Skip to main content

PHP

24727 CVEs product

Monthly

CVE-2026-9607 LOW POC Monitor

SQL injection in itsourcecode Courier Management System 1.0 allows low-privileged authenticated remote attackers to manipulate backend database queries via the unsanitized 's' parameter in /parcel_list.php. A proof-of-concept exploit is publicly available on GitHub, meaningfully lowering the barrier to exploitation despite the low CVSS 4.0 score of 2.1. No vendor patch has been identified at time of analysis, leaving deployments reliant on compensating controls.

PHP SQLi
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-44177 PHP HIGH PATCH GHSA This Week

Pre-authentication path traversal in Kirby CMS versions 5.3.0 through 5.4.0 lets remote attackers manipulate the user ID used during account lookup to escape the site/accounts directory, enabling inclusion of arbitrary PHP files named index.php (such as plugin entrypoints) and probing for the existence of arbitrary server directories. The flaw is reachable through the unauthenticated authentication API and affects all Kirby sites on these versions regardless of configuration. The vendor rates it high (CVSS 8.8); there is no public exploit identified at time of analysis and it is not listed in CISA KEV.

Path Traversal PHP
NVD GitHub
CVSS 4.0
8.8
EPSS
0.1%
CVE-2026-9606 MEDIUM POC This Month

SQL injection in itsourcecode Courier Management System 1.0 lets remote attackers manipulate the 'ID' parameter of /manage_user.php to inject arbitrary SQL into backend database queries. Per the CVSS vector (PR:N) no authentication is required, and publicly available exploit code exists, though the flaw is not listed in CISA KEV and carries only low (C:L/I:L/A:L) per-impact ratings.

PHP SQLi
NVD VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-9603 MEDIUM POC This Month

Missing authorization in SourceCodester eDoc Doctor Appointment System 1.0 exposes the /admin/delete-session.php endpoint to unauthenticated remote attackers who can manipulate the ID parameter to delete arbitrary appointment sessions without any credential or privilege. The CVSS 4.0 vector confirms network-accessible, zero-complexity exploitation with no authentication required (PR:N), though impact is bounded to low integrity and availability degradation with no confidentiality loss. A publicly available exploit script (poc.sh) on GitHub confirms practical exploitability, though the vulnerability is not currently listed in CISA KEV.

PHP Authentication Bypass
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-9583 LOW POC Monitor

Information exposure via verbose SQL error messages in SourceCodester CET Automated Grading System with AI Predictive Analytics 1.0 enables authenticated remote attackers to harvest internal database details by manipulating the /index.php SQL Handler endpoint. The application returns raw SQL error output rather than sanitized application-level messages, leaking schema structure, table names, or query internals. A public proof-of-concept exploit is available on GitHub; this CVE is not listed in the CISA KEV catalog, and the CVSS 4.0 score of 2.1 reflects the low-severity, confidentiality-only impact.

Information Disclosure PHP
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-9584 MEDIUM POC This Month

SQL injection in code-projects Project Management System 1.0 allows remote unauthenticated attackers to manipulate database queries through the login handler (chk.php). The flaw stems from unsanitized input being passed into a SQL statement, enabling authentication-context query tampering and data disclosure. Publicly available exploit code exists, though the vulnerability is not listed in CISA KEV and no active exploitation is confirmed.

PHP SQLi
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-9575 MEDIUM POC This Month

SQL injection in itsourcecode Student Transcript Processing System 1.0 exposes the admin panel endpoint `/admin/modules/class/index.php?view=view` to remote unauthenticated database manipulation via the unsanitized `id` parameter. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms no authentication or user interaction is required, making this trivially reachable from the network. A public proof-of-concept exploit has been disclosed on GitHub, and SSVC flags this as automatable with partial technical impact - though EPSS at 0.03% (9th percentile) reflects limited observed in-the-wild activity; no public exploit identified at time of analysis reaching KEV status.

PHP SQLi Student Transcript Processing System
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-35202 PHP LOW PATCH GHSA Monitor

Resource quota bypass in Pterodactyl Panel prior to 1.12.3 allows authenticated users to exceed their assigned database allocation limits by exploiting a broken concurrency guard in the Client API. The `lockForUpdate()` call in `DatabaseController.php` is a non-terminating Laravel query builder call that never issues an actual SQL lock, making it a no-op that enables parallel requests to simultaneously pass the limit check. No public exploit has been identified at time of analysis; with EPSS at 0.04% (12th percentile) and no KEV listing, real-world exploitation risk is currently low but relevant to multi-tenant hosting deployments.

PHP Authentication Bypass
NVD GitHub
CVSS 4.0
2.3
EPSS
0.0%
CVE-2026-9574 MEDIUM POC This Month

SQL injection in itsourcecode Student Transcript Processing System 1.0 allows remote unauthenticated attackers to manipulate backend database queries by supplying crafted values for the studentId or cid parameters in /admin/modules/student/trans.php. The CVSS 4.0 vector (PR:N, AC:L, UI:N) confirms exploitation requires no authentication and no user interaction, and a proof-of-concept is publicly available via a GitHub issue. No public KEV listing exists and EPSS sits at 0.03% (9th percentile), indicating limited threat-actor uptake thus far - likely due to the narrow deployment footprint of this niche educational PHP application.

PHP SQLi Student Transcript Processing System
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-9573 MEDIUM POC This Month

SQL injection in itsourcecode Student Transcript Processing System 1.0 exposes the application to unauthenticated remote database manipulation via the studentId parameter in the admin student view endpoint. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms no privileges or user interaction are required, and publicly available exploit code exists on GitHub. Despite the remote, unauthenticated attack surface and POC availability, EPSS sits at only 0.03% (9th percentile), indicating limited real-world exploitation uptake at time of analysis; no CISA KEV listing has been issued.

PHP SQLi Student Transcript Processing System
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-45247 CRITICAL POC KEV PATCH THREAT NEWS Act Now

Remote code execution in Mirasvit Full Page Cache Warmer for Magento 2 before 1.11.12 allows unauthenticated attackers to execute arbitrary code by sending a crafted serialized PHP object in the CacheWarmer cookie. The flaw is confirmed actively exploited (CISA KEV) with publicly available exploit code, and successful exploitation chains Magento and dependency gadget chains via an unsafe call to unserialize(). Despite a low EPSS score (0.10%), KEV listing and CVSS 9.3 indicate this is a high-priority patch for any Magento 2 store running the module.

PHP Adobe Deserialization RCE Full Page Cache Warmer For Magento 2
NVD VulDB
CVSS 4.0
9.3
EPSS
0.1%
Threat
4.9
CVE-2026-48133 HIGH This Week

Unauthenticated information disclosure in Check Point Quantum Security Gateway allows remote attackers to read internal files on the appliance when the Identity Awareness blade is configured with Browser-Based Authentication. The flaw maps to CWE-98 (PHP file inclusion) and carries a CVSS 7.5 with confidentiality-only impact; EPSS is low (0.10%) and there is no public exploit identified at time of analysis, but the unauthenticated network reach against a perimeter gateway makes triage urgent for affected deployments.

PHP Information Disclosure LFI Quantum Security Gateway
NVD VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-9542 LOW POC Monitor

SQL injection in CodeAstro Leave Management System 1.0 allows authenticated remote attackers to manipulate the `email_id` parameter in `/admin/add_staff.php`, enabling arbitrary SQL query manipulation against the underlying database. The CVSS 4.0 score of 2.1 (Low) reflects constrained impact scope - confidentiality, integrity, and availability are each rated Low with no lateral impact to subsequent systems - and EPSS at 0.03% (8th percentile) indicates negligible real-world exploitation probability despite a publicly available proof-of-concept on GitHub. No active exploitation has been confirmed and this CVE is not listed in the CISA KEV catalog.

PHP SQLi Leave Management System
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-39661 HIGH This Week

Local File Inclusion in Magentech SW Core WordPress plugin (versions through 1.7.18) allows authenticated remote attackers to coerce the application into including arbitrary PHP files via improperly validated filename input. Successful exploitation results in disclosure of sensitive server-side files and potential code execution under the web server context. No public exploit has been identified at time of analysis, and EPSS exploitation probability is low at 0.11%.

PHP Information Disclosure LFI Sw Core
NVD VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-9528 MEDIUM POC This Month

SQL injection in itsourcecode Electronic Judging System 1.0 exposes the /admin/delete_judge.php endpoint to remote unauthenticated attackers who can manipulate the judge_id parameter to execute arbitrary SQL against the backend database. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms no prerequisites are required to reach the vulnerable parameter, and a publicly available proof-of-concept exploit exists on GitHub, corroborated by the CVSS 4.0 exploit maturity modifier E:P. Despite these factors, EPSS sits at 0.03% (9th percentile), indicating no public exploit has yet driven widespread opportunistic scanning; no KEV listing confirms active exploitation in the wild at time of analysis.

PHP SQLi Electronic Judging System
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-9527 LOW POC Monitor

Reflected cross-site scripting in itsourcecode Electronic Judging System 1.0 allows unauthenticated remote attackers to inject malicious scripts via the `fname` parameter of `/admin/judges.php`, executing arbitrary JavaScript in the context of a victim's browser session. The CVSS 4.0 score of 2.1 reflects the low integrity impact and mandatory user interaction, consistent with a reflected XSS that requires a victim to follow a crafted URL. No public exploit identified at time of analysis as KEV-listed, but a publicly available proof-of-concept exists on GitHub, slightly elevating practical risk despite the EPSS score of 0.03% (10th percentile).

PHP XSS Electronic Judging System
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-9526 MEDIUM POC This Month

SQL injection in itsourcecode Electronic Judging System 1.0 allows remote unauthenticated attackers to manipulate the `num_id` parameter in `/admin/edit_team.php`, enabling unauthorized database read, write, and partial availability impact. The CVSS 4.0 vector confirms no authentication or user interaction is required (PR:N/UI:N), and publicly available exploit code exists on GitHub - though EPSS remains very low at 0.03% (9th percentile), suggesting limited real-world exploitation interest consistent with a niche, low-adoption PHP application. The vulnerability is not listed in CISA KEV, but the SSVC framework flags it as automatable, meaning opportunistic scanning tools could exploit it at scale against any internet-exposed deployment.

PHP SQLi Electronic Judging System
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-9525 MEDIUM POC This Month

SQL injection in itsourcecode Electronic Judging System 1.0 exposes the /admin/edit_judge.php endpoint to unauthenticated remote attackers who can manipulate the judge_id parameter to execute arbitrary SQL against the backend database. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms exploitation requires no authentication, no user interaction, and no special preconditions. A public proof-of-concept exploit has been disclosed on GitHub, though EPSS at 0.03% (9th percentile) reflects the product's limited deployment footprint rather than low technical severity - no public exploit identified at time of analysis as confirmed actively exploited (CISA KEV).

PHP SQLi Electronic Judging System
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-9518 LOW POC Monitor

Stored cross-site scripting in hemant6488's CodeIgniter-StudentManagementSystem allows remote unauthenticated attackers to inject arbitrary JavaScript via the Name argument of the addStudent function in view_students.php. When a victim user views the student listing, the injected script executes in their browser context, enabling session hijacking, credential theft, or defacement. A publicly available proof-of-concept exists via GitHub issue report; however, this vulnerability is not listed in CISA KEV, and EPSS scoring places exploitation probability at 0.03%, indicating low real-world exploitation activity despite POC availability.

PHP XSS Codeigniter Studentmanagementsystem
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-9517 MEDIUM POC This Month

Improper access control in hemant6488's CodeIgniter-StudentManagementSystem exposes the student addition endpoint at /index.php/students/addStudentView to unauthenticated remote manipulation, enabling read, write, and partial availability impact on student data without credentials. The CVSS 4.0 vector (PR:N, AV:N, AC:L) confirms no authentication is required from any network, and a publicly available exploit (GitHub issue #5) has been documented. No vendor patch exists and the maintainer has not responded to the coordinated disclosure, leaving all deployed instances unmitigated.

PHP Authentication Bypass Codeigniter Studentmanagementsystem
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-48687 CRITICAL Act Now

OS command injection in FastNetMon Community Edition (through 1.2.9) lets attacker-controlled input reach an unescaped exec() call inside the Juniper router integration plugin, enabling arbitrary shell command execution on the host. The flaw lives in the _log() function of src/juniper_plugin/fastnetmon_juniper.php, where the $msg argument (built from argv[1]-argv[3]: attack IP, direction, power) is concatenated directly into a shell command. Although rated CVSS 9.8, practical exploitation is gated: FastNetMon's C++ core currently feeds IPs through inet_ntoa(), which only yields safe dotted-decimal strings, so injection requires the script to be driven directly or by a third-party orchestrator. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.

Command Injection PHP Juniper N A
NVD GitHub VulDB
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-48694 HIGH This Week

Configuration injection in FastNetMon Community Edition through 1.2.9 allows an attacker who controls the attacker IP string passed to the Juniper integration plugin to inject arbitrary Juniper NETCONF set/delete commands, leading to full router compromise. The flaw lives in the PHP-based Juniper plugin where unsanitized argv input is interpolated into NETCONF commands, and although no public exploit identified at time of analysis (EPSS 0.03%), the technical impact is rated total under SSVC and CVSS scores 8.1.

PHP Juniper Command Injection N A
NVD GitHub VulDB
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-48695 HIGH This Week

OS command injection in FastNetMon Community Edition through 1.2.9 lets an authenticated network attacker execute arbitrary shell commands via the MikroTik router integration plugin by influencing argv[] values passed to the unsanitized _log() function. The flaw mirrors a previously disclosed Juniper plugin issue in the same project, and while a public technical write-up exists at lorikeetsecurity.com, no public exploit code or active exploitation has been identified, with EPSS at 0.05% (17th percentile).

PHP Mikrotik Juniper Command Injection N A
NVD GitHub
CVSS 3.1
8.1
EPSS
0.1%
CVE-2026-9485 LOW POC Monitor

Cross-site scripting in SourceCodester Student Grades Management System 1.0 allows a low-privileged authenticated attacker to inject malicious JavaScript via the unvalidated 'Remarks' parameter in students.php, executing arbitrary scripts in the context of a victim's browser session upon passive viewing. A public proof-of-concept exists on GitHub; however, this CVE is not listed in the CISA KEV catalog and the EPSS score of 0.03% (9th percentile) reflects very low real-world exploitation probability. SSVC assessment corroborates this with 'Exploitation: none' and 'Automatable: no,' consistent with the required user-interaction constraint.

PHP XSS Student Grades Management System
NVD VulDB GitHub
CVSS 4.0
2.0
EPSS
0.0%
CVE-2026-9484 LOW POC Monitor

Improper authorization in SourceCodester Student Grades Management System 1.0 allows authenticated remote attackers to manipulate the classroom_id parameter within classroom.php to access or modify classroom enrollment data beyond their authorized scope. The vulnerability affects the getClassroomStudents and removeStudentFromClassroom functions, enabling unauthorized listing of enrolled students or removal of students from classrooms the attacker does not administer. A publicly available proof-of-concept exploit exists on GitHub, though EPSS places exploitation probability at just 0.04% (13th percentile), and the vulnerability is not currently listed in the CISA KEV catalog.

PHP Authentication Bypass Student Grades Management System
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-9483 LOW POC Monitor

Improper authorization in SourceCodester Student Grades Management System 1.0 permits authenticated remote attackers to access or manipulate grade records belonging to other students by tampering with the student_id parameter in grades.php. The flaw (CWE-285) reflects a failure to enforce object-level authorization, allowing a low-privileged user to cross access boundaries to other students' data. A publicly available proof-of-concept exists on GitHub, though EPSS sits at 0.04% (11th percentile) and SSVC classifies exploitation as none, indicating no evidence of active exploitation in the wild despite the POC.

PHP Authentication Bypass Student Grades Management System
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-9474 MEDIUM POC This Month

SQL injection in yashpokharna2555 StudentManagementSystem's /studentdel.php endpoint allows remote unauthenticated attackers to manipulate the ID parameter within the confirm_logged_in function, enabling arbitrary SQL query execution against the backend database. All commits up to cb2f558ddf8d19396de0f92abf2d224d46a0a203 of this PHP-based academic application are affected, with no patched release available due to its rolling-release model and vendor non-response. A public exploit exists per GitHub issue #5, and SSVC flags the attack as automatable, though the EPSS score of 0.03% reflects limited real-world scanning activity likely attributable to the application's narrow deployment footprint.

PHP SQLi Studentmanagementsystem
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-9471 LOW POC Monitor

Cross-site scripting in yashpokharna2555's StudentManagementSystem (PHP) allows authenticated remote attackers to inject malicious client-side scripts via the FIRST_NAME parameter in /student.php, executing in victim browsers upon record viewing. The CVSS 4.0 score of 2.0 (Low) reflects the requirement for prior authentication (PR:L) and user interaction (UI:P), significantly constraining real-world impact. Publicly available exploit code exists via a GitHub issue report; no vendor patch has been issued and the maintainer has not responded to the disclosure.

PHP XSS Studentmanagementsystem
NVD VulDB GitHub
CVSS 4.0
2.0
EPSS
0.0%
CVE-2026-9470 MEDIUM POC This Month

SQL injection in yashpokharna2555's StudentManagementSystem (commit cb2f558) exposes the confirm_logged_in function in student_trans.php to unauthenticated remote attackers who can manipulate FIRST_NAME, Last_Name, and EMAIL parameters to execute arbitrary SQL against the backend database. A public exploit has been disclosed via GitHub issue #3, confirming exploitability requires minimal skill; however, EPSS at 0.03% (9th percentile) indicates very low observed real-world exploitation activity, likely reflecting the narrow deployment footprint of this niche open-source PHP project rather than any technical barrier. No patch is available at time of analysis, as the maintainer has not responded to the coordinated disclosure.

PHP SQLi Studentmanagementsystem
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-9469 MEDIUM POC This Month

SQL injection in the PHP-based yashpokharna2555/StudentManagementSystem exposes the /success.php endpoint to remote unauthenticated database attacks via the unsanitized 'User' argument. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms exploitation requires no authentication, no user interaction, and no special network position. A publicly available exploit exists via a GitHub issue report; the project maintainer has been notified but has not responded, and no patch has been released. Despite POC availability, EPSS sits at 0.03% (9th percentile), reflecting the niche, low-adoption nature of this project rather than a reduced technical severity.

PHP SQLi Studentmanagementsystem
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2018-25374 HIGH POC This Week

Softneta MedDream PACS Server Premium 6.7.1.1 contains a directory traversal vulnerability that allows unauthenticated attackers to read arbitrary files by manipulating the path parameter. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Path Traversal PHP
NVD Exploit-DB
CVSS 4.0
8.7
EPSS
0.5%
CVE-2018-25372 HIGH POC This Week

MedDream PACS Server Premium 6.7.1.1 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the email. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi PHP
NVD Exploit-DB
CVSS 4.0
8.8
EPSS
0.1%
CVE-2018-25370 MEDIUM POC This Month

Admidio 3.3.5 contains a cross-site request forgery vulnerability that allows low-privilege users to increase their permissions by exploiting improper origin checking. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

CSRF PHP
NVD Exploit-DB
CVSS 4.0
6.9
EPSS
0.0%
CVE-2018-25364 HIGH POC This Week

Twitter-Clone 1 contains a SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the name parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi PHP
NVD Exploit-DB GitHub VulDB
CVSS 4.0
8.8
EPSS
0.1%
CVE-2018-25363 MEDIUM POC This Month

Twitter-Clone 1 contains a cross-site request forgery vulnerability that allows remote attackers to force victims to delete posts by crafting malicious HTML forms. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

CSRF PHP
NVD Exploit-DB GitHub VulDB
CVSS 4.0
5.3
EPSS
0.0%
CVE-2018-25362 HIGH POC This Week

Twitter-Clone 1 contains a SQL injection vulnerability in follow.php that allows attackers to manipulate database queries by injecting SQL code through the userid parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi PHP
NVD Exploit-DB GitHub VulDB
CVSS 4.0
8.8
EPSS
0.0%
CVE-2026-9451 LOW POC Monitor

SQL injection in code-projects Employee Management System 1.0 allows remote low-privileged attackers to manipulate the `ID` parameter in `/process/applyleaveprocess.php`, enabling unauthorized database read and write operations with partial impact across confidentiality, integrity, and availability. A publicly available proof-of-concept exploit exists on GitHub, though no confirmed active exploitation (CISA KEV) has been recorded. EPSS at 0.03% (8th percentile) and an SSVC assessment of 'not automatable' indicate low broad exploitation likelihood, though the accessible POC meaningfully lowers the barrier for targeted manual attacks against organizations running this application.

PHP SQLi Employee Management System
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-9450 LOW POC Monitor

SQL injection in the /psubmit.php endpoint of code-projects Employee Management System 1.0 enables authenticated remote attackers to manipulate the pid parameter and inject arbitrary SQL commands against the backend database. A public proof-of-concept exploit has been released on GitHub, reducing the skill barrier for exploitation against unpatched deployments. Despite a low CVSS 4.0 base score of 2.1 reflecting partial impact scope and low-privilege requirements, the combination of network accessibility and public PoC warrants prompt remediation for any internet-facing instance; no public exploit identified meets CISA KEV criteria, and no vendor-released patch has been confirmed at time of analysis.

PHP SQLi Employee Management System
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-9449 LOW POC Monitor

SQL injection in code-projects Employee Management System 1.0 exposes the /changepassemp.php password-change endpoint to database manipulation by authenticated low-privilege users over the network. The CVSS 4.0 score of 2.1 reflects limited, non-cascading impact - partial confidentiality, integrity, and availability degradation confined to the vulnerable component with no downstream system scope change. A publicly available proof-of-concept exploit exists on GitHub, though the EPSS score of 0.03% (8th percentile) and SSVC 'automatable: no' classification indicate this is unlikely to see widespread opportunistic exploitation; no public exploit identified at time of analysis corroborating active KEV-level campaigns.

PHP SQLi Employee Management System
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-9448 LOW POC Monitor

Reflected cross-site scripting in code-projects Employee Management System 1.0 allows remote unauthenticated attackers to inject arbitrary JavaScript into victim browsers via the unsanitized `id` parameter in `/applyleave.php`. The attack requires victim interaction (UI:P per CVSS 4.0), meaning a victim must visit or be socially engineered into clicking a crafted URL. Publicly available exploit code exists on GitHub (no public exploit identified at time of analysis for widespread KEV-confirmed exploitation), though EPSS at 0.03% (10th percentile) signals negligible observed exploitation activity at scale.

PHP XSS Employee Management System
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-9447 MEDIUM POC This Month

SQL injection in SourceCodester Simple POS and Inventory System 1.0 exposes the application to unauthenticated remote data extraction and manipulation via the Name parameter in /user/search.php. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms no authentication or user interaction is required, and a publicly available proof-of-concept exploit (GitHub gist) lowers the bar for exploitation. No active exploitation has been confirmed in CISA KEV, and the EPSS score of 0.03% (9th percentile) indicates limited real-world exploitation activity at time of analysis despite the public POC.

PHP SQLi Simple Pos And Inventory System
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-9446 LOW POC Monitor

SQL injection in SourceCodester Simple POS and Inventory System 1.0 allows remote authenticated administrators to manipulate database queries via the ID parameter in /admin/edit_customer.php. The vulnerability is tagged CWE-89 and carries a CVSS 4.0 base score of 2.0, reflecting the high privilege requirement that significantly limits the attacker pool to those with existing admin access. Publicly available exploit code exists (hosted on GitHub Gist), though EPSS remains very low at 0.03% (8th percentile), and no CISA KEV listing is present - indicating no confirmed widespread exploitation at time of analysis.

PHP SQLi Simple Pos And Inventory System
NVD VulDB GitHub
CVSS 4.0
2.0
EPSS
0.0%
CVE-2026-9445 LOW POC Monitor

Unrestricted file upload in SourceCodester Simple POS and Inventory System 1.0 allows authenticated remote attackers to upload arbitrary files through the image argument of /admin/addproduct.php, potentially enabling web shell deployment and remote code execution. A publicly available proof-of-concept exploit exists (GitHub gist), and SSVC confirms exploitation: poc status. Despite the severe nature of CWE-434 unrestricted upload flaws, EPSS sits at 0.04% (11th percentile) and CISA has not added this to KEV, indicating limited observed exploitation in the wild at time of analysis.

PHP File Upload Simple Pos And Inventory System
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-9444 LOW POC Monitor

SQL injection in SourceCodester Simple POS and Inventory System 1.0 allows a remote, high-privileged (admin-level) attacker to manipulate database queries via the unsanitized 'ID' GET parameter in /admin/deleteproduct.php. Successful exploitation yields partial read, write, and availability impact on the underlying database. No public exploit identified at time of analysis is incorrect - publicly available exploit code exists (GitHub gist), though no confirmed active exploitation (KEV) has been observed, and the EPSS score of 0.03% reflects minimal real-world exploitation pressure.

PHP SQLi Simple Pos And Inventory System
NVD VulDB GitHub
CVSS 4.0
2.0
EPSS
0.0%
CVE-2026-9438 LOW POC Monitor

Resource injection in yashpokharna2555's StudentManagementSystem allows low-privileged remote attackers to manipulate the ID parameter in courseDel.php to control which course records are deleted or affected, resulting in unauthorized data integrity and availability impact. The flaw affects the specific git commit cb2f558ddf8d19396de0f92abf2d224d46a0a203 and exploit code is publicly available via a GitHub issue. No patch has been released, and the project maintainer has not responded to the disclosure.

PHP Information Disclosure Studentmanagementsystem
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-9421 MEDIUM This Month

Unrestricted file upload in KLiK SocialMediaWebsite 1.0 exposes the application to unauthenticated remote exploitation via the `uniqid` function in `upload.inc.php`. The File Handler component fails to validate uploaded file types (CWE-434), allowing an attacker to upload PHP webshells or other executable files without any authentication - confirmed by the CVSS 4.0 vector PR:N/UI:N. Exploit code has been publicly disclosed (CVSS E:P, referenced via VulDB), though EPSS remains low at 0.04% and the vulnerability is not listed in CISA KEV, indicating no confirmed widespread exploitation at time of analysis.

PHP File Upload Klik Socialmediawebsite
NVD VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-9419 LOW POC Monitor

Reflected cross-site scripting in code-projects Employee Management System 1.0 allows unauthenticated remote attackers to inject and execute arbitrary JavaScript in a victim's browser by manipulating the `ID` parameter of `/empproject.php`. A publicly available proof-of-concept exploit exists on GitHub, lowering the barrier to exploitation, though user interaction is required to trigger the payload. No active exploitation has been confirmed by CISA KEV, and the EPSS score of 0.03% places this in the bottom 10th percentile of exploitation likelihood, consistent with the low CVSS 4.0 score of 2.1.

PHP XSS Employee Management System
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-9418 LOW POC Monitor

Reflected cross-site scripting in code-projects Employee Management System 1.0 allows remote unauthenticated attackers to inject malicious scripts into victim browsers via the unsanitized 'ID' parameter in /changepassemp.php. Exploitation requires user interaction (UI:P per CVSS 4.0), limiting mass exploitation, but a publicly available proof-of-concept exploit exists on GitHub. No patch has been identified from the vendor; EPSS of 0.03% (10th percentile) indicates low observed exploitation probability, and this CVE is not listed in the CISA KEV catalog.

PHP XSS Employee Management System
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-9417 LOW POC Monitor

Cross-site scripting in code-projects Employee Management System 1.0 allows remote, unauthenticated attackers to inject malicious scripts via the ID parameter of /myprofileup.php, requiring only passive user interaction to execute. A publicly available proof-of-concept exploit exists on GitHub, though EPSS at 0.03% (10th percentile) and SSVC's 'not automatable' rating indicate minimal observed real-world exploitation activity. The vulnerability is limited to partial integrity impact on the vulnerable system with no confidentiality or availability impact, consistent with the CVSS 4.0 score of 2.1.

PHP XSS Employee Management System
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-9416 LOW POC Monitor

Reflected cross-site scripting in code-projects Employee Management System 1.0 allows remote unauthenticated attackers to inject and execute malicious JavaScript in a victim's browser by manipulating the `id` parameter of `/myprofile.php`. Exploitation requires passive user interaction (UI:P) - the victim must load a crafted URL - which constrains automated attack chains. A public proof-of-concept is confirmed available on GitHub, though the EPSS score of 0.03% (10th percentile) indicates minimal real-world exploitation activity; the vulnerability is not listed in CISA KEV.

PHP XSS Employee Management System
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-9415 LOW POC Monitor

Reflected cross-site scripting in code-projects Employee Management System 1.0 allows remote unauthenticated attackers to inject and execute malicious scripts in a victim's browser via the ID parameter of /eloginwel.php. Exploitation requires user interaction (UI:P per CVSS 4.0), limiting automatable mass exploitation, though a publicly available proof-of-concept lowers the technical bar for targeted attacks. No vendor patch has been identified at time of analysis, and the EPSS score of 0.03% (10th percentile) indicates low observed exploitation probability despite POC availability.

PHP XSS Employee Management System
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-9414 LOW POC Monitor

Stored cross-site scripting in SourceCodester Indian Invoicing System versions 0.x and 1.0 allows a low-privileged authenticated attacker to inject malicious JavaScript via the `customer_name` parameter in `/Invoicing/add_order.php`, which is persisted to the database and executed in the browsers of users who subsequently view the rendered invoice template. A public proof-of-concept exploit is available on GitHub (gist by c4ttr4ck), though EPSS sits at only 0.03% (9th percentile) and the vulnerability is not listed in CISA KEV, indicating no confirmed widespread exploitation. Impact is limited to partial integrity on the vulnerable system with no confidentiality or availability consequences, consistent with the CVSS 4.0 score of 2.0.

PHP XSS Indian Invoicing System
NVD VulDB GitHub
CVSS 4.0
2.0
EPSS
0.0%
CVE-2026-9413 LOW POC Monitor

Reflected cross-site scripting (XSS) in SourceCodester Indian Invoicing System 1.0 allows unauthenticated remote attackers to inject and execute malicious scripts in a victim's browser by manipulating the `msg` parameter in `/Invoicing/category.php`. A proof-of-concept exploit is publicly available on GitHub. Despite the public POC, EPSS stands at just 0.03% (10th percentile) and the vulnerability is absent from CISA KEV, reflecting the narrow deployment footprint of this niche PHP invoicing application and the user-interaction requirement that limits automated exploitation.

PHP XSS Indian Invoicing System
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-9411 LOW POC Monitor

SQL injection in SourceCodester Indian Invoicing System 1.0 allows a remote, low-privileged authenticated attacker to manipulate database queries through the customer_name and category parameters in /Invoicing/IGST_Invoice.php. The vulnerability yields partial confidentiality, integrity, and availability impact against the underlying database. No public exploit identified at time of analysis is incorrect - publicly available exploit code exists (GitHub gist), though the application is a niche, open-source invoicing tool with limited deployment footprint and no confirmed active exploitation in the wild.

PHP SQLi Indian Invoicing System
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-48832 LOW PATCH Monitor

Open redirect in SPIP's ecrire subsystem allows authenticated remote attackers with low privileges to redirect victims to arbitrary external URLs via the action/cookie.php endpoint, affecting all SPIP versions prior to 4.4.15. The CVSS score of 3.5 (Low) is consistent with EPSS at 0.03% (7th percentile) and SSVC's determination of no exploitation and partial technical impact, making this a low-urgency but patchable flaw. No public exploit identified at time of analysis, and CISA KEV does not list this vulnerability.

PHP Open Redirect Spip
NVD VulDB
CVSS 3.1
3.5
EPSS
0.0%
CVE-2026-9383 MEDIUM POC This Month

SQL injection in itsourcecode Electronic Judging System 1.0 exposes the admin login endpoint at /intrams/admin/login.php to unauthenticated remote attackers who can manipulate the Username parameter to alter backend SQL query logic. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms this is exploitable over the network with no privileges or user interaction, and publicly available exploit code (E:P) further lowers the barrier to entry. Although EPSS sits at 0.03% (9th percentile) indicating low observed exploitation activity, no vendor patch has been identified at time of analysis, leaving all known deployments of version 1.0 without an official remediation path.

PHP SQLi Electronic Judging System
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-9377 LOW POC Monitor

Cross-site scripting in SourceCodester SUP Online Shopping 1.0 is exploitable via the productName parameter in /admin/productedit.php, where unsanitized input is rendered back to the browser without proper encoding. An attacker already holding high-privilege admin credentials can inject a JavaScript payload that executes when another user interacts with the affected admin page. Publicly available exploit code exists per a referenced GitHub issue, though EPSS at 0.03% (9th percentile) and absence from CISA KEV indicate negligible active exploitation interest at time of analysis.

PHP XSS Sup Online Shopping
NVD VulDB GitHub
CVSS 4.0
1.9
EPSS
0.0%
CVE-2026-9364 MEDIUM POC This Month

SQL injection in Online Art Gallery Shop 1.0 allows unauthenticated remote attackers to manipulate database queries through the social_linked parameter in /admin/adminHome.php. The vulnerability has publicly available exploit code and a CVSS score of 7.3, indicating high severity with the ability to impact confidentiality, integrity, and availability of the application.

PHP SQLi
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-9356 MEDIUM POC This Month

SQL injection in SourceCodester Hospitals Patient Records Management System 1.0 enables remote unauthenticated attackers to manipulate database queries through the ID parameter in /admin/patients/manage_history.php. Public exploit code exists (GitHub), though not listed in CISA KEV. The vulnerability carries moderate risk with CVSS 7.3 reflecting potential for data theft and manipulation of patient records.

PHP SQLi
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-9355 MEDIUM POC This Month

SQL injection in SourceCodester Hospitals Patient Records Management System 1.0 allows remote attackers to compromise patient data without authentication via manipulated ID parameter in /classes/Master.php?f=save_patient_history. The vulnerability has publicly available exploit code (GitHub) and enables unauthorized database access with potential to read, modify, or delete patient records. CVSS 7.3 indicates moderate severity with no exploitation prerequisites.

PHP SQLi
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-9342 LOW POC Monitor

SQL injection in SourceCodester Hospitals Patient Records Management System 1.0 allows authenticated attackers to extract, modify, or delete database records via the ID parameter in /admin/patients/view_history.php. The vulnerability requires low-privilege authenticated access (PR:L) but has low attack complexity (AC:L) and can be exploited remotely. Publicly available exploit code exists on GitHub (referenced in VulDB entry), enabling immediate weaponization by threat actors. EPSS data not available, and the vulnerability is not currently listed in CISA KEV, indicating exploitation may be limited or targeted rather than widespread. The CVSS 6.3 (Medium) rating reflects partial impact across confidentiality, integrity, and availability (C:L/I:L/A:L).

PHP SQLi
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2018-25357 PHP CRITICAL POC PATCH GHSA Act Now

Dolibarr ERP CRM 7.0.3 contains a remote code evaluation vulnerability that allows unauthenticated attackers to execute arbitrary code by injecting PHP code through the db_name parameter. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Code Injection PHP RCE
NVD Exploit-DB GitHub
CVSS 4.0
9.3
EPSS
0.2%
CVE-2018-25352 HIGH POC This Week

WordPress Ultimate Form Builder Lite plugin version 1.3.7 and below contains an SQL injection vulnerability that allows authenticated attackers to manipulate database queries by injecting SQL code. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi WordPress
NVD Exploit-DB
CVSS 4.0
7.1
EPSS
0.0%
CVE-2018-25350 CRITICAL POC Act Now

userSpice 4.3.24 contains a username enumeration vulnerability that allows unauthenticated attackers to discover valid usernames by sending POST requests to the existingUsernameCheck.php endpoint. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure PHP
NVD Exploit-DB
CVSS 4.0
9.3
EPSS
0.1%
CVE-2018-25349 MEDIUM POC This Month

userSpice 4.3.24 contains a cross-site scripting vulnerability that allows attackers to inject malicious scripts through the X-Forwarded-For HTTP header. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP XSS
NVD Exploit-DB
CVSS 4.0
5.1
EPSS
0.0%
CVE-2018-25343 MEDIUM POC This Month

Smartshop 1 contains a cross-site request forgery vulnerability that allows attackers to modify user profiles by tricking authenticated users into submitting malicious requests. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP CSRF
NVD Exploit-DB GitHub
CVSS 4.0
5.3
EPSS
0.0%
CVE-2018-25342 HIGH POC This Week

Smartshop 1 contains a time-based blind SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the 'searched' parameter in. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi
NVD Exploit-DB GitHub
CVSS 4.0
8.8
EPSS
0.1%
CVE-2018-25341 HIGH POC This Week

Smartshop 1 contains a SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the id parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi
NVD Exploit-DB GitHub
CVSS 4.0
8.8
EPSS
0.1%
CVE-2018-25340 HIGH POC This Week

Smartshop 1 contains a SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the id parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi
NVD Exploit-DB GitHub
CVSS 4.0
8.8
EPSS
0.1%
CVE-2026-9302 LOW POC Monitor

Remote code injection in vps-inventory-monitoring allows authenticated attackers to execute arbitrary PHP code through the VpsTest console command. The vulnerability exists in the eval() function within VpsTest.php, exploitable by manipulating the 'vf' parameter with low attack complexity. Publicly available exploit code exists (GitHub POC published), and the maintainer has not responded to early disclosure attempts. CVSS 6.3 reflects moderate impact across confidentiality, integrity, and availability, with EPSS data unavailable but risk elevated by confirmed POC and unresponsive vendor.

PHP Code Injection RCE
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.1%
CVE-2026-46670 PHP CRITICAL POC PATCH GHSA Act Now

Unauthenticated SQL injection in YesWiki's Bazar form-import path allows any remote visitor to inject arbitrary SQL into an INSERT statement and exfiltrate the entire database, including yeswiki_users.password hashes. Affects YesWiki 4.6.1, 4.6.2, and the doryphore-dev branch prior to 4.6.4. Publicly available exploit code exists (a working Python PoC is published in the GHSA advisory), though no public exploit identified in CISA KEV at time of analysis.

PHP Python SQLi Docker
NVD GitHub
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-7615 MEDIUM This Month

Cross-Site Request Forgery in the Widget Context WordPress plugin (all versions ≤ 1.3.3) allows unauthenticated attackers to modify widget visibility context settings stored in the WordPress options table by forging a POST request to /wp-admin/widgets.php. The root cause is missing or incorrect nonce validation in the save_widget_context_settings function, confirmed by Wordfence and corroborated by source code references at WidgetContext.php lines 91, 282, and 311. Exploitation requires social engineering a logged-in administrator into clicking an attacker-controlled link; no public exploit identified at time of analysis and the vulnerability is not listed in CISA KEV.

WordPress PHP CSRF Widget Context
NVD GitHub VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-46640 PHP HIGH PATCH GHSA This Week

Arbitrary PHP code execution in Twig templating engine versions 3.15.0 through 3.25.x allows attackers who control template source to inject raw PHP into the compiled template via the `_self.(<string>)` dynamic-attribute macro-reference path, fully bypassing the SandboxExtension. The flaw executes injected code at template-load time, before any SecurityPolicy check runs, rendering even a globally-enabled empty allowlist sandbox ineffective. No public exploit identified at time of analysis, but the vendor advisory describes the bypass mechanism in enough detail that PoC development is straightforward.

PHP Code Injection RCE
NVD GitHub
CVSS 4.0
8.7
EPSS
0.1%
CVE-2026-46639 PHP HIGH PATCH GHSA This Week

Sandbox escape in Twig 3.24.0 through 3.25.x lets an attacker with write access to a sandboxed template read arbitrary public properties and invoke any public getter on objects exposed to the template, bypassing the SandboxExtension's SecurityPolicy allowlists. The flaw exists because the object-destructuring compiler hardcodes the $sandboxed flag to false when emitting CoreExtension::getAttribute() calls, so policy checks never run for destructuring expressions whenever the {% do %} tag is permitted. No public exploit identified at time of analysis, but the issue was responsibly disclosed with vendor-confirmed root cause and an upstream patch.

PHP Authentication Bypass
NVD GitHub
CVSS 4.0
7.1
EPSS
0.1%
CVE-2026-46635 PHP MEDIUM PATCH GHSA This Month

Twig's sandbox security policy is bypassed via the `column` filter when processing arrays of PHP objects, allowing an untrusted template author to read any public or magic property of any object reachable in the render context - completely circumventing the `SecurityPolicy`'s `allowedProperties` restrictions. All twig/twig versions prior to 3.26.0 are affected when sandbox mode is active and untrusted authors have `column` in their `allowedFilters`. This is a structural variant of CVE-2024-51755 that the prior ArrayAccess-focused fix left uncovered; no public exploit has been identified at time of analysis, and the fix is confirmed in Twig 3.26.0.

PHP Authentication Bypass
NVD GitHub
CVSS 4.0
5.3
EPSS
0.0%
CVE-2026-46633 PHP HIGH PATCH GHSA This Week

PHP code injection in Twig template engine versions before 3.26.0 allows attackers controlling template names in `{% use %}` tags to break out of compiled cache file string literals and execute arbitrary PHP code. The flaw bypasses the Twig sandbox entirely because `SecurityPolicy` unconditionally permits `{% use %}` regardless of `allowedTags` configuration. No public exploit identified at time of analysis, but the GitHub Security Advisory (GHSA-7p85-w9px-jpjp) discloses the full exploitation primitive.

PHP Code Injection RCE
NVD GitHub
CVSS 4.0
8.7
EPSS
0.4%
CVE-2026-8428 PHP HIGH PATCH GHSA This Week

Cross-site request forgery in Concrete CMS 9.5.0 and earlier allows remote attackers to coerce an authenticated administrator's browser into triggering a core CMS upgrade to an attacker-chosen version. The dashboard's do_update() controller emits a CSRF token in the rendered POST form but never calls $this->token->validate('do_update'), leaving the update workflow effectively unauthenticated against forged cross-origin requests. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

PHP CSRF
NVD
CVSS 4.0
7.5
EPSS
0.0%
CVE-2026-8426 PHP HIGH PATCH GHSA This Week

Remote code execution in Concrete CMS 9.5.0 and earlier is achievable through a CSRF flaw in the /dashboard/extend/update/prepare_remote_upgrade/<remoteMPID> endpoint, which fails to validate anti-CSRF tokens. An attacker who controls a marketplace package matching an item ID already installed on the victim site can overwrite package PHP files and trigger the upgrade() method via a single navigation by a privileged admin, resulting in code execution as the web server user. No public exploit identified at time of analysis, though the vendor (Concrete CMS security team) has acknowledged and rated the issue at CVSS 4.0 7.5.

PHP CSRF RCE
NVD
CVSS 4.0
7.5
EPSS
0.1%
CVE-2026-8421 PHP HIGH PATCH GHSA This Week

Cross-site request forgery in Concrete CMS 9.5.0 and earlier allows remote attackers to coerce an authenticated administrator with canInstallPackages permission into installing an attacker-controlled package, resulting in remote code execution as the web server user. The flaw resides in the install_package() method of the dashboard's extend/install.php controller, which lacks CSRF token validation. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

PHP CSRF RCE
NVD
CVSS 4.0
7.5
EPSS
0.1%
CVE-2026-8350 PHP HIGH PATCH GHSA This Week

Privilege escalation in Concrete CMS 9.5.0 and earlier allows authenticated users with access to the bulk user assignment dashboard to add arbitrary accounts to the Administrators group and remove existing admins, effectively hijacking site control. The flaw stems from missing authorization checks in bulk_user_assignment.php and was disclosed with a vendor-assigned CVSS v4.0 score of 7.5. No public exploit identified at time of analysis, and the issue is not present in CISA KEV.

PHP Authentication Bypass Privilege Escalation
NVD
CVSS 4.0
7.5
EPSS
0.0%
CVE-2026-8197 PHP HIGH PATCH GHSA This Week

Stored cross-site scripting in Concrete CMS 9.5.0 and earlier allows a high-privileged admin to inject arbitrary HTML/JavaScript into the OAuth authorize template via the integration name field. The flaw arises because the integration name is wrapped in <strong> tags by PHP string interpolation before being passed to the t() translation helper, causing the resulting raw HTML to be rendered when end users view the OAuth consent screen. No public exploit identified at time of analysis, but a rogue or compromised admin could potentially harvest OAuth login submissions from victims.

PHP XSS
NVD
CVSS 4.0
7.3
EPSS
0.0%
CVE-2026-8140 PHP HIGH PATCH GHSA This Week

Cross-site request forgery in Concrete CMS 9.5.0 and earlier allows remote attackers to coerce authenticated administrators into downloading arbitrary marketplace packages to the server's DIR_PACKAGES directory by luring them to a crafted page that triggers the unprotected /dashboard/extend/install/download/<remoteId> GET endpoint. The vendor assigned CVSS 4.0 of 7.5 reflecting high impact on confidentiality, integrity, and availability, though no public exploit identified at time of analysis and the flaw is not listed in CISA KEV.

PHP CSRF
NVD
CVSS 4.0
7.5
EPSS
0.0%
CVE-2026-7879 PHP MEDIUM PATCH This Month

Unauthorized file download in Concrete CMS 9.5.0 and below exposes permission-restricted files via a broken authorization check in the file download controller. The submit_password() method in download_file.php processes file access without enforcing the view_file permission gate, producing two exploitable paths: any unauthenticated network actor can retrieve files that carry no password protection, and any actor who possesses a file's password can retrieve that file regardless of whether their account holds view_file permission. No public exploit has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog.

PHP Authentication Bypass Concrete Cms
NVD
CVSS 4.0
6.3
EPSS
0.0%
CVE-2026-46643 PHP HIGH PATCH GHSA This Week

Command injection in KnpLabs Snappy PHP library (versions <= 1.7.0) allows attackers to execute arbitrary OS commands when the wkhtmltopdf/wkhtmltoimage binary path is attacker-influenced. An inverted is_executable() check around escapeshellarg() renders the safe branch dead code, causing the binary path to be concatenated unescaped into the shell command. Publicly available exploit code exists (vendor-published PoC in the advisory), but no public exploit identified at time of analysis in CISA KEV.

PHP Command Injection
NVD GitHub VulDB
CVSS 4.0
7.5
EPSS
0.0%
CVE-2026-46683 PHP MEDIUM PATCH GHSA This Month

Server-Side Request Forgery (SSRF) and local file read in KnpLabs Snappy (composer package knplabs/knp-snappy <= 1.6.0) allows remote attackers to exfiltrate sensitive server files by injecting a file:// URI into the xsl-style-sheet PDF generation option. When applications pass unsanitized user input directly to the Snappy library's generate() method, wkhtmltopdf processes attacker-controlled URIs including file:// scheme paths, enabling reads of files such as /etc/passwd. No public exploit has been identified at time of analysis, and this is not listed in CISA KEV, but the attack pattern is straightforward and exploitability is high in vulnerable deployments where PHP runs as root outside a container.

PHP SSRF
NVD GitHub VulDB
CVSS 4.0
6.9
EPSS
0.0%
CVE-2026-8417 PHP HIGH PATCH GHSA This Week

Cross-site request forgery in Concrete CMS 9.5.0 and earlier allows remote attackers to coerce an authenticated administrator into triggering arbitrary package upgrades by luring them to a malicious page that issues a single GET to /dashboard/extend/update/do_update/<pkgHandle>. The do_update() handler only checks the canInstallPackages() permission and omits CSRF token validation on this state-changing route, so a cross-site navigation is sufficient to invoke upgradeCoreData() and the package controller's upgrade() routine. No public exploit identified at time of analysis and no CISA KEV listing; EPSS not provided.

PHP CSRF
NVD VulDB
CVSS 4.0
7.5
EPSS
0.0%
CVE-2026-8135 PHP HIGH PATCH GHSA This Week

Remote code execution in Concrete CMS versions 5.0 through 9.5.0 allows a high-privileged administrator to bypass the platform's `_fromCIF` deserialization guard by submitting malicious payloads through the REST API instead of standard form POST requests. The flaw resides in the ExpressEntryList block controller (CWE-502) and stores a serialized PHP gadget in the `filterFields` database column, which is unmarshalled when another administrator subsequently views or edits the block, leading to full server takeover. No public exploit identified at time of analysis, and the issue is not present in CISA KEV.

Deserialization PHP RCE
NVD VulDB
CVSS 4.0
8.9
EPSS
0.1%
CVE-2026-8134 PHP CRITICAL PATCH GHSA Act Now

Authenticated remote code execution in Concrete CMS 9.5.0 and earlier allows an administrator with composer form editing privileges to chain a path traversal flaw in the ptComposerFormLayoutSetControlCustomTemplate field with the platform's permissive file uploader to execute arbitrary PHP on the server. The vendor scored this 9.4 (CVSS v4.0) reflecting high confidentiality, integrity, and availability impact across both the vulnerable component and downstream subsequent systems. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.

LFI PHP Path Traversal RCE
NVD VulDB
CVSS 4.0
9.4
EPSS
0.4%
CVE-2026-48249 HIGH PATCH This Week

Missing TLS certificate verification in Open ISES Tickets before 3.44.2 allows network-positioned attackers to intercept and tamper with outbound HTTPS traffic from the mobile (RouteMate) login flow, exposing API keys and session-bearing data. The flaw stems from rm/incs/mobile_login.inc.php disabling CURLOPT_SSL_VERIFYPEER and omitting CURLOPT_SSL_VERIFYHOST. No public exploit identified at time of analysis, and the issue is one of 88 security fixes shipped in the v3.44.2 release.

Information Disclosure PHP
NVD GitHub VulDB
CVSS 4.0
8.2
EPSS
0.0%
CVE-2026-48248 HIGH PATCH This Week

Man-in-the-middle interception of authentication traffic in Open ISES Tickets before 3.44.2 is possible because the application's login flow in incs/login.inc.php disables TLS certificate verification on outbound HTTPS requests. Network-positioned attackers can present forged certificates to capture or modify API keys and session-bearing data exchanged during login. No public exploit identified at time of analysis, though the fix is bundled into a broader critical security release that also addresses 69 XSS and 19 SQL injection issues.

Information Disclosure PHP
NVD GitHub VulDB
CVSS 4.0
8.2
EPSS
0.0%
EPSS 0% CVSS 2.1
LOW POC Monitor

SQL injection in itsourcecode Courier Management System 1.0 allows low-privileged authenticated remote attackers to manipulate backend database queries via the unsanitized 's' parameter in /parcel_list.php. A proof-of-concept exploit is publicly available on GitHub, meaningfully lowering the barrier to exploitation despite the low CVSS 4.0 score of 2.1. No vendor patch has been identified at time of analysis, leaving deployments reliant on compensating controls.

PHP SQLi
NVD VulDB GitHub
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Pre-authentication path traversal in Kirby CMS versions 5.3.0 through 5.4.0 lets remote attackers manipulate the user ID used during account lookup to escape the site/accounts directory, enabling inclusion of arbitrary PHP files named index.php (such as plugin entrypoints) and probing for the existence of arbitrary server directories. The flaw is reachable through the unauthenticated authentication API and affects all Kirby sites on these versions regardless of configuration. The vendor rates it high (CVSS 8.8); there is no public exploit identified at time of analysis and it is not listed in CISA KEV.

Path Traversal PHP
NVD GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in itsourcecode Courier Management System 1.0 lets remote attackers manipulate the 'ID' parameter of /manage_user.php to inject arbitrary SQL into backend database queries. Per the CVSS vector (PR:N) no authentication is required, and publicly available exploit code exists, though the flaw is not listed in CISA KEV and carries only low (C:L/I:L/A:L) per-impact ratings.

PHP SQLi
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM POC This Month

Missing authorization in SourceCodester eDoc Doctor Appointment System 1.0 exposes the /admin/delete-session.php endpoint to unauthenticated remote attackers who can manipulate the ID parameter to delete arbitrary appointment sessions without any credential or privilege. The CVSS 4.0 vector confirms network-accessible, zero-complexity exploitation with no authentication required (PR:N), though impact is bounded to low integrity and availability degradation with no confidentiality loss. A publicly available exploit script (poc.sh) on GitHub confirms practical exploitability, though the vulnerability is not currently listed in CISA KEV.

PHP Authentication Bypass
NVD GitHub VulDB
EPSS 0% CVSS 2.1
LOW POC Monitor

Information exposure via verbose SQL error messages in SourceCodester CET Automated Grading System with AI Predictive Analytics 1.0 enables authenticated remote attackers to harvest internal database details by manipulating the /index.php SQL Handler endpoint. The application returns raw SQL error output rather than sanitized application-level messages, leaking schema structure, table names, or query internals. A public proof-of-concept exploit is available on GitHub; this CVE is not listed in the CISA KEV catalog, and the CVSS 4.0 score of 2.1 reflects the low-severity, confidentiality-only impact.

Information Disclosure PHP
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in code-projects Project Management System 1.0 allows remote unauthenticated attackers to manipulate database queries through the login handler (chk.php). The flaw stems from unsanitized input being passed into a SQL statement, enabling authentication-context query tampering and data disclosure. Publicly available exploit code exists, though the vulnerability is not listed in CISA KEV and no active exploitation is confirmed.

PHP SQLi
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in itsourcecode Student Transcript Processing System 1.0 exposes the admin panel endpoint `/admin/modules/class/index.php?view=view` to remote unauthenticated database manipulation via the unsanitized `id` parameter. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms no authentication or user interaction is required, making this trivially reachable from the network. A public proof-of-concept exploit has been disclosed on GitHub, and SSVC flags this as automatable with partial technical impact - though EPSS at 0.03% (9th percentile) reflects limited observed in-the-wild activity; no public exploit identified at time of analysis reaching KEV status.

PHP SQLi Student Transcript Processing System
NVD VulDB GitHub
EPSS 0% CVSS 2.3
LOW PATCH Monitor

Resource quota bypass in Pterodactyl Panel prior to 1.12.3 allows authenticated users to exceed their assigned database allocation limits by exploiting a broken concurrency guard in the Client API. The `lockForUpdate()` call in `DatabaseController.php` is a non-terminating Laravel query builder call that never issues an actual SQL lock, making it a no-op that enables parallel requests to simultaneously pass the limit check. No public exploit has been identified at time of analysis; with EPSS at 0.04% (12th percentile) and no KEV listing, real-world exploitation risk is currently low but relevant to multi-tenant hosting deployments.

PHP Authentication Bypass
NVD GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in itsourcecode Student Transcript Processing System 1.0 allows remote unauthenticated attackers to manipulate backend database queries by supplying crafted values for the studentId or cid parameters in /admin/modules/student/trans.php. The CVSS 4.0 vector (PR:N, AC:L, UI:N) confirms exploitation requires no authentication and no user interaction, and a proof-of-concept is publicly available via a GitHub issue. No public KEV listing exists and EPSS sits at 0.03% (9th percentile), indicating limited threat-actor uptake thus far - likely due to the narrow deployment footprint of this niche educational PHP application.

PHP SQLi Student Transcript Processing System
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in itsourcecode Student Transcript Processing System 1.0 exposes the application to unauthenticated remote database manipulation via the studentId parameter in the admin student view endpoint. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms no privileges or user interaction are required, and publicly available exploit code exists on GitHub. Despite the remote, unauthenticated attack surface and POC availability, EPSS sits at only 0.03% (9th percentile), indicating limited real-world exploitation uptake at time of analysis; no CISA KEV listing has been issued.

PHP SQLi Student Transcript Processing System
NVD VulDB GitHub
EPSS 0% 4.9 CVSS 9.3
CRITICAL POC KEV PATCH THREAT Act Now

Remote code execution in Mirasvit Full Page Cache Warmer for Magento 2 before 1.11.12 allows unauthenticated attackers to execute arbitrary code by sending a crafted serialized PHP object in the CacheWarmer cookie. The flaw is confirmed actively exploited (CISA KEV) with publicly available exploit code, and successful exploitation chains Magento and dependency gadget chains via an unsafe call to unserialize(). Despite a low EPSS score (0.10%), KEV listing and CVSS 9.3 indicate this is a high-priority patch for any Magento 2 store running the module.

PHP Adobe Deserialization +2
NVD VulDB
EPSS 0% CVSS 7.5
HIGH This Week

Unauthenticated information disclosure in Check Point Quantum Security Gateway allows remote attackers to read internal files on the appliance when the Identity Awareness blade is configured with Browser-Based Authentication. The flaw maps to CWE-98 (PHP file inclusion) and carries a CVSS 7.5 with confidentiality-only impact; EPSS is low (0.10%) and there is no public exploit identified at time of analysis, but the unauthenticated network reach against a perimeter gateway makes triage urgent for affected deployments.

PHP Information Disclosure LFI +1
NVD VulDB
EPSS 0% CVSS 2.1
LOW POC Monitor

SQL injection in CodeAstro Leave Management System 1.0 allows authenticated remote attackers to manipulate the `email_id` parameter in `/admin/add_staff.php`, enabling arbitrary SQL query manipulation against the underlying database. The CVSS 4.0 score of 2.1 (Low) reflects constrained impact scope - confidentiality, integrity, and availability are each rated Low with no lateral impact to subsequent systems - and EPSS at 0.03% (8th percentile) indicates negligible real-world exploitation probability despite a publicly available proof-of-concept on GitHub. No active exploitation has been confirmed and this CVE is not listed in the CISA KEV catalog.

PHP SQLi Leave Management System
NVD VulDB GitHub
EPSS 0% CVSS 7.5
HIGH This Week

Local File Inclusion in Magentech SW Core WordPress plugin (versions through 1.7.18) allows authenticated remote attackers to coerce the application into including arbitrary PHP files via improperly validated filename input. Successful exploitation results in disclosure of sensitive server-side files and potential code execution under the web server context. No public exploit has been identified at time of analysis, and EPSS exploitation probability is low at 0.11%.

PHP Information Disclosure LFI +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in itsourcecode Electronic Judging System 1.0 exposes the /admin/delete_judge.php endpoint to remote unauthenticated attackers who can manipulate the judge_id parameter to execute arbitrary SQL against the backend database. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms no prerequisites are required to reach the vulnerable parameter, and a publicly available proof-of-concept exploit exists on GitHub, corroborated by the CVSS 4.0 exploit maturity modifier E:P. Despite these factors, EPSS sits at 0.03% (9th percentile), indicating no public exploit has yet driven widespread opportunistic scanning; no KEV listing confirms active exploitation in the wild at time of analysis.

PHP SQLi Electronic Judging System
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

Reflected cross-site scripting in itsourcecode Electronic Judging System 1.0 allows unauthenticated remote attackers to inject malicious scripts via the `fname` parameter of `/admin/judges.php`, executing arbitrary JavaScript in the context of a victim's browser session. The CVSS 4.0 score of 2.1 reflects the low integrity impact and mandatory user interaction, consistent with a reflected XSS that requires a victim to follow a crafted URL. No public exploit identified at time of analysis as KEV-listed, but a publicly available proof-of-concept exists on GitHub, slightly elevating practical risk despite the EPSS score of 0.03% (10th percentile).

PHP XSS Electronic Judging System
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in itsourcecode Electronic Judging System 1.0 allows remote unauthenticated attackers to manipulate the `num_id` parameter in `/admin/edit_team.php`, enabling unauthorized database read, write, and partial availability impact. The CVSS 4.0 vector confirms no authentication or user interaction is required (PR:N/UI:N), and publicly available exploit code exists on GitHub - though EPSS remains very low at 0.03% (9th percentile), suggesting limited real-world exploitation interest consistent with a niche, low-adoption PHP application. The vulnerability is not listed in CISA KEV, but the SSVC framework flags it as automatable, meaning opportunistic scanning tools could exploit it at scale against any internet-exposed deployment.

PHP SQLi Electronic Judging System
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in itsourcecode Electronic Judging System 1.0 exposes the /admin/edit_judge.php endpoint to unauthenticated remote attackers who can manipulate the judge_id parameter to execute arbitrary SQL against the backend database. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms exploitation requires no authentication, no user interaction, and no special preconditions. A public proof-of-concept exploit has been disclosed on GitHub, though EPSS at 0.03% (9th percentile) reflects the product's limited deployment footprint rather than low technical severity - no public exploit identified at time of analysis as confirmed actively exploited (CISA KEV).

PHP SQLi Electronic Judging System
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

Stored cross-site scripting in hemant6488's CodeIgniter-StudentManagementSystem allows remote unauthenticated attackers to inject arbitrary JavaScript via the Name argument of the addStudent function in view_students.php. When a victim user views the student listing, the injected script executes in their browser context, enabling session hijacking, credential theft, or defacement. A publicly available proof-of-concept exists via GitHub issue report; however, this vulnerability is not listed in CISA KEV, and EPSS scoring places exploitation probability at 0.03%, indicating low real-world exploitation activity despite POC availability.

PHP XSS Codeigniter Studentmanagementsystem
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

Improper access control in hemant6488's CodeIgniter-StudentManagementSystem exposes the student addition endpoint at /index.php/students/addStudentView to unauthenticated remote manipulation, enabling read, write, and partial availability impact on student data without credentials. The CVSS 4.0 vector (PR:N, AV:N, AC:L) confirms no authentication is required from any network, and a publicly available exploit (GitHub issue #5) has been documented. No vendor patch exists and the maintainer has not responded to the coordinated disclosure, leaving all deployed instances unmitigated.

PHP Authentication Bypass Codeigniter Studentmanagementsystem
NVD VulDB GitHub
EPSS 0% CVSS 9.8
CRITICAL Act Now

OS command injection in FastNetMon Community Edition (through 1.2.9) lets attacker-controlled input reach an unescaped exec() call inside the Juniper router integration plugin, enabling arbitrary shell command execution on the host. The flaw lives in the _log() function of src/juniper_plugin/fastnetmon_juniper.php, where the $msg argument (built from argv[1]-argv[3]: attack IP, direction, power) is concatenated directly into a shell command. Although rated CVSS 9.8, practical exploitation is gated: FastNetMon's C++ core currently feeds IPs through inet_ntoa(), which only yields safe dotted-decimal strings, so injection requires the script to be driven directly or by a third-party orchestrator. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.

Command Injection PHP Juniper +1
NVD GitHub VulDB
EPSS 0% CVSS 8.1
HIGH This Week

Configuration injection in FastNetMon Community Edition through 1.2.9 allows an attacker who controls the attacker IP string passed to the Juniper integration plugin to inject arbitrary Juniper NETCONF set/delete commands, leading to full router compromise. The flaw lives in the PHP-based Juniper plugin where unsanitized argv input is interpolated into NETCONF commands, and although no public exploit identified at time of analysis (EPSS 0.03%), the technical impact is rated total under SSVC and CVSS scores 8.1.

PHP Juniper Command Injection +1
NVD GitHub VulDB
EPSS 0% CVSS 8.1
HIGH This Week

OS command injection in FastNetMon Community Edition through 1.2.9 lets an authenticated network attacker execute arbitrary shell commands via the MikroTik router integration plugin by influencing argv[] values passed to the unsanitized _log() function. The flaw mirrors a previously disclosed Juniper plugin issue in the same project, and while a public technical write-up exists at lorikeetsecurity.com, no public exploit code or active exploitation has been identified, with EPSS at 0.05% (17th percentile).

PHP Mikrotik Juniper +2
NVD GitHub
EPSS 0% CVSS 2.0
LOW POC Monitor

Cross-site scripting in SourceCodester Student Grades Management System 1.0 allows a low-privileged authenticated attacker to inject malicious JavaScript via the unvalidated 'Remarks' parameter in students.php, executing arbitrary scripts in the context of a victim's browser session upon passive viewing. A public proof-of-concept exists on GitHub; however, this CVE is not listed in the CISA KEV catalog and the EPSS score of 0.03% (9th percentile) reflects very low real-world exploitation probability. SSVC assessment corroborates this with 'Exploitation: none' and 'Automatable: no,' consistent with the required user-interaction constraint.

PHP XSS Student Grades Management System
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

Improper authorization in SourceCodester Student Grades Management System 1.0 allows authenticated remote attackers to manipulate the classroom_id parameter within classroom.php to access or modify classroom enrollment data beyond their authorized scope. The vulnerability affects the getClassroomStudents and removeStudentFromClassroom functions, enabling unauthorized listing of enrolled students or removal of students from classrooms the attacker does not administer. A publicly available proof-of-concept exploit exists on GitHub, though EPSS places exploitation probability at just 0.04% (13th percentile), and the vulnerability is not currently listed in the CISA KEV catalog.

PHP Authentication Bypass Student Grades Management System
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

Improper authorization in SourceCodester Student Grades Management System 1.0 permits authenticated remote attackers to access or manipulate grade records belonging to other students by tampering with the student_id parameter in grades.php. The flaw (CWE-285) reflects a failure to enforce object-level authorization, allowing a low-privileged user to cross access boundaries to other students' data. A publicly available proof-of-concept exists on GitHub, though EPSS sits at 0.04% (11th percentile) and SSVC classifies exploitation as none, indicating no evidence of active exploitation in the wild despite the POC.

PHP Authentication Bypass Student Grades Management System
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in yashpokharna2555 StudentManagementSystem's /studentdel.php endpoint allows remote unauthenticated attackers to manipulate the ID parameter within the confirm_logged_in function, enabling arbitrary SQL query execution against the backend database. All commits up to cb2f558ddf8d19396de0f92abf2d224d46a0a203 of this PHP-based academic application are affected, with no patched release available due to its rolling-release model and vendor non-response. A public exploit exists per GitHub issue #5, and SSVC flags the attack as automatable, though the EPSS score of 0.03% reflects limited real-world scanning activity likely attributable to the application's narrow deployment footprint.

PHP SQLi Studentmanagementsystem
NVD VulDB GitHub
EPSS 0% CVSS 2.0
LOW POC Monitor

Cross-site scripting in yashpokharna2555's StudentManagementSystem (PHP) allows authenticated remote attackers to inject malicious client-side scripts via the FIRST_NAME parameter in /student.php, executing in victim browsers upon record viewing. The CVSS 4.0 score of 2.0 (Low) reflects the requirement for prior authentication (PR:L) and user interaction (UI:P), significantly constraining real-world impact. Publicly available exploit code exists via a GitHub issue report; no vendor patch has been issued and the maintainer has not responded to the disclosure.

PHP XSS Studentmanagementsystem
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in yashpokharna2555's StudentManagementSystem (commit cb2f558) exposes the confirm_logged_in function in student_trans.php to unauthenticated remote attackers who can manipulate FIRST_NAME, Last_Name, and EMAIL parameters to execute arbitrary SQL against the backend database. A public exploit has been disclosed via GitHub issue #3, confirming exploitability requires minimal skill; however, EPSS at 0.03% (9th percentile) indicates very low observed real-world exploitation activity, likely reflecting the narrow deployment footprint of this niche open-source PHP project rather than any technical barrier. No patch is available at time of analysis, as the maintainer has not responded to the coordinated disclosure.

PHP SQLi Studentmanagementsystem
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in the PHP-based yashpokharna2555/StudentManagementSystem exposes the /success.php endpoint to remote unauthenticated database attacks via the unsanitized 'User' argument. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms exploitation requires no authentication, no user interaction, and no special network position. A publicly available exploit exists via a GitHub issue report; the project maintainer has been notified but has not responded, and no patch has been released. Despite POC availability, EPSS sits at 0.03% (9th percentile), reflecting the niche, low-adoption nature of this project rather than a reduced technical severity.

PHP SQLi Studentmanagementsystem
NVD VulDB GitHub
EPSS 1% CVSS 8.7
HIGH POC This Week

Softneta MedDream PACS Server Premium 6.7.1.1 contains a directory traversal vulnerability that allows unauthenticated attackers to read arbitrary files by manipulating the path parameter. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Path Traversal PHP
NVD Exploit-DB
EPSS 0% CVSS 8.8
HIGH POC This Week

MedDream PACS Server Premium 6.7.1.1 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the email. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi PHP
NVD Exploit-DB
EPSS 0% CVSS 6.9
MEDIUM POC This Month

Admidio 3.3.5 contains a cross-site request forgery vulnerability that allows low-privilege users to increase their permissions by exploiting improper origin checking. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

CSRF PHP
NVD Exploit-DB
EPSS 0% CVSS 8.8
HIGH POC This Week

Twitter-Clone 1 contains a SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the name parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi PHP
NVD Exploit-DB GitHub VulDB
EPSS 0% CVSS 5.3
MEDIUM POC This Month

Twitter-Clone 1 contains a cross-site request forgery vulnerability that allows remote attackers to force victims to delete posts by crafting malicious HTML forms. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

CSRF PHP
NVD Exploit-DB GitHub VulDB
EPSS 0% CVSS 8.8
HIGH POC This Week

Twitter-Clone 1 contains a SQL injection vulnerability in follow.php that allows attackers to manipulate database queries by injecting SQL code through the userid parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi PHP
NVD Exploit-DB GitHub VulDB
EPSS 0% CVSS 2.1
LOW POC Monitor

SQL injection in code-projects Employee Management System 1.0 allows remote low-privileged attackers to manipulate the `ID` parameter in `/process/applyleaveprocess.php`, enabling unauthorized database read and write operations with partial impact across confidentiality, integrity, and availability. A publicly available proof-of-concept exploit exists on GitHub, though no confirmed active exploitation (CISA KEV) has been recorded. EPSS at 0.03% (8th percentile) and an SSVC assessment of 'not automatable' indicate low broad exploitation likelihood, though the accessible POC meaningfully lowers the barrier for targeted manual attacks against organizations running this application.

PHP SQLi Employee Management System
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

SQL injection in the /psubmit.php endpoint of code-projects Employee Management System 1.0 enables authenticated remote attackers to manipulate the pid parameter and inject arbitrary SQL commands against the backend database. A public proof-of-concept exploit has been released on GitHub, reducing the skill barrier for exploitation against unpatched deployments. Despite a low CVSS 4.0 base score of 2.1 reflecting partial impact scope and low-privilege requirements, the combination of network accessibility and public PoC warrants prompt remediation for any internet-facing instance; no public exploit identified meets CISA KEV criteria, and no vendor-released patch has been confirmed at time of analysis.

PHP SQLi Employee Management System
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

SQL injection in code-projects Employee Management System 1.0 exposes the /changepassemp.php password-change endpoint to database manipulation by authenticated low-privilege users over the network. The CVSS 4.0 score of 2.1 reflects limited, non-cascading impact - partial confidentiality, integrity, and availability degradation confined to the vulnerable component with no downstream system scope change. A publicly available proof-of-concept exploit exists on GitHub, though the EPSS score of 0.03% (8th percentile) and SSVC 'automatable: no' classification indicate this is unlikely to see widespread opportunistic exploitation; no public exploit identified at time of analysis corroborating active KEV-level campaigns.

PHP SQLi Employee Management System
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

Reflected cross-site scripting in code-projects Employee Management System 1.0 allows remote unauthenticated attackers to inject arbitrary JavaScript into victim browsers via the unsanitized `id` parameter in `/applyleave.php`. The attack requires victim interaction (UI:P per CVSS 4.0), meaning a victim must visit or be socially engineered into clicking a crafted URL. Publicly available exploit code exists on GitHub (no public exploit identified at time of analysis for widespread KEV-confirmed exploitation), though EPSS at 0.03% (10th percentile) signals negligible observed exploitation activity at scale.

PHP XSS Employee Management System
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in SourceCodester Simple POS and Inventory System 1.0 exposes the application to unauthenticated remote data extraction and manipulation via the Name parameter in /user/search.php. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms no authentication or user interaction is required, and a publicly available proof-of-concept exploit (GitHub gist) lowers the bar for exploitation. No active exploitation has been confirmed in CISA KEV, and the EPSS score of 0.03% (9th percentile) indicates limited real-world exploitation activity at time of analysis despite the public POC.

PHP SQLi Simple Pos And Inventory System
NVD VulDB GitHub
EPSS 0% CVSS 2.0
LOW POC Monitor

SQL injection in SourceCodester Simple POS and Inventory System 1.0 allows remote authenticated administrators to manipulate database queries via the ID parameter in /admin/edit_customer.php. The vulnerability is tagged CWE-89 and carries a CVSS 4.0 base score of 2.0, reflecting the high privilege requirement that significantly limits the attacker pool to those with existing admin access. Publicly available exploit code exists (hosted on GitHub Gist), though EPSS remains very low at 0.03% (8th percentile), and no CISA KEV listing is present - indicating no confirmed widespread exploitation at time of analysis.

PHP SQLi Simple Pos And Inventory System
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

Unrestricted file upload in SourceCodester Simple POS and Inventory System 1.0 allows authenticated remote attackers to upload arbitrary files through the image argument of /admin/addproduct.php, potentially enabling web shell deployment and remote code execution. A publicly available proof-of-concept exploit exists (GitHub gist), and SSVC confirms exploitation: poc status. Despite the severe nature of CWE-434 unrestricted upload flaws, EPSS sits at 0.04% (11th percentile) and CISA has not added this to KEV, indicating limited observed exploitation in the wild at time of analysis.

PHP File Upload Simple Pos And Inventory System
NVD VulDB GitHub
EPSS 0% CVSS 2.0
LOW POC Monitor

SQL injection in SourceCodester Simple POS and Inventory System 1.0 allows a remote, high-privileged (admin-level) attacker to manipulate database queries via the unsanitized 'ID' GET parameter in /admin/deleteproduct.php. Successful exploitation yields partial read, write, and availability impact on the underlying database. No public exploit identified at time of analysis is incorrect - publicly available exploit code exists (GitHub gist), though no confirmed active exploitation (KEV) has been observed, and the EPSS score of 0.03% reflects minimal real-world exploitation pressure.

PHP SQLi Simple Pos And Inventory System
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

Resource injection in yashpokharna2555's StudentManagementSystem allows low-privileged remote attackers to manipulate the ID parameter in courseDel.php to control which course records are deleted or affected, resulting in unauthorized data integrity and availability impact. The flaw affects the specific git commit cb2f558ddf8d19396de0f92abf2d224d46a0a203 and exploit code is publicly available via a GitHub issue. No patch has been released, and the project maintainer has not responded to the disclosure.

PHP Information Disclosure Studentmanagementsystem
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM This Month

Unrestricted file upload in KLiK SocialMediaWebsite 1.0 exposes the application to unauthenticated remote exploitation via the `uniqid` function in `upload.inc.php`. The File Handler component fails to validate uploaded file types (CWE-434), allowing an attacker to upload PHP webshells or other executable files without any authentication - confirmed by the CVSS 4.0 vector PR:N/UI:N. Exploit code has been publicly disclosed (CVSS E:P, referenced via VulDB), though EPSS remains low at 0.04% and the vulnerability is not listed in CISA KEV, indicating no confirmed widespread exploitation at time of analysis.

PHP File Upload Klik Socialmediawebsite
NVD VulDB
EPSS 0% CVSS 2.1
LOW POC Monitor

Reflected cross-site scripting in code-projects Employee Management System 1.0 allows unauthenticated remote attackers to inject and execute arbitrary JavaScript in a victim's browser by manipulating the `ID` parameter of `/empproject.php`. A publicly available proof-of-concept exploit exists on GitHub, lowering the barrier to exploitation, though user interaction is required to trigger the payload. No active exploitation has been confirmed by CISA KEV, and the EPSS score of 0.03% places this in the bottom 10th percentile of exploitation likelihood, consistent with the low CVSS 4.0 score of 2.1.

PHP XSS Employee Management System
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

Reflected cross-site scripting in code-projects Employee Management System 1.0 allows remote unauthenticated attackers to inject malicious scripts into victim browsers via the unsanitized 'ID' parameter in /changepassemp.php. Exploitation requires user interaction (UI:P per CVSS 4.0), limiting mass exploitation, but a publicly available proof-of-concept exploit exists on GitHub. No patch has been identified from the vendor; EPSS of 0.03% (10th percentile) indicates low observed exploitation probability, and this CVE is not listed in the CISA KEV catalog.

PHP XSS Employee Management System
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

Cross-site scripting in code-projects Employee Management System 1.0 allows remote, unauthenticated attackers to inject malicious scripts via the ID parameter of /myprofileup.php, requiring only passive user interaction to execute. A publicly available proof-of-concept exploit exists on GitHub, though EPSS at 0.03% (10th percentile) and SSVC's 'not automatable' rating indicate minimal observed real-world exploitation activity. The vulnerability is limited to partial integrity impact on the vulnerable system with no confidentiality or availability impact, consistent with the CVSS 4.0 score of 2.1.

PHP XSS Employee Management System
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

Reflected cross-site scripting in code-projects Employee Management System 1.0 allows remote unauthenticated attackers to inject and execute malicious JavaScript in a victim's browser by manipulating the `id` parameter of `/myprofile.php`. Exploitation requires passive user interaction (UI:P) - the victim must load a crafted URL - which constrains automated attack chains. A public proof-of-concept is confirmed available on GitHub, though the EPSS score of 0.03% (10th percentile) indicates minimal real-world exploitation activity; the vulnerability is not listed in CISA KEV.

PHP XSS Employee Management System
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

Reflected cross-site scripting in code-projects Employee Management System 1.0 allows remote unauthenticated attackers to inject and execute malicious scripts in a victim's browser via the ID parameter of /eloginwel.php. Exploitation requires user interaction (UI:P per CVSS 4.0), limiting automatable mass exploitation, though a publicly available proof-of-concept lowers the technical bar for targeted attacks. No vendor patch has been identified at time of analysis, and the EPSS score of 0.03% (10th percentile) indicates low observed exploitation probability despite POC availability.

PHP XSS Employee Management System
NVD VulDB GitHub
EPSS 0% CVSS 2.0
LOW POC Monitor

Stored cross-site scripting in SourceCodester Indian Invoicing System versions 0.x and 1.0 allows a low-privileged authenticated attacker to inject malicious JavaScript via the `customer_name` parameter in `/Invoicing/add_order.php`, which is persisted to the database and executed in the browsers of users who subsequently view the rendered invoice template. A public proof-of-concept exploit is available on GitHub (gist by c4ttr4ck), though EPSS sits at only 0.03% (9th percentile) and the vulnerability is not listed in CISA KEV, indicating no confirmed widespread exploitation. Impact is limited to partial integrity on the vulnerable system with no confidentiality or availability consequences, consistent with the CVSS 4.0 score of 2.0.

PHP XSS Indian Invoicing System
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

Reflected cross-site scripting (XSS) in SourceCodester Indian Invoicing System 1.0 allows unauthenticated remote attackers to inject and execute malicious scripts in a victim's browser by manipulating the `msg` parameter in `/Invoicing/category.php`. A proof-of-concept exploit is publicly available on GitHub. Despite the public POC, EPSS stands at just 0.03% (10th percentile) and the vulnerability is absent from CISA KEV, reflecting the narrow deployment footprint of this niche PHP invoicing application and the user-interaction requirement that limits automated exploitation.

PHP XSS Indian Invoicing System
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

SQL injection in SourceCodester Indian Invoicing System 1.0 allows a remote, low-privileged authenticated attacker to manipulate database queries through the customer_name and category parameters in /Invoicing/IGST_Invoice.php. The vulnerability yields partial confidentiality, integrity, and availability impact against the underlying database. No public exploit identified at time of analysis is incorrect - publicly available exploit code exists (GitHub gist), though the application is a niche, open-source invoicing tool with limited deployment footprint and no confirmed active exploitation in the wild.

PHP SQLi Indian Invoicing System
NVD VulDB GitHub
EPSS 0% CVSS 3.5
LOW PATCH Monitor

Open redirect in SPIP's ecrire subsystem allows authenticated remote attackers with low privileges to redirect victims to arbitrary external URLs via the action/cookie.php endpoint, affecting all SPIP versions prior to 4.4.15. The CVSS score of 3.5 (Low) is consistent with EPSS at 0.03% (7th percentile) and SSVC's determination of no exploitation and partial technical impact, making this a low-urgency but patchable flaw. No public exploit identified at time of analysis, and CISA KEV does not list this vulnerability.

PHP Open Redirect Spip
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in itsourcecode Electronic Judging System 1.0 exposes the admin login endpoint at /intrams/admin/login.php to unauthenticated remote attackers who can manipulate the Username parameter to alter backend SQL query logic. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms this is exploitable over the network with no privileges or user interaction, and publicly available exploit code (E:P) further lowers the barrier to entry. Although EPSS sits at 0.03% (9th percentile) indicating low observed exploitation activity, no vendor patch has been identified at time of analysis, leaving all known deployments of version 1.0 without an official remediation path.

PHP SQLi Electronic Judging System
NVD VulDB GitHub
EPSS 0% CVSS 1.9
LOW POC Monitor

Cross-site scripting in SourceCodester SUP Online Shopping 1.0 is exploitable via the productName parameter in /admin/productedit.php, where unsanitized input is rendered back to the browser without proper encoding. An attacker already holding high-privilege admin credentials can inject a JavaScript payload that executes when another user interacts with the affected admin page. Publicly available exploit code exists per a referenced GitHub issue, though EPSS at 0.03% (9th percentile) and absence from CISA KEV indicate negligible active exploitation interest at time of analysis.

PHP XSS Sup Online Shopping
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in Online Art Gallery Shop 1.0 allows unauthenticated remote attackers to manipulate database queries through the social_linked parameter in /admin/adminHome.php. The vulnerability has publicly available exploit code and a CVSS score of 7.3, indicating high severity with the ability to impact confidentiality, integrity, and availability of the application.

PHP SQLi
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in SourceCodester Hospitals Patient Records Management System 1.0 enables remote unauthenticated attackers to manipulate database queries through the ID parameter in /admin/patients/manage_history.php. Public exploit code exists (GitHub), though not listed in CISA KEV. The vulnerability carries moderate risk with CVSS 7.3 reflecting potential for data theft and manipulation of patient records.

PHP SQLi
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in SourceCodester Hospitals Patient Records Management System 1.0 allows remote attackers to compromise patient data without authentication via manipulated ID parameter in /classes/Master.php?f=save_patient_history. The vulnerability has publicly available exploit code (GitHub) and enables unauthorized database access with potential to read, modify, or delete patient records. CVSS 7.3 indicates moderate severity with no exploitation prerequisites.

PHP SQLi
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

SQL injection in SourceCodester Hospitals Patient Records Management System 1.0 allows authenticated attackers to extract, modify, or delete database records via the ID parameter in /admin/patients/view_history.php. The vulnerability requires low-privilege authenticated access (PR:L) but has low attack complexity (AC:L) and can be exploited remotely. Publicly available exploit code exists on GitHub (referenced in VulDB entry), enabling immediate weaponization by threat actors. EPSS data not available, and the vulnerability is not currently listed in CISA KEV, indicating exploitation may be limited or targeted rather than widespread. The CVSS 6.3 (Medium) rating reflects partial impact across confidentiality, integrity, and availability (C:L/I:L/A:L).

PHP SQLi
NVD VulDB GitHub
EPSS 0% CVSS 9.3
CRITICAL POC PATCH Act Now

Dolibarr ERP CRM 7.0.3 contains a remote code evaluation vulnerability that allows unauthenticated attackers to execute arbitrary code by injecting PHP code through the db_name parameter. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Code Injection PHP RCE
NVD Exploit-DB GitHub
EPSS 0% CVSS 7.1
HIGH POC This Week

WordPress Ultimate Form Builder Lite plugin version 1.3.7 and below contains an SQL injection vulnerability that allows authenticated attackers to manipulate database queries by injecting SQL code. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi WordPress
NVD Exploit-DB
EPSS 0% CVSS 9.3
CRITICAL POC Act Now

userSpice 4.3.24 contains a username enumeration vulnerability that allows unauthenticated attackers to discover valid usernames by sending POST requests to the existingUsernameCheck.php endpoint. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure PHP
NVD Exploit-DB
EPSS 0% CVSS 5.1
MEDIUM POC This Month

userSpice 4.3.24 contains a cross-site scripting vulnerability that allows attackers to inject malicious scripts through the X-Forwarded-For HTTP header. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP XSS
NVD Exploit-DB
EPSS 0% CVSS 5.3
MEDIUM POC This Month

Smartshop 1 contains a cross-site request forgery vulnerability that allows attackers to modify user profiles by tricking authenticated users into submitting malicious requests. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP CSRF
NVD Exploit-DB GitHub
EPSS 0% CVSS 8.8
HIGH POC This Week

Smartshop 1 contains a time-based blind SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the 'searched' parameter in. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi
NVD Exploit-DB GitHub
EPSS 0% CVSS 8.8
HIGH POC This Week

Smartshop 1 contains a SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the id parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi
NVD Exploit-DB GitHub
EPSS 0% CVSS 8.8
HIGH POC This Week

Smartshop 1 contains a SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the id parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi
NVD Exploit-DB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

Remote code injection in vps-inventory-monitoring allows authenticated attackers to execute arbitrary PHP code through the VpsTest console command. The vulnerability exists in the eval() function within VpsTest.php, exploitable by manipulating the 'vf' parameter with low attack complexity. Publicly available exploit code exists (GitHub POC published), and the maintainer has not responded to early disclosure attempts. CVSS 6.3 reflects moderate impact across confidentiality, integrity, and availability, with EPSS data unavailable but risk elevated by confirmed POC and unresponsive vendor.

PHP Code Injection RCE
NVD VulDB GitHub
EPSS 0% CVSS 9.8
CRITICAL POC PATCH Act Now

Unauthenticated SQL injection in YesWiki's Bazar form-import path allows any remote visitor to inject arbitrary SQL into an INSERT statement and exfiltrate the entire database, including yeswiki_users.password hashes. Affects YesWiki 4.6.1, 4.6.2, and the doryphore-dev branch prior to 4.6.4. Publicly available exploit code exists (a working Python PoC is published in the GHSA advisory), though no public exploit identified in CISA KEV at time of analysis.

PHP Python SQLi +1
NVD GitHub
EPSS 0% CVSS 4.3
MEDIUM This Month

Cross-Site Request Forgery in the Widget Context WordPress plugin (all versions ≤ 1.3.3) allows unauthenticated attackers to modify widget visibility context settings stored in the WordPress options table by forging a POST request to /wp-admin/widgets.php. The root cause is missing or incorrect nonce validation in the save_widget_context_settings function, confirmed by Wordfence and corroborated by source code references at WidgetContext.php lines 91, 282, and 311. Exploitation requires social engineering a logged-in administrator into clicking an attacker-controlled link; no public exploit identified at time of analysis and the vulnerability is not listed in CISA KEV.

WordPress PHP CSRF +1
NVD GitHub VulDB
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Arbitrary PHP code execution in Twig templating engine versions 3.15.0 through 3.25.x allows attackers who control template source to inject raw PHP into the compiled template via the `_self.(<string>)` dynamic-attribute macro-reference path, fully bypassing the SandboxExtension. The flaw executes injected code at template-load time, before any SecurityPolicy check runs, rendering even a globally-enabled empty allowlist sandbox ineffective. No public exploit identified at time of analysis, but the vendor advisory describes the bypass mechanism in enough detail that PoC development is straightforward.

PHP Code Injection RCE
NVD GitHub
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Sandbox escape in Twig 3.24.0 through 3.25.x lets an attacker with write access to a sandboxed template read arbitrary public properties and invoke any public getter on objects exposed to the template, bypassing the SandboxExtension's SecurityPolicy allowlists. The flaw exists because the object-destructuring compiler hardcodes the $sandboxed flag to false when emitting CoreExtension::getAttribute() calls, so policy checks never run for destructuring expressions whenever the {% do %} tag is permitted. No public exploit identified at time of analysis, but the issue was responsibly disclosed with vendor-confirmed root cause and an upstream patch.

PHP Authentication Bypass
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Twig's sandbox security policy is bypassed via the `column` filter when processing arrays of PHP objects, allowing an untrusted template author to read any public or magic property of any object reachable in the render context - completely circumventing the `SecurityPolicy`'s `allowedProperties` restrictions. All twig/twig versions prior to 3.26.0 are affected when sandbox mode is active and untrusted authors have `column` in their `allowedFilters`. This is a structural variant of CVE-2024-51755 that the prior ArrayAccess-focused fix left uncovered; no public exploit has been identified at time of analysis, and the fix is confirmed in Twig 3.26.0.

PHP Authentication Bypass
NVD GitHub
EPSS 0% CVSS 8.7
HIGH PATCH This Week

PHP code injection in Twig template engine versions before 3.26.0 allows attackers controlling template names in `{% use %}` tags to break out of compiled cache file string literals and execute arbitrary PHP code. The flaw bypasses the Twig sandbox entirely because `SecurityPolicy` unconditionally permits `{% use %}` regardless of `allowedTags` configuration. No public exploit identified at time of analysis, but the GitHub Security Advisory (GHSA-7p85-w9px-jpjp) discloses the full exploitation primitive.

PHP Code Injection RCE
NVD GitHub
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Cross-site request forgery in Concrete CMS 9.5.0 and earlier allows remote attackers to coerce an authenticated administrator's browser into triggering a core CMS upgrade to an attacker-chosen version. The dashboard's do_update() controller emits a CSRF token in the rendered POST form but never calls $this->token->validate('do_update'), leaving the update workflow effectively unauthenticated against forged cross-origin requests. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

PHP CSRF
NVD
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Remote code execution in Concrete CMS 9.5.0 and earlier is achievable through a CSRF flaw in the /dashboard/extend/update/prepare_remote_upgrade/<remoteMPID> endpoint, which fails to validate anti-CSRF tokens. An attacker who controls a marketplace package matching an item ID already installed on the victim site can overwrite package PHP files and trigger the upgrade() method via a single navigation by a privileged admin, resulting in code execution as the web server user. No public exploit identified at time of analysis, though the vendor (Concrete CMS security team) has acknowledged and rated the issue at CVSS 4.0 7.5.

PHP CSRF RCE
NVD
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Cross-site request forgery in Concrete CMS 9.5.0 and earlier allows remote attackers to coerce an authenticated administrator with canInstallPackages permission into installing an attacker-controlled package, resulting in remote code execution as the web server user. The flaw resides in the install_package() method of the dashboard's extend/install.php controller, which lacks CSRF token validation. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

PHP CSRF RCE
NVD
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Privilege escalation in Concrete CMS 9.5.0 and earlier allows authenticated users with access to the bulk user assignment dashboard to add arbitrary accounts to the Administrators group and remove existing admins, effectively hijacking site control. The flaw stems from missing authorization checks in bulk_user_assignment.php and was disclosed with a vendor-assigned CVSS v4.0 score of 7.5. No public exploit identified at time of analysis, and the issue is not present in CISA KEV.

PHP Authentication Bypass Privilege Escalation
NVD
EPSS 0% CVSS 7.3
HIGH PATCH This Week

Stored cross-site scripting in Concrete CMS 9.5.0 and earlier allows a high-privileged admin to inject arbitrary HTML/JavaScript into the OAuth authorize template via the integration name field. The flaw arises because the integration name is wrapped in <strong> tags by PHP string interpolation before being passed to the t() translation helper, causing the resulting raw HTML to be rendered when end users view the OAuth consent screen. No public exploit identified at time of analysis, but a rogue or compromised admin could potentially harvest OAuth login submissions from victims.

PHP XSS
NVD
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Cross-site request forgery in Concrete CMS 9.5.0 and earlier allows remote attackers to coerce authenticated administrators into downloading arbitrary marketplace packages to the server's DIR_PACKAGES directory by luring them to a crafted page that triggers the unprotected /dashboard/extend/install/download/<remoteId> GET endpoint. The vendor assigned CVSS 4.0 of 7.5 reflecting high impact on confidentiality, integrity, and availability, though no public exploit identified at time of analysis and the flaw is not listed in CISA KEV.

PHP CSRF
NVD
EPSS 0% CVSS 6.3
MEDIUM PATCH This Month

Unauthorized file download in Concrete CMS 9.5.0 and below exposes permission-restricted files via a broken authorization check in the file download controller. The submit_password() method in download_file.php processes file access without enforcing the view_file permission gate, producing two exploitable paths: any unauthenticated network actor can retrieve files that carry no password protection, and any actor who possesses a file's password can retrieve that file regardless of whether their account holds view_file permission. No public exploit has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog.

PHP Authentication Bypass Concrete Cms
NVD
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Command injection in KnpLabs Snappy PHP library (versions <= 1.7.0) allows attackers to execute arbitrary OS commands when the wkhtmltopdf/wkhtmltoimage binary path is attacker-influenced. An inverted is_executable() check around escapeshellarg() renders the safe branch dead code, causing the binary path to be concatenated unescaped into the shell command. Publicly available exploit code exists (vendor-published PoC in the advisory), but no public exploit identified at time of analysis in CISA KEV.

PHP Command Injection
NVD GitHub VulDB
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

Server-Side Request Forgery (SSRF) and local file read in KnpLabs Snappy (composer package knplabs/knp-snappy <= 1.6.0) allows remote attackers to exfiltrate sensitive server files by injecting a file:// URI into the xsl-style-sheet PDF generation option. When applications pass unsanitized user input directly to the Snappy library's generate() method, wkhtmltopdf processes attacker-controlled URIs including file:// scheme paths, enabling reads of files such as /etc/passwd. No public exploit has been identified at time of analysis, and this is not listed in CISA KEV, but the attack pattern is straightforward and exploitability is high in vulnerable deployments where PHP runs as root outside a container.

PHP SSRF
NVD GitHub VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Cross-site request forgery in Concrete CMS 9.5.0 and earlier allows remote attackers to coerce an authenticated administrator into triggering arbitrary package upgrades by luring them to a malicious page that issues a single GET to /dashboard/extend/update/do_update/<pkgHandle>. The do_update() handler only checks the canInstallPackages() permission and omits CSRF token validation on this state-changing route, so a cross-site navigation is sufficient to invoke upgradeCoreData() and the package controller's upgrade() routine. No public exploit identified at time of analysis and no CISA KEV listing; EPSS not provided.

PHP CSRF
NVD VulDB
EPSS 0% CVSS 8.9
HIGH PATCH This Week

Remote code execution in Concrete CMS versions 5.0 through 9.5.0 allows a high-privileged administrator to bypass the platform's `_fromCIF` deserialization guard by submitting malicious payloads through the REST API instead of standard form POST requests. The flaw resides in the ExpressEntryList block controller (CWE-502) and stores a serialized PHP gadget in the `filterFields` database column, which is unmarshalled when another administrator subsequently views or edits the block, leading to full server takeover. No public exploit identified at time of analysis, and the issue is not present in CISA KEV.

Deserialization PHP RCE
NVD VulDB
EPSS 0% CVSS 9.4
CRITICAL PATCH Act Now

Authenticated remote code execution in Concrete CMS 9.5.0 and earlier allows an administrator with composer form editing privileges to chain a path traversal flaw in the ptComposerFormLayoutSetControlCustomTemplate field with the platform's permissive file uploader to execute arbitrary PHP on the server. The vendor scored this 9.4 (CVSS v4.0) reflecting high confidentiality, integrity, and availability impact across both the vulnerable component and downstream subsequent systems. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.

LFI PHP Path Traversal +1
NVD VulDB
EPSS 0% CVSS 8.2
HIGH PATCH This Week

Missing TLS certificate verification in Open ISES Tickets before 3.44.2 allows network-positioned attackers to intercept and tamper with outbound HTTPS traffic from the mobile (RouteMate) login flow, exposing API keys and session-bearing data. The flaw stems from rm/incs/mobile_login.inc.php disabling CURLOPT_SSL_VERIFYPEER and omitting CURLOPT_SSL_VERIFYHOST. No public exploit identified at time of analysis, and the issue is one of 88 security fixes shipped in the v3.44.2 release.

Information Disclosure PHP
NVD GitHub VulDB
EPSS 0% CVSS 8.2
HIGH PATCH This Week

Man-in-the-middle interception of authentication traffic in Open ISES Tickets before 3.44.2 is possible because the application's login flow in incs/login.inc.php disables TLS certificate verification on outbound HTTPS requests. Network-positioned attackers can present forged certificates to capture or modify API keys and session-bearing data exchanged during login. No public exploit identified at time of analysis, though the fix is bundled into a broader critical security release that also addresses 69 XSS and 19 SQL injection issues.

Information Disclosure PHP
NVD GitHub VulDB
Prev Page 13 of 275 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy