Skip to main content

PHP

24727 CVEs product

Monthly

CVE-2026-10568 LOW POC Monitor

SQL injection in itsourcecode Fees Management System 1.0 exposes database contents and integrity to authenticated low-privilege remote attackers via the unsanitized `ID` parameter in `/manage_payment.php`. The CVSS vector (PR:L) confirms exploitation requires a valid user account, but no elevated privileges are needed beyond basic authentication. A publicly available proof-of-concept exploit exists (GitHub), raising the practical exploitation risk; no vendor-released patch has been identified at time of analysis.

PHP SQLi
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-10100 MEDIUM This Month

Stored Cross-Site Scripting in the Simple Custom Login Page WordPress plugin (versions ≤ 1.0.3) allows authenticated administrators to inject arbitrary CSS rules into wp-login.php, which is then rendered for every unauthenticated visitor to the login page. The changed scope (S:C in CVSS) is the critical risk amplifier: a single administrator-level compromise or malicious admin can silently overlay phishing UI elements on the WordPress login page, harvesting credentials from any user who subsequently visits. No public exploit code has been identified at time of analysis and this vulnerability is not listed in the CISA KEV catalog.

XSS PHP WordPress
NVD
CVSS 3.1
4.4
EPSS
0.0%
CVE-2026-10559 LOW POC Monitor

Local File Inclusion via null byte injection in SourceCodester Pizzafy Ecommerce System 1.0 allows authenticated remote attackers with low-privilege accounts to read arbitrary files from the server by manipulating the `page` parameter in `/index.php`. Publicly available exploit code exists, published as a GitHub writeup demonstrating the null byte (%00) bypass technique. No CISA KEV listing at time of analysis, but the public POC lowers the bar for targeted exploitation against low-security PHP deployments.

Information Disclosure PHP
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-10558 LOW POC Monitor

File inclusion in SourceCodester Pizzafy Ecommerce System 1.0 exposes the admin panel to path traversal attacks via the `page` parameter in `/admin/index.php`, enabling an authenticated remote attacker to include arbitrary server-side files. Successful exploitation yields low-impact confidentiality, integrity, and availability compromise consistent with the CVSS C:L/I:L/A:L rating. A public exploit writeup (POC) exists on GitHub, significantly lowering the skill threshold for exploitation; however, no active exploitation has been confirmed via CISA KEV at time of analysis.

Information Disclosure PHP
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-10302 LOW Monitor

SQL injection in itsourcecode Fees Management System 1.0 exposes authenticated low-privileged users a pathway to manipulate database content via the `id` parameter in `/manage_fee.php`. The vulnerability allows remote attackers with valid application credentials to read, modify, or partially disrupt database records. Publicly available exploit code exists (CVSS 4.0 E:P modifier confirmed), though no active exploitation has been confirmed by CISA KEV. The overall severity is low (CVSS 4.0: 2.1), reflecting limited scope and confidentiality impact.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-10301 LOW Monitor

Reflected cross-site scripting in itsourcecode Fees Management System 1.0 allows remote unauthenticated attackers to inject arbitrary JavaScript into a victim's browser by manipulating the `page` argument of index.php. The vulnerability requires passive user interaction - a victim must follow a crafted URL - limiting its scalability, but publicly available exploit code lowers the barrier to abuse. No KEV listing exists; this is a low-severity finding corroborated by a CVSS 4.0 score of 2.1 and an exploit-modified (E:P) supplemental metric.

XSS PHP
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-10299 LOW POC Monitor

Insecure Direct Object Reference (IDOR) in code-projects Online Hospital Management System 1.0 allows a high-privileged remote attacker to manipulate the `delid` parameter in `viewdoctortimings.php`, resulting in unauthorized modification or deletion of doctor timing records beyond the attacker's intended access scope. The CVSS 4.0 score of 2.0 reflects the high privilege prerequisite (PR:H), low integrity impact (VI:L), and low availability impact (VA:L) to the vulnerable component. No public exploit identified at time of analysis as active exploitation - however, publicly available exploit code exists, documented in a GitHub proof-of-concept writeup.

Information Disclosure PHP
NVD VulDB GitHub
CVSS 4.0
2.0
EPSS
0.1%
CVE-2026-10297 LOW POC Monitor

SQL injection in itsourcecode Fees Management System 1.0 exposes the /manage_course.php endpoint to database manipulation via an unsanitized ID parameter, reachable by any low-privileged authenticated user over the network. The CVSS 6.3 medium score reflects limited impact scope (C:L/I:L/A:L), but the availability of public proof-of-concept exploit code materially elevates operational risk for internet-facing deployments. No public exploit identified at time of analysis maps to CISA KEV; however, the E:P CVSS modifier confirms exploit code is circulating.

PHP SQLi
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-10296 LOW POC Monitor

SQL injection in itsourcecode Fees Management System 1.0 exposes the /ajax.php endpoint to database manipulation via the Username parameter, allowing authenticated remote attackers with low-privilege credentials to read, modify, or corrupt application data. The CVSS vector (AV:N/AC:L/PR:L) confirms this is network-exploitable at low complexity with a low-privilege account requirement. A publicly available proof-of-concept exploit exists (confirmed by CVSS temporal modifier E:P and a GitHub disclosure), though no active exploitation has been confirmed by CISA KEV at the time of analysis.

PHP SQLi
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-49491 HIGH POC This Week

Unauthenticated SQL injection in Pixa Bank 2.0 allows remote attackers to exfiltrate database contents by submitting UNION-based payloads in the 'rib' parameter of the agence-ajax.php endpoint. Publicly available exploit code exists (Packet Storm) and the issue was disclosed by VulnCheck, making opportunistic exploitation likely against any internet-exposed instance. No public exploit identified at time of analysis as actively exploited in the wild (not on CISA KEV), but the trivial attack complexity and existing PoC elevate practical risk.

PHP Information Disclosure SQLi
NVD
CVSS 4.0
8.8
EPSS
0.1%
CVE-2018-25434 HIGH POC This Week

WP AutoSuggest 0.24 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the wpas_keys parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress SQLi PHP
NVD Exploit-DB
CVSS 4.0
8.8
EPSS
0.1%
CVE-2018-25433 HIGH POC This Week

Joomla Component JE Photo Gallery 1.1 contains an SQL injection vulnerability that allows unauthenticated attackers to extract database information by injecting malicious SQL code through the. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Information Disclosure
NVD Exploit-DB
CVSS 4.0
8.8
EPSS
0.1%
CVE-2018-25430 HIGH POC This Week

Paroiciel 11.20 contains an SQL injection vulnerability that allows authenticated attackers to execute arbitrary SQL queries by injecting malicious code through the eGeqIdEquipe parameter. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi
NVD Exploit-DB
CVSS 4.0
7.1
EPSS
0.0%
CVE-2018-25429 HIGH POC This Week

Paroiciel 11.20 contains an SQL injection vulnerability that allows authenticated attackers to execute arbitrary SQL queries by injecting malicious code through the zProIdPro parameter. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi
NVD Exploit-DB
CVSS 4.0
7.1
EPSS
0.0%
CVE-2018-25428 HIGH POC This Week

Paroiciel 11.20 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the tRecIdListe parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi
NVD Exploit-DB
CVSS 4.0
8.8
EPSS
0.1%
CVE-2026-10290 MEDIUM POC This Month

SQL injection in code-projects Hotel and Tourism Reservation System 1.0 allows remote unauthenticated attackers to manipulate the `tour` GET parameter in `tour.php` to inject arbitrary SQL into backend database queries. Publicly available exploit code exists (hosted on GitHub), enabling low-skilled attackers to extract or modify database contents, though no CISA KEV listing or EPSS signal indicates widespread active exploitation at this time.

PHP SQLi
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-10289 LOW POC Monitor

Cross-site scripting in code-projects Hotel and Tourism Reservation System 1.0 allows remote unauthenticated attackers to inject and execute arbitrary JavaScript by manipulating the name, email, people, or number parameters submitted to /ht/tour.php. The POC repository title ('Stored-XSS') strongly suggests this is a persistent (stored) XSS variant, meaning injected payloads survive in the application and execute in the browsers of subsequent users who view the affected reservation data - not merely the attacker's own session. Publicly available exploit code exists; this CVE has not been added to the CISA KEV catalog at time of analysis.

XSS PHP
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-10288 MEDIUM POC This Month

Authentication bypass in code-projects Hotel and Tourism Reservation System 1.0 allows remote attackers to defeat admin login by manipulating the Password argument processed by the password_verify function in /admin/login.php. The flaw is reachable over the network without prior authentication, and publicly available exploit code exists, increasing the likelihood of opportunistic abuse against exposed deployments.

PHP Authentication Bypass
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.1%
CVE-2026-10287 MEDIUM POC This Month

Server-side request forgery in SourceCodester SEO Meta Tag Extractor 1.0 allows remote unauthenticated attackers to coerce the application into making arbitrary outbound HTTP requests by manipulating the 'url' parameter passed to the get_headers() function in /index.php. Publicly available exploit code exists per VulDB, increasing the likelihood of opportunistic abuse against exposed instances, though no active exploitation has been confirmed via CISA KEV.

PHP SSRF
NVD VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-10286 LOW POC Monitor

SQL injection in CodeAstro Payroll System 1.0 allows remote authenticated attackers with low-privilege credentials to manipulate database queries via the emp_id parameter in /home_employee.php. Exploitation can result in unauthorized read access to confidential payroll records, limited data manipulation, and potential availability impact against the underlying database. Publicly available exploit code exists (referenced via GitHub), elevating real-world risk beyond the moderate CVSS score of 6.3; no public patch is available at time of analysis.

PHP SQLi
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-10285 MEDIUM This Month

Improper authorization in DevaslanPHP project-management (all versions through 2.0.0-beta1) allows any low-privileged authenticated attacker to remotely invoke the KanbanScrumHelper::recordUpdated function in the Ticket Handler component without adequate permission checks, resulting in unauthorized modification of ticket and kanban board records (integrity impact) and limited disruption of availability. The vendor was notified via GitHub issue #141 but had not responded at time of disclosure, meaning no patch is available. No public exploit code has been identified and the CVE does not appear in CISA KEV.

PHP Authentication Bypass
NVD VulDB GitHub
CVSS 4.0
5.3
EPSS
0.0%
CVE-2026-10284 MEDIUM This Month

Improper authorization in DevaslanPHP project-management up to 2.0.0-beta1 allows authenticated remote attackers to edit or delete ticket comments they do not own by exploiting missing ownership validation in the Livewire Handler component. The CVSS vector (PR:L, AV:N, AC:L) confirms the attack is network-accessible and requires only a low-privilege account with no user interaction. No vendor patch exists - the maintainer has not responded to the responsible disclosure submitted via GitHub issue - and no public exploit or CISA KEV listing has been identified at time of analysis.

PHP Authentication Bypass
NVD VulDB GitHub
CVSS 4.0
5.3
EPSS
0.0%
CVE-2026-10282 MEDIUM PATCH This Month

Insecure Direct Object Reference in Bottelet DaybydayCRM up to version 2.2.1 allows any authenticated user to view or download arbitrary documents belonging to other users by enumerating the external_id URL parameter in DocumentsController. The missing authorization check in both the view() and download() methods means a low-privilege employee or contractor can exfiltrate documents linked to any Task, Project, Lead, or Client within the CRM. No public exploit identified at time of analysis and no CISA KEV listing, but the attack is trivially executable by any authenticated user given low complexity (AC:L, AT:N) and no user interaction required (UI:N).

PHP Authentication Bypass
NVD VulDB GitHub
CVSS 4.0
5.3
EPSS
0.0%
CVE-2026-10273 MEDIUM POC PATCH This Month

OS command injection in PHP Censor through 2.1.6 allows remote attackers to execute arbitrary shell commands by submitting a crafted commitId value to the webhook endpoint handled by src/Model/Build/GitBuild.php. The unsanitized commitId (and branch name) is interpolated into shell command strings passed to git log and clone operations, and publicly available exploit code exists per VulDB. No CISA KEV listing or EPSS score is provided, so exploitation appears opportunistic rather than confirmed active in the wild.

Command Injection PHP
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
1.0%
CVE-2026-10272 MEDIUM POC This Month

Improper authorization in a4m4's Student-Management-System allows unauthenticated remote attackers to manipulate the `sid` parameter in `admin/deleteform.php` to delete student records without any credentials. All commits up to f0c5f6842c5e8c431ff02b5260a565ca844df3a0 are affected, and a proof-of-concept exploit has been publicly disclosed via the project's GitHub issue tracker. No patch is available; the maintainer has not responded to the responsible disclosure report, leaving all deployed instances exposed with no official remediation path.

PHP Authentication Bypass
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-10265 LOW Monitor

SQL injection in itsourcecode Content Management System 1.0 allows authenticated remote attackers to manipulate database queries via the topic_id parameter in /admin/edit_topic.php. The CVSS 4.0 vector (PR:L) confirms a low-privileged authenticated account is sufficient to trigger the injection, which yields limited but real confidentiality, integrity, and availability impact against the underlying database component. Publicly available exploit code exists (E:P), though no active exploitation has been confirmed by CISA KEV.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-10263 MEDIUM This Month

SQL injection in SourceCodester Computer Repair Shop Management System 1.0 exposes the admin product management endpoint to unauthenticated remote attackers who can manipulate the 'ID' parameter in /admin/products/manage_product.php to execute arbitrary SQL statements. The CVSS 4.0 vector confirms no privileges or user interaction are required (PR:N, UI:N, AV:N), and a proof-of-concept exploit has been publicly disclosed (E:P), lowering the bar for exploitation. Impact is assessed as low-to-moderate across confidentiality, integrity, and availability on the vulnerable system, with no lateral scope change to subsequent systems.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-10262 MEDIUM This Month

Unauthenticated SQL injection in code-projects Real State Services 1.0 exposes the login endpoint to remote database manipulation. The Username parameter passed to /loginuser.php is unsanitized and directly interpolated into SQL queries (CWE-74), enabling unauthenticated remote attackers to extract data, bypass authentication, or alter database contents. Exploit code has been publicly disclosed via a GitHub issue report, elevating practical risk despite the moderate CVSS 4.0 score of 5.5.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-10261 MEDIUM This Month

SQL injection in CodeAstro Online Job Portal 1.0 exposes the /users/application_status.php endpoint to unauthenticated remote attackers who can manipulate the ID parameter to inject arbitrary SQL into backend database queries, resulting in partial confidentiality, integrity, and availability impact. A proof-of-concept exploit has been published (CVSS 4.0 E:P confirmed), lowering the barrier to exploitation significantly despite the medium overall score. No public KEV listing exists, meaning active widespread exploitation is not confirmed at time of analysis, but the combination of a public POC and zero authentication requirements makes this a credible near-term risk for any internet-exposed deployment.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-10260 MEDIUM This Month

SQL injection in CodeAstro Online Job Portal 1.0 exposes the `/admin/jobs-admins/delete-jobs.php` endpoint to remote database manipulation via an unsanitized `ID` parameter. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) indicates no authentication, no complexity, and no user interaction are required to exploit this flaw from the network, though the admin panel context of the vulnerable endpoint warrants verification of actual auth enforcement. Publicly available exploit code exists (E:P), elevating practical risk above what the medium CVSS score of 5.5 alone might suggest.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-10258 LOW POC Monitor

SQL injection in itsourcecode Content Management System 1.0 allows remote authenticated attackers to manipulate the backend database via the topic_id parameter in /admin/add_sub_topic.php. The CVSS vector (PR:L) confirms exploitation requires low-privilege authentication, limiting opportunistic attack surface but not eliminating risk in multi-tenant or shared-admin environments. Publicly available exploit code exists, elevating practical risk above what the moderate CVSS score of 6.3 alone suggests.

PHP SQLi
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-10257 LOW POC Monitor

SQL injection in itsourcecode Content Management System 1.0 exposes the admin-facing endpoint /admin/update_ss_img.php to database manipulation via the unsanitized topic_id parameter. Low-privilege authenticated attackers can exploit this remotely with no user interaction required, achieving partial read, write, and availability impact against the underlying database. A public exploit is available (CVSS temporal E:P; GitHub PoC linked in references), elevating practical risk despite the moderate 6.3 base score. No active exploitation confirmed via CISA KEV at time of analysis.

PHP SQLi
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-10256 LOW POC Monitor

SQL injection in itsourcecode Content Management System 1.0 exposes the database to read, modify, and partial denial-of-service via a crafted comment submission. The vulnerable endpoint /save_comment.php fails to sanitize the Name parameter before incorporating it into SQL queries, allowing an authenticated low-privilege attacker to manipulate database logic directly. A publicly available proof-of-concept exploit exists (GitHub issue linked in VulDB entry), elevating real-world risk despite the absence of a CISA KEV listing.

PHP SQLi
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-10255 MEDIUM POC This Month

Unauthenticated remote information disclosure in SourceCodester Pharmacy Sales and Inventory System 1.0 allows network-based attackers to bypass access controls and read sensitive sales statement data via the sell_statement function in application/controllers/ShowForm.php. The CVSS vector confirms PR:N (no authentication required) with low access complexity, and a proof-of-concept exploit has been publicly disclosed via GitHub. No KEV listing at time of analysis, but the combination of unauthenticated network access and available exploit code elevates practical risk beyond the moderate CVSS 5.3 score alone.

PHP Authentication Bypass
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-10253 MEDIUM POC This Month

SQL injection in itsourcecode Online House Rental System 1.0 allows remote unauthenticated attackers to manipulate the 'ID' parameter of /manage_payment.php to execute arbitrary database queries. Publicly available exploit code exists, increasing the likelihood of opportunistic attacks against exposed deployments. The flaw was reported by VulDB and impacts a PHP-based rental management application commonly deployed by small operators and educational projects.

PHP SQLi
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-10252 MEDIUM POC This Month

SQL injection in itsourcecode Online House Rental System 1.0 allows remote unauthenticated attackers to manipulate the 'ID' parameter of /manage_tenant.php to inject arbitrary SQL queries against the backend database. Publicly available exploit code exists (disclosed via GitHub issue tracker and indexed by VulDB), making opportunistic exploitation feasible against any internet-exposed instance. The vulnerability impacts a PHP-based property management application typically deployed by small landlords or as a learning/demonstration project.

SQLi PHP Online House Rental System
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-10251 MEDIUM POC This Month

SQL injection in itsourcecode Online House Rental System 1.0 allows remote unauthenticated attackers to manipulate the Username parameter of the /ajax.php?action=login endpoint to inject arbitrary SQL. Publicly available exploit code exists (VulDB-referenced PoC on GitHub), increasing the practical risk despite the application's limited deployment footprint. No CISA KEV listing is present, so this represents publicly available exploit code without confirmed active exploitation.

PHP SQLi
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-10250 MEDIUM POC This Month

SQL injection in itsourcecode Online Blood Bank Management System 1.0 allows remote unauthenticated attackers to manipulate the 'hospital' parameter in /admin/campsdetails.php to inject arbitrary SQL queries. Publicly available exploit code exists, increasing the practical risk despite the application being a relatively niche PHP-based healthcare management product. No CISA KEV listing or EPSS score is provided in the source intelligence, so widespread automated exploitation is not confirmed.

PHP SQLi
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-10249 MEDIUM POC This Month

SQL injection in itsourcecode Online Blood Bank Management System 1.0 allows remote unauthenticated attackers to manipulate the 'ID' parameter on /admin/viewrequest.php to inject arbitrary SQL into backend database queries. Publicly available exploit code exists per VulDB, raising the practical risk despite the moderate CVSS 7.3 score. No CISA KEV listing or EPSS data was provided, so widespread automated exploitation cannot be confirmed at this time.

PHP SQLi
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-40548 MEDIUM This Month

Unrestricted file upload in SOPlanning's backup import functionality (versions 1.55 and below) allows an authenticated high-privilege attacker to smuggle a malicious PHP script inside a crafted ZIP archive alongside a legitimate user.csv file, bypassing extension validation entirely. This vulnerability is materially escalated when chained with CVE-2026-40547 (Path Traversal in the same product), which redirects extraction to a web-accessible directory, converting an upload flaw into full server-side remote code execution. No public exploit has been identified at time of analysis, and the vulnerability is not listed in CISA KEV, but the exploitation chain is technically straightforward once administrative credentials are held.

File Upload PHP Path Traversal
NVD
CVSS 4.0
6.4
EPSS
0.0%
CVE-2026-10242 LOW Monitor

SQL injection in itsourcecode Content Management System 1.0 exposes the /instructions.php endpoint to database manipulation via the unsanitized topic_id parameter. Low-privileged remote attackers can read, modify, or delete data within the application's database scope. A public proof-of-concept exploit has been published (VulDB submission 823558 / GitHub issue), lowering the exploitation barrier, though the CVSS 4.0 score of 2.1 reflects limited blast radius due to low-impact CIA triad ratings and the low-privilege prerequisite.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-10236 MEDIUM This Month

Unauthenticated remote attackers can create privileged administrator accounts in SourceCodester Water Billing Management System 1.0 by sending crafted requests to the User Management endpoint, bypassing all authorization controls. The researcher-published reference - titled 'Unauthenticated Admin Creation in PHP System' - confirms the practical impact exceeds the moderate CVSS score: full administrative takeover of the application is achievable without credentials. Publicly available exploit code exists (CVSS E:P), and no vendor patch has been identified at time of analysis.

Information Disclosure PHP
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-10235 LOW POC Monitor

SQL injection in CodeAstro Ingredients Stock Management System 1.0 exposes authenticated remote attackers a direct path to database manipulation through the unsanitized `txt_search_category` parameter in `/Ingredients-Stock/stock_manager.php`. The CVSS vector (PR:L) confirms that low-privilege authentication is required, partially limiting exposure, but a publicly available proof-of-concept on GitHub significantly lowers the exploitation barrier. No confirmed active exploitation (CISA KEV) has been reported; however, the combination of low complexity, network accessibility, and public exploit code makes this a realistic threat against any internet-facing deployment where attacker credential acquisition is feasible.

PHP SQLi
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-10228 LOW POC Monitor

Reflected or stored cross-site scripting (XSS) in raisulislamg4's student_management_system_by_php allows authenticated remote attackers to inject malicious scripts via the Message argument in admission_form_check.php. The vulnerability requires a victim to interact with a crafted link or page, triggering script execution in the context of another user's browser session. A public exploit exists per the GitHub issue report; however, the vendor has not responded to disclosure and no patch has been released.

XSS PHP
NVD VulDB GitHub
CVSS 4.0
2.0
EPSS
0.0%
CVE-2026-10227 MEDIUM POC This Month

SQL injection in raisulislamg4's PHP-based Student Management System allows remote unauthenticated attackers to manipulate the 'role' parameter in add_user_check.php to inject arbitrary SQL queries. Publicly available exploit code exists per VulDB disclosure, and the project (a rolling-release GitHub repository) has not responded to the reporter's issue, leaving deployments unpatched. CVSS 7.3 with low complexity and no privileges required makes this an attractive low-effort target despite the limited deployment footprint of this open-source educational project.

PHP SQLi
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-10226 MEDIUM POC This Month

SQL injection in raisulislamg4's Student Management System (PHP) allows remote unauthenticated attackers to manipulate database queries via the user_id, course_id, teacher_id, student_id, or application_id parameters in delete.php. Publicly available exploit code exists, and the project operates on a rolling release model with no formal versioning, complicating patch tracking. The maintainer has been notified but has not responded, leaving deployments exposed.

PHP SQLi
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-10225 MEDIUM POC This Month

SQL injection in raisulislamg4's PHP-based Student Management System allows remote unauthenticated attackers to manipulate the Username parameter in login_check.php to inject arbitrary SQL. Publicly available exploit code exists per the GitHub issue tracker, and the project follows a rolling-release model with no fixed version available. The vendor was notified early but has not responded, leaving deployments unpatched.

PHP SQLi
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-10215 PHP LOW POC PATCH Monitor

Horizontal privilege escalation in Dolibarr ERP CRM through version 23.0.1 permits any authenticated low-privilege user to read other users' leave request records via the Leave Request REST API, with a publicly available proof-of-concept confirming exploitability. The flaw in `checkUserAccessToObject` within `api_holidays.class.php` (CWE-285, Improper Authorization) arises because the access control helper receives only an integer object ID rather than the full object, causing ownership validation to fail silently and return another user's confidential HR data. No active exploitation is confirmed in CISA KEV, but the public POC and low attack complexity make this a realistic insider or multi-tenant threat requiring prompt patching.

PHP Authentication Bypass
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-10209 LOW POC Monitor

SQL injection in code-projects Online Hospital Management System 1.0 exposes backend database contents via the `editid` parameter in `appointmentdetail.php`. A low-privilege authenticated attacker can remotely manipulate SQL queries to read, modify, or corrupt patient and appointment records. A proof-of-concept exploit is publicly available per the GitHub reference, raising the likelihood of opportunistic exploitation against internet-facing deployments of this PHP application.

PHP SQLi
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-10208 MEDIUM POC This Month

SQL injection in code-projects Online Hospital Management System 1.php enables remote unauthenticated attackers to manipulate the Username parameter sent to the login_user function in login_1.php, allowing arbitrary SQL query execution against the backend database. Publicly available exploit code exists (published on GitHub by researcher Mi0uno), increasing the likelihood of opportunistic exploitation, though the CVE is not listed in CISA KEV and EPSS data is not provided. Per CVSS, exploitation requires no authentication or user interaction and impacts confidentiality, integrity, and availability at a low level (CVSS 7.3).

PHP SQLi
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-10186 MEDIUM This Month

SQL injection in code-projects Online Hospital Management System 1.0 allows unauthenticated remote attackers to manipulate database queries via the `editid` parameter in /patient.php, potentially exposing or modifying patient records. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms zero-authentication, network-accessible exploitation with no special conditions, and a public proof-of-concept has been disclosed via GitHub. While the CVSS 5.5 score reflects limited per-component impact (Low confidentiality, integrity, and availability), the absence of any access barrier combined with POC availability makes this an actionable risk for any exposed deployment.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-10185 MEDIUM This Month

SQL injection in SourceCodester Hospitals Patient Records Management System 1.0 exposes sensitive medical data to unauthenticated remote attackers through the ID parameter of the /classes/Users.php?f=save endpoint. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms zero-barrier remote access requiring no credentials or user interaction, and a publicly available proof-of-concept exploit (E:P) further elevates real-world risk beyond the moderate 5.5 base score. No vendor-released patch has been identified, leaving all known deployments of version 1.0 exposed to data exfiltration and manipulation of patient health records.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-10184 MEDIUM This Month

SQL injection in SourceCodester Hospitals Patient Records Management System 1.0 allows unauthenticated remote attackers to manipulate the ID parameter in /classes/Users.php?f=delete, enabling unauthorized read and write access to the underlying database. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms no authentication or user interaction is required, and the E:P modifier confirms publicly available exploit code exists. While CVSS impact scores are rated Low across confidentiality, integrity, and availability, the unauthenticated network accessibility combined with a live POC elevates the practical deployment risk for any internet-exposed instance.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-49489 HIGH POC This Week

SQL injection in OpenCATS through 0.9.7.4 allows authenticated users to extract arbitrary database contents by injecting malicious SQL into the sortDirection parameter of ajax/getDataGridPager.php. Publicly available exploit code exists (Exploit-DB 52579, Packet Storm), and the issue was disclosed via a GitHub Security Advisory coordinated with VulnCheck. The CVSS 4.0 base score of 8.4 reflects high confidentiality impact with a subsequent-system scope change, though exploitation requires a valid low-privileged account.

PHP Information Disclosure SQLi
NVD GitHub Exploit-DB VulDB
CVSS 4.0
8.4
EPSS
0.0%
CVE-2026-10178 MEDIUM POC This Month

SQL injection in code-projects Online Music Site 1.0 allows remote unauthenticated attackers to manipulate the ID parameter of /Administrator/PHP/AdminEditAlbum.php to inject arbitrary SQL queries. Publicly available exploit code exists (disclosed via VulDB submission 819912 and a GitHub issue), though there is no CISA KEV listing and no EPSS data provided to gauge exploitation probability. The vulnerability carries a CVSS 7.3 score reflecting low complexity and no authentication requirement, but only partial CIA impact.

PHP SQLi
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-10172 LOW POC Monitor

Unrestricted file upload in Bdtask Multi-Store Inventory Management System 1.0 enables authenticated remote attackers to upload arbitrary file types - including PHP webshells - through the Component Module's Upload function, leading to potential remote code execution on the host server. The vulnerability resides in application/modules/dashboard/controllers/Module.php where the Upload function performs insufficient file type validation. A public proof-of-concept exploit has been released on GitHub, elevating the practical risk beyond the moderate CVSS 6.3 score. No vendor patch has been identified at time of analysis.

File Upload PHP
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-10171 LOW POC Monitor

SQL injection in code-projects Online Music Site 1.0 exposes the administrator backend endpoint /Administrator/PHP/AdminUpdateAlbum.php to database manipulation via an unsanitized ID parameter. Exploitation requires high-privilege (administrator) credentials per CVSS PR:H, meaning only authenticated admins - or attackers who have already compromised an admin account - can trigger the flaw. A public proof-of-concept has been disclosed via GitHub, but no CISA KEV listing exists, and no public exploitation activity has been confirmed at this time.

PHP SQLi
NVD VulDB GitHub
CVSS 4.0
2.0
EPSS
0.0%
CVE-2026-10170 LOW POC Monitor

SQL injection in code-projects Visitor Management System 1.0 exposes the `/vms/php/phone_0.php` endpoint to database manipulation via the unsanitized `phone` parameter, exploitable by authenticated remote attackers. A publicly available exploit chain on GitHub (by Xmyronn) explicitly demonstrates escalation from this SQL injection to remote code execution, elevating the real-world severity beyond the CVSS 6.3 base score. No public exploit identified at time of analysis as actively exploited (not in CISA KEV), but the published RCE chain makes this a meaningful risk for any internet-exposed deployment.

PHP SQLi
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-10169 LOW POC Monitor

Weak password recovery in the BrinaryBrains School Student Management System (OUSL-GROUP-BrinaryBrains) exposes its Forgot Password endpoint to remote manipulation of the email argument, enabling attackers to abuse the flawed recovery mechanism and achieve limited unauthorized account integrity impact. The CVSS 4.0 score of 2.9 reflects high attack complexity (AC:H), constraining real-world exploitability despite publicly available exploit code (E:P). No active exploitation has been confirmed via CISA KEV, and the vendor has not responded to the coordinated disclosure as of the time of reporting.

Information Disclosure PHP
NVD VulDB GitHub
CVSS 4.0
2.9
EPSS
0.0%
CVE-2026-10168 LOW POC Monitor

Resource injection in the OUSL-GROUP-BrinaryBrains School Student Management System allows authenticated remote attackers to manipulate the param1 argument in the marks function of Parents.php, improperly controlling resource identifiers to access unauthorized academic records. The CVSS 4.0 score is 2.1, reflecting low-privilege authentication requirements (PR:L) and limited scope impact; a publicly available proof-of-concept exploit has been disclosed via a GitHub issue. No vendor patch exists - the project uses continuous delivery rolling releases and has not responded to the responsible disclosure report.

Information Disclosure PHP
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-10167 MEDIUM POC This Month

Authentication bypass in OUSL-GROUP-BrinaryBrains School Student Management System allows unauthenticated remote attackers to manipulate the 'role' argument in the sign_auth_cookie function, forging or escalating authentication cookies without valid credentials. All commits up to 1e70e5ad1125b86dca4ee086eb6bb121f17708b6 are affected, publicly available exploit code exists (confirmed by CVSS E:P and a public GitHub issue), and no patch is available as the project has not responded to disclosure. Despite a moderate CVSS 4.0 score of 5.5, the combination of zero-barrier remote exploitation and absent vendor remediation represents material unmitigated risk for any organization running this system.

PHP Authentication Bypass
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.1%
CVE-2026-10155 LOW Monitor

SQL injection in Bdtask Multi-Store Inventory Management System 1.0 exposes backend database contents through the Accounts Report Handler's date-range search functionality. The vulnerability resides in the accounts_report_search function (Accounts.php), where the dtpToDate argument is passed to a SQL query without sanitization, allowing an authenticated high-privileged user to read, modify, or partially disrupt database data. Publicly available exploit code exists (CVSS 4.0 E:P), though the high-privilege prerequisite significantly limits the realistic attacker population; the vulnerability is not listed in CISA KEV.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
2.0
EPSS
0.0%
CVE-2026-10154 MEDIUM PATCH This Month

Insecure Direct Object Reference in Dolibarr ERP CRM 23.0.0-23.0.2 allows any authenticated low-privilege user to read another user's messaging records by manipulating the `id` parameter in `htdocs/user/messaging.php`. The commit diff confirms the endpoint performed zero ownership or permission validation before serving messaging data - any valid session could enumerate other users' messages by cycling numeric IDs. No public exploit code has been identified and this CVE does not appear in CISA KEV, but the vulnerability is trivially exploitable given its low complexity and minimal authentication barrier.

PHP Authentication Bypass
NVD VulDB GitHub
CVSS 4.0
5.3
EPSS
0.0%
CVE-2018-25425 HIGH POC This Week

Yot CMS 3.3.1 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the aid and cid parameters. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi
NVD Exploit-DB VulDB
CVSS 4.0
8.8
EPSS
0.1%
CVE-2018-25424 HIGH POC This Week

Gate Pass Management System 2.1 contains an SQL injection vulnerability that allows unauthenticated attackers to bypass authentication by injecting SQL code through the login and password parameters. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi
NVD Exploit-DB VulDB
CVSS 4.0
8.8
EPSS
0.2%
CVE-2018-25422 HIGH POC This Week

MOGG web simulator Script contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL commands by injecting malicious code through the id parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi
NVD Exploit-DB GitHub VulDB
CVSS 4.0
8.8
EPSS
0.1%
CVE-2018-25421 HIGH POC This Week

Open STA Manager 2.3 contains a path traversal vulnerability that allows authenticated users to download arbitrary files by manipulating the file parameter. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Path Traversal PHP
NVD Exploit-DB VulDB
CVSS 4.0
7.1
EPSS
0.0%
CVE-2018-25420 HIGH POC This Week

AiOPMSD Final 1.0.0 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the 'id' parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi
NVD Exploit-DB VulDB
CVSS 4.0
8.8
EPSS
0.1%
CVE-2018-25419 HIGH POC This Week

AiOPMSD Final 1.0.0 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the genre parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi
NVD Exploit-DB VulDB
CVSS 4.0
8.8
EPSS
0.1%
CVE-2018-25418 HIGH POC This Week

AiOPMSD Final 1.0.0 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the year parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi
NVD Exploit-DB VulDB
CVSS 4.0
8.8
EPSS
0.1%
CVE-2018-25417 HIGH POC This Week

AiOPMSD Final 1.0.0 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the quality parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi
NVD Exploit-DB VulDB
CVSS 4.0
8.8
EPSS
0.1%
CVE-2018-25416 HIGH POC This Week

AiOPMSD Final 1.0.0 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the country parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi
NVD Exploit-DB VulDB
CVSS 4.0
8.8
EPSS
0.1%
CVE-2018-25415 HIGH POC This Week

AiOPMSD Final 1.0.0 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the director parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi
NVD Exploit-DB VulDB
CVSS 4.0
8.8
EPSS
0.1%
CVE-2018-25414 HIGH POC This Week

AiOPMSD Final 1.0.0 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the actor parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi
NVD Exploit-DB VulDB
CVSS 4.0
8.8
EPSS
0.1%
CVE-2018-25413 HIGH POC This Week

AiOPMSD Final 1.0.0 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the 'q' parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi
NVD Exploit-DB VulDB
CVSS 4.0
8.8
EPSS
0.1%
CVE-2018-25412 CRITICAL POC Act Now

Delta Sql 1.8.2 contains an arbitrary file upload vulnerability that allows unauthenticated attackers to upload malicious files by sending POST requests to docs_upload.php with crafted multipart form. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE PHP Authentication Bypass File Upload
NVD Exploit-DB VulDB
CVSS 4.0
9.3
EPSS
0.2%
CVE-2018-25411 HIGH POC This Week

MGB OpenSource Guestbook 0.7.0.2 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the 'id' parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi
NVD Exploit-DB VulDB
CVSS 4.0
8.8
EPSS
0.1%
CVE-2018-25410 HIGH POC This Week

SIM-PKH 2.4.1 contains an SQL injection vulnerability that allows authenticated attackers to execute arbitrary SQL queries by injecting malicious code through the 'id' parameter. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi
NVD Exploit-DB VulDB
CVSS 4.0
7.1
EPSS
0.0%
CVE-2018-25409 HIGH POC This Week

SIM-PKH 2.4.1 contains an arbitrary file upload vulnerability that allows authenticated attackers to upload malicious files by submitting PHP code through the fupload parameter. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP File Upload
NVD Exploit-DB VulDB
CVSS 4.0
8.7
EPSS
0.0%
CVE-2018-25408 HIGH POC This Week

The Open ISES Project 3.30A contains a path traversal vulnerability in the ajax/download.php endpoint that allows unauthenticated attackers to download arbitrary files by manipulating the filename. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Path Traversal PHP
NVD Exploit-DB VulDB
CVSS 4.0
8.7
EPSS
0.2%
CVE-2018-25407 HIGH POC This Week

eNdonesia Portal 8.7 contains multiple SQL injection vulnerabilities that allow unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through parameters in mod.php. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi
NVD Exploit-DB VulDB
CVSS 4.0
8.8
EPSS
0.1%
CVE-2018-25406 HIGH POC This Week

eNdonesia Portal 8.7 contains multiple SQL injection vulnerabilities that allow unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through parameters in mod.php. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi
NVD Exploit-DB VulDB
CVSS 4.0
8.8
EPSS
0.1%
CVE-2018-25405 HIGH POC This Week

eNdonesia Portal 8.7 contains multiple SQL injection vulnerabilities that allow unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through parameters in mod.php. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi
NVD Exploit-DB VulDB
CVSS 4.0
8.8
EPSS
0.1%
CVE-2026-10110 MEDIUM POC This Month

SQL injection in code-projects Student Details Management System 1.0 exposes the application's database to unauthenticated remote attackers via the unsanitized `roll` parameter in /index.php. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms this is exploitable over the network with no privileges or user interaction required, and a public proof-of-concept exploit is hosted on GitHub, materially lowering the barrier to exploitation. Impact is rated as partial across confidentiality, integrity, and availability (VC:L/VI:L/VA:L), though SQL injection primitives often enable escalation beyond the initial access implied by the base score.

PHP SQLi
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-47233 PHP MEDIUM PATCH GHSA This Month

Permanent inventory field deletion in Admidio (composer/admidio/admidio <= 5.0.9) is reachable by any authenticated low-privilege user due to a missing authorization gate in the `field_delete` mode of `modules/inventory.php`. Deleting a field cascades to all stored item data (`adm_inventory_item_data`) and field options (`adm_inventory_field_options`) for that field with no in-product undo path - recovery requires a database restore. This is an incomplete fix: commit d37ca6b (2026-04-12) added `isAdministratorInventory()` to the sibling `item_delete` handler but left `field_delete` and at least five other state-changing handlers ungated. A working proof-of-concept is published in the GitHub advisory; no public exploit frameworks or CISA KEV listing have been identified at time of analysis.

PHP CSRF Authentication Bypass
NVD GitHub
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-47234 PHP MEDIUM PATCH GHSA This Month

Plaintext credential exposure in Admidio v5.0.9 and earlier causes session IDs and persistent auto-login cookie values to be written to application logs whenever debug logging is enabled. Both the ADMIDIO_*_SESSION_ID and the long-lived ADMIDIO_*_AUTO_LOGIN_ID tokens are recorded verbatim by Session::setCookie() and Session::start(), effectively turning the log sink into a recoverable credential store. Any actor with read access to log files, log backups, or external log aggregation pipelines can extract and replay these tokens to hijack active sessions or gain persistent account access. Publicly available exploit code exists as documented in GitHub advisory GHSA-mch8-wf3h-6x88; this CVE is not currently listed in CISA KEV.

Information Disclosure PHP CSRF Python
NVD GitHub
CVSS 3.1
4.4
EPSS
0.0%
CVE-2026-47232 PHP MEDIUM PATCH GHSA This Month

Missing CSRF protection on the PKCS#12 private key export endpoint in Admidio v5.0.9 allows a network-based attacker to force an authenticated administrator's browser to trigger an unauthorized SSO private key export. The SecurityUtils::validateCsrfToken() call in modules/sso/keys.php was commented out on the 'export' case, permitting forged cross-site POST requests to invoke KeyService::exportToPkcs12() without a valid form token. While same-origin policy prevents the attacker from reading the streamed .p12 response directly, a working proof-of-concept is publicly documented in the GitHub security advisory and a vendor-confirmed fix is available in version 5.0.10.

OpenSSL Ubuntu CSRF Python PHP
NVD GitHub
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-47231 PHP HIGH PATCH GHSA This Week

Insecure direct object reference in Admidio's documents module allows any user with upload rights on a single folder to exfiltrate files from private folders they cannot read. The `move_save` handler in `modules/documents-files.php` validates the actor's upload right against a URL-supplied `folder_uuid` rather than the file's actual parent folder, letting a low-privileged member relocate restricted files into an attacker-controlled folder and download them. No public exploit identified at time of analysis, but a detailed PoC with verified code paths is included in the GHSA-x628-457g-2pw9 advisory.

PHP CSRF Authentication Bypass
NVD GitHub
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-47230 PHP MEDIUM PATCH GHSA This Month

Cross-folder file rename and description tampering in Admidio's document management module allows any authenticated uploader to modify files in folders they cannot write to. The vulnerability affects Admidio <= 5.0.9 (composer package admidio/admidio): a low-privilege user holding upload rights on a single folder can rename files and overwrite descriptions in any other folder they can view, breaking integrity for all readers of those folders. Publicly available exploit code exists per the GitHub Security Advisory; no KEV listing at time of analysis.

XSS PHP CSRF Authentication Bypass
NVD GitHub
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-47229 PHP MEDIUM PATCH GHSA This Month

Cross-site request forgery in Admidio's SSO module allows a network-adjacent attacker to disable or silently re-enable any configured SAML or OIDC authentication client by tricking an authenticated administrator into loading a malicious page. The `enable` action in `modules/sso/clients.php` accepts its `enabled` parameter via GET and applies the state change with no CSRF token validation, while every other state-changing branch in the same file enforces `SecurityUtils::validateCsrfToken()`. A working proof-of-concept is included in the vendor's GitHub security advisory (GHSA-xg76-5qj2-2hhv); no KEV listing was identified at time of analysis.

PHP CSRF
NVD GitHub
CVSS 3.1
5.4
EPSS
0.0%
EPSS 0% CVSS 2.1
LOW POC Monitor

SQL injection in itsourcecode Fees Management System 1.0 exposes database contents and integrity to authenticated low-privilege remote attackers via the unsanitized `ID` parameter in `/manage_payment.php`. The CVSS vector (PR:L) confirms exploitation requires a valid user account, but no elevated privileges are needed beyond basic authentication. A publicly available proof-of-concept exploit exists (GitHub), raising the practical exploitation risk; no vendor-released patch has been identified at time of analysis.

PHP SQLi
NVD VulDB GitHub
EPSS 0% CVSS 4.4
MEDIUM This Month

Stored Cross-Site Scripting in the Simple Custom Login Page WordPress plugin (versions ≤ 1.0.3) allows authenticated administrators to inject arbitrary CSS rules into wp-login.php, which is then rendered for every unauthenticated visitor to the login page. The changed scope (S:C in CVSS) is the critical risk amplifier: a single administrator-level compromise or malicious admin can silently overlay phishing UI elements on the WordPress login page, harvesting credentials from any user who subsequently visits. No public exploit code has been identified at time of analysis and this vulnerability is not listed in the CISA KEV catalog.

XSS PHP WordPress
NVD
EPSS 0% CVSS 2.1
LOW POC Monitor

Local File Inclusion via null byte injection in SourceCodester Pizzafy Ecommerce System 1.0 allows authenticated remote attackers with low-privilege accounts to read arbitrary files from the server by manipulating the `page` parameter in `/index.php`. Publicly available exploit code exists, published as a GitHub writeup demonstrating the null byte (%00) bypass technique. No CISA KEV listing at time of analysis, but the public POC lowers the bar for targeted exploitation against low-security PHP deployments.

Information Disclosure PHP
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

File inclusion in SourceCodester Pizzafy Ecommerce System 1.0 exposes the admin panel to path traversal attacks via the `page` parameter in `/admin/index.php`, enabling an authenticated remote attacker to include arbitrary server-side files. Successful exploitation yields low-impact confidentiality, integrity, and availability compromise consistent with the CVSS C:L/I:L/A:L rating. A public exploit writeup (POC) exists on GitHub, significantly lowering the skill threshold for exploitation; however, no active exploitation has been confirmed via CISA KEV at time of analysis.

Information Disclosure PHP
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW Monitor

SQL injection in itsourcecode Fees Management System 1.0 exposes authenticated low-privileged users a pathway to manipulate database content via the `id` parameter in `/manage_fee.php`. The vulnerability allows remote attackers with valid application credentials to read, modify, or partially disrupt database records. Publicly available exploit code exists (CVSS 4.0 E:P modifier confirmed), though no active exploitation has been confirmed by CISA KEV. The overall severity is low (CVSS 4.0: 2.1), reflecting limited scope and confidentiality impact.

PHP SQLi
NVD GitHub VulDB
EPSS 0% CVSS 2.1
LOW Monitor

Reflected cross-site scripting in itsourcecode Fees Management System 1.0 allows remote unauthenticated attackers to inject arbitrary JavaScript into a victim's browser by manipulating the `page` argument of index.php. The vulnerability requires passive user interaction - a victim must follow a crafted URL - limiting its scalability, but publicly available exploit code lowers the barrier to abuse. No KEV listing exists; this is a low-severity finding corroborated by a CVSS 4.0 score of 2.1 and an exploit-modified (E:P) supplemental metric.

XSS PHP
NVD GitHub VulDB
EPSS 0% CVSS 2.0
LOW POC Monitor

Insecure Direct Object Reference (IDOR) in code-projects Online Hospital Management System 1.0 allows a high-privileged remote attacker to manipulate the `delid` parameter in `viewdoctortimings.php`, resulting in unauthorized modification or deletion of doctor timing records beyond the attacker's intended access scope. The CVSS 4.0 score of 2.0 reflects the high privilege prerequisite (PR:H), low integrity impact (VI:L), and low availability impact (VA:L) to the vulnerable component. No public exploit identified at time of analysis as active exploitation - however, publicly available exploit code exists, documented in a GitHub proof-of-concept writeup.

Information Disclosure PHP
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

SQL injection in itsourcecode Fees Management System 1.0 exposes the /manage_course.php endpoint to database manipulation via an unsanitized ID parameter, reachable by any low-privileged authenticated user over the network. The CVSS 6.3 medium score reflects limited impact scope (C:L/I:L/A:L), but the availability of public proof-of-concept exploit code materially elevates operational risk for internet-facing deployments. No public exploit identified at time of analysis maps to CISA KEV; however, the E:P CVSS modifier confirms exploit code is circulating.

PHP SQLi
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

SQL injection in itsourcecode Fees Management System 1.0 exposes the /ajax.php endpoint to database manipulation via the Username parameter, allowing authenticated remote attackers with low-privilege credentials to read, modify, or corrupt application data. The CVSS vector (AV:N/AC:L/PR:L) confirms this is network-exploitable at low complexity with a low-privilege account requirement. A publicly available proof-of-concept exploit exists (confirmed by CVSS temporal modifier E:P and a GitHub disclosure), though no active exploitation has been confirmed by CISA KEV at the time of analysis.

PHP SQLi
NVD VulDB GitHub
EPSS 0% CVSS 8.8
HIGH POC This Week

Unauthenticated SQL injection in Pixa Bank 2.0 allows remote attackers to exfiltrate database contents by submitting UNION-based payloads in the 'rib' parameter of the agence-ajax.php endpoint. Publicly available exploit code exists (Packet Storm) and the issue was disclosed by VulnCheck, making opportunistic exploitation likely against any internet-exposed instance. No public exploit identified at time of analysis as actively exploited in the wild (not on CISA KEV), but the trivial attack complexity and existing PoC elevate practical risk.

PHP Information Disclosure SQLi
NVD
EPSS 0% CVSS 8.8
HIGH POC This Week

WP AutoSuggest 0.24 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the wpas_keys parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress SQLi PHP
NVD Exploit-DB
EPSS 0% CVSS 8.8
HIGH POC This Week

Joomla Component JE Photo Gallery 1.1 contains an SQL injection vulnerability that allows unauthenticated attackers to extract database information by injecting malicious SQL code through the. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Information Disclosure
NVD Exploit-DB
EPSS 0% CVSS 7.1
HIGH POC This Week

Paroiciel 11.20 contains an SQL injection vulnerability that allows authenticated attackers to execute arbitrary SQL queries by injecting malicious code through the eGeqIdEquipe parameter. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi
NVD Exploit-DB
EPSS 0% CVSS 7.1
HIGH POC This Week

Paroiciel 11.20 contains an SQL injection vulnerability that allows authenticated attackers to execute arbitrary SQL queries by injecting malicious code through the zProIdPro parameter. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi
NVD Exploit-DB
EPSS 0% CVSS 8.8
HIGH POC This Week

Paroiciel 11.20 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the tRecIdListe parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi
NVD Exploit-DB
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in code-projects Hotel and Tourism Reservation System 1.0 allows remote unauthenticated attackers to manipulate the `tour` GET parameter in `tour.php` to inject arbitrary SQL into backend database queries. Publicly available exploit code exists (hosted on GitHub), enabling low-skilled attackers to extract or modify database contents, though no CISA KEV listing or EPSS signal indicates widespread active exploitation at this time.

PHP SQLi
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

Cross-site scripting in code-projects Hotel and Tourism Reservation System 1.0 allows remote unauthenticated attackers to inject and execute arbitrary JavaScript by manipulating the name, email, people, or number parameters submitted to /ht/tour.php. The POC repository title ('Stored-XSS') strongly suggests this is a persistent (stored) XSS variant, meaning injected payloads survive in the application and execute in the browsers of subsequent users who view the affected reservation data - not merely the attacker's own session. Publicly available exploit code exists; this CVE has not been added to the CISA KEV catalog at time of analysis.

XSS PHP
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

Authentication bypass in code-projects Hotel and Tourism Reservation System 1.0 allows remote attackers to defeat admin login by manipulating the Password argument processed by the password_verify function in /admin/login.php. The flaw is reachable over the network without prior authentication, and publicly available exploit code exists, increasing the likelihood of opportunistic abuse against exposed deployments.

PHP Authentication Bypass
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

Server-side request forgery in SourceCodester SEO Meta Tag Extractor 1.0 allows remote unauthenticated attackers to coerce the application into making arbitrary outbound HTTP requests by manipulating the 'url' parameter passed to the get_headers() function in /index.php. Publicly available exploit code exists per VulDB, increasing the likelihood of opportunistic abuse against exposed instances, though no active exploitation has been confirmed via CISA KEV.

PHP SSRF
NVD VulDB
EPSS 0% CVSS 2.1
LOW POC Monitor

SQL injection in CodeAstro Payroll System 1.0 allows remote authenticated attackers with low-privilege credentials to manipulate database queries via the emp_id parameter in /home_employee.php. Exploitation can result in unauthorized read access to confidential payroll records, limited data manipulation, and potential availability impact against the underlying database. Publicly available exploit code exists (referenced via GitHub), elevating real-world risk beyond the moderate CVSS score of 6.3; no public patch is available at time of analysis.

PHP SQLi
NVD VulDB GitHub
EPSS 0% CVSS 5.3
MEDIUM This Month

Improper authorization in DevaslanPHP project-management (all versions through 2.0.0-beta1) allows any low-privileged authenticated attacker to remotely invoke the KanbanScrumHelper::recordUpdated function in the Ticket Handler component without adequate permission checks, resulting in unauthorized modification of ticket and kanban board records (integrity impact) and limited disruption of availability. The vendor was notified via GitHub issue #141 but had not responded at time of disclosure, meaning no patch is available. No public exploit code has been identified and the CVE does not appear in CISA KEV.

PHP Authentication Bypass
NVD VulDB GitHub
EPSS 0% CVSS 5.3
MEDIUM This Month

Improper authorization in DevaslanPHP project-management up to 2.0.0-beta1 allows authenticated remote attackers to edit or delete ticket comments they do not own by exploiting missing ownership validation in the Livewire Handler component. The CVSS vector (PR:L, AV:N, AC:L) confirms the attack is network-accessible and requires only a low-privilege account with no user interaction. No vendor patch exists - the maintainer has not responded to the responsible disclosure submitted via GitHub issue - and no public exploit or CISA KEV listing has been identified at time of analysis.

PHP Authentication Bypass
NVD VulDB GitHub
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Insecure Direct Object Reference in Bottelet DaybydayCRM up to version 2.2.1 allows any authenticated user to view or download arbitrary documents belonging to other users by enumerating the external_id URL parameter in DocumentsController. The missing authorization check in both the view() and download() methods means a low-privilege employee or contractor can exfiltrate documents linked to any Task, Project, Lead, or Client within the CRM. No public exploit identified at time of analysis and no CISA KEV listing, but the attack is trivially executable by any authenticated user given low complexity (AC:L, AT:N) and no user interaction required (UI:N).

PHP Authentication Bypass
NVD VulDB GitHub
EPSS 1% CVSS 5.5
MEDIUM POC PATCH This Month

OS command injection in PHP Censor through 2.1.6 allows remote attackers to execute arbitrary shell commands by submitting a crafted commitId value to the webhook endpoint handled by src/Model/Build/GitBuild.php. The unsanitized commitId (and branch name) is interpolated into shell command strings passed to git log and clone operations, and publicly available exploit code exists per VulDB. No CISA KEV listing or EPSS score is provided, so exploitation appears opportunistic rather than confirmed active in the wild.

Command Injection PHP
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

Improper authorization in a4m4's Student-Management-System allows unauthenticated remote attackers to manipulate the `sid` parameter in `admin/deleteform.php` to delete student records without any credentials. All commits up to f0c5f6842c5e8c431ff02b5260a565ca844df3a0 are affected, and a proof-of-concept exploit has been publicly disclosed via the project's GitHub issue tracker. No patch is available; the maintainer has not responded to the responsible disclosure report, leaving all deployed instances exposed with no official remediation path.

PHP Authentication Bypass
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW Monitor

SQL injection in itsourcecode Content Management System 1.0 allows authenticated remote attackers to manipulate database queries via the topic_id parameter in /admin/edit_topic.php. The CVSS 4.0 vector (PR:L) confirms a low-privileged authenticated account is sufficient to trigger the injection, which yields limited but real confidentiality, integrity, and availability impact against the underlying database component. Publicly available exploit code exists (E:P), though no active exploitation has been confirmed by CISA KEV.

PHP SQLi
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM This Month

SQL injection in SourceCodester Computer Repair Shop Management System 1.0 exposes the admin product management endpoint to unauthenticated remote attackers who can manipulate the 'ID' parameter in /admin/products/manage_product.php to execute arbitrary SQL statements. The CVSS 4.0 vector confirms no privileges or user interaction are required (PR:N, UI:N, AV:N), and a proof-of-concept exploit has been publicly disclosed (E:P), lowering the bar for exploitation. Impact is assessed as low-to-moderate across confidentiality, integrity, and availability on the vulnerable system, with no lateral scope change to subsequent systems.

PHP SQLi
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM This Month

Unauthenticated SQL injection in code-projects Real State Services 1.0 exposes the login endpoint to remote database manipulation. The Username parameter passed to /loginuser.php is unsanitized and directly interpolated into SQL queries (CWE-74), enabling unauthenticated remote attackers to extract data, bypass authentication, or alter database contents. Exploit code has been publicly disclosed via a GitHub issue report, elevating practical risk despite the moderate CVSS 4.0 score of 5.5.

PHP SQLi
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM This Month

SQL injection in CodeAstro Online Job Portal 1.0 exposes the /users/application_status.php endpoint to unauthenticated remote attackers who can manipulate the ID parameter to inject arbitrary SQL into backend database queries, resulting in partial confidentiality, integrity, and availability impact. A proof-of-concept exploit has been published (CVSS 4.0 E:P confirmed), lowering the barrier to exploitation significantly despite the medium overall score. No public KEV listing exists, meaning active widespread exploitation is not confirmed at time of analysis, but the combination of a public POC and zero authentication requirements makes this a credible near-term risk for any internet-exposed deployment.

PHP SQLi
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM This Month

SQL injection in CodeAstro Online Job Portal 1.0 exposes the `/admin/jobs-admins/delete-jobs.php` endpoint to remote database manipulation via an unsanitized `ID` parameter. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) indicates no authentication, no complexity, and no user interaction are required to exploit this flaw from the network, though the admin panel context of the vulnerable endpoint warrants verification of actual auth enforcement. Publicly available exploit code exists (E:P), elevating practical risk above what the medium CVSS score of 5.5 alone might suggest.

PHP SQLi
NVD GitHub VulDB
EPSS 0% CVSS 2.1
LOW POC Monitor

SQL injection in itsourcecode Content Management System 1.0 allows remote authenticated attackers to manipulate the backend database via the topic_id parameter in /admin/add_sub_topic.php. The CVSS vector (PR:L) confirms exploitation requires low-privilege authentication, limiting opportunistic attack surface but not eliminating risk in multi-tenant or shared-admin environments. Publicly available exploit code exists, elevating practical risk above what the moderate CVSS score of 6.3 alone suggests.

PHP SQLi
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

SQL injection in itsourcecode Content Management System 1.0 exposes the admin-facing endpoint /admin/update_ss_img.php to database manipulation via the unsanitized topic_id parameter. Low-privilege authenticated attackers can exploit this remotely with no user interaction required, achieving partial read, write, and availability impact against the underlying database. A public exploit is available (CVSS temporal E:P; GitHub PoC linked in references), elevating practical risk despite the moderate 6.3 base score. No active exploitation confirmed via CISA KEV at time of analysis.

PHP SQLi
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

SQL injection in itsourcecode Content Management System 1.0 exposes the database to read, modify, and partial denial-of-service via a crafted comment submission. The vulnerable endpoint /save_comment.php fails to sanitize the Name parameter before incorporating it into SQL queries, allowing an authenticated low-privilege attacker to manipulate database logic directly. A publicly available proof-of-concept exploit exists (GitHub issue linked in VulDB entry), elevating real-world risk despite the absence of a CISA KEV listing.

PHP SQLi
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

Unauthenticated remote information disclosure in SourceCodester Pharmacy Sales and Inventory System 1.0 allows network-based attackers to bypass access controls and read sensitive sales statement data via the sell_statement function in application/controllers/ShowForm.php. The CVSS vector confirms PR:N (no authentication required) with low access complexity, and a proof-of-concept exploit has been publicly disclosed via GitHub. No KEV listing at time of analysis, but the combination of unauthenticated network access and available exploit code elevates practical risk beyond the moderate CVSS 5.3 score alone.

PHP Authentication Bypass
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in itsourcecode Online House Rental System 1.0 allows remote unauthenticated attackers to manipulate the 'ID' parameter of /manage_payment.php to execute arbitrary database queries. Publicly available exploit code exists, increasing the likelihood of opportunistic attacks against exposed deployments. The flaw was reported by VulDB and impacts a PHP-based rental management application commonly deployed by small operators and educational projects.

PHP SQLi
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in itsourcecode Online House Rental System 1.0 allows remote unauthenticated attackers to manipulate the 'ID' parameter of /manage_tenant.php to inject arbitrary SQL queries against the backend database. Publicly available exploit code exists (disclosed via GitHub issue tracker and indexed by VulDB), making opportunistic exploitation feasible against any internet-exposed instance. The vulnerability impacts a PHP-based property management application typically deployed by small landlords or as a learning/demonstration project.

SQLi PHP Online House Rental System
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in itsourcecode Online House Rental System 1.0 allows remote unauthenticated attackers to manipulate the Username parameter of the /ajax.php?action=login endpoint to inject arbitrary SQL. Publicly available exploit code exists (VulDB-referenced PoC on GitHub), increasing the practical risk despite the application's limited deployment footprint. No CISA KEV listing is present, so this represents publicly available exploit code without confirmed active exploitation.

PHP SQLi
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in itsourcecode Online Blood Bank Management System 1.0 allows remote unauthenticated attackers to manipulate the 'hospital' parameter in /admin/campsdetails.php to inject arbitrary SQL queries. Publicly available exploit code exists, increasing the practical risk despite the application being a relatively niche PHP-based healthcare management product. No CISA KEV listing or EPSS score is provided in the source intelligence, so widespread automated exploitation is not confirmed.

PHP SQLi
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in itsourcecode Online Blood Bank Management System 1.0 allows remote unauthenticated attackers to manipulate the 'ID' parameter on /admin/viewrequest.php to inject arbitrary SQL into backend database queries. Publicly available exploit code exists per VulDB, raising the practical risk despite the moderate CVSS 7.3 score. No CISA KEV listing or EPSS data was provided, so widespread automated exploitation cannot be confirmed at this time.

PHP SQLi
NVD VulDB GitHub
EPSS 0% CVSS 6.4
MEDIUM This Month

Unrestricted file upload in SOPlanning's backup import functionality (versions 1.55 and below) allows an authenticated high-privilege attacker to smuggle a malicious PHP script inside a crafted ZIP archive alongside a legitimate user.csv file, bypassing extension validation entirely. This vulnerability is materially escalated when chained with CVE-2026-40547 (Path Traversal in the same product), which redirects extraction to a web-accessible directory, converting an upload flaw into full server-side remote code execution. No public exploit has been identified at time of analysis, and the vulnerability is not listed in CISA KEV, but the exploitation chain is technically straightforward once administrative credentials are held.

File Upload PHP Path Traversal
NVD
EPSS 0% CVSS 2.1
LOW Monitor

SQL injection in itsourcecode Content Management System 1.0 exposes the /instructions.php endpoint to database manipulation via the unsanitized topic_id parameter. Low-privileged remote attackers can read, modify, or delete data within the application's database scope. A public proof-of-concept exploit has been published (VulDB submission 823558 / GitHub issue), lowering the exploitation barrier, though the CVSS 4.0 score of 2.1 reflects limited blast radius due to low-impact CIA triad ratings and the low-privilege prerequisite.

PHP SQLi
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM This Month

Unauthenticated remote attackers can create privileged administrator accounts in SourceCodester Water Billing Management System 1.0 by sending crafted requests to the User Management endpoint, bypassing all authorization controls. The researcher-published reference - titled 'Unauthenticated Admin Creation in PHP System' - confirms the practical impact exceeds the moderate CVSS score: full administrative takeover of the application is achievable without credentials. Publicly available exploit code exists (CVSS E:P), and no vendor patch has been identified at time of analysis.

Information Disclosure PHP
NVD GitHub VulDB
EPSS 0% CVSS 2.1
LOW POC Monitor

SQL injection in CodeAstro Ingredients Stock Management System 1.0 exposes authenticated remote attackers a direct path to database manipulation through the unsanitized `txt_search_category` parameter in `/Ingredients-Stock/stock_manager.php`. The CVSS vector (PR:L) confirms that low-privilege authentication is required, partially limiting exposure, but a publicly available proof-of-concept on GitHub significantly lowers the exploitation barrier. No confirmed active exploitation (CISA KEV) has been reported; however, the combination of low complexity, network accessibility, and public exploit code makes this a realistic threat against any internet-facing deployment where attacker credential acquisition is feasible.

PHP SQLi
NVD VulDB GitHub
EPSS 0% CVSS 2.0
LOW POC Monitor

Reflected or stored cross-site scripting (XSS) in raisulislamg4's student_management_system_by_php allows authenticated remote attackers to inject malicious scripts via the Message argument in admission_form_check.php. The vulnerability requires a victim to interact with a crafted link or page, triggering script execution in the context of another user's browser session. A public exploit exists per the GitHub issue report; however, the vendor has not responded to disclosure and no patch has been released.

XSS PHP
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in raisulislamg4's PHP-based Student Management System allows remote unauthenticated attackers to manipulate the 'role' parameter in add_user_check.php to inject arbitrary SQL queries. Publicly available exploit code exists per VulDB disclosure, and the project (a rolling-release GitHub repository) has not responded to the reporter's issue, leaving deployments unpatched. CVSS 7.3 with low complexity and no privileges required makes this an attractive low-effort target despite the limited deployment footprint of this open-source educational project.

PHP SQLi
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in raisulislamg4's Student Management System (PHP) allows remote unauthenticated attackers to manipulate database queries via the user_id, course_id, teacher_id, student_id, or application_id parameters in delete.php. Publicly available exploit code exists, and the project operates on a rolling release model with no formal versioning, complicating patch tracking. The maintainer has been notified but has not responded, leaving deployments exposed.

PHP SQLi
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in raisulislamg4's PHP-based Student Management System allows remote unauthenticated attackers to manipulate the Username parameter in login_check.php to inject arbitrary SQL. Publicly available exploit code exists per the GitHub issue tracker, and the project follows a rolling-release model with no fixed version available. The vendor was notified early but has not responded, leaving deployments unpatched.

PHP SQLi
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC PATCH Monitor

Horizontal privilege escalation in Dolibarr ERP CRM through version 23.0.1 permits any authenticated low-privilege user to read other users' leave request records via the Leave Request REST API, with a publicly available proof-of-concept confirming exploitability. The flaw in `checkUserAccessToObject` within `api_holidays.class.php` (CWE-285, Improper Authorization) arises because the access control helper receives only an integer object ID rather than the full object, causing ownership validation to fail silently and return another user's confidential HR data. No active exploitation is confirmed in CISA KEV, but the public POC and low attack complexity make this a realistic insider or multi-tenant threat requiring prompt patching.

PHP Authentication Bypass
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

SQL injection in code-projects Online Hospital Management System 1.0 exposes backend database contents via the `editid` parameter in `appointmentdetail.php`. A low-privilege authenticated attacker can remotely manipulate SQL queries to read, modify, or corrupt patient and appointment records. A proof-of-concept exploit is publicly available per the GitHub reference, raising the likelihood of opportunistic exploitation against internet-facing deployments of this PHP application.

PHP SQLi
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in code-projects Online Hospital Management System 1.php enables remote unauthenticated attackers to manipulate the Username parameter sent to the login_user function in login_1.php, allowing arbitrary SQL query execution against the backend database. Publicly available exploit code exists (published on GitHub by researcher Mi0uno), increasing the likelihood of opportunistic exploitation, though the CVE is not listed in CISA KEV and EPSS data is not provided. Per CVSS, exploitation requires no authentication or user interaction and impacts confidentiality, integrity, and availability at a low level (CVSS 7.3).

PHP SQLi
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM This Month

SQL injection in code-projects Online Hospital Management System 1.0 allows unauthenticated remote attackers to manipulate database queries via the `editid` parameter in /patient.php, potentially exposing or modifying patient records. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms zero-authentication, network-accessible exploitation with no special conditions, and a public proof-of-concept has been disclosed via GitHub. While the CVSS 5.5 score reflects limited per-component impact (Low confidentiality, integrity, and availability), the absence of any access barrier combined with POC availability makes this an actionable risk for any exposed deployment.

PHP SQLi
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM This Month

SQL injection in SourceCodester Hospitals Patient Records Management System 1.0 exposes sensitive medical data to unauthenticated remote attackers through the ID parameter of the /classes/Users.php?f=save endpoint. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms zero-barrier remote access requiring no credentials or user interaction, and a publicly available proof-of-concept exploit (E:P) further elevates real-world risk beyond the moderate 5.5 base score. No vendor-released patch has been identified, leaving all known deployments of version 1.0 exposed to data exfiltration and manipulation of patient health records.

PHP SQLi
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM This Month

SQL injection in SourceCodester Hospitals Patient Records Management System 1.0 allows unauthenticated remote attackers to manipulate the ID parameter in /classes/Users.php?f=delete, enabling unauthorized read and write access to the underlying database. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms no authentication or user interaction is required, and the E:P modifier confirms publicly available exploit code exists. While CVSS impact scores are rated Low across confidentiality, integrity, and availability, the unauthenticated network accessibility combined with a live POC elevates the practical deployment risk for any internet-exposed instance.

PHP SQLi
NVD GitHub VulDB
EPSS 0% CVSS 8.4
HIGH POC This Week

SQL injection in OpenCATS through 0.9.7.4 allows authenticated users to extract arbitrary database contents by injecting malicious SQL into the sortDirection parameter of ajax/getDataGridPager.php. Publicly available exploit code exists (Exploit-DB 52579, Packet Storm), and the issue was disclosed via a GitHub Security Advisory coordinated with VulnCheck. The CVSS 4.0 base score of 8.4 reflects high confidentiality impact with a subsequent-system scope change, though exploitation requires a valid low-privileged account.

PHP Information Disclosure SQLi
NVD GitHub Exploit-DB VulDB
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in code-projects Online Music Site 1.0 allows remote unauthenticated attackers to manipulate the ID parameter of /Administrator/PHP/AdminEditAlbum.php to inject arbitrary SQL queries. Publicly available exploit code exists (disclosed via VulDB submission 819912 and a GitHub issue), though there is no CISA KEV listing and no EPSS data provided to gauge exploitation probability. The vulnerability carries a CVSS 7.3 score reflecting low complexity and no authentication requirement, but only partial CIA impact.

PHP SQLi
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

Unrestricted file upload in Bdtask Multi-Store Inventory Management System 1.0 enables authenticated remote attackers to upload arbitrary file types - including PHP webshells - through the Component Module's Upload function, leading to potential remote code execution on the host server. The vulnerability resides in application/modules/dashboard/controllers/Module.php where the Upload function performs insufficient file type validation. A public proof-of-concept exploit has been released on GitHub, elevating the practical risk beyond the moderate CVSS 6.3 score. No vendor patch has been identified at time of analysis.

File Upload PHP
NVD VulDB GitHub
EPSS 0% CVSS 2.0
LOW POC Monitor

SQL injection in code-projects Online Music Site 1.0 exposes the administrator backend endpoint /Administrator/PHP/AdminUpdateAlbum.php to database manipulation via an unsanitized ID parameter. Exploitation requires high-privilege (administrator) credentials per CVSS PR:H, meaning only authenticated admins - or attackers who have already compromised an admin account - can trigger the flaw. A public proof-of-concept has been disclosed via GitHub, but no CISA KEV listing exists, and no public exploitation activity has been confirmed at this time.

PHP SQLi
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

SQL injection in code-projects Visitor Management System 1.0 exposes the `/vms/php/phone_0.php` endpoint to database manipulation via the unsanitized `phone` parameter, exploitable by authenticated remote attackers. A publicly available exploit chain on GitHub (by Xmyronn) explicitly demonstrates escalation from this SQL injection to remote code execution, elevating the real-world severity beyond the CVSS 6.3 base score. No public exploit identified at time of analysis as actively exploited (not in CISA KEV), but the published RCE chain makes this a meaningful risk for any internet-exposed deployment.

PHP SQLi
NVD VulDB GitHub
EPSS 0% CVSS 2.9
LOW POC Monitor

Weak password recovery in the BrinaryBrains School Student Management System (OUSL-GROUP-BrinaryBrains) exposes its Forgot Password endpoint to remote manipulation of the email argument, enabling attackers to abuse the flawed recovery mechanism and achieve limited unauthorized account integrity impact. The CVSS 4.0 score of 2.9 reflects high attack complexity (AC:H), constraining real-world exploitability despite publicly available exploit code (E:P). No active exploitation has been confirmed via CISA KEV, and the vendor has not responded to the coordinated disclosure as of the time of reporting.

Information Disclosure PHP
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

Resource injection in the OUSL-GROUP-BrinaryBrains School Student Management System allows authenticated remote attackers to manipulate the param1 argument in the marks function of Parents.php, improperly controlling resource identifiers to access unauthorized academic records. The CVSS 4.0 score is 2.1, reflecting low-privilege authentication requirements (PR:L) and limited scope impact; a publicly available proof-of-concept exploit has been disclosed via a GitHub issue. No vendor patch exists - the project uses continuous delivery rolling releases and has not responded to the responsible disclosure report.

Information Disclosure PHP
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

Authentication bypass in OUSL-GROUP-BrinaryBrains School Student Management System allows unauthenticated remote attackers to manipulate the 'role' argument in the sign_auth_cookie function, forging or escalating authentication cookies without valid credentials. All commits up to 1e70e5ad1125b86dca4ee086eb6bb121f17708b6 are affected, publicly available exploit code exists (confirmed by CVSS E:P and a public GitHub issue), and no patch is available as the project has not responded to disclosure. Despite a moderate CVSS 4.0 score of 5.5, the combination of zero-barrier remote exploitation and absent vendor remediation represents material unmitigated risk for any organization running this system.

PHP Authentication Bypass
NVD VulDB GitHub
EPSS 0% CVSS 2.0
LOW Monitor

SQL injection in Bdtask Multi-Store Inventory Management System 1.0 exposes backend database contents through the Accounts Report Handler's date-range search functionality. The vulnerability resides in the accounts_report_search function (Accounts.php), where the dtpToDate argument is passed to a SQL query without sanitization, allowing an authenticated high-privileged user to read, modify, or partially disrupt database data. Publicly available exploit code exists (CVSS 4.0 E:P), though the high-privilege prerequisite significantly limits the realistic attacker population; the vulnerability is not listed in CISA KEV.

PHP SQLi
NVD GitHub VulDB
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Insecure Direct Object Reference in Dolibarr ERP CRM 23.0.0-23.0.2 allows any authenticated low-privilege user to read another user's messaging records by manipulating the `id` parameter in `htdocs/user/messaging.php`. The commit diff confirms the endpoint performed zero ownership or permission validation before serving messaging data - any valid session could enumerate other users' messages by cycling numeric IDs. No public exploit code has been identified and this CVE does not appear in CISA KEV, but the vulnerability is trivially exploitable given its low complexity and minimal authentication barrier.

PHP Authentication Bypass
NVD VulDB GitHub
EPSS 0% CVSS 8.8
HIGH POC This Week

Yot CMS 3.3.1 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the aid and cid parameters. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi
NVD Exploit-DB VulDB
EPSS 0% CVSS 8.8
HIGH POC This Week

Gate Pass Management System 2.1 contains an SQL injection vulnerability that allows unauthenticated attackers to bypass authentication by injecting SQL code through the login and password parameters. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi
NVD Exploit-DB VulDB
EPSS 0% CVSS 8.8
HIGH POC This Week

MOGG web simulator Script contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL commands by injecting malicious code through the id parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi
NVD Exploit-DB GitHub VulDB
EPSS 0% CVSS 7.1
HIGH POC This Week

Open STA Manager 2.3 contains a path traversal vulnerability that allows authenticated users to download arbitrary files by manipulating the file parameter. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Path Traversal PHP
NVD Exploit-DB VulDB
EPSS 0% CVSS 8.8
HIGH POC This Week

AiOPMSD Final 1.0.0 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the 'id' parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi
NVD Exploit-DB VulDB
EPSS 0% CVSS 8.8
HIGH POC This Week

AiOPMSD Final 1.0.0 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the genre parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi
NVD Exploit-DB VulDB
EPSS 0% CVSS 8.8
HIGH POC This Week

AiOPMSD Final 1.0.0 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the year parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi
NVD Exploit-DB VulDB
EPSS 0% CVSS 8.8
HIGH POC This Week

AiOPMSD Final 1.0.0 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the quality parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi
NVD Exploit-DB VulDB
EPSS 0% CVSS 8.8
HIGH POC This Week

AiOPMSD Final 1.0.0 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the country parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi
NVD Exploit-DB VulDB
EPSS 0% CVSS 8.8
HIGH POC This Week

AiOPMSD Final 1.0.0 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the director parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi
NVD Exploit-DB VulDB
EPSS 0% CVSS 8.8
HIGH POC This Week

AiOPMSD Final 1.0.0 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the actor parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi
NVD Exploit-DB VulDB
EPSS 0% CVSS 8.8
HIGH POC This Week

AiOPMSD Final 1.0.0 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the 'q' parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi
NVD Exploit-DB VulDB
EPSS 0% CVSS 9.3
CRITICAL POC Act Now

Delta Sql 1.8.2 contains an arbitrary file upload vulnerability that allows unauthenticated attackers to upload malicious files by sending POST requests to docs_upload.php with crafted multipart form. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE PHP Authentication Bypass +1
NVD Exploit-DB VulDB
EPSS 0% CVSS 8.8
HIGH POC This Week

MGB OpenSource Guestbook 0.7.0.2 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the 'id' parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi
NVD Exploit-DB VulDB
EPSS 0% CVSS 7.1
HIGH POC This Week

SIM-PKH 2.4.1 contains an SQL injection vulnerability that allows authenticated attackers to execute arbitrary SQL queries by injecting malicious code through the 'id' parameter. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi
NVD Exploit-DB VulDB
EPSS 0% CVSS 8.7
HIGH POC This Week

SIM-PKH 2.4.1 contains an arbitrary file upload vulnerability that allows authenticated attackers to upload malicious files by submitting PHP code through the fupload parameter. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP File Upload
NVD Exploit-DB VulDB
EPSS 0% CVSS 8.7
HIGH POC This Week

The Open ISES Project 3.30A contains a path traversal vulnerability in the ajax/download.php endpoint that allows unauthenticated attackers to download arbitrary files by manipulating the filename. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Path Traversal PHP
NVD Exploit-DB VulDB
EPSS 0% CVSS 8.8
HIGH POC This Week

eNdonesia Portal 8.7 contains multiple SQL injection vulnerabilities that allow unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through parameters in mod.php. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi
NVD Exploit-DB VulDB
EPSS 0% CVSS 8.8
HIGH POC This Week

eNdonesia Portal 8.7 contains multiple SQL injection vulnerabilities that allow unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through parameters in mod.php. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi
NVD Exploit-DB VulDB
EPSS 0% CVSS 8.8
HIGH POC This Week

eNdonesia Portal 8.7 contains multiple SQL injection vulnerabilities that allow unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through parameters in mod.php. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi
NVD Exploit-DB VulDB
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in code-projects Student Details Management System 1.0 exposes the application's database to unauthenticated remote attackers via the unsanitized `roll` parameter in /index.php. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms this is exploitable over the network with no privileges or user interaction required, and a public proof-of-concept exploit is hosted on GitHub, materially lowering the barrier to exploitation. Impact is rated as partial across confidentiality, integrity, and availability (VC:L/VI:L/VA:L), though SQL injection primitives often enable escalation beyond the initial access implied by the base score.

PHP SQLi
NVD VulDB GitHub
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Permanent inventory field deletion in Admidio (composer/admidio/admidio <= 5.0.9) is reachable by any authenticated low-privilege user due to a missing authorization gate in the `field_delete` mode of `modules/inventory.php`. Deleting a field cascades to all stored item data (`adm_inventory_item_data`) and field options (`adm_inventory_field_options`) for that field with no in-product undo path - recovery requires a database restore. This is an incomplete fix: commit d37ca6b (2026-04-12) added `isAdministratorInventory()` to the sibling `item_delete` handler but left `field_delete` and at least five other state-changing handlers ungated. A working proof-of-concept is published in the GitHub advisory; no public exploit frameworks or CISA KEV listing have been identified at time of analysis.

PHP CSRF Authentication Bypass
NVD GitHub
EPSS 0% CVSS 4.4
MEDIUM PATCH This Month

Plaintext credential exposure in Admidio v5.0.9 and earlier causes session IDs and persistent auto-login cookie values to be written to application logs whenever debug logging is enabled. Both the ADMIDIO_*_SESSION_ID and the long-lived ADMIDIO_*_AUTO_LOGIN_ID tokens are recorded verbatim by Session::setCookie() and Session::start(), effectively turning the log sink into a recoverable credential store. Any actor with read access to log files, log backups, or external log aggregation pipelines can extract and replay these tokens to hijack active sessions or gain persistent account access. Publicly available exploit code exists as documented in GitHub advisory GHSA-mch8-wf3h-6x88; this CVE is not currently listed in CISA KEV.

Information Disclosure PHP CSRF +1
NVD GitHub
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Missing CSRF protection on the PKCS#12 private key export endpoint in Admidio v5.0.9 allows a network-based attacker to force an authenticated administrator's browser to trigger an unauthorized SSO private key export. The SecurityUtils::validateCsrfToken() call in modules/sso/keys.php was commented out on the 'export' case, permitting forged cross-site POST requests to invoke KeyService::exportToPkcs12() without a valid form token. While same-origin policy prevents the attacker from reading the streamed .p12 response directly, a working proof-of-concept is publicly documented in the GitHub security advisory and a vendor-confirmed fix is available in version 5.0.10.

OpenSSL Ubuntu CSRF +2
NVD GitHub
EPSS 0% CVSS 8.1
HIGH PATCH This Week

Insecure direct object reference in Admidio's documents module allows any user with upload rights on a single folder to exfiltrate files from private folders they cannot read. The `move_save` handler in `modules/documents-files.php` validates the actor's upload right against a URL-supplied `folder_uuid` rather than the file's actual parent folder, letting a low-privileged member relocate restricted files into an attacker-controlled folder and download them. No public exploit identified at time of analysis, but a detailed PoC with verified code paths is included in the GHSA-x628-457g-2pw9 advisory.

PHP CSRF Authentication Bypass
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Cross-folder file rename and description tampering in Admidio's document management module allows any authenticated uploader to modify files in folders they cannot write to. The vulnerability affects Admidio <= 5.0.9 (composer package admidio/admidio): a low-privilege user holding upload rights on a single folder can rename files and overwrite descriptions in any other folder they can view, breaking integrity for all readers of those folders. Publicly available exploit code exists per the GitHub Security Advisory; no KEV listing at time of analysis.

XSS PHP CSRF +1
NVD GitHub
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

Cross-site request forgery in Admidio's SSO module allows a network-adjacent attacker to disable or silently re-enable any configured SAML or OIDC authentication client by tricking an authenticated administrator into loading a malicious page. The `enable` action in `modules/sso/clients.php` accepts its `enabled` parameter via GET and applies the state change with no CSRF token validation, while every other state-changing branch in the same file enforces `SecurityUtils::validateCsrfToken()`. A working proof-of-concept is included in the vendor's GitHub security advisory (GHSA-xg76-5qj2-2hhv); no KEV listing was identified at time of analysis.

PHP CSRF
NVD GitHub
Prev Page 11 of 275 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy