1 of 4 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy