PHP
Monthly
SQL injection in itsourcecode Fees Management System 1.0 exposes database contents and integrity to authenticated low-privilege remote attackers via the unsanitized `ID` parameter in `/manage_payment.php`. The CVSS vector (PR:L) confirms exploitation requires a valid user account, but no elevated privileges are needed beyond basic authentication. A publicly available proof-of-concept exploit exists (GitHub), raising the practical exploitation risk; no vendor-released patch has been identified at time of analysis.
Stored Cross-Site Scripting in the Simple Custom Login Page WordPress plugin (versions ≤ 1.0.3) allows authenticated administrators to inject arbitrary CSS rules into wp-login.php, which is then rendered for every unauthenticated visitor to the login page. The changed scope (S:C in CVSS) is the critical risk amplifier: a single administrator-level compromise or malicious admin can silently overlay phishing UI elements on the WordPress login page, harvesting credentials from any user who subsequently visits. No public exploit code has been identified at time of analysis and this vulnerability is not listed in the CISA KEV catalog.
Local File Inclusion via null byte injection in SourceCodester Pizzafy Ecommerce System 1.0 allows authenticated remote attackers with low-privilege accounts to read arbitrary files from the server by manipulating the `page` parameter in `/index.php`. Publicly available exploit code exists, published as a GitHub writeup demonstrating the null byte (%00) bypass technique. No CISA KEV listing at time of analysis, but the public POC lowers the bar for targeted exploitation against low-security PHP deployments.
File inclusion in SourceCodester Pizzafy Ecommerce System 1.0 exposes the admin panel to path traversal attacks via the `page` parameter in `/admin/index.php`, enabling an authenticated remote attacker to include arbitrary server-side files. Successful exploitation yields low-impact confidentiality, integrity, and availability compromise consistent with the CVSS C:L/I:L/A:L rating. A public exploit writeup (POC) exists on GitHub, significantly lowering the skill threshold for exploitation; however, no active exploitation has been confirmed via CISA KEV at time of analysis.
SQL injection in itsourcecode Fees Management System 1.0 exposes authenticated low-privileged users a pathway to manipulate database content via the `id` parameter in `/manage_fee.php`. The vulnerability allows remote attackers with valid application credentials to read, modify, or partially disrupt database records. Publicly available exploit code exists (CVSS 4.0 E:P modifier confirmed), though no active exploitation has been confirmed by CISA KEV. The overall severity is low (CVSS 4.0: 2.1), reflecting limited scope and confidentiality impact.
Reflected cross-site scripting in itsourcecode Fees Management System 1.0 allows remote unauthenticated attackers to inject arbitrary JavaScript into a victim's browser by manipulating the `page` argument of index.php. The vulnerability requires passive user interaction - a victim must follow a crafted URL - limiting its scalability, but publicly available exploit code lowers the barrier to abuse. No KEV listing exists; this is a low-severity finding corroborated by a CVSS 4.0 score of 2.1 and an exploit-modified (E:P) supplemental metric.
Insecure Direct Object Reference (IDOR) in code-projects Online Hospital Management System 1.0 allows a high-privileged remote attacker to manipulate the `delid` parameter in `viewdoctortimings.php`, resulting in unauthorized modification or deletion of doctor timing records beyond the attacker's intended access scope. The CVSS 4.0 score of 2.0 reflects the high privilege prerequisite (PR:H), low integrity impact (VI:L), and low availability impact (VA:L) to the vulnerable component. No public exploit identified at time of analysis as active exploitation - however, publicly available exploit code exists, documented in a GitHub proof-of-concept writeup.
SQL injection in itsourcecode Fees Management System 1.0 exposes the /manage_course.php endpoint to database manipulation via an unsanitized ID parameter, reachable by any low-privileged authenticated user over the network. The CVSS 6.3 medium score reflects limited impact scope (C:L/I:L/A:L), but the availability of public proof-of-concept exploit code materially elevates operational risk for internet-facing deployments. No public exploit identified at time of analysis maps to CISA KEV; however, the E:P CVSS modifier confirms exploit code is circulating.
SQL injection in itsourcecode Fees Management System 1.0 exposes the /ajax.php endpoint to database manipulation via the Username parameter, allowing authenticated remote attackers with low-privilege credentials to read, modify, or corrupt application data. The CVSS vector (AV:N/AC:L/PR:L) confirms this is network-exploitable at low complexity with a low-privilege account requirement. A publicly available proof-of-concept exploit exists (confirmed by CVSS temporal modifier E:P and a GitHub disclosure), though no active exploitation has been confirmed by CISA KEV at the time of analysis.
Unauthenticated SQL injection in Pixa Bank 2.0 allows remote attackers to exfiltrate database contents by submitting UNION-based payloads in the 'rib' parameter of the agence-ajax.php endpoint. Publicly available exploit code exists (Packet Storm) and the issue was disclosed by VulnCheck, making opportunistic exploitation likely against any internet-exposed instance. No public exploit identified at time of analysis as actively exploited in the wild (not on CISA KEV), but the trivial attack complexity and existing PoC elevate practical risk.
WP AutoSuggest 0.24 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the wpas_keys parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Joomla Component JE Photo Gallery 1.1 contains an SQL injection vulnerability that allows unauthenticated attackers to extract database information by injecting malicious SQL code through the. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Paroiciel 11.20 contains an SQL injection vulnerability that allows authenticated attackers to execute arbitrary SQL queries by injecting malicious code through the eGeqIdEquipe parameter. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
Paroiciel 11.20 contains an SQL injection vulnerability that allows authenticated attackers to execute arbitrary SQL queries by injecting malicious code through the zProIdPro parameter. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
Paroiciel 11.20 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the tRecIdListe parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
SQL injection in code-projects Hotel and Tourism Reservation System 1.0 allows remote unauthenticated attackers to manipulate the `tour` GET parameter in `tour.php` to inject arbitrary SQL into backend database queries. Publicly available exploit code exists (hosted on GitHub), enabling low-skilled attackers to extract or modify database contents, though no CISA KEV listing or EPSS signal indicates widespread active exploitation at this time.
Cross-site scripting in code-projects Hotel and Tourism Reservation System 1.0 allows remote unauthenticated attackers to inject and execute arbitrary JavaScript by manipulating the name, email, people, or number parameters submitted to /ht/tour.php. The POC repository title ('Stored-XSS') strongly suggests this is a persistent (stored) XSS variant, meaning injected payloads survive in the application and execute in the browsers of subsequent users who view the affected reservation data - not merely the attacker's own session. Publicly available exploit code exists; this CVE has not been added to the CISA KEV catalog at time of analysis.
Authentication bypass in code-projects Hotel and Tourism Reservation System 1.0 allows remote attackers to defeat admin login by manipulating the Password argument processed by the password_verify function in /admin/login.php. The flaw is reachable over the network without prior authentication, and publicly available exploit code exists, increasing the likelihood of opportunistic abuse against exposed deployments.
Server-side request forgery in SourceCodester SEO Meta Tag Extractor 1.0 allows remote unauthenticated attackers to coerce the application into making arbitrary outbound HTTP requests by manipulating the 'url' parameter passed to the get_headers() function in /index.php. Publicly available exploit code exists per VulDB, increasing the likelihood of opportunistic abuse against exposed instances, though no active exploitation has been confirmed via CISA KEV.
SQL injection in CodeAstro Payroll System 1.0 allows remote authenticated attackers with low-privilege credentials to manipulate database queries via the emp_id parameter in /home_employee.php. Exploitation can result in unauthorized read access to confidential payroll records, limited data manipulation, and potential availability impact against the underlying database. Publicly available exploit code exists (referenced via GitHub), elevating real-world risk beyond the moderate CVSS score of 6.3; no public patch is available at time of analysis.
Improper authorization in DevaslanPHP project-management (all versions through 2.0.0-beta1) allows any low-privileged authenticated attacker to remotely invoke the KanbanScrumHelper::recordUpdated function in the Ticket Handler component without adequate permission checks, resulting in unauthorized modification of ticket and kanban board records (integrity impact) and limited disruption of availability. The vendor was notified via GitHub issue #141 but had not responded at time of disclosure, meaning no patch is available. No public exploit code has been identified and the CVE does not appear in CISA KEV.
Improper authorization in DevaslanPHP project-management up to 2.0.0-beta1 allows authenticated remote attackers to edit or delete ticket comments they do not own by exploiting missing ownership validation in the Livewire Handler component. The CVSS vector (PR:L, AV:N, AC:L) confirms the attack is network-accessible and requires only a low-privilege account with no user interaction. No vendor patch exists - the maintainer has not responded to the responsible disclosure submitted via GitHub issue - and no public exploit or CISA KEV listing has been identified at time of analysis.
Insecure Direct Object Reference in Bottelet DaybydayCRM up to version 2.2.1 allows any authenticated user to view or download arbitrary documents belonging to other users by enumerating the external_id URL parameter in DocumentsController. The missing authorization check in both the view() and download() methods means a low-privilege employee or contractor can exfiltrate documents linked to any Task, Project, Lead, or Client within the CRM. No public exploit identified at time of analysis and no CISA KEV listing, but the attack is trivially executable by any authenticated user given low complexity (AC:L, AT:N) and no user interaction required (UI:N).
OS command injection in PHP Censor through 2.1.6 allows remote attackers to execute arbitrary shell commands by submitting a crafted commitId value to the webhook endpoint handled by src/Model/Build/GitBuild.php. The unsanitized commitId (and branch name) is interpolated into shell command strings passed to git log and clone operations, and publicly available exploit code exists per VulDB. No CISA KEV listing or EPSS score is provided, so exploitation appears opportunistic rather than confirmed active in the wild.
Improper authorization in a4m4's Student-Management-System allows unauthenticated remote attackers to manipulate the `sid` parameter in `admin/deleteform.php` to delete student records without any credentials. All commits up to f0c5f6842c5e8c431ff02b5260a565ca844df3a0 are affected, and a proof-of-concept exploit has been publicly disclosed via the project's GitHub issue tracker. No patch is available; the maintainer has not responded to the responsible disclosure report, leaving all deployed instances exposed with no official remediation path.
SQL injection in itsourcecode Content Management System 1.0 allows authenticated remote attackers to manipulate database queries via the topic_id parameter in /admin/edit_topic.php. The CVSS 4.0 vector (PR:L) confirms a low-privileged authenticated account is sufficient to trigger the injection, which yields limited but real confidentiality, integrity, and availability impact against the underlying database component. Publicly available exploit code exists (E:P), though no active exploitation has been confirmed by CISA KEV.
SQL injection in SourceCodester Computer Repair Shop Management System 1.0 exposes the admin product management endpoint to unauthenticated remote attackers who can manipulate the 'ID' parameter in /admin/products/manage_product.php to execute arbitrary SQL statements. The CVSS 4.0 vector confirms no privileges or user interaction are required (PR:N, UI:N, AV:N), and a proof-of-concept exploit has been publicly disclosed (E:P), lowering the bar for exploitation. Impact is assessed as low-to-moderate across confidentiality, integrity, and availability on the vulnerable system, with no lateral scope change to subsequent systems.
Unauthenticated SQL injection in code-projects Real State Services 1.0 exposes the login endpoint to remote database manipulation. The Username parameter passed to /loginuser.php is unsanitized and directly interpolated into SQL queries (CWE-74), enabling unauthenticated remote attackers to extract data, bypass authentication, or alter database contents. Exploit code has been publicly disclosed via a GitHub issue report, elevating practical risk despite the moderate CVSS 4.0 score of 5.5.
SQL injection in CodeAstro Online Job Portal 1.0 exposes the /users/application_status.php endpoint to unauthenticated remote attackers who can manipulate the ID parameter to inject arbitrary SQL into backend database queries, resulting in partial confidentiality, integrity, and availability impact. A proof-of-concept exploit has been published (CVSS 4.0 E:P confirmed), lowering the barrier to exploitation significantly despite the medium overall score. No public KEV listing exists, meaning active widespread exploitation is not confirmed at time of analysis, but the combination of a public POC and zero authentication requirements makes this a credible near-term risk for any internet-exposed deployment.
SQL injection in CodeAstro Online Job Portal 1.0 exposes the `/admin/jobs-admins/delete-jobs.php` endpoint to remote database manipulation via an unsanitized `ID` parameter. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) indicates no authentication, no complexity, and no user interaction are required to exploit this flaw from the network, though the admin panel context of the vulnerable endpoint warrants verification of actual auth enforcement. Publicly available exploit code exists (E:P), elevating practical risk above what the medium CVSS score of 5.5 alone might suggest.
SQL injection in itsourcecode Content Management System 1.0 allows remote authenticated attackers to manipulate the backend database via the topic_id parameter in /admin/add_sub_topic.php. The CVSS vector (PR:L) confirms exploitation requires low-privilege authentication, limiting opportunistic attack surface but not eliminating risk in multi-tenant or shared-admin environments. Publicly available exploit code exists, elevating practical risk above what the moderate CVSS score of 6.3 alone suggests.
SQL injection in itsourcecode Content Management System 1.0 exposes the admin-facing endpoint /admin/update_ss_img.php to database manipulation via the unsanitized topic_id parameter. Low-privilege authenticated attackers can exploit this remotely with no user interaction required, achieving partial read, write, and availability impact against the underlying database. A public exploit is available (CVSS temporal E:P; GitHub PoC linked in references), elevating practical risk despite the moderate 6.3 base score. No active exploitation confirmed via CISA KEV at time of analysis.
SQL injection in itsourcecode Content Management System 1.0 exposes the database to read, modify, and partial denial-of-service via a crafted comment submission. The vulnerable endpoint /save_comment.php fails to sanitize the Name parameter before incorporating it into SQL queries, allowing an authenticated low-privilege attacker to manipulate database logic directly. A publicly available proof-of-concept exploit exists (GitHub issue linked in VulDB entry), elevating real-world risk despite the absence of a CISA KEV listing.
Unauthenticated remote information disclosure in SourceCodester Pharmacy Sales and Inventory System 1.0 allows network-based attackers to bypass access controls and read sensitive sales statement data via the sell_statement function in application/controllers/ShowForm.php. The CVSS vector confirms PR:N (no authentication required) with low access complexity, and a proof-of-concept exploit has been publicly disclosed via GitHub. No KEV listing at time of analysis, but the combination of unauthenticated network access and available exploit code elevates practical risk beyond the moderate CVSS 5.3 score alone.
SQL injection in itsourcecode Online House Rental System 1.0 allows remote unauthenticated attackers to manipulate the 'ID' parameter of /manage_payment.php to execute arbitrary database queries. Publicly available exploit code exists, increasing the likelihood of opportunistic attacks against exposed deployments. The flaw was reported by VulDB and impacts a PHP-based rental management application commonly deployed by small operators and educational projects.
SQL injection in itsourcecode Online House Rental System 1.0 allows remote unauthenticated attackers to manipulate the 'ID' parameter of /manage_tenant.php to inject arbitrary SQL queries against the backend database. Publicly available exploit code exists (disclosed via GitHub issue tracker and indexed by VulDB), making opportunistic exploitation feasible against any internet-exposed instance. The vulnerability impacts a PHP-based property management application typically deployed by small landlords or as a learning/demonstration project.
SQL injection in itsourcecode Online House Rental System 1.0 allows remote unauthenticated attackers to manipulate the Username parameter of the /ajax.php?action=login endpoint to inject arbitrary SQL. Publicly available exploit code exists (VulDB-referenced PoC on GitHub), increasing the practical risk despite the application's limited deployment footprint. No CISA KEV listing is present, so this represents publicly available exploit code without confirmed active exploitation.
SQL injection in itsourcecode Online Blood Bank Management System 1.0 allows remote unauthenticated attackers to manipulate the 'hospital' parameter in /admin/campsdetails.php to inject arbitrary SQL queries. Publicly available exploit code exists, increasing the practical risk despite the application being a relatively niche PHP-based healthcare management product. No CISA KEV listing or EPSS score is provided in the source intelligence, so widespread automated exploitation is not confirmed.
SQL injection in itsourcecode Online Blood Bank Management System 1.0 allows remote unauthenticated attackers to manipulate the 'ID' parameter on /admin/viewrequest.php to inject arbitrary SQL into backend database queries. Publicly available exploit code exists per VulDB, raising the practical risk despite the moderate CVSS 7.3 score. No CISA KEV listing or EPSS data was provided, so widespread automated exploitation cannot be confirmed at this time.
Unrestricted file upload in SOPlanning's backup import functionality (versions 1.55 and below) allows an authenticated high-privilege attacker to smuggle a malicious PHP script inside a crafted ZIP archive alongside a legitimate user.csv file, bypassing extension validation entirely. This vulnerability is materially escalated when chained with CVE-2026-40547 (Path Traversal in the same product), which redirects extraction to a web-accessible directory, converting an upload flaw into full server-side remote code execution. No public exploit has been identified at time of analysis, and the vulnerability is not listed in CISA KEV, but the exploitation chain is technically straightforward once administrative credentials are held.
SQL injection in itsourcecode Content Management System 1.0 exposes the /instructions.php endpoint to database manipulation via the unsanitized topic_id parameter. Low-privileged remote attackers can read, modify, or delete data within the application's database scope. A public proof-of-concept exploit has been published (VulDB submission 823558 / GitHub issue), lowering the exploitation barrier, though the CVSS 4.0 score of 2.1 reflects limited blast radius due to low-impact CIA triad ratings and the low-privilege prerequisite.
Unauthenticated remote attackers can create privileged administrator accounts in SourceCodester Water Billing Management System 1.0 by sending crafted requests to the User Management endpoint, bypassing all authorization controls. The researcher-published reference - titled 'Unauthenticated Admin Creation in PHP System' - confirms the practical impact exceeds the moderate CVSS score: full administrative takeover of the application is achievable without credentials. Publicly available exploit code exists (CVSS E:P), and no vendor patch has been identified at time of analysis.
SQL injection in CodeAstro Ingredients Stock Management System 1.0 exposes authenticated remote attackers a direct path to database manipulation through the unsanitized `txt_search_category` parameter in `/Ingredients-Stock/stock_manager.php`. The CVSS vector (PR:L) confirms that low-privilege authentication is required, partially limiting exposure, but a publicly available proof-of-concept on GitHub significantly lowers the exploitation barrier. No confirmed active exploitation (CISA KEV) has been reported; however, the combination of low complexity, network accessibility, and public exploit code makes this a realistic threat against any internet-facing deployment where attacker credential acquisition is feasible.
Reflected or stored cross-site scripting (XSS) in raisulislamg4's student_management_system_by_php allows authenticated remote attackers to inject malicious scripts via the Message argument in admission_form_check.php. The vulnerability requires a victim to interact with a crafted link or page, triggering script execution in the context of another user's browser session. A public exploit exists per the GitHub issue report; however, the vendor has not responded to disclosure and no patch has been released.
SQL injection in raisulislamg4's PHP-based Student Management System allows remote unauthenticated attackers to manipulate the 'role' parameter in add_user_check.php to inject arbitrary SQL queries. Publicly available exploit code exists per VulDB disclosure, and the project (a rolling-release GitHub repository) has not responded to the reporter's issue, leaving deployments unpatched. CVSS 7.3 with low complexity and no privileges required makes this an attractive low-effort target despite the limited deployment footprint of this open-source educational project.
SQL injection in raisulislamg4's Student Management System (PHP) allows remote unauthenticated attackers to manipulate database queries via the user_id, course_id, teacher_id, student_id, or application_id parameters in delete.php. Publicly available exploit code exists, and the project operates on a rolling release model with no formal versioning, complicating patch tracking. The maintainer has been notified but has not responded, leaving deployments exposed.
SQL injection in raisulislamg4's PHP-based Student Management System allows remote unauthenticated attackers to manipulate the Username parameter in login_check.php to inject arbitrary SQL. Publicly available exploit code exists per the GitHub issue tracker, and the project follows a rolling-release model with no fixed version available. The vendor was notified early but has not responded, leaving deployments unpatched.
Horizontal privilege escalation in Dolibarr ERP CRM through version 23.0.1 permits any authenticated low-privilege user to read other users' leave request records via the Leave Request REST API, with a publicly available proof-of-concept confirming exploitability. The flaw in `checkUserAccessToObject` within `api_holidays.class.php` (CWE-285, Improper Authorization) arises because the access control helper receives only an integer object ID rather than the full object, causing ownership validation to fail silently and return another user's confidential HR data. No active exploitation is confirmed in CISA KEV, but the public POC and low attack complexity make this a realistic insider or multi-tenant threat requiring prompt patching.
SQL injection in code-projects Online Hospital Management System 1.0 exposes backend database contents via the `editid` parameter in `appointmentdetail.php`. A low-privilege authenticated attacker can remotely manipulate SQL queries to read, modify, or corrupt patient and appointment records. A proof-of-concept exploit is publicly available per the GitHub reference, raising the likelihood of opportunistic exploitation against internet-facing deployments of this PHP application.
SQL injection in code-projects Online Hospital Management System 1.php enables remote unauthenticated attackers to manipulate the Username parameter sent to the login_user function in login_1.php, allowing arbitrary SQL query execution against the backend database. Publicly available exploit code exists (published on GitHub by researcher Mi0uno), increasing the likelihood of opportunistic exploitation, though the CVE is not listed in CISA KEV and EPSS data is not provided. Per CVSS, exploitation requires no authentication or user interaction and impacts confidentiality, integrity, and availability at a low level (CVSS 7.3).
SQL injection in code-projects Online Hospital Management System 1.0 allows unauthenticated remote attackers to manipulate database queries via the `editid` parameter in /patient.php, potentially exposing or modifying patient records. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms zero-authentication, network-accessible exploitation with no special conditions, and a public proof-of-concept has been disclosed via GitHub. While the CVSS 5.5 score reflects limited per-component impact (Low confidentiality, integrity, and availability), the absence of any access barrier combined with POC availability makes this an actionable risk for any exposed deployment.
SQL injection in SourceCodester Hospitals Patient Records Management System 1.0 exposes sensitive medical data to unauthenticated remote attackers through the ID parameter of the /classes/Users.php?f=save endpoint. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms zero-barrier remote access requiring no credentials or user interaction, and a publicly available proof-of-concept exploit (E:P) further elevates real-world risk beyond the moderate 5.5 base score. No vendor-released patch has been identified, leaving all known deployments of version 1.0 exposed to data exfiltration and manipulation of patient health records.
SQL injection in SourceCodester Hospitals Patient Records Management System 1.0 allows unauthenticated remote attackers to manipulate the ID parameter in /classes/Users.php?f=delete, enabling unauthorized read and write access to the underlying database. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms no authentication or user interaction is required, and the E:P modifier confirms publicly available exploit code exists. While CVSS impact scores are rated Low across confidentiality, integrity, and availability, the unauthenticated network accessibility combined with a live POC elevates the practical deployment risk for any internet-exposed instance.
SQL injection in OpenCATS through 0.9.7.4 allows authenticated users to extract arbitrary database contents by injecting malicious SQL into the sortDirection parameter of ajax/getDataGridPager.php. Publicly available exploit code exists (Exploit-DB 52579, Packet Storm), and the issue was disclosed via a GitHub Security Advisory coordinated with VulnCheck. The CVSS 4.0 base score of 8.4 reflects high confidentiality impact with a subsequent-system scope change, though exploitation requires a valid low-privileged account.
SQL injection in code-projects Online Music Site 1.0 allows remote unauthenticated attackers to manipulate the ID parameter of /Administrator/PHP/AdminEditAlbum.php to inject arbitrary SQL queries. Publicly available exploit code exists (disclosed via VulDB submission 819912 and a GitHub issue), though there is no CISA KEV listing and no EPSS data provided to gauge exploitation probability. The vulnerability carries a CVSS 7.3 score reflecting low complexity and no authentication requirement, but only partial CIA impact.
Unrestricted file upload in Bdtask Multi-Store Inventory Management System 1.0 enables authenticated remote attackers to upload arbitrary file types - including PHP webshells - through the Component Module's Upload function, leading to potential remote code execution on the host server. The vulnerability resides in application/modules/dashboard/controllers/Module.php where the Upload function performs insufficient file type validation. A public proof-of-concept exploit has been released on GitHub, elevating the practical risk beyond the moderate CVSS 6.3 score. No vendor patch has been identified at time of analysis.
SQL injection in code-projects Online Music Site 1.0 exposes the administrator backend endpoint /Administrator/PHP/AdminUpdateAlbum.php to database manipulation via an unsanitized ID parameter. Exploitation requires high-privilege (administrator) credentials per CVSS PR:H, meaning only authenticated admins - or attackers who have already compromised an admin account - can trigger the flaw. A public proof-of-concept has been disclosed via GitHub, but no CISA KEV listing exists, and no public exploitation activity has been confirmed at this time.
SQL injection in code-projects Visitor Management System 1.0 exposes the `/vms/php/phone_0.php` endpoint to database manipulation via the unsanitized `phone` parameter, exploitable by authenticated remote attackers. A publicly available exploit chain on GitHub (by Xmyronn) explicitly demonstrates escalation from this SQL injection to remote code execution, elevating the real-world severity beyond the CVSS 6.3 base score. No public exploit identified at time of analysis as actively exploited (not in CISA KEV), but the published RCE chain makes this a meaningful risk for any internet-exposed deployment.
Weak password recovery in the BrinaryBrains School Student Management System (OUSL-GROUP-BrinaryBrains) exposes its Forgot Password endpoint to remote manipulation of the email argument, enabling attackers to abuse the flawed recovery mechanism and achieve limited unauthorized account integrity impact. The CVSS 4.0 score of 2.9 reflects high attack complexity (AC:H), constraining real-world exploitability despite publicly available exploit code (E:P). No active exploitation has been confirmed via CISA KEV, and the vendor has not responded to the coordinated disclosure as of the time of reporting.
Resource injection in the OUSL-GROUP-BrinaryBrains School Student Management System allows authenticated remote attackers to manipulate the param1 argument in the marks function of Parents.php, improperly controlling resource identifiers to access unauthorized academic records. The CVSS 4.0 score is 2.1, reflecting low-privilege authentication requirements (PR:L) and limited scope impact; a publicly available proof-of-concept exploit has been disclosed via a GitHub issue. No vendor patch exists - the project uses continuous delivery rolling releases and has not responded to the responsible disclosure report.
Authentication bypass in OUSL-GROUP-BrinaryBrains School Student Management System allows unauthenticated remote attackers to manipulate the 'role' argument in the sign_auth_cookie function, forging or escalating authentication cookies without valid credentials. All commits up to 1e70e5ad1125b86dca4ee086eb6bb121f17708b6 are affected, publicly available exploit code exists (confirmed by CVSS E:P and a public GitHub issue), and no patch is available as the project has not responded to disclosure. Despite a moderate CVSS 4.0 score of 5.5, the combination of zero-barrier remote exploitation and absent vendor remediation represents material unmitigated risk for any organization running this system.
SQL injection in Bdtask Multi-Store Inventory Management System 1.0 exposes backend database contents through the Accounts Report Handler's date-range search functionality. The vulnerability resides in the accounts_report_search function (Accounts.php), where the dtpToDate argument is passed to a SQL query without sanitization, allowing an authenticated high-privileged user to read, modify, or partially disrupt database data. Publicly available exploit code exists (CVSS 4.0 E:P), though the high-privilege prerequisite significantly limits the realistic attacker population; the vulnerability is not listed in CISA KEV.
Insecure Direct Object Reference in Dolibarr ERP CRM 23.0.0-23.0.2 allows any authenticated low-privilege user to read another user's messaging records by manipulating the `id` parameter in `htdocs/user/messaging.php`. The commit diff confirms the endpoint performed zero ownership or permission validation before serving messaging data - any valid session could enumerate other users' messages by cycling numeric IDs. No public exploit code has been identified and this CVE does not appear in CISA KEV, but the vulnerability is trivially exploitable given its low complexity and minimal authentication barrier.
Yot CMS 3.3.1 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the aid and cid parameters. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Gate Pass Management System 2.1 contains an SQL injection vulnerability that allows unauthenticated attackers to bypass authentication by injecting SQL code through the login and password parameters. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
MOGG web simulator Script contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL commands by injecting malicious code through the id parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Open STA Manager 2.3 contains a path traversal vulnerability that allows authenticated users to download arbitrary files by manipulating the file parameter. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
AiOPMSD Final 1.0.0 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the 'id' parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
AiOPMSD Final 1.0.0 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the genre parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
AiOPMSD Final 1.0.0 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the year parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
AiOPMSD Final 1.0.0 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the quality parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
AiOPMSD Final 1.0.0 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the country parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
AiOPMSD Final 1.0.0 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the director parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
AiOPMSD Final 1.0.0 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the actor parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
AiOPMSD Final 1.0.0 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the 'q' parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Delta Sql 1.8.2 contains an arbitrary file upload vulnerability that allows unauthenticated attackers to upload malicious files by sending POST requests to docs_upload.php with crafted multipart form. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
MGB OpenSource Guestbook 0.7.0.2 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the 'id' parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
SIM-PKH 2.4.1 contains an SQL injection vulnerability that allows authenticated attackers to execute arbitrary SQL queries by injecting malicious code through the 'id' parameter. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
SIM-PKH 2.4.1 contains an arbitrary file upload vulnerability that allows authenticated attackers to upload malicious files by submitting PHP code through the fupload parameter. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
The Open ISES Project 3.30A contains a path traversal vulnerability in the ajax/download.php endpoint that allows unauthenticated attackers to download arbitrary files by manipulating the filename. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
eNdonesia Portal 8.7 contains multiple SQL injection vulnerabilities that allow unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through parameters in mod.php. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
eNdonesia Portal 8.7 contains multiple SQL injection vulnerabilities that allow unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through parameters in mod.php. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
eNdonesia Portal 8.7 contains multiple SQL injection vulnerabilities that allow unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through parameters in mod.php. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
SQL injection in code-projects Student Details Management System 1.0 exposes the application's database to unauthenticated remote attackers via the unsanitized `roll` parameter in /index.php. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms this is exploitable over the network with no privileges or user interaction required, and a public proof-of-concept exploit is hosted on GitHub, materially lowering the barrier to exploitation. Impact is rated as partial across confidentiality, integrity, and availability (VC:L/VI:L/VA:L), though SQL injection primitives often enable escalation beyond the initial access implied by the base score.
Permanent inventory field deletion in Admidio (composer/admidio/admidio <= 5.0.9) is reachable by any authenticated low-privilege user due to a missing authorization gate in the `field_delete` mode of `modules/inventory.php`. Deleting a field cascades to all stored item data (`adm_inventory_item_data`) and field options (`adm_inventory_field_options`) for that field with no in-product undo path - recovery requires a database restore. This is an incomplete fix: commit d37ca6b (2026-04-12) added `isAdministratorInventory()` to the sibling `item_delete` handler but left `field_delete` and at least five other state-changing handlers ungated. A working proof-of-concept is published in the GitHub advisory; no public exploit frameworks or CISA KEV listing have been identified at time of analysis.
Plaintext credential exposure in Admidio v5.0.9 and earlier causes session IDs and persistent auto-login cookie values to be written to application logs whenever debug logging is enabled. Both the ADMIDIO_*_SESSION_ID and the long-lived ADMIDIO_*_AUTO_LOGIN_ID tokens are recorded verbatim by Session::setCookie() and Session::start(), effectively turning the log sink into a recoverable credential store. Any actor with read access to log files, log backups, or external log aggregation pipelines can extract and replay these tokens to hijack active sessions or gain persistent account access. Publicly available exploit code exists as documented in GitHub advisory GHSA-mch8-wf3h-6x88; this CVE is not currently listed in CISA KEV.
Missing CSRF protection on the PKCS#12 private key export endpoint in Admidio v5.0.9 allows a network-based attacker to force an authenticated administrator's browser to trigger an unauthorized SSO private key export. The SecurityUtils::validateCsrfToken() call in modules/sso/keys.php was commented out on the 'export' case, permitting forged cross-site POST requests to invoke KeyService::exportToPkcs12() without a valid form token. While same-origin policy prevents the attacker from reading the streamed .p12 response directly, a working proof-of-concept is publicly documented in the GitHub security advisory and a vendor-confirmed fix is available in version 5.0.10.
Insecure direct object reference in Admidio's documents module allows any user with upload rights on a single folder to exfiltrate files from private folders they cannot read. The `move_save` handler in `modules/documents-files.php` validates the actor's upload right against a URL-supplied `folder_uuid` rather than the file's actual parent folder, letting a low-privileged member relocate restricted files into an attacker-controlled folder and download them. No public exploit identified at time of analysis, but a detailed PoC with verified code paths is included in the GHSA-x628-457g-2pw9 advisory.
Cross-folder file rename and description tampering in Admidio's document management module allows any authenticated uploader to modify files in folders they cannot write to. The vulnerability affects Admidio <= 5.0.9 (composer package admidio/admidio): a low-privilege user holding upload rights on a single folder can rename files and overwrite descriptions in any other folder they can view, breaking integrity for all readers of those folders. Publicly available exploit code exists per the GitHub Security Advisory; no KEV listing at time of analysis.
Cross-site request forgery in Admidio's SSO module allows a network-adjacent attacker to disable or silently re-enable any configured SAML or OIDC authentication client by tricking an authenticated administrator into loading a malicious page. The `enable` action in `modules/sso/clients.php` accepts its `enabled` parameter via GET and applies the state change with no CSRF token validation, while every other state-changing branch in the same file enforces `SecurityUtils::validateCsrfToken()`. A working proof-of-concept is included in the vendor's GitHub security advisory (GHSA-xg76-5qj2-2hhv); no KEV listing was identified at time of analysis.
SQL injection in itsourcecode Fees Management System 1.0 exposes database contents and integrity to authenticated low-privilege remote attackers via the unsanitized `ID` parameter in `/manage_payment.php`. The CVSS vector (PR:L) confirms exploitation requires a valid user account, but no elevated privileges are needed beyond basic authentication. A publicly available proof-of-concept exploit exists (GitHub), raising the practical exploitation risk; no vendor-released patch has been identified at time of analysis.
Stored Cross-Site Scripting in the Simple Custom Login Page WordPress plugin (versions ≤ 1.0.3) allows authenticated administrators to inject arbitrary CSS rules into wp-login.php, which is then rendered for every unauthenticated visitor to the login page. The changed scope (S:C in CVSS) is the critical risk amplifier: a single administrator-level compromise or malicious admin can silently overlay phishing UI elements on the WordPress login page, harvesting credentials from any user who subsequently visits. No public exploit code has been identified at time of analysis and this vulnerability is not listed in the CISA KEV catalog.
Local File Inclusion via null byte injection in SourceCodester Pizzafy Ecommerce System 1.0 allows authenticated remote attackers with low-privilege accounts to read arbitrary files from the server by manipulating the `page` parameter in `/index.php`. Publicly available exploit code exists, published as a GitHub writeup demonstrating the null byte (%00) bypass technique. No CISA KEV listing at time of analysis, but the public POC lowers the bar for targeted exploitation against low-security PHP deployments.
File inclusion in SourceCodester Pizzafy Ecommerce System 1.0 exposes the admin panel to path traversal attacks via the `page` parameter in `/admin/index.php`, enabling an authenticated remote attacker to include arbitrary server-side files. Successful exploitation yields low-impact confidentiality, integrity, and availability compromise consistent with the CVSS C:L/I:L/A:L rating. A public exploit writeup (POC) exists on GitHub, significantly lowering the skill threshold for exploitation; however, no active exploitation has been confirmed via CISA KEV at time of analysis.
SQL injection in itsourcecode Fees Management System 1.0 exposes authenticated low-privileged users a pathway to manipulate database content via the `id` parameter in `/manage_fee.php`. The vulnerability allows remote attackers with valid application credentials to read, modify, or partially disrupt database records. Publicly available exploit code exists (CVSS 4.0 E:P modifier confirmed), though no active exploitation has been confirmed by CISA KEV. The overall severity is low (CVSS 4.0: 2.1), reflecting limited scope and confidentiality impact.
Reflected cross-site scripting in itsourcecode Fees Management System 1.0 allows remote unauthenticated attackers to inject arbitrary JavaScript into a victim's browser by manipulating the `page` argument of index.php. The vulnerability requires passive user interaction - a victim must follow a crafted URL - limiting its scalability, but publicly available exploit code lowers the barrier to abuse. No KEV listing exists; this is a low-severity finding corroborated by a CVSS 4.0 score of 2.1 and an exploit-modified (E:P) supplemental metric.
Insecure Direct Object Reference (IDOR) in code-projects Online Hospital Management System 1.0 allows a high-privileged remote attacker to manipulate the `delid` parameter in `viewdoctortimings.php`, resulting in unauthorized modification or deletion of doctor timing records beyond the attacker's intended access scope. The CVSS 4.0 score of 2.0 reflects the high privilege prerequisite (PR:H), low integrity impact (VI:L), and low availability impact (VA:L) to the vulnerable component. No public exploit identified at time of analysis as active exploitation - however, publicly available exploit code exists, documented in a GitHub proof-of-concept writeup.
SQL injection in itsourcecode Fees Management System 1.0 exposes the /manage_course.php endpoint to database manipulation via an unsanitized ID parameter, reachable by any low-privileged authenticated user over the network. The CVSS 6.3 medium score reflects limited impact scope (C:L/I:L/A:L), but the availability of public proof-of-concept exploit code materially elevates operational risk for internet-facing deployments. No public exploit identified at time of analysis maps to CISA KEV; however, the E:P CVSS modifier confirms exploit code is circulating.
SQL injection in itsourcecode Fees Management System 1.0 exposes the /ajax.php endpoint to database manipulation via the Username parameter, allowing authenticated remote attackers with low-privilege credentials to read, modify, or corrupt application data. The CVSS vector (AV:N/AC:L/PR:L) confirms this is network-exploitable at low complexity with a low-privilege account requirement. A publicly available proof-of-concept exploit exists (confirmed by CVSS temporal modifier E:P and a GitHub disclosure), though no active exploitation has been confirmed by CISA KEV at the time of analysis.
Unauthenticated SQL injection in Pixa Bank 2.0 allows remote attackers to exfiltrate database contents by submitting UNION-based payloads in the 'rib' parameter of the agence-ajax.php endpoint. Publicly available exploit code exists (Packet Storm) and the issue was disclosed by VulnCheck, making opportunistic exploitation likely against any internet-exposed instance. No public exploit identified at time of analysis as actively exploited in the wild (not on CISA KEV), but the trivial attack complexity and existing PoC elevate practical risk.
WP AutoSuggest 0.24 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the wpas_keys parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Joomla Component JE Photo Gallery 1.1 contains an SQL injection vulnerability that allows unauthenticated attackers to extract database information by injecting malicious SQL code through the. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Paroiciel 11.20 contains an SQL injection vulnerability that allows authenticated attackers to execute arbitrary SQL queries by injecting malicious code through the eGeqIdEquipe parameter. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
Paroiciel 11.20 contains an SQL injection vulnerability that allows authenticated attackers to execute arbitrary SQL queries by injecting malicious code through the zProIdPro parameter. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
Paroiciel 11.20 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the tRecIdListe parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
SQL injection in code-projects Hotel and Tourism Reservation System 1.0 allows remote unauthenticated attackers to manipulate the `tour` GET parameter in `tour.php` to inject arbitrary SQL into backend database queries. Publicly available exploit code exists (hosted on GitHub), enabling low-skilled attackers to extract or modify database contents, though no CISA KEV listing or EPSS signal indicates widespread active exploitation at this time.
Cross-site scripting in code-projects Hotel and Tourism Reservation System 1.0 allows remote unauthenticated attackers to inject and execute arbitrary JavaScript by manipulating the name, email, people, or number parameters submitted to /ht/tour.php. The POC repository title ('Stored-XSS') strongly suggests this is a persistent (stored) XSS variant, meaning injected payloads survive in the application and execute in the browsers of subsequent users who view the affected reservation data - not merely the attacker's own session. Publicly available exploit code exists; this CVE has not been added to the CISA KEV catalog at time of analysis.
Authentication bypass in code-projects Hotel and Tourism Reservation System 1.0 allows remote attackers to defeat admin login by manipulating the Password argument processed by the password_verify function in /admin/login.php. The flaw is reachable over the network without prior authentication, and publicly available exploit code exists, increasing the likelihood of opportunistic abuse against exposed deployments.
Server-side request forgery in SourceCodester SEO Meta Tag Extractor 1.0 allows remote unauthenticated attackers to coerce the application into making arbitrary outbound HTTP requests by manipulating the 'url' parameter passed to the get_headers() function in /index.php. Publicly available exploit code exists per VulDB, increasing the likelihood of opportunistic abuse against exposed instances, though no active exploitation has been confirmed via CISA KEV.
SQL injection in CodeAstro Payroll System 1.0 allows remote authenticated attackers with low-privilege credentials to manipulate database queries via the emp_id parameter in /home_employee.php. Exploitation can result in unauthorized read access to confidential payroll records, limited data manipulation, and potential availability impact against the underlying database. Publicly available exploit code exists (referenced via GitHub), elevating real-world risk beyond the moderate CVSS score of 6.3; no public patch is available at time of analysis.
Improper authorization in DevaslanPHP project-management (all versions through 2.0.0-beta1) allows any low-privileged authenticated attacker to remotely invoke the KanbanScrumHelper::recordUpdated function in the Ticket Handler component without adequate permission checks, resulting in unauthorized modification of ticket and kanban board records (integrity impact) and limited disruption of availability. The vendor was notified via GitHub issue #141 but had not responded at time of disclosure, meaning no patch is available. No public exploit code has been identified and the CVE does not appear in CISA KEV.
Improper authorization in DevaslanPHP project-management up to 2.0.0-beta1 allows authenticated remote attackers to edit or delete ticket comments they do not own by exploiting missing ownership validation in the Livewire Handler component. The CVSS vector (PR:L, AV:N, AC:L) confirms the attack is network-accessible and requires only a low-privilege account with no user interaction. No vendor patch exists - the maintainer has not responded to the responsible disclosure submitted via GitHub issue - and no public exploit or CISA KEV listing has been identified at time of analysis.
Insecure Direct Object Reference in Bottelet DaybydayCRM up to version 2.2.1 allows any authenticated user to view or download arbitrary documents belonging to other users by enumerating the external_id URL parameter in DocumentsController. The missing authorization check in both the view() and download() methods means a low-privilege employee or contractor can exfiltrate documents linked to any Task, Project, Lead, or Client within the CRM. No public exploit identified at time of analysis and no CISA KEV listing, but the attack is trivially executable by any authenticated user given low complexity (AC:L, AT:N) and no user interaction required (UI:N).
OS command injection in PHP Censor through 2.1.6 allows remote attackers to execute arbitrary shell commands by submitting a crafted commitId value to the webhook endpoint handled by src/Model/Build/GitBuild.php. The unsanitized commitId (and branch name) is interpolated into shell command strings passed to git log and clone operations, and publicly available exploit code exists per VulDB. No CISA KEV listing or EPSS score is provided, so exploitation appears opportunistic rather than confirmed active in the wild.
Improper authorization in a4m4's Student-Management-System allows unauthenticated remote attackers to manipulate the `sid` parameter in `admin/deleteform.php` to delete student records without any credentials. All commits up to f0c5f6842c5e8c431ff02b5260a565ca844df3a0 are affected, and a proof-of-concept exploit has been publicly disclosed via the project's GitHub issue tracker. No patch is available; the maintainer has not responded to the responsible disclosure report, leaving all deployed instances exposed with no official remediation path.
SQL injection in itsourcecode Content Management System 1.0 allows authenticated remote attackers to manipulate database queries via the topic_id parameter in /admin/edit_topic.php. The CVSS 4.0 vector (PR:L) confirms a low-privileged authenticated account is sufficient to trigger the injection, which yields limited but real confidentiality, integrity, and availability impact against the underlying database component. Publicly available exploit code exists (E:P), though no active exploitation has been confirmed by CISA KEV.
SQL injection in SourceCodester Computer Repair Shop Management System 1.0 exposes the admin product management endpoint to unauthenticated remote attackers who can manipulate the 'ID' parameter in /admin/products/manage_product.php to execute arbitrary SQL statements. The CVSS 4.0 vector confirms no privileges or user interaction are required (PR:N, UI:N, AV:N), and a proof-of-concept exploit has been publicly disclosed (E:P), lowering the bar for exploitation. Impact is assessed as low-to-moderate across confidentiality, integrity, and availability on the vulnerable system, with no lateral scope change to subsequent systems.
Unauthenticated SQL injection in code-projects Real State Services 1.0 exposes the login endpoint to remote database manipulation. The Username parameter passed to /loginuser.php is unsanitized and directly interpolated into SQL queries (CWE-74), enabling unauthenticated remote attackers to extract data, bypass authentication, or alter database contents. Exploit code has been publicly disclosed via a GitHub issue report, elevating practical risk despite the moderate CVSS 4.0 score of 5.5.
SQL injection in CodeAstro Online Job Portal 1.0 exposes the /users/application_status.php endpoint to unauthenticated remote attackers who can manipulate the ID parameter to inject arbitrary SQL into backend database queries, resulting in partial confidentiality, integrity, and availability impact. A proof-of-concept exploit has been published (CVSS 4.0 E:P confirmed), lowering the barrier to exploitation significantly despite the medium overall score. No public KEV listing exists, meaning active widespread exploitation is not confirmed at time of analysis, but the combination of a public POC and zero authentication requirements makes this a credible near-term risk for any internet-exposed deployment.
SQL injection in CodeAstro Online Job Portal 1.0 exposes the `/admin/jobs-admins/delete-jobs.php` endpoint to remote database manipulation via an unsanitized `ID` parameter. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) indicates no authentication, no complexity, and no user interaction are required to exploit this flaw from the network, though the admin panel context of the vulnerable endpoint warrants verification of actual auth enforcement. Publicly available exploit code exists (E:P), elevating practical risk above what the medium CVSS score of 5.5 alone might suggest.
SQL injection in itsourcecode Content Management System 1.0 allows remote authenticated attackers to manipulate the backend database via the topic_id parameter in /admin/add_sub_topic.php. The CVSS vector (PR:L) confirms exploitation requires low-privilege authentication, limiting opportunistic attack surface but not eliminating risk in multi-tenant or shared-admin environments. Publicly available exploit code exists, elevating practical risk above what the moderate CVSS score of 6.3 alone suggests.
SQL injection in itsourcecode Content Management System 1.0 exposes the admin-facing endpoint /admin/update_ss_img.php to database manipulation via the unsanitized topic_id parameter. Low-privilege authenticated attackers can exploit this remotely with no user interaction required, achieving partial read, write, and availability impact against the underlying database. A public exploit is available (CVSS temporal E:P; GitHub PoC linked in references), elevating practical risk despite the moderate 6.3 base score. No active exploitation confirmed via CISA KEV at time of analysis.
SQL injection in itsourcecode Content Management System 1.0 exposes the database to read, modify, and partial denial-of-service via a crafted comment submission. The vulnerable endpoint /save_comment.php fails to sanitize the Name parameter before incorporating it into SQL queries, allowing an authenticated low-privilege attacker to manipulate database logic directly. A publicly available proof-of-concept exploit exists (GitHub issue linked in VulDB entry), elevating real-world risk despite the absence of a CISA KEV listing.
Unauthenticated remote information disclosure in SourceCodester Pharmacy Sales and Inventory System 1.0 allows network-based attackers to bypass access controls and read sensitive sales statement data via the sell_statement function in application/controllers/ShowForm.php. The CVSS vector confirms PR:N (no authentication required) with low access complexity, and a proof-of-concept exploit has been publicly disclosed via GitHub. No KEV listing at time of analysis, but the combination of unauthenticated network access and available exploit code elevates practical risk beyond the moderate CVSS 5.3 score alone.
SQL injection in itsourcecode Online House Rental System 1.0 allows remote unauthenticated attackers to manipulate the 'ID' parameter of /manage_payment.php to execute arbitrary database queries. Publicly available exploit code exists, increasing the likelihood of opportunistic attacks against exposed deployments. The flaw was reported by VulDB and impacts a PHP-based rental management application commonly deployed by small operators and educational projects.
SQL injection in itsourcecode Online House Rental System 1.0 allows remote unauthenticated attackers to manipulate the 'ID' parameter of /manage_tenant.php to inject arbitrary SQL queries against the backend database. Publicly available exploit code exists (disclosed via GitHub issue tracker and indexed by VulDB), making opportunistic exploitation feasible against any internet-exposed instance. The vulnerability impacts a PHP-based property management application typically deployed by small landlords or as a learning/demonstration project.
SQL injection in itsourcecode Online House Rental System 1.0 allows remote unauthenticated attackers to manipulate the Username parameter of the /ajax.php?action=login endpoint to inject arbitrary SQL. Publicly available exploit code exists (VulDB-referenced PoC on GitHub), increasing the practical risk despite the application's limited deployment footprint. No CISA KEV listing is present, so this represents publicly available exploit code without confirmed active exploitation.
SQL injection in itsourcecode Online Blood Bank Management System 1.0 allows remote unauthenticated attackers to manipulate the 'hospital' parameter in /admin/campsdetails.php to inject arbitrary SQL queries. Publicly available exploit code exists, increasing the practical risk despite the application being a relatively niche PHP-based healthcare management product. No CISA KEV listing or EPSS score is provided in the source intelligence, so widespread automated exploitation is not confirmed.
SQL injection in itsourcecode Online Blood Bank Management System 1.0 allows remote unauthenticated attackers to manipulate the 'ID' parameter on /admin/viewrequest.php to inject arbitrary SQL into backend database queries. Publicly available exploit code exists per VulDB, raising the practical risk despite the moderate CVSS 7.3 score. No CISA KEV listing or EPSS data was provided, so widespread automated exploitation cannot be confirmed at this time.
Unrestricted file upload in SOPlanning's backup import functionality (versions 1.55 and below) allows an authenticated high-privilege attacker to smuggle a malicious PHP script inside a crafted ZIP archive alongside a legitimate user.csv file, bypassing extension validation entirely. This vulnerability is materially escalated when chained with CVE-2026-40547 (Path Traversal in the same product), which redirects extraction to a web-accessible directory, converting an upload flaw into full server-side remote code execution. No public exploit has been identified at time of analysis, and the vulnerability is not listed in CISA KEV, but the exploitation chain is technically straightforward once administrative credentials are held.
SQL injection in itsourcecode Content Management System 1.0 exposes the /instructions.php endpoint to database manipulation via the unsanitized topic_id parameter. Low-privileged remote attackers can read, modify, or delete data within the application's database scope. A public proof-of-concept exploit has been published (VulDB submission 823558 / GitHub issue), lowering the exploitation barrier, though the CVSS 4.0 score of 2.1 reflects limited blast radius due to low-impact CIA triad ratings and the low-privilege prerequisite.
Unauthenticated remote attackers can create privileged administrator accounts in SourceCodester Water Billing Management System 1.0 by sending crafted requests to the User Management endpoint, bypassing all authorization controls. The researcher-published reference - titled 'Unauthenticated Admin Creation in PHP System' - confirms the practical impact exceeds the moderate CVSS score: full administrative takeover of the application is achievable without credentials. Publicly available exploit code exists (CVSS E:P), and no vendor patch has been identified at time of analysis.
SQL injection in CodeAstro Ingredients Stock Management System 1.0 exposes authenticated remote attackers a direct path to database manipulation through the unsanitized `txt_search_category` parameter in `/Ingredients-Stock/stock_manager.php`. The CVSS vector (PR:L) confirms that low-privilege authentication is required, partially limiting exposure, but a publicly available proof-of-concept on GitHub significantly lowers the exploitation barrier. No confirmed active exploitation (CISA KEV) has been reported; however, the combination of low complexity, network accessibility, and public exploit code makes this a realistic threat against any internet-facing deployment where attacker credential acquisition is feasible.
Reflected or stored cross-site scripting (XSS) in raisulislamg4's student_management_system_by_php allows authenticated remote attackers to inject malicious scripts via the Message argument in admission_form_check.php. The vulnerability requires a victim to interact with a crafted link or page, triggering script execution in the context of another user's browser session. A public exploit exists per the GitHub issue report; however, the vendor has not responded to disclosure and no patch has been released.
SQL injection in raisulislamg4's PHP-based Student Management System allows remote unauthenticated attackers to manipulate the 'role' parameter in add_user_check.php to inject arbitrary SQL queries. Publicly available exploit code exists per VulDB disclosure, and the project (a rolling-release GitHub repository) has not responded to the reporter's issue, leaving deployments unpatched. CVSS 7.3 with low complexity and no privileges required makes this an attractive low-effort target despite the limited deployment footprint of this open-source educational project.
SQL injection in raisulislamg4's Student Management System (PHP) allows remote unauthenticated attackers to manipulate database queries via the user_id, course_id, teacher_id, student_id, or application_id parameters in delete.php. Publicly available exploit code exists, and the project operates on a rolling release model with no formal versioning, complicating patch tracking. The maintainer has been notified but has not responded, leaving deployments exposed.
SQL injection in raisulislamg4's PHP-based Student Management System allows remote unauthenticated attackers to manipulate the Username parameter in login_check.php to inject arbitrary SQL. Publicly available exploit code exists per the GitHub issue tracker, and the project follows a rolling-release model with no fixed version available. The vendor was notified early but has not responded, leaving deployments unpatched.
Horizontal privilege escalation in Dolibarr ERP CRM through version 23.0.1 permits any authenticated low-privilege user to read other users' leave request records via the Leave Request REST API, with a publicly available proof-of-concept confirming exploitability. The flaw in `checkUserAccessToObject` within `api_holidays.class.php` (CWE-285, Improper Authorization) arises because the access control helper receives only an integer object ID rather than the full object, causing ownership validation to fail silently and return another user's confidential HR data. No active exploitation is confirmed in CISA KEV, but the public POC and low attack complexity make this a realistic insider or multi-tenant threat requiring prompt patching.
SQL injection in code-projects Online Hospital Management System 1.0 exposes backend database contents via the `editid` parameter in `appointmentdetail.php`. A low-privilege authenticated attacker can remotely manipulate SQL queries to read, modify, or corrupt patient and appointment records. A proof-of-concept exploit is publicly available per the GitHub reference, raising the likelihood of opportunistic exploitation against internet-facing deployments of this PHP application.
SQL injection in code-projects Online Hospital Management System 1.php enables remote unauthenticated attackers to manipulate the Username parameter sent to the login_user function in login_1.php, allowing arbitrary SQL query execution against the backend database. Publicly available exploit code exists (published on GitHub by researcher Mi0uno), increasing the likelihood of opportunistic exploitation, though the CVE is not listed in CISA KEV and EPSS data is not provided. Per CVSS, exploitation requires no authentication or user interaction and impacts confidentiality, integrity, and availability at a low level (CVSS 7.3).
SQL injection in code-projects Online Hospital Management System 1.0 allows unauthenticated remote attackers to manipulate database queries via the `editid` parameter in /patient.php, potentially exposing or modifying patient records. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms zero-authentication, network-accessible exploitation with no special conditions, and a public proof-of-concept has been disclosed via GitHub. While the CVSS 5.5 score reflects limited per-component impact (Low confidentiality, integrity, and availability), the absence of any access barrier combined with POC availability makes this an actionable risk for any exposed deployment.
SQL injection in SourceCodester Hospitals Patient Records Management System 1.0 exposes sensitive medical data to unauthenticated remote attackers through the ID parameter of the /classes/Users.php?f=save endpoint. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms zero-barrier remote access requiring no credentials or user interaction, and a publicly available proof-of-concept exploit (E:P) further elevates real-world risk beyond the moderate 5.5 base score. No vendor-released patch has been identified, leaving all known deployments of version 1.0 exposed to data exfiltration and manipulation of patient health records.
SQL injection in SourceCodester Hospitals Patient Records Management System 1.0 allows unauthenticated remote attackers to manipulate the ID parameter in /classes/Users.php?f=delete, enabling unauthorized read and write access to the underlying database. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms no authentication or user interaction is required, and the E:P modifier confirms publicly available exploit code exists. While CVSS impact scores are rated Low across confidentiality, integrity, and availability, the unauthenticated network accessibility combined with a live POC elevates the practical deployment risk for any internet-exposed instance.
SQL injection in OpenCATS through 0.9.7.4 allows authenticated users to extract arbitrary database contents by injecting malicious SQL into the sortDirection parameter of ajax/getDataGridPager.php. Publicly available exploit code exists (Exploit-DB 52579, Packet Storm), and the issue was disclosed via a GitHub Security Advisory coordinated with VulnCheck. The CVSS 4.0 base score of 8.4 reflects high confidentiality impact with a subsequent-system scope change, though exploitation requires a valid low-privileged account.
SQL injection in code-projects Online Music Site 1.0 allows remote unauthenticated attackers to manipulate the ID parameter of /Administrator/PHP/AdminEditAlbum.php to inject arbitrary SQL queries. Publicly available exploit code exists (disclosed via VulDB submission 819912 and a GitHub issue), though there is no CISA KEV listing and no EPSS data provided to gauge exploitation probability. The vulnerability carries a CVSS 7.3 score reflecting low complexity and no authentication requirement, but only partial CIA impact.
Unrestricted file upload in Bdtask Multi-Store Inventory Management System 1.0 enables authenticated remote attackers to upload arbitrary file types - including PHP webshells - through the Component Module's Upload function, leading to potential remote code execution on the host server. The vulnerability resides in application/modules/dashboard/controllers/Module.php where the Upload function performs insufficient file type validation. A public proof-of-concept exploit has been released on GitHub, elevating the practical risk beyond the moderate CVSS 6.3 score. No vendor patch has been identified at time of analysis.
SQL injection in code-projects Online Music Site 1.0 exposes the administrator backend endpoint /Administrator/PHP/AdminUpdateAlbum.php to database manipulation via an unsanitized ID parameter. Exploitation requires high-privilege (administrator) credentials per CVSS PR:H, meaning only authenticated admins - or attackers who have already compromised an admin account - can trigger the flaw. A public proof-of-concept has been disclosed via GitHub, but no CISA KEV listing exists, and no public exploitation activity has been confirmed at this time.
SQL injection in code-projects Visitor Management System 1.0 exposes the `/vms/php/phone_0.php` endpoint to database manipulation via the unsanitized `phone` parameter, exploitable by authenticated remote attackers. A publicly available exploit chain on GitHub (by Xmyronn) explicitly demonstrates escalation from this SQL injection to remote code execution, elevating the real-world severity beyond the CVSS 6.3 base score. No public exploit identified at time of analysis as actively exploited (not in CISA KEV), but the published RCE chain makes this a meaningful risk for any internet-exposed deployment.
Weak password recovery in the BrinaryBrains School Student Management System (OUSL-GROUP-BrinaryBrains) exposes its Forgot Password endpoint to remote manipulation of the email argument, enabling attackers to abuse the flawed recovery mechanism and achieve limited unauthorized account integrity impact. The CVSS 4.0 score of 2.9 reflects high attack complexity (AC:H), constraining real-world exploitability despite publicly available exploit code (E:P). No active exploitation has been confirmed via CISA KEV, and the vendor has not responded to the coordinated disclosure as of the time of reporting.
Resource injection in the OUSL-GROUP-BrinaryBrains School Student Management System allows authenticated remote attackers to manipulate the param1 argument in the marks function of Parents.php, improperly controlling resource identifiers to access unauthorized academic records. The CVSS 4.0 score is 2.1, reflecting low-privilege authentication requirements (PR:L) and limited scope impact; a publicly available proof-of-concept exploit has been disclosed via a GitHub issue. No vendor patch exists - the project uses continuous delivery rolling releases and has not responded to the responsible disclosure report.
Authentication bypass in OUSL-GROUP-BrinaryBrains School Student Management System allows unauthenticated remote attackers to manipulate the 'role' argument in the sign_auth_cookie function, forging or escalating authentication cookies without valid credentials. All commits up to 1e70e5ad1125b86dca4ee086eb6bb121f17708b6 are affected, publicly available exploit code exists (confirmed by CVSS E:P and a public GitHub issue), and no patch is available as the project has not responded to disclosure. Despite a moderate CVSS 4.0 score of 5.5, the combination of zero-barrier remote exploitation and absent vendor remediation represents material unmitigated risk for any organization running this system.
SQL injection in Bdtask Multi-Store Inventory Management System 1.0 exposes backend database contents through the Accounts Report Handler's date-range search functionality. The vulnerability resides in the accounts_report_search function (Accounts.php), where the dtpToDate argument is passed to a SQL query without sanitization, allowing an authenticated high-privileged user to read, modify, or partially disrupt database data. Publicly available exploit code exists (CVSS 4.0 E:P), though the high-privilege prerequisite significantly limits the realistic attacker population; the vulnerability is not listed in CISA KEV.
Insecure Direct Object Reference in Dolibarr ERP CRM 23.0.0-23.0.2 allows any authenticated low-privilege user to read another user's messaging records by manipulating the `id` parameter in `htdocs/user/messaging.php`. The commit diff confirms the endpoint performed zero ownership or permission validation before serving messaging data - any valid session could enumerate other users' messages by cycling numeric IDs. No public exploit code has been identified and this CVE does not appear in CISA KEV, but the vulnerability is trivially exploitable given its low complexity and minimal authentication barrier.
Yot CMS 3.3.1 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the aid and cid parameters. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Gate Pass Management System 2.1 contains an SQL injection vulnerability that allows unauthenticated attackers to bypass authentication by injecting SQL code through the login and password parameters. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
MOGG web simulator Script contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL commands by injecting malicious code through the id parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Open STA Manager 2.3 contains a path traversal vulnerability that allows authenticated users to download arbitrary files by manipulating the file parameter. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
AiOPMSD Final 1.0.0 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the 'id' parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
AiOPMSD Final 1.0.0 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the genre parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
AiOPMSD Final 1.0.0 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the year parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
AiOPMSD Final 1.0.0 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the quality parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
AiOPMSD Final 1.0.0 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the country parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
AiOPMSD Final 1.0.0 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the director parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
AiOPMSD Final 1.0.0 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the actor parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
AiOPMSD Final 1.0.0 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the 'q' parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Delta Sql 1.8.2 contains an arbitrary file upload vulnerability that allows unauthenticated attackers to upload malicious files by sending POST requests to docs_upload.php with crafted multipart form. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
MGB OpenSource Guestbook 0.7.0.2 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the 'id' parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
SIM-PKH 2.4.1 contains an SQL injection vulnerability that allows authenticated attackers to execute arbitrary SQL queries by injecting malicious code through the 'id' parameter. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
SIM-PKH 2.4.1 contains an arbitrary file upload vulnerability that allows authenticated attackers to upload malicious files by submitting PHP code through the fupload parameter. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
The Open ISES Project 3.30A contains a path traversal vulnerability in the ajax/download.php endpoint that allows unauthenticated attackers to download arbitrary files by manipulating the filename. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
eNdonesia Portal 8.7 contains multiple SQL injection vulnerabilities that allow unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through parameters in mod.php. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
eNdonesia Portal 8.7 contains multiple SQL injection vulnerabilities that allow unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through parameters in mod.php. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
eNdonesia Portal 8.7 contains multiple SQL injection vulnerabilities that allow unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through parameters in mod.php. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
SQL injection in code-projects Student Details Management System 1.0 exposes the application's database to unauthenticated remote attackers via the unsanitized `roll` parameter in /index.php. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms this is exploitable over the network with no privileges or user interaction required, and a public proof-of-concept exploit is hosted on GitHub, materially lowering the barrier to exploitation. Impact is rated as partial across confidentiality, integrity, and availability (VC:L/VI:L/VA:L), though SQL injection primitives often enable escalation beyond the initial access implied by the base score.
Permanent inventory field deletion in Admidio (composer/admidio/admidio <= 5.0.9) is reachable by any authenticated low-privilege user due to a missing authorization gate in the `field_delete` mode of `modules/inventory.php`. Deleting a field cascades to all stored item data (`adm_inventory_item_data`) and field options (`adm_inventory_field_options`) for that field with no in-product undo path - recovery requires a database restore. This is an incomplete fix: commit d37ca6b (2026-04-12) added `isAdministratorInventory()` to the sibling `item_delete` handler but left `field_delete` and at least five other state-changing handlers ungated. A working proof-of-concept is published in the GitHub advisory; no public exploit frameworks or CISA KEV listing have been identified at time of analysis.
Plaintext credential exposure in Admidio v5.0.9 and earlier causes session IDs and persistent auto-login cookie values to be written to application logs whenever debug logging is enabled. Both the ADMIDIO_*_SESSION_ID and the long-lived ADMIDIO_*_AUTO_LOGIN_ID tokens are recorded verbatim by Session::setCookie() and Session::start(), effectively turning the log sink into a recoverable credential store. Any actor with read access to log files, log backups, or external log aggregation pipelines can extract and replay these tokens to hijack active sessions or gain persistent account access. Publicly available exploit code exists as documented in GitHub advisory GHSA-mch8-wf3h-6x88; this CVE is not currently listed in CISA KEV.
Missing CSRF protection on the PKCS#12 private key export endpoint in Admidio v5.0.9 allows a network-based attacker to force an authenticated administrator's browser to trigger an unauthorized SSO private key export. The SecurityUtils::validateCsrfToken() call in modules/sso/keys.php was commented out on the 'export' case, permitting forged cross-site POST requests to invoke KeyService::exportToPkcs12() without a valid form token. While same-origin policy prevents the attacker from reading the streamed .p12 response directly, a working proof-of-concept is publicly documented in the GitHub security advisory and a vendor-confirmed fix is available in version 5.0.10.
Insecure direct object reference in Admidio's documents module allows any user with upload rights on a single folder to exfiltrate files from private folders they cannot read. The `move_save` handler in `modules/documents-files.php` validates the actor's upload right against a URL-supplied `folder_uuid` rather than the file's actual parent folder, letting a low-privileged member relocate restricted files into an attacker-controlled folder and download them. No public exploit identified at time of analysis, but a detailed PoC with verified code paths is included in the GHSA-x628-457g-2pw9 advisory.
Cross-folder file rename and description tampering in Admidio's document management module allows any authenticated uploader to modify files in folders they cannot write to. The vulnerability affects Admidio <= 5.0.9 (composer package admidio/admidio): a low-privilege user holding upload rights on a single folder can rename files and overwrite descriptions in any other folder they can view, breaking integrity for all readers of those folders. Publicly available exploit code exists per the GitHub Security Advisory; no KEV listing at time of analysis.
Cross-site request forgery in Admidio's SSO module allows a network-adjacent attacker to disable or silently re-enable any configured SAML or OIDC authentication client by tricking an authenticated administrator into loading a malicious page. The `enable` action in `modules/sso/clients.php` accepts its `enabled` parameter via GET and applies the state change with no CSRF token validation, while every other state-changing branch in the same file enforces `SecurityUtils::validateCsrfToken()`. A working proof-of-concept is included in the vendor's GitHub security advisory (GHSA-xg76-5qj2-2hhv); no KEV listing was identified at time of analysis.