PHP
Monthly
Unauthenticated remote SQL injection in SourceCodester Class and Exam Timetabling System 1.0 exposes the login endpoint /index2.php to arbitrary query manipulation via the Password parameter. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms exploitation requires no authentication, no user interaction, and no special attack complexity, making this trivially reachable from the network. Publicly available exploit code exists (POC confirmed via GitHub), though no CISA KEV listing has been issued, meaning widespread active exploitation is not confirmed at time of analysis.
Improper authorization in the BeikeShop e-commerce platform (versions up to 1.6.0.22) allows remote unauthenticated attackers to forge Stripe payment webhook callbacks and mark unpaid orders as paid. The flawed `callback` function in `plugins/Stripe/Controllers/StripeController.php` accepts arbitrary request bodies without verifying the Stripe-Signature header, and publicly available exploit code exists on GitHub. CVSS is 7.3 with EPSS not provided; the issue is not in CISA KEV but has a public POC, raising the practical risk for any internet-exposed BeikeShop store.
SQL injection in Chanjet CRM 1.0 allows remote unauthenticated attackers to manipulate the gblOrgID parameter of /tools/jxf_dump_systable.php to inject arbitrary SQL into the backend database. Publicly available exploit code exists (referenced via a public gist), and the vendor did not respond to disclosure attempts, leaving deployments exposed without official remediation. EPSS data was not provided and the issue is not in CISA KEV, but the combination of network-reachable HTTP GET handler, no authentication requirement, and a public POC makes opportunistic exploitation realistic.
Path traversal in the Quick Playground WordPress plugin (versions ≤ 1.3.4) exposes arbitrary server files to authenticated administrators. The flaw exists in client-qckply_data.php where the qckply_data() function forwards a user-supplied filename POST parameter directly into file_get_contents() without sanitization, enabling traversal sequences to escape the webroot and reach files such as wp-config.php or /etc/passwd. No public exploit exists and the vulnerability is not listed in the CISA KEV catalog, but exploitation would yield database credentials and other secrets with high confidentiality impact.
Stored Cross-Site Scripting in the Click to Chat - WA Widget WordPress plugin (holithemes, all versions through 4.38) allows authenticated Contributor-level users to inject persistent JavaScript payloads that execute in victim browsers when the rendered WhatsApp chat button is clicked. The root cause is a double-encoding bypass: esc_attr() sanitization produces HTML entities that are decoded back to literal characters by the browser's HTML parser before JavaScript evaluation inside an onclick event handler, completely defeating the intended escaping. No public exploit has been identified at time of analysis, but the detailed technical write-up from Wordfence combined with publicly browsable vulnerable source code significantly lowers the barrier to exploitation. Vendor-released patch version 4.39 is available.
PHP Object Injection in the LearnPress - Backup & Migration Tool WordPress plugin (versions ≤ 4.1.4, by ThimPress) allows authenticated administrators to supply maliciously crafted serialized data through the plugin's import functionality, triggering unsafe PHP deserialization. The vulnerability itself carries no direct impact in isolation - exploitation is contingent on a separate plugin or theme installing a usable POP (Property-Oriented Programming) chain on the same site, at which point an attacker can escalate to arbitrary file deletion, sensitive data retrieval, or remote code execution. No public exploit code and no CISA KEV listing have been identified at time of analysis, and the CVSS score of 6.6 (High complexity, High privileges required) reflects the constrained real-world conditions.
Stored Cross-Site Scripting in the Master Addons for Elementor WordPress plugin (versions up to and including 3.1.0) allows authenticated attackers with author-level access to inject persistent JavaScript into pages by exploiting a broken authorization boundary in the Custom JS Extension. The flaw arises because the unfiltered_html capability check is enforced only during UI rendering (Elementor control registration) and entirely absent from the save handler, permitting a crafted POST to admin-ajax.php?action=elementor_ajax to store arbitrary scripts that execute in every subsequent visitor's browser. No public exploit or CISA KEV listing has been identified at time of analysis, though the Wordfence disclosure and direct source-code references confirm the issue is well-documented.
Local File Inclusion in the WP User Manager WordPress plugin (versions through 2.9.17) allows unauthenticated remote attackers to include and execute arbitrary .php files on the server via the profile tab query parameter. The flaw stems from missing validation of the tab value before it is passed to the profile template loader, enabling path traversal to any PHP file the web server can read. No public exploit is identified at time of analysis, and the issue is not listed in CISA KEV, but POC behavior is effectively documented in the upstream fix's traversal test cases.
Authenticated remote code execution in the Admin Columns WordPress plugin (versions through 7.0.18) allows Contributor-level users to inject serialized PHP objects via post meta and trigger a bundled POP gadget chain through the Laravel SerializableClosure component. Reported by Wordfence with CVSS 8.8, no public exploit identified at time of analysis, though the low privilege barrier and bundled gadget chain make weaponization straightforward for any researcher with plugin access.
Sandbox policy bypass in Twig templating engine versions 3.25.0 and earlier allows sandboxed template authors to invoke arbitrary `__toString()` methods on any `Stringable` object reachable in the render context, even when those methods are not allowlisted by `SecurityPolicy::checkMethodAllowed()`. The flaw stems from `SandboxNodeVisitor` only wrapping a hardcoded subset of AST nodes in `CheckToStringNode`, leaving many string-coercion points (conditional expressions, comparison/`matches` operators, tests, ranges, includes, spread arguments) unguarded - and the comparison-operator vector enables byte-by-byte oracle recovery of sensitive object string forms. No public exploit identified at time of analysis; fix shipped in Twig 3.26.0 (also referenced by Symfony's advisory page).
Cross-site scripting in Twig's profiler HtmlDumper component (twig/twig >= 3.0.0, < 3.26.0) allows an attacker who can control template names - via an ArrayLoader key, a database-backed loader row ID, or similar - to inject arbitrary HTML that executes in any browser rendering the profiler output. The root cause is a missing htmlspecialchars() call in HtmlDumper::formatTemplate() and related methods before writing Profile::getTemplate() and Profile::getName() into the HTML response. No public exploit or CISA KEV listing has been identified at time of analysis, but the vendor confirmed the issue and shipped a fix in v3.26.0 as part of a coordinated batch of security releases.
Weak cryptographic salt generation in HAX CMS (haxcms-php) versions prior to 26.0.1 allows remote unauthenticated attackers to predict or recover salt values used during installation and authentication-related operations. The flaw stems from using PHP's uniqid() - a timestamp-based, non-cryptographic function - as a randomness source (CWE-338). No public exploit has been identified at time of analysis and the CVE is not on CISA KEV.
Persistent session token access in HAX CMS (haxtheweb) prior to version 26.0.0 allows attackers who possess a valid authentication token to retain access to CMS administrative functions and metadata even after the legitimate user has logged out. The root cause is CWE-613 (Insufficient Session Expiration): authentication tokens are not invalidated server-side upon logout, meaning the session termination mechanism is cosmetic rather than functional. Both PHP and NodeJS backend deployments are affected. No public exploit has been identified at time of analysis, and no CISA KEV listing exists, but the fix is available in version 26.0.0.
Arbitrary file upload in HAX CMS (PHP backend) versions 11.0.6 through 24.x allows authenticated remote attackers to upload PHP webshells disguised as images by abusing a regex-only extension check that ignores MIME type and content inspection, leading to remote code execution on the web server. CVSS v4.0 scores this 8.7 (High) with PR:L indicating low-privilege authentication is required, and no public exploit was identified at time of analysis although the underlying CWE-434 pattern is highly automatable.
Session token disclosure in HAX CMS versions 25.0.0 through 26.0.0 (exclusive) stems from the haxcms_refresh_token cookie being issued without the Secure flag, allowing the browser to send it over plaintext HTTP. A network-positioned attacker can capture the refresh token via passive sniffing and hijack the victim's authenticated session. No public exploit identified at time of analysis, and the vendor has published a fix in version 26.0.0.
Local File Inclusion in HAX CMS's saveOutline endpoint allows an authenticated low-privileged user to read arbitrary files on the server by injecting path traversal sequences into the location field written to site.json. Both the PHP and NodeJS backend variants (haxtheweb/haxcms-php and haxtheweb/haxcms-nodejs) are affected across all versions prior to 26.0.0. There is no public exploit identified at time of analysis and this vulnerability is not listed in the CISA KEV catalog, though the confidentiality impact is rated High given that exfiltrable targets include /etc/passwd, application secrets, and web-server-readable configuration files.
Remote code execution in WP Captcha PRO (premium version of the Advanced Google reCAPTCHA WordPress plugin) through version 5.38 allows authenticated Subscriber-level attackers to upload arbitrary files, including PHP webshells, by abusing the licensing module's save_ajax() capability check and the unrestricted archive extraction in sync_cloud_protection(). No public exploit identified at time of analysis, but the CVSS 8.8 rating and trivial Subscriber-level prerequisite - common on sites with open registration - make this a high-priority WordPress ecosystem flaw. Wordfence is the original reporter and primary intelligence source.
OS command injection in HAX CMS (haxtheweb/haxcms-php) prior to version 26.0.0 allows authenticated remote attackers to execute arbitrary commands as the web server user via Git operations in the PHP backend. The Git.php library passes unsanitized input into proc_open() across 16 of 17 shell-invoking functions, with only commit() correctly using escapeshellarg(). No public exploit identified at time of analysis, though the vendor advisory describes a clear chain to full RCE when combined with configuration manipulation.
Stored cross-site scripting in HAX CMS PHP before 26.0.0 lets authenticated low-privilege users upload HTML files with uppercase extensions (.HTML, .Html, .HTM) that bypass the case-sensitive .htaccess Content-Disposition: attachment rule, causing browsers to render the file inline and execute embedded JavaScript in the HAXcms origin. The flaw defeats the mitigation shipped for CVE-2026-22704 and carries a CVSS 8.7 score driven by scope change (S:C) into the victim browser context. No public exploit identified at time of analysis, though the GitHub Security Advisory describes the bypass technique in enough detail to reproduce.
Unauthenticated repository exposure in HAX CMS PHP (versions 2.0.0 through 25.x) allows any remote attacker to browse git repositories and full commit history via the unprotected gitlist plugin. The CVSS 4.0 vector confirms no authentication, no user interaction, and network-level access with low complexity, making exploitation trivially achievable against any public-facing instance. No public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV, but the absence of access controls on the gitlist endpoint represents a direct confidentiality risk for any sensitive data stored in or committed to those repositories.
Authenticated remote code execution affects HAX CMS PHP backend versions prior to 26.0.0, where attackers with valid credentials can configure malicious Git filter commands to overwrite files and execute arbitrary code on the server. The flaw carries a CVSS 4.0 score of 9.4 due to full compromise of confidentiality, integrity, and availability with cascading subsequent system impact. No public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV.
Unrestricted file upload in code-projects Vehicle Management System 1.0 allows remote unauthenticated attackers to upload arbitrary files via the photo parameter of the New Driver Registration Form (newdriver.php), enabling remote code execution. Publicly available exploit code exists on GitHub, increasing the likelihood of opportunistic abuse against exposed instances despite no CISA KEV listing.
SQL injection in code-projects Hotel and Tourism Reservation System 1.0 allows remote unauthenticated attackers to manipulate the 'room' parameter of /details.php to inject arbitrary SQL queries. Publicly available exploit code exists (published via GitHub by researcher and indexed by VulDB), increasing the likelihood of opportunistic exploitation against exposed instances. The flaw is reachable over the network with no privileges or user interaction, making any internet-facing deployment of this PHP application a viable target.
Cross-site scripting in tittuvarghese's PHP-based CollegeManagementSystem exposes users to script injection via the unvalidated `department_name` parameter in `/dashboard_page/forms/fetch.php`, exploitable remotely without authentication but requiring victim interaction. Publicly available exploit code (GitHub issue #6) lowers the technical barrier for opportunistic attacks, though CVSS scope remains unchanged with only low integrity impact. No patch has been released and the project maintainer has not responded to the coordinated disclosure, leaving all deployed instances permanently exposed under the rolling release model.
Improper authorization in tittuvarghese CollegeManagementSystem exposes the Admin Interface to privilege escalation by low-privileged authenticated users who can manipulate the UserAuthData parameter in dashboard_page/admin_page.php. A publicly available exploit exists (referenced in GitHub issue #5), raising practical risk above what the mid-range CVSS score of 6.3 alone would suggest. The vendor has not responded to the responsible disclosure, and no patch has been released; all deployed instances across the rolling release track remain exposed.
Session fixation in tittuvarghese CollegeManagementSystem enables remote attackers to hijack authenticated user sessions by pre-setting a session identifier via the UserAuthData argument passed to session_start() in /login-form.php. Successful exploitation requires a victim to complete login through an attacker-crafted URL, granting the attacker access to the victim's authenticated session with partial confidentiality, integrity, and availability impact (C:L/I:L/A:L). A publicly available exploit exists via a published GitHub issue, but no patch has been released and the maintainer has not responded to responsible disclosure.
SQL injection in tittuvarghese CollegeManagementSystem (rolling-release PHP project) allows remote unauthenticated attackers to manipulate the department_code parameter in dashboard_page/forms/fetch.php to inject arbitrary SQL. Publicly available exploit code exists (disclosed via VulDB and a GitHub issue), and because the project uses continuous delivery with no tagged versions, defenders cannot pin a fixed release. The maintainer has been notified but has not responded, increasing operational risk for any deployment.
Unrestricted file upload in tittuvarghese CollegeManagementSystem exposes the Student Data Upload endpoint (`dashboard_page/forms/upload_student_data.php`) to remote exploitation by authenticated low-privilege users, allowing arbitrary file types - including PHP web shells - to be uploaded to the server by manipulating the Student-Data-CSV argument. All deployed instances across all commits are affected given the project's rolling release model, and no vendor-released patch exists as the maintainer has not responded to responsible disclosure. Publicly available exploit code exists, raising real-world risk above what the CVSS 6.3 score alone implies.
Unauthenticated remote code execution in the JCE (Joomla Content Editor) extension for Joomla allows attackers to create editor profiles without authentication, then leverage that capability to upload and execute arbitrary PHP code on the server. With a CVSS 4.0 score of 10.0 and the CVSS:4.0 'U:Red' urgency flag set by the vendor, this represents a critical broken-access-control flaw, though no public exploit has been identified at time of analysis.
Multiple reflected Cross-Site Scripting vulnerabilities in damasac's thaipalliative_lte PHP application (through version 3.0) allow unauthenticated remote attackers to inject arbitrary JavaScript into victim browsers by crafting malicious URLs. The vulnerable file /substudy/ezform.php unsafely echoes four distinct user-controlled parameters - idFormMain, id (in two locations), and ptid_key - directly into HTML attributes and JavaScript contexts without output encoding. A proof-of-concept exists per SSVC data; however, EPSS is very low at 0.08% (23rd percentile) and exploitation is not confirmed by CISA KEV, suggesting limited widespread attacker interest at time of analysis.
SQL injection in SourceCodester Ship Ferry Ticket Reservation System 1.0 exposes the admin login panel to unauthenticated remote attackers via a crafted Username parameter in /admin/login.php, enabling authentication bypass and backend database manipulation. Publicly available exploit code (POC) has been published on Medium demonstrating the authentication bypass technique, elevating real-world risk despite the moderate CVSS 4.0 score of 5.5. No KEV listing at time of analysis, but the zero-prerequisite network attack vector combined with a public POC makes this a credible threat to any internet-facing deployment.
SQL injection in projectworlds Online Art Gallery Shop 1.0 enables remote low-privileged attackers to manipulate the `social_insta` parameter within `/admin/adminHome.php`, achieving limited read, write, and availability impact against the underlying database. Publicly available exploit code exists (CVSS 4.0 E:P), though the overall CVSS 4.0 score of 2.1 reflects a constrained impact scope - no subsequent system compromise is possible. This is not listed in the CISA KEV catalog; exploitation requires authenticated access rather than open unauthenticated attack.
Server-side request forgery in Shopware's media subsystem allows authenticated admin users to make arbitrary HTTP HEAD requests to internal network addresses and cloud metadata endpoints via the `/api/_action/media/external-link` endpoint. The root cause is an inconsistency between two URL-handling flows in `MediaUploadService`: the `uploadFromURL` flow correctly validates resolved IPs against private/reserved ranges, while the `linkURL` flow only checks that the URL begins with `http://` or `https://`. Exploiting this, an admin can probe cloud metadata services, enumerate internal ports, and leak `content-length` values from internal services; no public exploit has been identified at time of analysis, and a vendor-released patch exists in version 6.7.10.1.
Stored cross-site scripting in Shopware's media manager allows any authenticated admin to upload an unsanitized SVG file containing arbitrary JavaScript that executes in the Shopware domain context when the file is accessed by any user. The upload pipeline - spanning MediaUploadController, FileSaver, and TypeDetector - classifies SVG as a valid ImageType with VECTOR_GRAPHIC flag but performs zero content sanitization: no DOMPurify, no enshrined/svg-sanitize, no strip_tags on SVG XML content. In an e-commerce context this enables admin account takeover, customer data exfiltration, and malicious plugin installation. No public exploit identified at time of analysis and this vulnerability is not listed in CISA KEV.
Unauthorized payment triggering in Shopware's `/store-api/handle-payment` endpoint allows any low-privileged Store API caller - including guest checkout contexts - to initiate or retry the payment flow for another customer's order by supplying a known foreign `orderId`. The flaw affects `shopware/platform` and `shopware/core` versions below 6.6.10.18 and versions 6.7.0.0 through 6.7.10.0, and is confirmed fixed in releases 6.6.10.18 and 6.7.10.1 per GitHub advisory GHSA-9v5m-39wh-5chq. No public exploit code or CISA KEV listing has been identified at time of analysis, and the CVSS score of 4.3 (Medium) reflects limited scope: integrity of order and payment workflows is the primary risk, with no direct confidentiality or availability impact.
Order state transition endpoints in Shopware's Admin API expose a vertical authorization bypass (CWE-862) where authenticated low-privileged users can manipulate order lifecycle states - including cancellation, fulfillment, and payment transitions - without holding the required `order:update` ACL privilege. The structural gap exists across both the 6.6.x and 6.7.x release lines because the affected routes in `OrderActionController.php` carry no ACL metadata, causing `AclAnnotationValidator` to exit without enforcing any privilege check, and the downstream `StateMachineRegistry` then executes writes under `Context::SYSTEM_SCOPE`. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV, but exploitation is mechanically trivial for any authenticated Admin API user regardless of their assigned role.
Timing-based administrator username enumeration in Shopware's OAuth token endpoint exposes valid admin accounts to unauthenticated remote attackers. The flaw exists in shopware/platform and shopware/core packages across the 6.6.x and 6.7.x branches, where the API endpoint api/oauth/token responds measurably faster for non-existent usernames than for valid ones due to skipping the Argon2id password_verify() call. A publicly available proof-of-concept exploit exists; while not confirmed actively exploited in CISA KEV, the POC lowers the barrier for targeted brute-force, credential stuffing, and spear phishing campaigns against Shopware admin panels. CVSS rates this 3.7 (AC:H), reflecting that reliable exploitation requires statistical timing analysis across many requests.
Privilege escalation in Shopware's Admin API allows authenticated users holding only the low-privilege `user:create` or `user:update` ACL to promote any account - including newly created ones - to full administrator access. The flaw exists in `UserController::upsertUser()` across composer packages `shopware/platform` and `shopware/core`, affecting all releases below 6.6.10.18 and the 6.7.x line below 6.7.10.1. Shopware has released patched versions; no public exploit code or CISA KEV listing has been identified at time of analysis, but the attack is straightforward for any user with delegated user-management API access.
Admin account takeover in Shopware's PHP e-commerce platform is achievable by any low-privilege admin holding the user_recovery:read ACL through a three-endpoint attack chain requiring no special tooling. The vulnerability stems from the UserRecoveryDefinition exposing a secret password-reset hash via the Admin API search endpoint - a hash the recovery flow assumes is delivered exclusively via email - enabling the attacker to bypass the intended out-of-band delivery mechanism entirely. Patched versions 6.6.10.18 and 6.7.10.1 are available; no public exploit code or CISA KEV listing has been identified at time of analysis, though the attack is fully documented in the GitHub Security Advisory GHSA-8v9p-g828-v98f.
Privilege escalation in Shopware's Sync API allows an authenticated API user holding the `integration:create` ACL to self-elevate to full administrator by posting `admin: true` via `POST /api/_action/sync`. The dedicated `IntegrationController` correctly enforces an admin-only guard on this field, but the Sync API routes writes through `SyncService → EntityWriter::upsert()`, which only validates entity-level ACL and `WriteProtection` flags - neither of which are present on the `admin` BoolField in `IntegrationDefinition`. Affected are `shopware/platform` and `shopware/core` prior to 6.6.10.18 and prior to 6.7.10.1; no public exploit or CISA KEV listing is confirmed at time of analysis, though the attack is mechanically trivial for any credential holder with the prerequisite ACL.
Stored XSS in AVideo's YouTubeAPI plugin allows any YouTube video uploader whose video matches the AVideo operator's configured search keyword to inject arbitrary JavaScript into every visitor's browser via the homepage gallery section. The `snippet.title` field returned by the YouTube Data API is rendered verbatim across four HTML output sites in `plugin/YouTubeAPI/gallerySection.php`, three of which apply no encoding whatsoever; the fourth applies only a partial `str_replace` that strips double-quotes and leaves the other three sinks untouched. Publicly available exploit code is documented in GHSA-66q5-cj5g-wrfx; the payload persists for up to 3600 seconds (the default cache TTL) after the hostile video is removed from YouTube, and when the victim is an authenticated AVideo administrator the injected script can escalate to full administrative takeover via cookie-based requests lacking CSRF protection.
Reflected XSS in WWBN AVideo's YouTubeAPI plugin allows any unauthenticated remote attacker to execute arbitrary JavaScript in a victim's browser by inducing the victim to open a single crafted URL. The unsanitized `$_GET['search']` parameter is interpolated raw into pagination link href attributes in `plugin/YouTubeAPI/gallerySection.php`, and the AVideo Layout plugin then automatically hoists the injected script tag into a clean executable inline script block at page bottom - bypassing naive attribute-context filters. A detailed proof-of-concept is publicly documented in GitHub Security Advisory GHSA-hgjh-6wj8-gcgf; no active exploitation confirmed in CISA KEV at time of analysis.
Stored cross-site scripting in WWBN AVideo (all versions through 29.0) lets an authenticated user execute arbitrary JavaScript in other connected users' browsers via the SQLite-backed YPTSocket WebSocket messaging system. The flaw is an incomplete-fix bypass of CVE-2026-43874: the prior patch only stripped the `autoEvalCodeOnHTML` key from `$json['msg']`, but `msgToResourceId()` prioritizes the sibling `json` key, so a payload placed there reaches the victim unsanitized. Publicly available exploit code exists in the GitHub advisory PoC; EPSS is low (0.13%) and it is not on CISA KEV, so no active exploitation is indicated.
Missing authorization on the Admin Dashboard endpoint of LakshayD02's Hostel-Management-System-PHP allows low-privileged authenticated users to manipulate the ID parameter in hostel/index.php to access or modify records beyond their permitted scope. All commits up to f87e67c283bab6f718faf2fec6ae39a13bd7036b are affected; the project uses no formal versioning, so no unaffected release exists. Publicly available exploit code exists, and the project maintainer had not responded to coordinated disclosure at time of reporting.
SQL injection in itsourcecode Fees Management System 1.0 exposes the `/receipt.php` endpoint to database manipulation by authenticated remote attackers via the `ef_id` parameter. The CVSS temporal metric E:P confirms a publicly available exploit, disclosed via a GitHub issue, meaning exploitation is accessible to low-skilled attackers. No CISA KEV listing is present, but the combination of public POC, network-reachable attack vector, and low attack complexity makes this a credible threat for any internet-facing deployment of this PHP application.
Improper input validation in MISP's over-correlations endpoint allows an authenticated high-privileged attacker to inject arbitrary ordering clauses into database queries via the user-controlled `order` request parameter. All MISP instances running version 2.5.38 and earlier are affected. While direct impact is bounded by query-ordering manipulation, the vulnerability carries SQLi tags and high subsequent system impact scores (SC:H/SI:H/SA:H in CVSS 4.0), suggesting that a successfully crafted ordering expression could escalate to unsafe query construction or unintended data exposure. No public exploit has been identified at time of analysis.
WordPress Popup Builder 3.49 contains a persistent cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by breaking out of option tags in the post_title. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
WordPress Hybrid Composer 1.4.6 contains an unauthenticated settings change vulnerability that allows unauthenticated attackers to modify WordPress options by exploiting the hc_ajax_save_option. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Contact Form by WD 1.13.1 contains a cross-site request forgery vulnerability combined with local file inclusion that allows unauthenticated attackers to include arbitrary files by exploiting. Rated medium severity (CVSS 5.1), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
PHP EI-Tube Script 3 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the search parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Listing Hub CMS 1.0 contains a SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the id parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
PDF Signer 3.0 contains a server-side template injection vulnerability that allows unauthenticated attackers to execute arbitrary code by injecting PHP commands through the CSRF-TOKEN cookie. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Care2x 2.7 contains multiple SQL injection vulnerabilities that allow unauthenticated attackers to execute arbitrary SQL commands by manipulating the ck_config cookie parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
WordPress Plugin ad manager wd 1.0.11 contains an arbitrary file download vulnerability that allows unauthenticated attackers to download sensitive files by manipulating the path parameter. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Reflected cross-site scripting in itsourcecode Fees Management System 1.0 allows remote unauthenticated attackers to inject arbitrary JavaScript into a victim's browser session by manipulating the 'page' parameter in /navbar.php. The attack requires user interaction - a victim must follow a crafted URL - limiting mass exploitation, but publicly available exploit code (referenced via a GitHub issue) lowers the barrier for targeted phishing campaigns. No CISA KEV listing; EPSS data was not provided, though the combination of no authentication requirement and public POC warrants prompt attention for exposed deployments.
SQL injection in itsourcecode Fees Management System 1.0 allows authenticated remote attackers with low privileges to manipulate database queries via the `ID` parameter in `/manage_user.php`. The CVSS vector (AV:N/AC:L/PR:L/UI:N) confirms network-accessible exploitation requiring only a low-privilege account, with confidentiality, integrity, and availability all partially impacted. A public proof-of-concept exploit is available (E:P in CVSS temporal metrics, corroborated by a GitHub issue), though no active exploitation has been confirmed via CISA KEV. No vendor-released patch has been identified at time of analysis.
SQL injection in itsourcecode Fees Management System 1.0 allows low-privileged remote attackers to manipulate database queries via the `ID` parameter in `/manage_student.php`, resulting in partial compromise of confidentiality, integrity, and availability. The affected product is a PHP-based academic fee tracking application; exploitation requires a valid low-privilege account but no additional user interaction. A publicly available proof-of-concept exploit (referenced via GitHub) lowers the bar for opportunistic exploitation, though no confirmed active exploitation (CISA KEV) has been recorded at time of analysis.
Unrestricted file upload in Stumasy (mjperpinosa) allows a low-privileged authenticated attacker to upload arbitrary files through the profile image change endpoint, potentially enabling server-side code execution. The vulnerable parameter `pr_profile_image` in `application/PHP/objects/profiles/change_profile_image.php` performs no meaningful file type validation, making it trivial to submit non-image payloads including PHP webshells. A publicly available exploit exists via the project GitHub issue tracker; the vendor has not responded to the disclosure, and no patch has been released. No CISA KEV listing at time of analysis.
Unrestricted file upload in mjperpinosa's stumasy PHP application allows authenticated remote attackers to upload arbitrary and potentially dangerous file types via the up_file_to_post parameter in add_post.php, enabling likely remote code execution through web shell deployment. The CVSS vector (AV:N/AC:L/PR:L/UI:N) confirms network-reachable exploitation requiring only low-privilege authentication with no user interaction. A publicly available proof-of-concept exploit exists (disclosed via GitHub issue), and the vendor has not responded to the responsible disclosure - no patch is available at time of analysis.
Unauthenticated information disclosure in the SP Project & Document Manager WordPress plugin (versions up to and including 4.71) allows remote attackers to enumerate file metadata and obtain download links for arbitrary files stored within project folders. The flaw stems from a broken authorization gate in the view_file AJAX handler where a negated nonce check is OR-chained with permission checks, causing the entire condition to evaluate true when no valid nonce is supplied. No public exploit identified at time of analysis, and the CVSS 7.5 score reflects confidentiality-only impact with no integrity or availability consequences.
Authentication bypass in ealpha072's Student-Management-System PHP application exposes the administrative backend to remote unauthenticated attackers via a flaw in admin/config.php. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms zero prerequisites - no privileges, no user interaction, no special attack conditions - and a proof-of-concept exploit is publicly available via a GitHub issue report. The vendor has not responded to responsible disclosure and no patched release has been issued, leaving all deployments at or before commit 01451bd7a2f58cdda07bd0b86e3967582e3ecd08 without an official remediation path.
Authenticated zone-file injection in Froxlor <=2.3.6 allows a customer with DNS editing enabled to inject newline characters into TXT record content via the DomainZones.add API, breaking out of the record line in the generated BIND zone file and injecting arbitrary BIND directives ($INCLUDE, $GENERATE) or DNS records (A, MX, CNAME). The flaw is an incomplete fix for CVE-2026-30932, which sanitized LOC/RP/SSHFP/TLSA records but left TXT handling reliant only on Dns::encloseTXTContent(), which strips no control characters. Publicly available exploit code exists (detailed PoC including a Python script in the GHSA advisory), but there is no public exploit identified at time of analysis in CISA KEV and no EPSS score was provided.
PHP object injection in Concrete CMS versions below 9.5.2 allows authenticated high-privileged attackers to trigger arbitrary PHP object instantiation through unsafe unserialize() calls in the Workflow, Form block, and File/Set components. The vulnerability requires a malicious serialized payload to be placed in the database beforehand, and no public exploit identified at time of analysis. The vendor scored this 8.4 (CVSS 4.0), and CISA SSVC indicates no observed exploitation but total technical impact if successfully chained.
SQL injection in SourceCodester Pizzafy E-Commerce System 1.0 allows remote unauthenticated attackers to manipulate the Username parameter sent to the Login function in /admin/admin_class_novo.php, compromising the administrative authentication flow. Publicly available exploit code exists per the referenced GitHub proof-of-concept, raising opportunistic exploitation risk despite the limited deployment footprint of this small-scale PHP e-commerce application. No KEV listing or EPSS score is provided, so exploitation appears opportunistic rather than confirmed active.
File inclusion in SourceCodester Online Food Ordering System 2.0 allows remote attackers to manipulate the 'page' parameter of /index.php to include arbitrary files via the application's include() function. Publicly available exploit code exists (referenced on GitHub), and the CVSS 7.3 score combined with no authentication or user interaction requirements (AV:N/AC:L/PR:N/UI:N) makes this trivially exploitable against any exposed deployment. The vulnerability falls under CWE-73 (External Control of File Name or Path) and primarily enables information disclosure, though depending on PHP configuration it may escalate to code execution.
Weak password hashing in QloApps through 1.7.0 enables credential compromise because Tools::encrypt() in classes/Tools.php hashes passwords with unsalted MD5 concatenated with a static cookie key, allowing offline brute-force recovery of customer and employee credentials. The risk is amplified by an 8-character auto-generated password used during guest-to-customer conversion in classes/Customer.php, making cracked hashes practically trivial. No public exploit identified at time of analysis, but the upstream fix in commit 64e9722 replaces MD5 with the PasswordHashing class for credential storage.
Insecure Direct Object Reference (IDOR) in SourceCodester Human Resource Management 1.0 allows authenticated remote attackers to read other employees' records by manipulating the `employeeid` parameter in `/detailview.php`. The vulnerability results in unauthorized disclosure of employee data across account boundaries, with no integrity or availability impact. A publicly available proof-of-concept exploit exists; no active exploitation has been confirmed by CISA KEV at time of analysis.
SQL injection in code-projects Student Admission System 1.0 allows remote unauthenticated attackers to manipulate the 'eid' and 'did' parameters in /index.php to inject arbitrary SQL queries. Publicly available exploit code exists (referenced via GitHub issue tracker), increasing the likelihood of opportunistic attacks against exposed deployments. The vulnerability carries a CVSS 3.1 base score of 7.3, with low impact across confidentiality, integrity, and availability, but no special prerequisites for exploitation.
SQL injection in DedeCMS 5.7.88 allows remote unauthenticated attackers to manipulate the database through the carbuyaction.php endpoint by supplying crafted postname or des parameter values that bypass the RemoveXSS sanitization function. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms no authentication, no complexity, and no special conditions are required for exploitation. A public proof-of-concept exploit has been released (CVSS E:P modifier), though no CISA KEV listing exists, indicating no confirmed widespread active exploitation at time of analysis.
SQL injection in DedeCMS 5.7.88 allows remote unauthenticated attackers to manipulate database queries via the `msg` parameter in `/plus/flink.php`, where the `dede_htmlspecialchars` function fails to adequately sanitize input before use in SQL operations. The CVSS 4.0 vector confirms no authentication, no user interaction, and low complexity - making this trivially reachable over the network. Publicly available exploit code exists (CVSS E:P), though no confirmed active exploitation (CISA KEV) has been recorded at time of analysis.
Missing authorization in NamelessMC 2.2.4 allows authenticated low-privileged users to add reactions to wall posts on private profiles or profiles that have blocked them, bypassing expected privacy and blocking controls. The flaw exists in `core/classes/Misc/ProfilePostReactionContext.php`, which validates only that the target post exists but performs no check against the profile's visibility settings or block relationships. No public exploit identified at time of analysis, and the vendor has released a patch in version 2.2.5.
Authorization bypass in NamelessMC 2.2.4's profile wall system allows low-privileged authenticated users to post to private or blocking profiles, and to inject replies into wall posts belonging to arbitrary profiles they would otherwise be restricted from accessing. The profile.php module processes wall post submissions before performing the visibility and block-list authorization checks, meaning the write completes before any rejection occurs. A second independent flaw in the reply branch skips verification that the target wall post belongs to the profile being accessed, enabling cross-profile reply injection via a restricted profile URL. No public exploit code has been identified and this is not listed in CISA KEV, but a patch is available in version 2.2.5.
SQL injection in DedeCMS 5.7.88 exposes the feedback submission endpoint to unauthenticated remote attackers who can manipulate the `msg` parameter passed to the `TrimMsg` function in `/plus/feedback.php`. The CVSS 4.0 vector (PR:N/UI:N/AC:L/AT:N) confirms no authentication or user interaction is required, and the E:P modifier indicates exploit code has been publicly disclosed per VulDB submission 829413. No CISA KEV listing was identified at time of analysis, but the combination of unauthenticated network access and a public POC elevates practical risk above the moderate base score of 5.5.
Missing authorization controls in NamelessMC 2.2.4 expose private profile post reaction data to unauthenticated visitors and allow low-privileged authenticated users to interact with posts from profiles they are blocked by or that are set to private. Two distinct code paths are vulnerable: the reaction query endpoint in `modules/Core/queries/reactions.php` accepts unauthenticated GET requests without enforcing privacy settings, while `core/classes/Misc/ProfilePostReactionContext.php` only validates post existence rather than caller access rights. No public exploit code exists and this vulnerability has not been added to the CISA KEV catalog, but the unauthenticated read path requires no prerequisites against internet-facing installations.
NamelessMC 2.2.4's forum module exposes a broken object-level authorization flaw that allows authenticated users to read and modify reactions on topics they are explicitly forbidden from viewing. The vulnerability exists in `modules/Forum/classes/ForumPostReactionContext.php`, which enforces only forum-level access (`can view the forum`) but omits the topic-level `view_other_topics` permission check - meaning the access control boundary is incomplete by design. Attackers with a low-privilege forum account in a restricted forum can bypass the `view_other_topics` restriction to interact with other users' topic reactions. No public exploit code exists and this CVE is not listed in the CISA KEV catalog at time of analysis.
Broken access control in NamelessMC 2.2.4 (Minecraft community website software) allows any low-privileged authenticated user to read posts from hidden, private, or staff-only forums by sending crafted requests to the get_quotes.php endpoint. The Forum module's quote helper only verifies that the caller is logged in and fails to enforce forum/topic visibility ACLs that the normal topic view does enforce. No public exploit identified at time of analysis, but the issue is trivial to weaponize given an account on the affected site.
Local File Inclusion in Select-Themes WaveRide WordPress theme versions up to and including 1.4 allows remote attackers to coerce the application into including arbitrary local PHP files via improper validation of a filename used in an include/require statement. The flaw is rated CVSS 8.1 (high) with network attack vector and no authentication required, though high attack complexity tempers exploitability; no public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Local File Inclusion in Code Supply Co. Blueprint WordPress theme versions prior to 1.1.5 allows remote unauthenticated attackers to include arbitrary local PHP files through improper filename validation in include/require statements. CVSS rates the issue 8.1 (High) with high attack complexity, and no public exploit has been identified at time of analysis. Despite the CWE-98 classification suggesting Remote File Inclusion, the vendor advisory explicitly scopes the impact to Local File Inclusion.
Reflected XSS in NamelessMC 2.2.4 allows unauthenticated remote attackers to inject and execute arbitrary JavaScript in a victim's browser via the unsanitized `id` parameter at the `/index.php?route=/queries/user/` endpoint. Exploitation requires victim interaction (UI:R per CVSS), making this a social-engineering-dependent attack suited to targeted phishing against Minecraft server administrators or users. No public exploit code has been identified and the vulnerability is not listed in CISA KEV; version 2.2.5 fully resolves the issue.
Local File Inclusion in Axiomthemes Racquet WordPress theme (versions through 1.12.0) allows remote unauthenticated attackers to include arbitrary local PHP files via improperly validated filename input, leading to information disclosure and potential code execution. The flaw is classified as CWE-98 (PHP Remote File Inclusion) with a CVSS 8.1 (High) rating, though high attack complexity (AC:H) tempers its real-world exploitability. No public exploit identified at time of analysis, and the issue was reported through the Patchstack research program.
Local File Inclusion in androThemes Cookiteer WordPress theme versions up to and including 1.4.8 allows remote unauthenticated attackers to include and execute arbitrary local PHP files on the underlying server. The flaw is classified as PHP Remote File Inclusion (CWE-98) but the practical impact described is LFI, which can lead to sensitive information disclosure and potential code execution through log poisoning or session file abuse. No public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV.
Local File Inclusion in Axiomthemes Fermentio WordPress theme through version 1.5.0 allows remote unauthenticated attackers to include arbitrary local files via improperly controlled filename parameters in PHP include/require statements. The flaw is tracked under CWE-98 (PHP Remote File Inclusion) but per the description is exploitable as LFI, with no public exploit identified at time of analysis and high attack complexity reflected in the CVSS vector.
Local File Inclusion in the Axiomthemes Spin WordPress theme (versions up to and including 1.8) allows remote attackers to coerce the PHP runtime into including arbitrary local files via an unsanitized filename parameter passed to an include/require statement. Successful exploitation can disclose sensitive configuration data (such as wp-config.php) and, depending on server configuration, escalate into remote code execution by including attacker-controlled content. No public exploit identified at time of analysis and the vulnerability is not currently listed in CISA KEV.
Local file inclusion in the Axiomthemes Crafti WordPress theme (versions up to and including 1.12) allows remote unauthenticated attackers to coerce the PHP runtime into including arbitrary local files through improperly validated include/require parameters. Successful exploitation can lead to disclosure of sensitive server-side files, configuration data, and under certain conditions code execution via included content. No public exploit identified at time of analysis, but the issue is catalogued by Patchstack in their WordPress vulnerability database.
Local file inclusion in the UnboundStudio Accordion FAQ WordPress plugin (versions up to and including 2.2.1) allows authenticated remote attackers to include and execute arbitrary PHP files from the server filesystem via improperly controlled include/require statements. The flaw, reported by Patchstack and tagged as LFI/Information Disclosure, can lead to full compromise of the WordPress instance through disclosure of sensitive configuration data (e.g., wp-config.php) and potential code execution if attacker-controlled files are reachable. No public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Local File Inclusion in Axiomthemes Confidant WordPress theme (versions up to and including 1.4) allows remote unauthenticated attackers to include arbitrary local PHP files on the server, potentially leading to sensitive information disclosure and code execution. The vulnerability is reported by Patchstack with a CVSS 8.1 (High) rating; no public exploit identified at time of analysis and the CVE is not present in CISA KEV. The high attack complexity (AC:H) suggests exploitation requires specific conditions to be met, despite the network-reachable, no-auth attack surface.
Server-side request forgery in DedeCMS 5.7.88 allows low-privileged authenticated remote attackers to make the server issue arbitrary HTTP requests by manipulating the base64-decoded Link argument in /plus/download.php?open=1. Exploitation enables internal network probing, potential access to cloud metadata endpoints (e.g., AWS IMDSv1), and limited confidentiality, integrity, and availability impact (C:L/I:L/A:L per CVSS). Publicly available exploit code exists (CVSS temporal E:P; description confirms exploit publication), though no confirmed active exploitation or CISA KEV listing has been identified at time of analysis.
SQL injection in itsourcecode Fees Management System 1.0 exposes database contents and integrity to authenticated low-privilege remote attackers via the unsanitized `ID` parameter in `/manage_payment.php`. The CVSS vector (PR:L) confirms exploitation requires a valid user account, but no elevated privileges are needed beyond basic authentication. A publicly available proof-of-concept exploit exists (GitHub), raising the practical exploitation risk; no vendor-released patch has been identified at time of analysis.
Stored Cross-Site Scripting in the Simple Custom Login Page WordPress plugin (versions ≤ 1.0.3) allows authenticated administrators to inject arbitrary CSS rules into wp-login.php, which is then rendered for every unauthenticated visitor to the login page. The changed scope (S:C in CVSS) is the critical risk amplifier: a single administrator-level compromise or malicious admin can silently overlay phishing UI elements on the WordPress login page, harvesting credentials from any user who subsequently visits. No public exploit code has been identified at time of analysis and this vulnerability is not listed in the CISA KEV catalog.
Local File Inclusion via null byte injection in SourceCodester Pizzafy Ecommerce System 1.0 allows authenticated remote attackers with low-privilege accounts to read arbitrary files from the server by manipulating the `page` parameter in `/index.php`. Publicly available exploit code exists, published as a GitHub writeup demonstrating the null byte (%00) bypass technique. No CISA KEV listing at time of analysis, but the public POC lowers the bar for targeted exploitation against low-security PHP deployments.
Unauthenticated remote SQL injection in SourceCodester Class and Exam Timetabling System 1.0 exposes the login endpoint /index2.php to arbitrary query manipulation via the Password parameter. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms exploitation requires no authentication, no user interaction, and no special attack complexity, making this trivially reachable from the network. Publicly available exploit code exists (POC confirmed via GitHub), though no CISA KEV listing has been issued, meaning widespread active exploitation is not confirmed at time of analysis.
Improper authorization in the BeikeShop e-commerce platform (versions up to 1.6.0.22) allows remote unauthenticated attackers to forge Stripe payment webhook callbacks and mark unpaid orders as paid. The flawed `callback` function in `plugins/Stripe/Controllers/StripeController.php` accepts arbitrary request bodies without verifying the Stripe-Signature header, and publicly available exploit code exists on GitHub. CVSS is 7.3 with EPSS not provided; the issue is not in CISA KEV but has a public POC, raising the practical risk for any internet-exposed BeikeShop store.
SQL injection in Chanjet CRM 1.0 allows remote unauthenticated attackers to manipulate the gblOrgID parameter of /tools/jxf_dump_systable.php to inject arbitrary SQL into the backend database. Publicly available exploit code exists (referenced via a public gist), and the vendor did not respond to disclosure attempts, leaving deployments exposed without official remediation. EPSS data was not provided and the issue is not in CISA KEV, but the combination of network-reachable HTTP GET handler, no authentication requirement, and a public POC makes opportunistic exploitation realistic.
Path traversal in the Quick Playground WordPress plugin (versions ≤ 1.3.4) exposes arbitrary server files to authenticated administrators. The flaw exists in client-qckply_data.php where the qckply_data() function forwards a user-supplied filename POST parameter directly into file_get_contents() without sanitization, enabling traversal sequences to escape the webroot and reach files such as wp-config.php or /etc/passwd. No public exploit exists and the vulnerability is not listed in the CISA KEV catalog, but exploitation would yield database credentials and other secrets with high confidentiality impact.
Stored Cross-Site Scripting in the Click to Chat - WA Widget WordPress plugin (holithemes, all versions through 4.38) allows authenticated Contributor-level users to inject persistent JavaScript payloads that execute in victim browsers when the rendered WhatsApp chat button is clicked. The root cause is a double-encoding bypass: esc_attr() sanitization produces HTML entities that are decoded back to literal characters by the browser's HTML parser before JavaScript evaluation inside an onclick event handler, completely defeating the intended escaping. No public exploit has been identified at time of analysis, but the detailed technical write-up from Wordfence combined with publicly browsable vulnerable source code significantly lowers the barrier to exploitation. Vendor-released patch version 4.39 is available.
PHP Object Injection in the LearnPress - Backup & Migration Tool WordPress plugin (versions ≤ 4.1.4, by ThimPress) allows authenticated administrators to supply maliciously crafted serialized data through the plugin's import functionality, triggering unsafe PHP deserialization. The vulnerability itself carries no direct impact in isolation - exploitation is contingent on a separate plugin or theme installing a usable POP (Property-Oriented Programming) chain on the same site, at which point an attacker can escalate to arbitrary file deletion, sensitive data retrieval, or remote code execution. No public exploit code and no CISA KEV listing have been identified at time of analysis, and the CVSS score of 6.6 (High complexity, High privileges required) reflects the constrained real-world conditions.
Stored Cross-Site Scripting in the Master Addons for Elementor WordPress plugin (versions up to and including 3.1.0) allows authenticated attackers with author-level access to inject persistent JavaScript into pages by exploiting a broken authorization boundary in the Custom JS Extension. The flaw arises because the unfiltered_html capability check is enforced only during UI rendering (Elementor control registration) and entirely absent from the save handler, permitting a crafted POST to admin-ajax.php?action=elementor_ajax to store arbitrary scripts that execute in every subsequent visitor's browser. No public exploit or CISA KEV listing has been identified at time of analysis, though the Wordfence disclosure and direct source-code references confirm the issue is well-documented.
Local File Inclusion in the WP User Manager WordPress plugin (versions through 2.9.17) allows unauthenticated remote attackers to include and execute arbitrary .php files on the server via the profile tab query parameter. The flaw stems from missing validation of the tab value before it is passed to the profile template loader, enabling path traversal to any PHP file the web server can read. No public exploit is identified at time of analysis, and the issue is not listed in CISA KEV, but POC behavior is effectively documented in the upstream fix's traversal test cases.
Authenticated remote code execution in the Admin Columns WordPress plugin (versions through 7.0.18) allows Contributor-level users to inject serialized PHP objects via post meta and trigger a bundled POP gadget chain through the Laravel SerializableClosure component. Reported by Wordfence with CVSS 8.8, no public exploit identified at time of analysis, though the low privilege barrier and bundled gadget chain make weaponization straightforward for any researcher with plugin access.
Sandbox policy bypass in Twig templating engine versions 3.25.0 and earlier allows sandboxed template authors to invoke arbitrary `__toString()` methods on any `Stringable` object reachable in the render context, even when those methods are not allowlisted by `SecurityPolicy::checkMethodAllowed()`. The flaw stems from `SandboxNodeVisitor` only wrapping a hardcoded subset of AST nodes in `CheckToStringNode`, leaving many string-coercion points (conditional expressions, comparison/`matches` operators, tests, ranges, includes, spread arguments) unguarded - and the comparison-operator vector enables byte-by-byte oracle recovery of sensitive object string forms. No public exploit identified at time of analysis; fix shipped in Twig 3.26.0 (also referenced by Symfony's advisory page).
Cross-site scripting in Twig's profiler HtmlDumper component (twig/twig >= 3.0.0, < 3.26.0) allows an attacker who can control template names - via an ArrayLoader key, a database-backed loader row ID, or similar - to inject arbitrary HTML that executes in any browser rendering the profiler output. The root cause is a missing htmlspecialchars() call in HtmlDumper::formatTemplate() and related methods before writing Profile::getTemplate() and Profile::getName() into the HTML response. No public exploit or CISA KEV listing has been identified at time of analysis, but the vendor confirmed the issue and shipped a fix in v3.26.0 as part of a coordinated batch of security releases.
Weak cryptographic salt generation in HAX CMS (haxcms-php) versions prior to 26.0.1 allows remote unauthenticated attackers to predict or recover salt values used during installation and authentication-related operations. The flaw stems from using PHP's uniqid() - a timestamp-based, non-cryptographic function - as a randomness source (CWE-338). No public exploit has been identified at time of analysis and the CVE is not on CISA KEV.
Persistent session token access in HAX CMS (haxtheweb) prior to version 26.0.0 allows attackers who possess a valid authentication token to retain access to CMS administrative functions and metadata even after the legitimate user has logged out. The root cause is CWE-613 (Insufficient Session Expiration): authentication tokens are not invalidated server-side upon logout, meaning the session termination mechanism is cosmetic rather than functional. Both PHP and NodeJS backend deployments are affected. No public exploit has been identified at time of analysis, and no CISA KEV listing exists, but the fix is available in version 26.0.0.
Arbitrary file upload in HAX CMS (PHP backend) versions 11.0.6 through 24.x allows authenticated remote attackers to upload PHP webshells disguised as images by abusing a regex-only extension check that ignores MIME type and content inspection, leading to remote code execution on the web server. CVSS v4.0 scores this 8.7 (High) with PR:L indicating low-privilege authentication is required, and no public exploit was identified at time of analysis although the underlying CWE-434 pattern is highly automatable.
Session token disclosure in HAX CMS versions 25.0.0 through 26.0.0 (exclusive) stems from the haxcms_refresh_token cookie being issued without the Secure flag, allowing the browser to send it over plaintext HTTP. A network-positioned attacker can capture the refresh token via passive sniffing and hijack the victim's authenticated session. No public exploit identified at time of analysis, and the vendor has published a fix in version 26.0.0.
Local File Inclusion in HAX CMS's saveOutline endpoint allows an authenticated low-privileged user to read arbitrary files on the server by injecting path traversal sequences into the location field written to site.json. Both the PHP and NodeJS backend variants (haxtheweb/haxcms-php and haxtheweb/haxcms-nodejs) are affected across all versions prior to 26.0.0. There is no public exploit identified at time of analysis and this vulnerability is not listed in the CISA KEV catalog, though the confidentiality impact is rated High given that exfiltrable targets include /etc/passwd, application secrets, and web-server-readable configuration files.
Remote code execution in WP Captcha PRO (premium version of the Advanced Google reCAPTCHA WordPress plugin) through version 5.38 allows authenticated Subscriber-level attackers to upload arbitrary files, including PHP webshells, by abusing the licensing module's save_ajax() capability check and the unrestricted archive extraction in sync_cloud_protection(). No public exploit identified at time of analysis, but the CVSS 8.8 rating and trivial Subscriber-level prerequisite - common on sites with open registration - make this a high-priority WordPress ecosystem flaw. Wordfence is the original reporter and primary intelligence source.
OS command injection in HAX CMS (haxtheweb/haxcms-php) prior to version 26.0.0 allows authenticated remote attackers to execute arbitrary commands as the web server user via Git operations in the PHP backend. The Git.php library passes unsanitized input into proc_open() across 16 of 17 shell-invoking functions, with only commit() correctly using escapeshellarg(). No public exploit identified at time of analysis, though the vendor advisory describes a clear chain to full RCE when combined with configuration manipulation.
Stored cross-site scripting in HAX CMS PHP before 26.0.0 lets authenticated low-privilege users upload HTML files with uppercase extensions (.HTML, .Html, .HTM) that bypass the case-sensitive .htaccess Content-Disposition: attachment rule, causing browsers to render the file inline and execute embedded JavaScript in the HAXcms origin. The flaw defeats the mitigation shipped for CVE-2026-22704 and carries a CVSS 8.7 score driven by scope change (S:C) into the victim browser context. No public exploit identified at time of analysis, though the GitHub Security Advisory describes the bypass technique in enough detail to reproduce.
Unauthenticated repository exposure in HAX CMS PHP (versions 2.0.0 through 25.x) allows any remote attacker to browse git repositories and full commit history via the unprotected gitlist plugin. The CVSS 4.0 vector confirms no authentication, no user interaction, and network-level access with low complexity, making exploitation trivially achievable against any public-facing instance. No public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV, but the absence of access controls on the gitlist endpoint represents a direct confidentiality risk for any sensitive data stored in or committed to those repositories.
Authenticated remote code execution affects HAX CMS PHP backend versions prior to 26.0.0, where attackers with valid credentials can configure malicious Git filter commands to overwrite files and execute arbitrary code on the server. The flaw carries a CVSS 4.0 score of 9.4 due to full compromise of confidentiality, integrity, and availability with cascading subsequent system impact. No public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV.
Unrestricted file upload in code-projects Vehicle Management System 1.0 allows remote unauthenticated attackers to upload arbitrary files via the photo parameter of the New Driver Registration Form (newdriver.php), enabling remote code execution. Publicly available exploit code exists on GitHub, increasing the likelihood of opportunistic abuse against exposed instances despite no CISA KEV listing.
SQL injection in code-projects Hotel and Tourism Reservation System 1.0 allows remote unauthenticated attackers to manipulate the 'room' parameter of /details.php to inject arbitrary SQL queries. Publicly available exploit code exists (published via GitHub by researcher and indexed by VulDB), increasing the likelihood of opportunistic exploitation against exposed instances. The flaw is reachable over the network with no privileges or user interaction, making any internet-facing deployment of this PHP application a viable target.
Cross-site scripting in tittuvarghese's PHP-based CollegeManagementSystem exposes users to script injection via the unvalidated `department_name` parameter in `/dashboard_page/forms/fetch.php`, exploitable remotely without authentication but requiring victim interaction. Publicly available exploit code (GitHub issue #6) lowers the technical barrier for opportunistic attacks, though CVSS scope remains unchanged with only low integrity impact. No patch has been released and the project maintainer has not responded to the coordinated disclosure, leaving all deployed instances permanently exposed under the rolling release model.
Improper authorization in tittuvarghese CollegeManagementSystem exposes the Admin Interface to privilege escalation by low-privileged authenticated users who can manipulate the UserAuthData parameter in dashboard_page/admin_page.php. A publicly available exploit exists (referenced in GitHub issue #5), raising practical risk above what the mid-range CVSS score of 6.3 alone would suggest. The vendor has not responded to the responsible disclosure, and no patch has been released; all deployed instances across the rolling release track remain exposed.
Session fixation in tittuvarghese CollegeManagementSystem enables remote attackers to hijack authenticated user sessions by pre-setting a session identifier via the UserAuthData argument passed to session_start() in /login-form.php. Successful exploitation requires a victim to complete login through an attacker-crafted URL, granting the attacker access to the victim's authenticated session with partial confidentiality, integrity, and availability impact (C:L/I:L/A:L). A publicly available exploit exists via a published GitHub issue, but no patch has been released and the maintainer has not responded to responsible disclosure.
SQL injection in tittuvarghese CollegeManagementSystem (rolling-release PHP project) allows remote unauthenticated attackers to manipulate the department_code parameter in dashboard_page/forms/fetch.php to inject arbitrary SQL. Publicly available exploit code exists (disclosed via VulDB and a GitHub issue), and because the project uses continuous delivery with no tagged versions, defenders cannot pin a fixed release. The maintainer has been notified but has not responded, increasing operational risk for any deployment.
Unrestricted file upload in tittuvarghese CollegeManagementSystem exposes the Student Data Upload endpoint (`dashboard_page/forms/upload_student_data.php`) to remote exploitation by authenticated low-privilege users, allowing arbitrary file types - including PHP web shells - to be uploaded to the server by manipulating the Student-Data-CSV argument. All deployed instances across all commits are affected given the project's rolling release model, and no vendor-released patch exists as the maintainer has not responded to responsible disclosure. Publicly available exploit code exists, raising real-world risk above what the CVSS 6.3 score alone implies.
Unauthenticated remote code execution in the JCE (Joomla Content Editor) extension for Joomla allows attackers to create editor profiles without authentication, then leverage that capability to upload and execute arbitrary PHP code on the server. With a CVSS 4.0 score of 10.0 and the CVSS:4.0 'U:Red' urgency flag set by the vendor, this represents a critical broken-access-control flaw, though no public exploit has been identified at time of analysis.
Multiple reflected Cross-Site Scripting vulnerabilities in damasac's thaipalliative_lte PHP application (through version 3.0) allow unauthenticated remote attackers to inject arbitrary JavaScript into victim browsers by crafting malicious URLs. The vulnerable file /substudy/ezform.php unsafely echoes four distinct user-controlled parameters - idFormMain, id (in two locations), and ptid_key - directly into HTML attributes and JavaScript contexts without output encoding. A proof-of-concept exists per SSVC data; however, EPSS is very low at 0.08% (23rd percentile) and exploitation is not confirmed by CISA KEV, suggesting limited widespread attacker interest at time of analysis.
SQL injection in SourceCodester Ship Ferry Ticket Reservation System 1.0 exposes the admin login panel to unauthenticated remote attackers via a crafted Username parameter in /admin/login.php, enabling authentication bypass and backend database manipulation. Publicly available exploit code (POC) has been published on Medium demonstrating the authentication bypass technique, elevating real-world risk despite the moderate CVSS 4.0 score of 5.5. No KEV listing at time of analysis, but the zero-prerequisite network attack vector combined with a public POC makes this a credible threat to any internet-facing deployment.
SQL injection in projectworlds Online Art Gallery Shop 1.0 enables remote low-privileged attackers to manipulate the `social_insta` parameter within `/admin/adminHome.php`, achieving limited read, write, and availability impact against the underlying database. Publicly available exploit code exists (CVSS 4.0 E:P), though the overall CVSS 4.0 score of 2.1 reflects a constrained impact scope - no subsequent system compromise is possible. This is not listed in the CISA KEV catalog; exploitation requires authenticated access rather than open unauthenticated attack.
Server-side request forgery in Shopware's media subsystem allows authenticated admin users to make arbitrary HTTP HEAD requests to internal network addresses and cloud metadata endpoints via the `/api/_action/media/external-link` endpoint. The root cause is an inconsistency between two URL-handling flows in `MediaUploadService`: the `uploadFromURL` flow correctly validates resolved IPs against private/reserved ranges, while the `linkURL` flow only checks that the URL begins with `http://` or `https://`. Exploiting this, an admin can probe cloud metadata services, enumerate internal ports, and leak `content-length` values from internal services; no public exploit has been identified at time of analysis, and a vendor-released patch exists in version 6.7.10.1.
Stored cross-site scripting in Shopware's media manager allows any authenticated admin to upload an unsanitized SVG file containing arbitrary JavaScript that executes in the Shopware domain context when the file is accessed by any user. The upload pipeline - spanning MediaUploadController, FileSaver, and TypeDetector - classifies SVG as a valid ImageType with VECTOR_GRAPHIC flag but performs zero content sanitization: no DOMPurify, no enshrined/svg-sanitize, no strip_tags on SVG XML content. In an e-commerce context this enables admin account takeover, customer data exfiltration, and malicious plugin installation. No public exploit identified at time of analysis and this vulnerability is not listed in CISA KEV.
Unauthorized payment triggering in Shopware's `/store-api/handle-payment` endpoint allows any low-privileged Store API caller - including guest checkout contexts - to initiate or retry the payment flow for another customer's order by supplying a known foreign `orderId`. The flaw affects `shopware/platform` and `shopware/core` versions below 6.6.10.18 and versions 6.7.0.0 through 6.7.10.0, and is confirmed fixed in releases 6.6.10.18 and 6.7.10.1 per GitHub advisory GHSA-9v5m-39wh-5chq. No public exploit code or CISA KEV listing has been identified at time of analysis, and the CVSS score of 4.3 (Medium) reflects limited scope: integrity of order and payment workflows is the primary risk, with no direct confidentiality or availability impact.
Order state transition endpoints in Shopware's Admin API expose a vertical authorization bypass (CWE-862) where authenticated low-privileged users can manipulate order lifecycle states - including cancellation, fulfillment, and payment transitions - without holding the required `order:update` ACL privilege. The structural gap exists across both the 6.6.x and 6.7.x release lines because the affected routes in `OrderActionController.php` carry no ACL metadata, causing `AclAnnotationValidator` to exit without enforcing any privilege check, and the downstream `StateMachineRegistry` then executes writes under `Context::SYSTEM_SCOPE`. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV, but exploitation is mechanically trivial for any authenticated Admin API user regardless of their assigned role.
Timing-based administrator username enumeration in Shopware's OAuth token endpoint exposes valid admin accounts to unauthenticated remote attackers. The flaw exists in shopware/platform and shopware/core packages across the 6.6.x and 6.7.x branches, where the API endpoint api/oauth/token responds measurably faster for non-existent usernames than for valid ones due to skipping the Argon2id password_verify() call. A publicly available proof-of-concept exploit exists; while not confirmed actively exploited in CISA KEV, the POC lowers the barrier for targeted brute-force, credential stuffing, and spear phishing campaigns against Shopware admin panels. CVSS rates this 3.7 (AC:H), reflecting that reliable exploitation requires statistical timing analysis across many requests.
Privilege escalation in Shopware's Admin API allows authenticated users holding only the low-privilege `user:create` or `user:update` ACL to promote any account - including newly created ones - to full administrator access. The flaw exists in `UserController::upsertUser()` across composer packages `shopware/platform` and `shopware/core`, affecting all releases below 6.6.10.18 and the 6.7.x line below 6.7.10.1. Shopware has released patched versions; no public exploit code or CISA KEV listing has been identified at time of analysis, but the attack is straightforward for any user with delegated user-management API access.
Admin account takeover in Shopware's PHP e-commerce platform is achievable by any low-privilege admin holding the user_recovery:read ACL through a three-endpoint attack chain requiring no special tooling. The vulnerability stems from the UserRecoveryDefinition exposing a secret password-reset hash via the Admin API search endpoint - a hash the recovery flow assumes is delivered exclusively via email - enabling the attacker to bypass the intended out-of-band delivery mechanism entirely. Patched versions 6.6.10.18 and 6.7.10.1 are available; no public exploit code or CISA KEV listing has been identified at time of analysis, though the attack is fully documented in the GitHub Security Advisory GHSA-8v9p-g828-v98f.
Privilege escalation in Shopware's Sync API allows an authenticated API user holding the `integration:create` ACL to self-elevate to full administrator by posting `admin: true` via `POST /api/_action/sync`. The dedicated `IntegrationController` correctly enforces an admin-only guard on this field, but the Sync API routes writes through `SyncService → EntityWriter::upsert()`, which only validates entity-level ACL and `WriteProtection` flags - neither of which are present on the `admin` BoolField in `IntegrationDefinition`. Affected are `shopware/platform` and `shopware/core` prior to 6.6.10.18 and prior to 6.7.10.1; no public exploit or CISA KEV listing is confirmed at time of analysis, though the attack is mechanically trivial for any credential holder with the prerequisite ACL.
Stored XSS in AVideo's YouTubeAPI plugin allows any YouTube video uploader whose video matches the AVideo operator's configured search keyword to inject arbitrary JavaScript into every visitor's browser via the homepage gallery section. The `snippet.title` field returned by the YouTube Data API is rendered verbatim across four HTML output sites in `plugin/YouTubeAPI/gallerySection.php`, three of which apply no encoding whatsoever; the fourth applies only a partial `str_replace` that strips double-quotes and leaves the other three sinks untouched. Publicly available exploit code is documented in GHSA-66q5-cj5g-wrfx; the payload persists for up to 3600 seconds (the default cache TTL) after the hostile video is removed from YouTube, and when the victim is an authenticated AVideo administrator the injected script can escalate to full administrative takeover via cookie-based requests lacking CSRF protection.
Reflected XSS in WWBN AVideo's YouTubeAPI plugin allows any unauthenticated remote attacker to execute arbitrary JavaScript in a victim's browser by inducing the victim to open a single crafted URL. The unsanitized `$_GET['search']` parameter is interpolated raw into pagination link href attributes in `plugin/YouTubeAPI/gallerySection.php`, and the AVideo Layout plugin then automatically hoists the injected script tag into a clean executable inline script block at page bottom - bypassing naive attribute-context filters. A detailed proof-of-concept is publicly documented in GitHub Security Advisory GHSA-hgjh-6wj8-gcgf; no active exploitation confirmed in CISA KEV at time of analysis.
Stored cross-site scripting in WWBN AVideo (all versions through 29.0) lets an authenticated user execute arbitrary JavaScript in other connected users' browsers via the SQLite-backed YPTSocket WebSocket messaging system. The flaw is an incomplete-fix bypass of CVE-2026-43874: the prior patch only stripped the `autoEvalCodeOnHTML` key from `$json['msg']`, but `msgToResourceId()` prioritizes the sibling `json` key, so a payload placed there reaches the victim unsanitized. Publicly available exploit code exists in the GitHub advisory PoC; EPSS is low (0.13%) and it is not on CISA KEV, so no active exploitation is indicated.
Missing authorization on the Admin Dashboard endpoint of LakshayD02's Hostel-Management-System-PHP allows low-privileged authenticated users to manipulate the ID parameter in hostel/index.php to access or modify records beyond their permitted scope. All commits up to f87e67c283bab6f718faf2fec6ae39a13bd7036b are affected; the project uses no formal versioning, so no unaffected release exists. Publicly available exploit code exists, and the project maintainer had not responded to coordinated disclosure at time of reporting.
SQL injection in itsourcecode Fees Management System 1.0 exposes the `/receipt.php` endpoint to database manipulation by authenticated remote attackers via the `ef_id` parameter. The CVSS temporal metric E:P confirms a publicly available exploit, disclosed via a GitHub issue, meaning exploitation is accessible to low-skilled attackers. No CISA KEV listing is present, but the combination of public POC, network-reachable attack vector, and low attack complexity makes this a credible threat for any internet-facing deployment of this PHP application.
Improper input validation in MISP's over-correlations endpoint allows an authenticated high-privileged attacker to inject arbitrary ordering clauses into database queries via the user-controlled `order` request parameter. All MISP instances running version 2.5.38 and earlier are affected. While direct impact is bounded by query-ordering manipulation, the vulnerability carries SQLi tags and high subsequent system impact scores (SC:H/SI:H/SA:H in CVSS 4.0), suggesting that a successfully crafted ordering expression could escalate to unsafe query construction or unintended data exposure. No public exploit has been identified at time of analysis.
WordPress Popup Builder 3.49 contains a persistent cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by breaking out of option tags in the post_title. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
WordPress Hybrid Composer 1.4.6 contains an unauthenticated settings change vulnerability that allows unauthenticated attackers to modify WordPress options by exploiting the hc_ajax_save_option. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Contact Form by WD 1.13.1 contains a cross-site request forgery vulnerability combined with local file inclusion that allows unauthenticated attackers to include arbitrary files by exploiting. Rated medium severity (CVSS 5.1), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
PHP EI-Tube Script 3 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the search parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Listing Hub CMS 1.0 contains a SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the id parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
PDF Signer 3.0 contains a server-side template injection vulnerability that allows unauthenticated attackers to execute arbitrary code by injecting PHP commands through the CSRF-TOKEN cookie. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Care2x 2.7 contains multiple SQL injection vulnerabilities that allow unauthenticated attackers to execute arbitrary SQL commands by manipulating the ck_config cookie parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
WordPress Plugin ad manager wd 1.0.11 contains an arbitrary file download vulnerability that allows unauthenticated attackers to download sensitive files by manipulating the path parameter. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Reflected cross-site scripting in itsourcecode Fees Management System 1.0 allows remote unauthenticated attackers to inject arbitrary JavaScript into a victim's browser session by manipulating the 'page' parameter in /navbar.php. The attack requires user interaction - a victim must follow a crafted URL - limiting mass exploitation, but publicly available exploit code (referenced via a GitHub issue) lowers the barrier for targeted phishing campaigns. No CISA KEV listing; EPSS data was not provided, though the combination of no authentication requirement and public POC warrants prompt attention for exposed deployments.
SQL injection in itsourcecode Fees Management System 1.0 allows authenticated remote attackers with low privileges to manipulate database queries via the `ID` parameter in `/manage_user.php`. The CVSS vector (AV:N/AC:L/PR:L/UI:N) confirms network-accessible exploitation requiring only a low-privilege account, with confidentiality, integrity, and availability all partially impacted. A public proof-of-concept exploit is available (E:P in CVSS temporal metrics, corroborated by a GitHub issue), though no active exploitation has been confirmed via CISA KEV. No vendor-released patch has been identified at time of analysis.
SQL injection in itsourcecode Fees Management System 1.0 allows low-privileged remote attackers to manipulate database queries via the `ID` parameter in `/manage_student.php`, resulting in partial compromise of confidentiality, integrity, and availability. The affected product is a PHP-based academic fee tracking application; exploitation requires a valid low-privilege account but no additional user interaction. A publicly available proof-of-concept exploit (referenced via GitHub) lowers the bar for opportunistic exploitation, though no confirmed active exploitation (CISA KEV) has been recorded at time of analysis.
Unrestricted file upload in Stumasy (mjperpinosa) allows a low-privileged authenticated attacker to upload arbitrary files through the profile image change endpoint, potentially enabling server-side code execution. The vulnerable parameter `pr_profile_image` in `application/PHP/objects/profiles/change_profile_image.php` performs no meaningful file type validation, making it trivial to submit non-image payloads including PHP webshells. A publicly available exploit exists via the project GitHub issue tracker; the vendor has not responded to the disclosure, and no patch has been released. No CISA KEV listing at time of analysis.
Unrestricted file upload in mjperpinosa's stumasy PHP application allows authenticated remote attackers to upload arbitrary and potentially dangerous file types via the up_file_to_post parameter in add_post.php, enabling likely remote code execution through web shell deployment. The CVSS vector (AV:N/AC:L/PR:L/UI:N) confirms network-reachable exploitation requiring only low-privilege authentication with no user interaction. A publicly available proof-of-concept exploit exists (disclosed via GitHub issue), and the vendor has not responded to the responsible disclosure - no patch is available at time of analysis.
Unauthenticated information disclosure in the SP Project & Document Manager WordPress plugin (versions up to and including 4.71) allows remote attackers to enumerate file metadata and obtain download links for arbitrary files stored within project folders. The flaw stems from a broken authorization gate in the view_file AJAX handler where a negated nonce check is OR-chained with permission checks, causing the entire condition to evaluate true when no valid nonce is supplied. No public exploit identified at time of analysis, and the CVSS 7.5 score reflects confidentiality-only impact with no integrity or availability consequences.
Authentication bypass in ealpha072's Student-Management-System PHP application exposes the administrative backend to remote unauthenticated attackers via a flaw in admin/config.php. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms zero prerequisites - no privileges, no user interaction, no special attack conditions - and a proof-of-concept exploit is publicly available via a GitHub issue report. The vendor has not responded to responsible disclosure and no patched release has been issued, leaving all deployments at or before commit 01451bd7a2f58cdda07bd0b86e3967582e3ecd08 without an official remediation path.
Authenticated zone-file injection in Froxlor <=2.3.6 allows a customer with DNS editing enabled to inject newline characters into TXT record content via the DomainZones.add API, breaking out of the record line in the generated BIND zone file and injecting arbitrary BIND directives ($INCLUDE, $GENERATE) or DNS records (A, MX, CNAME). The flaw is an incomplete fix for CVE-2026-30932, which sanitized LOC/RP/SSHFP/TLSA records but left TXT handling reliant only on Dns::encloseTXTContent(), which strips no control characters. Publicly available exploit code exists (detailed PoC including a Python script in the GHSA advisory), but there is no public exploit identified at time of analysis in CISA KEV and no EPSS score was provided.
PHP object injection in Concrete CMS versions below 9.5.2 allows authenticated high-privileged attackers to trigger arbitrary PHP object instantiation through unsafe unserialize() calls in the Workflow, Form block, and File/Set components. The vulnerability requires a malicious serialized payload to be placed in the database beforehand, and no public exploit identified at time of analysis. The vendor scored this 8.4 (CVSS 4.0), and CISA SSVC indicates no observed exploitation but total technical impact if successfully chained.
SQL injection in SourceCodester Pizzafy E-Commerce System 1.0 allows remote unauthenticated attackers to manipulate the Username parameter sent to the Login function in /admin/admin_class_novo.php, compromising the administrative authentication flow. Publicly available exploit code exists per the referenced GitHub proof-of-concept, raising opportunistic exploitation risk despite the limited deployment footprint of this small-scale PHP e-commerce application. No KEV listing or EPSS score is provided, so exploitation appears opportunistic rather than confirmed active.
File inclusion in SourceCodester Online Food Ordering System 2.0 allows remote attackers to manipulate the 'page' parameter of /index.php to include arbitrary files via the application's include() function. Publicly available exploit code exists (referenced on GitHub), and the CVSS 7.3 score combined with no authentication or user interaction requirements (AV:N/AC:L/PR:N/UI:N) makes this trivially exploitable against any exposed deployment. The vulnerability falls under CWE-73 (External Control of File Name or Path) and primarily enables information disclosure, though depending on PHP configuration it may escalate to code execution.
Weak password hashing in QloApps through 1.7.0 enables credential compromise because Tools::encrypt() in classes/Tools.php hashes passwords with unsalted MD5 concatenated with a static cookie key, allowing offline brute-force recovery of customer and employee credentials. The risk is amplified by an 8-character auto-generated password used during guest-to-customer conversion in classes/Customer.php, making cracked hashes practically trivial. No public exploit identified at time of analysis, but the upstream fix in commit 64e9722 replaces MD5 with the PasswordHashing class for credential storage.
Insecure Direct Object Reference (IDOR) in SourceCodester Human Resource Management 1.0 allows authenticated remote attackers to read other employees' records by manipulating the `employeeid` parameter in `/detailview.php`. The vulnerability results in unauthorized disclosure of employee data across account boundaries, with no integrity or availability impact. A publicly available proof-of-concept exploit exists; no active exploitation has been confirmed by CISA KEV at time of analysis.
SQL injection in code-projects Student Admission System 1.0 allows remote unauthenticated attackers to manipulate the 'eid' and 'did' parameters in /index.php to inject arbitrary SQL queries. Publicly available exploit code exists (referenced via GitHub issue tracker), increasing the likelihood of opportunistic attacks against exposed deployments. The vulnerability carries a CVSS 3.1 base score of 7.3, with low impact across confidentiality, integrity, and availability, but no special prerequisites for exploitation.
SQL injection in DedeCMS 5.7.88 allows remote unauthenticated attackers to manipulate the database through the carbuyaction.php endpoint by supplying crafted postname or des parameter values that bypass the RemoveXSS sanitization function. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms no authentication, no complexity, and no special conditions are required for exploitation. A public proof-of-concept exploit has been released (CVSS E:P modifier), though no CISA KEV listing exists, indicating no confirmed widespread active exploitation at time of analysis.
SQL injection in DedeCMS 5.7.88 allows remote unauthenticated attackers to manipulate database queries via the `msg` parameter in `/plus/flink.php`, where the `dede_htmlspecialchars` function fails to adequately sanitize input before use in SQL operations. The CVSS 4.0 vector confirms no authentication, no user interaction, and low complexity - making this trivially reachable over the network. Publicly available exploit code exists (CVSS E:P), though no confirmed active exploitation (CISA KEV) has been recorded at time of analysis.
Missing authorization in NamelessMC 2.2.4 allows authenticated low-privileged users to add reactions to wall posts on private profiles or profiles that have blocked them, bypassing expected privacy and blocking controls. The flaw exists in `core/classes/Misc/ProfilePostReactionContext.php`, which validates only that the target post exists but performs no check against the profile's visibility settings or block relationships. No public exploit identified at time of analysis, and the vendor has released a patch in version 2.2.5.
Authorization bypass in NamelessMC 2.2.4's profile wall system allows low-privileged authenticated users to post to private or blocking profiles, and to inject replies into wall posts belonging to arbitrary profiles they would otherwise be restricted from accessing. The profile.php module processes wall post submissions before performing the visibility and block-list authorization checks, meaning the write completes before any rejection occurs. A second independent flaw in the reply branch skips verification that the target wall post belongs to the profile being accessed, enabling cross-profile reply injection via a restricted profile URL. No public exploit code has been identified and this is not listed in CISA KEV, but a patch is available in version 2.2.5.
SQL injection in DedeCMS 5.7.88 exposes the feedback submission endpoint to unauthenticated remote attackers who can manipulate the `msg` parameter passed to the `TrimMsg` function in `/plus/feedback.php`. The CVSS 4.0 vector (PR:N/UI:N/AC:L/AT:N) confirms no authentication or user interaction is required, and the E:P modifier indicates exploit code has been publicly disclosed per VulDB submission 829413. No CISA KEV listing was identified at time of analysis, but the combination of unauthenticated network access and a public POC elevates practical risk above the moderate base score of 5.5.
Missing authorization controls in NamelessMC 2.2.4 expose private profile post reaction data to unauthenticated visitors and allow low-privileged authenticated users to interact with posts from profiles they are blocked by or that are set to private. Two distinct code paths are vulnerable: the reaction query endpoint in `modules/Core/queries/reactions.php` accepts unauthenticated GET requests without enforcing privacy settings, while `core/classes/Misc/ProfilePostReactionContext.php` only validates post existence rather than caller access rights. No public exploit code exists and this vulnerability has not been added to the CISA KEV catalog, but the unauthenticated read path requires no prerequisites against internet-facing installations.
NamelessMC 2.2.4's forum module exposes a broken object-level authorization flaw that allows authenticated users to read and modify reactions on topics they are explicitly forbidden from viewing. The vulnerability exists in `modules/Forum/classes/ForumPostReactionContext.php`, which enforces only forum-level access (`can view the forum`) but omits the topic-level `view_other_topics` permission check - meaning the access control boundary is incomplete by design. Attackers with a low-privilege forum account in a restricted forum can bypass the `view_other_topics` restriction to interact with other users' topic reactions. No public exploit code exists and this CVE is not listed in the CISA KEV catalog at time of analysis.
Broken access control in NamelessMC 2.2.4 (Minecraft community website software) allows any low-privileged authenticated user to read posts from hidden, private, or staff-only forums by sending crafted requests to the get_quotes.php endpoint. The Forum module's quote helper only verifies that the caller is logged in and fails to enforce forum/topic visibility ACLs that the normal topic view does enforce. No public exploit identified at time of analysis, but the issue is trivial to weaponize given an account on the affected site.
Local File Inclusion in Select-Themes WaveRide WordPress theme versions up to and including 1.4 allows remote attackers to coerce the application into including arbitrary local PHP files via improper validation of a filename used in an include/require statement. The flaw is rated CVSS 8.1 (high) with network attack vector and no authentication required, though high attack complexity tempers exploitability; no public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Local File Inclusion in Code Supply Co. Blueprint WordPress theme versions prior to 1.1.5 allows remote unauthenticated attackers to include arbitrary local PHP files through improper filename validation in include/require statements. CVSS rates the issue 8.1 (High) with high attack complexity, and no public exploit has been identified at time of analysis. Despite the CWE-98 classification suggesting Remote File Inclusion, the vendor advisory explicitly scopes the impact to Local File Inclusion.
Reflected XSS in NamelessMC 2.2.4 allows unauthenticated remote attackers to inject and execute arbitrary JavaScript in a victim's browser via the unsanitized `id` parameter at the `/index.php?route=/queries/user/` endpoint. Exploitation requires victim interaction (UI:R per CVSS), making this a social-engineering-dependent attack suited to targeted phishing against Minecraft server administrators or users. No public exploit code has been identified and the vulnerability is not listed in CISA KEV; version 2.2.5 fully resolves the issue.
Local File Inclusion in Axiomthemes Racquet WordPress theme (versions through 1.12.0) allows remote unauthenticated attackers to include arbitrary local PHP files via improperly validated filename input, leading to information disclosure and potential code execution. The flaw is classified as CWE-98 (PHP Remote File Inclusion) with a CVSS 8.1 (High) rating, though high attack complexity (AC:H) tempers its real-world exploitability. No public exploit identified at time of analysis, and the issue was reported through the Patchstack research program.
Local File Inclusion in androThemes Cookiteer WordPress theme versions up to and including 1.4.8 allows remote unauthenticated attackers to include and execute arbitrary local PHP files on the underlying server. The flaw is classified as PHP Remote File Inclusion (CWE-98) but the practical impact described is LFI, which can lead to sensitive information disclosure and potential code execution through log poisoning or session file abuse. No public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV.
Local File Inclusion in Axiomthemes Fermentio WordPress theme through version 1.5.0 allows remote unauthenticated attackers to include arbitrary local files via improperly controlled filename parameters in PHP include/require statements. The flaw is tracked under CWE-98 (PHP Remote File Inclusion) but per the description is exploitable as LFI, with no public exploit identified at time of analysis and high attack complexity reflected in the CVSS vector.
Local File Inclusion in the Axiomthemes Spin WordPress theme (versions up to and including 1.8) allows remote attackers to coerce the PHP runtime into including arbitrary local files via an unsanitized filename parameter passed to an include/require statement. Successful exploitation can disclose sensitive configuration data (such as wp-config.php) and, depending on server configuration, escalate into remote code execution by including attacker-controlled content. No public exploit identified at time of analysis and the vulnerability is not currently listed in CISA KEV.
Local file inclusion in the Axiomthemes Crafti WordPress theme (versions up to and including 1.12) allows remote unauthenticated attackers to coerce the PHP runtime into including arbitrary local files through improperly validated include/require parameters. Successful exploitation can lead to disclosure of sensitive server-side files, configuration data, and under certain conditions code execution via included content. No public exploit identified at time of analysis, but the issue is catalogued by Patchstack in their WordPress vulnerability database.
Local file inclusion in the UnboundStudio Accordion FAQ WordPress plugin (versions up to and including 2.2.1) allows authenticated remote attackers to include and execute arbitrary PHP files from the server filesystem via improperly controlled include/require statements. The flaw, reported by Patchstack and tagged as LFI/Information Disclosure, can lead to full compromise of the WordPress instance through disclosure of sensitive configuration data (e.g., wp-config.php) and potential code execution if attacker-controlled files are reachable. No public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Local File Inclusion in Axiomthemes Confidant WordPress theme (versions up to and including 1.4) allows remote unauthenticated attackers to include arbitrary local PHP files on the server, potentially leading to sensitive information disclosure and code execution. The vulnerability is reported by Patchstack with a CVSS 8.1 (High) rating; no public exploit identified at time of analysis and the CVE is not present in CISA KEV. The high attack complexity (AC:H) suggests exploitation requires specific conditions to be met, despite the network-reachable, no-auth attack surface.
Server-side request forgery in DedeCMS 5.7.88 allows low-privileged authenticated remote attackers to make the server issue arbitrary HTTP requests by manipulating the base64-decoded Link argument in /plus/download.php?open=1. Exploitation enables internal network probing, potential access to cloud metadata endpoints (e.g., AWS IMDSv1), and limited confidentiality, integrity, and availability impact (C:L/I:L/A:L per CVSS). Publicly available exploit code exists (CVSS temporal E:P; description confirms exploit publication), though no confirmed active exploitation or CISA KEV listing has been identified at time of analysis.
SQL injection in itsourcecode Fees Management System 1.0 exposes database contents and integrity to authenticated low-privilege remote attackers via the unsanitized `ID` parameter in `/manage_payment.php`. The CVSS vector (PR:L) confirms exploitation requires a valid user account, but no elevated privileges are needed beyond basic authentication. A publicly available proof-of-concept exploit exists (GitHub), raising the practical exploitation risk; no vendor-released patch has been identified at time of analysis.
Stored Cross-Site Scripting in the Simple Custom Login Page WordPress plugin (versions ≤ 1.0.3) allows authenticated administrators to inject arbitrary CSS rules into wp-login.php, which is then rendered for every unauthenticated visitor to the login page. The changed scope (S:C in CVSS) is the critical risk amplifier: a single administrator-level compromise or malicious admin can silently overlay phishing UI elements on the WordPress login page, harvesting credentials from any user who subsequently visits. No public exploit code has been identified at time of analysis and this vulnerability is not listed in the CISA KEV catalog.
Local File Inclusion via null byte injection in SourceCodester Pizzafy Ecommerce System 1.0 allows authenticated remote attackers with low-privilege accounts to read arbitrary files from the server by manipulating the `page` parameter in `/index.php`. Publicly available exploit code exists, published as a GitHub writeup demonstrating the null byte (%00) bypass technique. No CISA KEV listing at time of analysis, but the public POC lowers the bar for targeted exploitation against low-security PHP deployments.