Skip to main content

PHP

24729 CVEs product

Monthly

CVE-2026-39110 HIGH This Week

SQL injection in Apartment Visitors Management System v1.1 allows unauthenticated remote attackers to extract sensitive database contents via the contactno parameter on the password reset page. The vulnerability bypasses authentication controls through crafted input during password recovery operations. EPSS and KEV data not available, but SSVC framework indicates proof-of-concept exists and the vulnerability is automatable with partial technical impact. The CVSS score of 8.2 reflects high confidentiality impact with network-accessible attack surface requiring no user interaction.

PHP SQLi N A
NVD GitHub VulDB
CVSS 3.1
8.2
EPSS
0.1%
CVE-2026-39112 MEDIUM This Month

Stored cross-site scripting (XSS) in Apartment Visitors Management System v1.1 allows authenticated attackers to inject malicious JavaScript via the visname parameter in visitors-form.php, which executes when other users view the injected data in manage-newvisitors.php or visitor-detail.php. The vulnerability requires user interaction (victim visiting affected pages) and valid authentication but can escalate privileges, steal session tokens, or perform actions on behalf of administrative users viewing visitor records.

XSS PHP
NVD GitHub VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-6573 LOW POC Monitor

Server-side request forgery in PHPEMS 11.0 allows authenticated remote attackers to manipulate the uploadfile parameter in the Instant Exam Creation Handler component, enabling SSRF attacks that can access internal resources or perform unauthorized requests from the server. The vulnerability affects the temppage function in /app/exam/controller/exams.master.php and has public exploit code available, though exploitation requires valid user credentials (PR:L).

PHP SSRF
NVD VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-6572 LOW POC Monitor

Improper authorization in Collabora KodExplorer up to version 4.52 allows remote unauthenticated attackers to bypass authentication via manipulation of the fileUpload parameter in the /app/controller/share.class.php endpoint, potentially enabling unauthorized file access or modification with low confidentiality, integrity, and availability impact. Publicly available exploit code exists; however, the attack requires high complexity and is described as difficult to execute in practice, limiting real-world exploitation despite public disclosure and vendor non-responsiveness.

PHP Authentication Bypass
NVD VulDB
CVSS 4.0
2.9
EPSS
0.0%
CVE-2026-6571 LOW POC Monitor

Kodcloud KodExplorer up to version 4.52 contains an authorization bypass vulnerability in the roleGroupAction function that allows authenticated remote attackers to manipulate the group_role parameter and gain unauthorized access to sensitive information and system modification capabilities. The vulnerability has a CVSS score of 6.3 with public exploit code available, and the vendor has not responded to early disclosure notifications, leaving deployed instances without official patching options.

PHP Authentication Bypass
NVD VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-6570 LOW POC Monitor

Remote authorization bypass in KodCloud KodExplorer up to version 4.52 allows high-privileged authenticated attackers to manipulate the path argument in the initInstall function (/app/controller/systemMember.class.php), resulting in integrity compromise. The exploit code is publicly available, and the vendor has not responded to early disclosure notifications, leaving deployed instances vulnerable without official remediation guidance.

PHP Authentication Bypass
NVD VulDB
CVSS 4.0
2.0
EPSS
0.0%
CVE-2026-6569 MEDIUM This Month

Improper authentication in kodcloud KodExplorer versions up to 4.52 allows unauthenticated remote attackers to bypass access controls via the fileGet endpoint. The vulnerability resides in the fileGet function within /app/controller/share.class.php, exploitable by manipulating the fileUrl parameter. With CVSS 7.3 and network attack vector requiring no privileges or user interaction, this enables unauthorized file access and potential data manipulation. EPSS score unavailable; no CISA KEV listing indicates no confirmed widespread exploitation. Vendor non-responsive to disclosure attempts.

PHP Authentication Bypass
NVD VulDB
CVSS 4.0
6.9
EPSS
0.1%
CVE-2026-6568 MEDIUM POC This Month

Path traversal in kodcloud KodExplorer 4.52 and earlier allows unauthenticated remote attackers to access unauthorized files via the public share handler's path parameter. The vulnerability has publicly available exploit code (EPSS data not provided, not listed in CISA KEV). The vendor did not respond to responsible disclosure, leaving all versions through 4.52 unpatched at time of analysis.

PHP Path Traversal
NVD VulDB
CVSS 4.0
5.5
EPSS
0.1%
CVE-2026-6561 LOW POC Monitor

EyouCMS versions up to 1.7.1 allow high-privileged attackers to upload arbitrary files via manipulation of the filename parameter in the edit_adminlogo function, leading to information disclosure and potential code execution. The vulnerability requires authenticated admin access and is publicly exploitable with proof-of-concept code available on GitHub; the vendor has not responded to disclosure attempts.

PHP File Upload
NVD VulDB GitHub
CVSS 4.0
2.0
EPSS
0.0%
CVE-2026-40581 HIGH This Week

Cross-Site Request Forgery (CSRF) in ChurchCRM versions before 7.2.0 allows remote attackers to permanently delete family records and all associated data (notes, pledges, persons, property) through the SelectDelete.php endpoint. The endpoint executes irreversible deletions via unauthenticated GET requests without CSRF token validation, requiring only that an authenticated administrator visit a malicious page. Attackers can weaponize this via phishing emails or malicious websites to trigger silent data destruction. Fixed in version 7.2.0 via PR #8613 and commit 3936162. No KEV listing or public POC identified at time of analysis, though exploitation is trivial given the simplicity of CSRF attacks against GET endpoints.

PHP CSRF
NVD GitHub VulDB
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-40484 CRITICAL Act Now

Remote code execution in ChurchCRM <7.2.0 allows authenticated administrators to upload PHP webshells through the database backup restore function, which copies files from archive Images/ directories to web-accessible paths without extension filtering. The vulnerability includes a CSRF bypass enabling forced exploitation through cross-site request forgery. Exploitation requires high privileges (administrator account) but is network-accessible with low complexity (CVSS:3.1/AV:N/AC:L/PR:H). No active exploitation confirmed (not in CISA KEV). Vendor-released fix available in version 7.2.0 via GitHub PR #8610 and commit 68be1d12.

PHP Privilege Escalation CSRF RCE
NVD GitHub VulDB
CVSS 3.1
9.1
EPSS
0.1%
CVE-2026-40480 HIGH This Week

Broken object-level authorization in ChurchCRM 7.1.x and earlier allows authenticated users with minimal EditSelf privileges to enumerate and exfiltrate sensitive personal data (names, addresses, phone numbers, emails) of all church members via the unauthenticated GET /api/person/{personId} API endpoint. While legacy UI enforces canEditPerson() checks, the API layer completely omits these authorization controls, enabling horizontal privilege escalation. Fixed in version 7.2.0. CVSS 7.1 (AV:N/AC:L/PR:L) indicates network-accessible exploitation by any low-privileged authenticated user with no technical complexity. EPSS data unavailable; no KEV listing or public POC identified at time of analysis, though the fix commit and GitHub advisory provide full technical details for replication.

PHP Authentication Bypass
NVD GitHub VulDB
CVSS 4.0
7.1
EPSS
0.0%
CVE-2026-40593 MEDIUM PATCH This Month

Stored cross-site scripting in ChurchCRM UserEditor.php prior to version 7.2.0 allows authenticated administrators to inject malicious HTML and JavaScript into username fields, which then executes in the browsers of other administrators viewing the user editor page. The vulnerability stems from failure to sanitize usernames before rendering them into HTML input value attributes, and exploitation requires administrator-level privileges combined with user interaction (another admin viewing the compromised user's editor). This is a low-CVSS but real privilege-escalation concern within multi-administrator deployments, particularly where administrators may have differing trust levels.

XSS PHP
NVD GitHub VulDB
CVSS 3.1
4.8
EPSS
0.0%
CVE-2026-40301 PHP MEDIUM PATCH This Month

DOMSanitizer before version 1.0.10 fails to sanitize CSS content within SVG <style> elements, allowing attackers to inject url() references and @import rules that trigger unauthorized HTTP requests to attacker-controlled hosts when the sanitized SVG is rendered in a browser. This affects PHP applications using the vulnerable library to sanitize user-supplied SVG content, enabling information disclosure through request metadata and potential CSRF attacks. The vulnerability requires user interaction (rendering the SVG) but affects all downstream users of the sanitized content due to scope change (C:L, S:C).

XSS PHP
NVD GitHub
CVSS 3.1
4.7
EPSS
0.0%
CVE-2026-23500 PHP CRITICAL PATCH GHSA Act Now

Command injection in Dolibarr ERP/CRM versions before 23.0.0 allows authenticated administrators to execute arbitrary operating system commands during ODT-to-PDF template conversion. The vulnerability stems from unsanitized concatenation of the MAIN_ODT_AS_PDF configuration constant into shell commands in odf.php. Exploitation requires administrative privileges (PR:H) but can be executed remotely (AV:N) with low complexity (AC:L), resulting in full system compromise as the web server user. Fixed in version 23.0.0. EPSS data not available; no public exploit identified at time of analysis.

PHP Command Injection RCE
NVD GitHub VulDB
CVSS 4.0
9.4
EPSS
0.4%
CVE-2026-40285 HIGH PATCH This Week

SQL injection in WeGIA charitable institution manager allows authenticated users to impersonate arbitrary identities and execute database queries with elevated privileges. The cpf_usuario parameter in dao/memorando/UsuarioDAO.php bypasses session-based identity controls through PHP's extract($_REQUEST) function, enabling any low-privileged authenticated user to query sensitive data or modify database contents as any other user, including administrators. WeGIA versions before 3.6.10 are affected. No public exploit identified at time of analysis, though exploitation complexity is low (CVSS AC:L) requiring only valid user credentials.

PHP SQLi
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-5718 HIGH POC This Week

Remote code execution in Drag and Drop Multiple File Upload for Contact Form 7 plugin (WordPress) versions ≤1.3.9.6 allows unauthenticated attackers to upload PHP webshells via dual file validation weaknesses. The plugin's custom blacklist configuration overwrites default protections instead of merging, and non-ASCII filenames bypass the wpcf7_antiscript_file_name() sanitizer. CVSS 8.1 with High attack complexity (AV:N/AC:H/PR:N/UI:N). Wordfence reported; patch released in changeset 3508522. No KEV listing or confirmed public exploitation, but proof-of-concept feasible given detailed vulnerable code references (lines 62, 883, 970, 987).

PHP File Upload WordPress RCE
NVD GitHub
CVSS 3.1
8.1
EPSS
0.1%
CVE-2026-3464 HIGH This Week

Path traversal in WP Customer Area plugin through version 8.3.4 enables low-privileged authenticated users (Subscriber-level or higher, as configured by administrators) to read sensitive files like wp-config.php or delete critical WordPress files to achieve remote code execution. Wordfence reported this vulnerability affecting the ajax_attach_file function, which fails to properly validate file paths. CVSS 8.8 reflects network-based exploitation with low complexity, though exploitation requires authentication and administrator-granted plugin access. No evidence of active exploitation (not in CISA KEV) or public exploit code at time of analysis.

PHP Path Traversal WordPress RCE
NVD VulDB
CVSS 3.1
8.8
EPSS
0.3%
CVE-2026-6497 LOW POC Monitor

Server-side request forgery (SSRF) in TinyFileManager file upload handler (versions up to 2.6) allows authenticated remote attackers to manipulate the uploadurl parameter and forge requests to arbitrary servers. The vulnerability affects the /filemanager.php?p=&ajax=true&type=upload endpoint and has publicly available exploit code; the vendor has not responded to disclosure attempts.

PHP SSRF File Upload
NVD VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-6496 LOW POC Monitor

Path traversal in prasathmani TinyFileManager up to version 2.6 allows authenticated remote attackers to manipulate the file[] POST parameter in /filemanager.php to read, modify, or delete arbitrary files on the server outside the intended directory scope. CVSS 5.4 reflects the authenticated requirement and lack of confidentiality impact, though integrity and availability are compromised. Public exploit code exists and the vendor has not responded to disclosure, leaving users dependent on manual patching or upgrading.

PHP Path Traversal
NVD VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-6490 MEDIUM POC This Month

SQL injection in QueryMine SMS admin/deletecourse.php allows remote unauthenticated attackers to read, modify, or delete database records via the ID parameter in GET requests. Affects all versions up to commit 7ab5a9ea196209611134525ffc18de25c57d9593. Public exploit code exists (GitHub POC available). EPSS data not available. Not listed in CISA KEV. Vendor non-responsive to disclosure. CVSS 7.3 with network attack vector and no authentication required indicates moderate-high severity, but real-world risk depends on deployment exposure of admin interface.

PHP SQLi
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-6489 LOW POC Monitor

Unrestricted file upload vulnerability in QueryMine SMS admin panel allows authenticated remote attackers to upload arbitrary files via the image parameter in admin/addteacher.php, potentially enabling remote code execution. Affects all versions up to commit 7ab5a9ea196209611134525ffc18de25c57d9593. Public exploit code exists and the vendor has not responded to disclosure attempts.

PHP File Upload
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-6488 LOW POC Monitor

SQL injection in QueryMine SMS admin/editcourse.php parameter handler allows authenticated remote attackers to query or modify the database via a crafted ID parameter, with publicly available exploit code demonstrating the vulnerability. The affected product uses rolling releases with no versioning available, and the vendor has not responded to disclosure attempts. CVSS 5.3 reflects limited scope impact under authenticated access (PR:L), but real-world risk depends on network exposure of the administrative interface.

PHP SQLi
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-6487 LOW POC Monitor

Path traversal in Qihui jtbc5 CMS 5.0.3.6 allows authenticated remote attackers to read arbitrary files via a manipulated path parameter in /dev/code/common/diplomat/manage.php. The vulnerability has a published exploit and affects the Code Endpoint component; the vendor has not responded to early disclosure. With CVSS 4.3 and EPSS probability marked as Proof-of-Concept, this represents a moderate confidentiality risk limited to authenticated users.

PHP Path Traversal
NVD VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-6486 LOW POC PATCH Monitor

Stored cross-site scripting (XSS) in Classroom Bookings up to version 2.17.0 allows authenticated users to inject malicious scripts via the displayname parameter in the User Display Name Handler component, resulting in arbitrary script execution in other users' browsers. The vulnerability requires user interaction (victim must view the affected page) and authenticated access, limiting immediate risk, but publicly available exploit code and vendor confirmation of the issue increase real-world threat. Upgrading to version 2.17.1 resolves the vulnerability.

XSS PHP
NVD VulDB GitHub
CVSS 4.0
2.0
EPSS
0.0%
CVE-2026-6441 MEDIUM This Month

Authenticated attackers with subscriber-level WordPress access can bypass capability checks in the Canto plugin (versions up to 3.1.1) via unprotected AJAX endpoints to arbitrarily modify or delete critical plugin options controlling cron scheduling and disable scheduled update tasks. The vulnerability requires a logged-in user but accepts any authenticated account regardless of intended permissions, allowing privilege escalation of low-level accounts to perform administrative functions without authorization. No active exploitation confirmed; patch status not yet identified.

PHP Authentication Bypass WordPress
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-4666 MEDIUM This Month

wpForo Forum plugin for WordPress allows authenticated Subscriber-level attackers to modify arbitrary forum posts via variable extraction abuse and weak nonce validation. Attackers exploit the `extract($args, EXTR_OVERWRITE)` function in the `edit()` method to bypass permission checks, enabling unauthorized modification of post titles, bodies, names, and emails across all forum visibility levels including private forums and admin/moderator posts. A hardcoded nonce shared across all forum templates allows any user viewing any forum page to obtain a valid nonce, making exploitation trivial for authenticated users.

PHP Authentication Bypass WordPress
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-31317 PHP HIGH GHSA This Week

Server-Side Request Forgery (SSRF) in Craftql PHP library versions 1.3.7 and earlier enables remote attackers to force the server to make unintended requests, potentially leading to arbitrary code execution. The vulnerability resides in the GetAssetsFieldSchema.php listener component. No active exploitation is confirmed (not in CISA KEV), but a proof-of-concept repository with detailed exploitation documentation exists on GitHub. Despite the CVSS 7.5 rating, the extremely low EPSS score (0.01%, 0th percentile) indicates minimal real-world exploitation activity observed to date. The description claims RCE capability, but the CVSS vector shows only confidentiality impact (C:H/I:N/A:N), suggesting the SSRF may enable information disclosure that could chain into RCE rather than direct code execution - verification with vendor advisories needed.

PHP SSRF RCE N A
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-37749 CRITICAL NEWS Act Now

SQL injection in CodeAstro Simple Attendance Management System v1.0 allows remote unauthenticated attackers to bypass authentication via the username parameter in index.php. CVSS 9.8 (AV:N/AC:L/PR:N/UI:N) indicates trivial exploitation. CISA SSVC framework confirms proof-of-concept exists, attack is automatable, and technical impact is total (full system compromise). Public POC available on GitHub enables immediate weaponization by attackers with no specialized skills.

PHP SQLi N A
NVD GitHub
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-40308 PHP HIGH POC PATCH GHSA This Week

My Calendar is a WordPress plugin for managing calendar events. In versions 3.7.6 and below, the mc_ajax_mcjs_action AJAX endpoint, registered for unauthenticated users, passes user-supplied arguments through parse_str() without validation, allowing injection of arbitrary parameters including a site value. On WordPress Multisite installations, this enables an unauthenticated attacker to call switch_to_blog() with an arbitrary site ID and extract calendar events from any sub-site on the network, including private or hidden events. On standard Single Site installations, switch_to_blog() does not exist, causing an uncaught PHP fatal error and crashing the worker thread, creating an unauthenticated denial of service vector. This issue has been fixed in version 3.7.7.

PHP Authentication Bypass WordPress Denial Of Service
NVD GitHub
CVSS 4.0
8.8
EPSS
0.0%
CVE-2026-6409 PHP HIGH PATCH GHSA This Week

A Denial of Service (DoS) vulnerability exists in the Protobuf PHP library during the parsing of untrusted input. Maliciously structured messages-specifically those containing negative varints or deep recursion-can be used to crash the application, impacting service availability.

PHP Denial Of Service
NVD GitHub VulDB
CVSS 4.0
7.1
EPSS
0.1%
CVE-2026-37347 CRITICAL Act Now

SourceCodester Payroll Management and Information System v1.0 is vulnerable to SQL Injection in the file /payroll/view_employee.php.

PHP SQLi
NVD GitHub VulDB
CVSS 3.1
9.1
EPSS
0.0%
CVE-2026-37346 MEDIUM This Month

SourceCodester Payroll Management and Information System v1.0 is vulnerable to SQL Injection in the file /payroll/view_account.php?emp_id=.

PHP SQLi
NVD GitHub VulDB
CVSS 3.1
4.7
EPSS
0.0%
CVE-2026-37345 CRITICAL Act Now

SourceCodester Vehicle Parking Area Management System v1.0 is vulnerable to SQL Injection in the file /parking/manage_park.php.

PHP SQLi
NVD GitHub VulDB
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-37344 HIGH This Week

SQL injection in SourceCodester Vehicle Parking Area Management System v1.0 allows authenticated administrators to execute arbitrary SQL commands via the /parking/manage_location.php endpoint. CVSS 7.2 indicates high-privilege requirement (PR:H) limiting exploitation to compromised admin accounts or insider threats. EPSS score of 0.01% (2nd percentile) suggests minimal observed exploitation activity. No CISA KEV listing indicates no confirmed active exploitation in enterprise environments.

PHP SQLi
NVD GitHub
CVSS 3.1
7.2
EPSS
0.0%
CVE-2026-37343 HIGH This Week

SQL injection in SourceCodester Vehicle Parking Area Management System v1.0 allows authenticated high-privilege users to execute arbitrary SQL queries via the /parking/manage_user.php endpoint. CVSS 7.2 with network vector but requires high-privilege authentication (PR:H), significantly limiting attack surface. EPSS probability is very low (0.01%, 2nd percentile), indicating minimal observed exploitation activity. No CISA KEV listing or public POC confirmation, though a technical writeup exists in GitHub repository mt-0505/cve-report.

PHP SQLi
NVD GitHub VulDB
CVSS 3.1
7.2
EPSS
0.0%
CVE-2026-37342 HIGH This Week

SQL injection in SourceCodester Vehicle Parking Area Management System v1.0 allows authenticated high-privilege users to execute arbitrary SQL commands via the /parking/view_parked_details.php endpoint. The vulnerability requires administrative credentials (CVSS PR:H) but enables full database compromise once authenticated. EPSS score of 0.01% (2nd percentile) indicates minimal observed exploitation activity. A public proof-of-concept exists on GitHub, lowering the technical barrier for authenticated attackers.

PHP SQLi
NVD GitHub
CVSS 3.1
7.2
EPSS
0.0%
CVE-2026-37341 HIGH This Week

SQL injection in SourceCodester Vehicle Parking Area Management System v1.0 allows high-privileged authenticated attackers to execute arbitrary SQL commands via the /parking/manage_category.php endpoint, enabling complete database compromise. EPSS score of 0.01% (2nd percentile) indicates minimal observed exploitation activity. Proof-of-concept exploit code is publicly available on GitHub, lowering the barrier for authenticated attackers with administrative access.

PHP SQLi
NVD GitHub
CVSS 3.1
7.2
EPSS
0.0%
CVE-2026-37340 CRITICAL Act Now

SQL injection in SourceCodester Simple Music Cloud Community System v1.0's /music/edit_music.php endpoint allows unauthenticated remote attackers to execute arbitrary SQL commands with full database access. The vulnerability carries a critical CVSS 9.8 score with network-accessible, low-complexity exploitation requiring no privileges or user interaction. EPSS probability is notably low at 0.01% (2nd percentile), suggesting limited real-world exploitation interest despite the critical severity rating. Proof-of-concept code is publicly available via GitHub, lowering the barrier for opportunistic attacks against exposed instances.

PHP SQLi
NVD GitHub
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-37339 CRITICAL Act Now

SQL injection in SourceCodester Simple Music Cloud Community System v1.0 allows unauthenticated remote attackers to execute arbitrary SQL commands via the /music/view_genre.php endpoint, enabling complete database compromise including data theft, modification, and potential server takeover. CVSS 9.8 (Critical) with network-exploitable attack vector requiring no authentication or user interaction. EPSS score of 0.01% (2nd percentile) indicates low observed exploitation probability despite critical severity. Publicly available proof-of-concept exists (GitHub repository), lowering exploitation barrier for opportunistic attackers.

PHP SQLi
NVD GitHub
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-37338 CRITICAL Act Now

SourceCodester Simple Music Cloud Community System v1.0 is vulnerable to SQL Injection in the file /music/view_user.php.

PHP SQLi
NVD GitHub
CVSS 3.1
9.4
EPSS
0.0%
CVE-2026-37337 HIGH This Week

SourceCodester Simple Music Cloud Community System v1.0 is vulnerable to SQL Injection in the file /music/view_playlist.php.

PHP SQLi
NVD GitHub
CVSS 3.1
7.3
EPSS
0.0%
CVE-2026-37336 HIGH This Week

SourceCodester Simple Music Cloud Community System v1.0 is vulnerable to SQL Injection in the file /music/view_music.php.

PHP SQLi
NVD GitHub
CVSS 3.1
7.3
EPSS
0.0%
CVE-2026-31843 PHP CRITICAL GHSA Act Now

The goodoneuz/pay-uz Laravel package (<= 2.2.24) contains a critical vulnerability in the /payment/api/editable/update endpoint that allows unauthenticated attackers to overwrite existing PHP payment hook files. The endpoint is exposed via Route::any() without authentication middleware, enabling remote access without credentials. User-controlled input is directly written into executable PHP files using file_put_contents(). These files are later executed via require() during normal payment processing workflows, resulting in remote code execution under default application behavior. The payment secret token mentioned by the vendor is unrelated to this endpoint and does not mitigate the vulnerability.

PHP Authentication Bypass RCE
NVD GitHub VulDB
CVSS 4.0
10.0
EPSS
0.9%
CVE-2026-1620 HIGH This Week

Local file inclusion in Livemesh Addons for Elementor (WordPress plugin) ≤9.0 allows authenticated attackers with Contributor-level privileges to include and execute arbitrary PHP files via recursive directory traversal bypass in widget template parameters. The vulnerability requires Elementor plugin installation and either admin interaction (social engineering) or direct Contributor access. CVSS 8.8 reflects high impact (RCE potential) but limited by authentication requirement. No active exploitation confirmed (not in CISA KEV), but publicly available exploit code exists (Wordfence disclosure with technical details and code references).

PHP LFI WordPress Path Traversal Elementor
NVD VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-40486 PHP MEDIUM PATCH GHSA This Month

### Summary A Mass Assignment / Broken Object Property Level Authorization (BOPA) vulnerability in the User Preferences API allows any authenticated user (even those with the lowest privileges) to arbitrarily modify restricted financial attributes on their profile, specifically their `hourly_rate` and `internal_rate`. ### Details Kimai restrictively protects the `hourly_rate` and `internal_rate` parameters during standard GUI flow. Users lacking the `hourly-rate` role permissions cannot see or edit these fields via the standard Web Form (`UserApiEditForm` / `UserEditType`). The vulnerability exists in the dedicated preferences API endpoint: `src/API/UserController.php::updateUserPreference`. When a `PATCH` request is sent to `/api/users/{id}/preferences`, the endpoint iterates through the submitted JSON array and blindly applies the new values: ```php foreach ($request->request->all() as $preference) { // ... validation omitted ... if (null === ($meta = $profile->getPreference($name))) { throw $this->createNotFoundException(\sprintf('Unknown custom-field "%s" requested', $name)); } $meta->setValue($value); // <-- VULNERABILITY } ``` The underlying Role-Based Access Control logic (`UserPreferenceSubscriber::getDefaultPreferences`) accurately identifies that standard users lack the `hourly-rate` role, and flags the dynamically generated preference object as disabled (`$preference->setEnabled(false)`). However, the `updateUserPreference` API endpoint entirely ignores this `isEnabled()` flag and forcefully saves the mutated object to the database natively via Doctrine ORM. This allows unauthorized accounts to manipulate the business-logic variables calculating their own financial earnings. ### PoC 1. Log into Kimai as an unprivileged, standard employee account (a user with absolutely no `roles` array privileges). 2. Capture the `cookie` or Session cookies. (In this example, the user's ID is `2`). 3. Send the following cURL request (or intercept via Burp Suite) targeting your own user ID: ```bash curl -i -X PATCH "http://localhost:8001/api/users/2/preferences" \ -H "Content-Type: application/json" \ -H "cookie: <YOUR_STANDARD_USER_TOKEN>" \ -d '[ { "name": "hourly_rate", "value": "1337" }, { "name": "internal_rate", "value": "1337" } ]' ``` 4. The server responds with `HTTP/1.1 200 OK`. (Note: The `hourly_rate` will intentionally NOT appear in the JSON echo due to `User::getVisiblePreferences` sanitizing output based on the same disabled flag). 5. If an Administrator organically views User 2's profile within Kimai, or if the user logs any new timesheets, the active and billed `hourly_rate` applied to their account will be confirmed as `1337`. <img width="1542" height="1039" alt="user_account" src="https://github.com/user-attachments/assets/fff5e2da-d598-408d-8a01-784499ade844" /> <img width="1539" height="1037" alt="admin_account" src="https://github.com/user-attachments/assets/86a6e8c3-a97f-4be3-9f9f-2e23fad1d8a0" /> ### Impact This is a Privilege Escalation and Business Logic Flaw impacting the core financial calculations of the application. An attacker with a standard user account can manipulate their own billing rate multipliers unbeknownst to administrators, resulting in fraudulent invoices, distorted timesheet exports, and unauthorized financial tampering.

PHP Privilege Escalation
NVD GitHub
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-3643 HIGH This Week

Stored XSS in Accessibly WordPress plugin (≤3.0.3) allows unauthenticated attackers to inject malicious JavaScript executed by all site visitors via unprotected REST API endpoints. Two endpoints (/otm-ac/v1/update-widget-options and /otm-ac/v1/update-app-config) lack authentication checks (permission_callback set to __return_true), enabling attackers to modify the widgetSrc option with a URL pointing to attacker-controlled scripts. The malicious URL is stored unsanitized in WordPress options and

PHP WordPress XSS
NVD
CVSS 3.1
7.2
EPSS
0.1%
CVE-2026-30993 CRITICAL Act Now

Slah CMS v1.5.0 and below was discovered to contain a remote code execution (RCE) vulnerability in the session() function at config.php. This vulnerability is exploitable via a crafted input.

PHP Code Injection RCE
NVD VulDB
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-30995 HIGH This Week

Slah CMS v1.5.0 and below was discovered to contain a SQL injection vulnerability via the id parameter in the vereador_ver.php endpoint.

SQLi PHP
NVD VulDB
CVSS 3.1
8.6
EPSS
0.0%
CVE-2026-30994 HIGH This Week

Incorrect access control in the config.php component of Slah v1.5.0 and below allows unauthenticated attackers to access sensitive information, including active session credentials.

Authentication Bypass PHP
NVD VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-30996 HIGH This Week

An issue in the file handling logic of the component download.php of SAC-NFe v2.0.02 allows attackers to execute a directory traversal and read arbitrary files from the system via a crafted GET request.

PHP Path Traversal
NVD VulDB
CVSS 3.1
7.5
EPSS
0.3%
CVE-2026-30461 HIGH This Week

Daylight Studio FuelCMS v1.5.2 was discovered to contain an authenticated remote code execution (RCE) vulnerability via the /controllers/Installer.php and the function add_git_submodule.

PHP Command Injection RCE N A
NVD GitHub VulDB
CVSS 3.1
8.3
EPSS
0.1%
CVE-2026-39387 HIGH This Week

Local File Inclusion in BoidCMS versions prior to 2.1.3 enables authenticated administrators to execute arbitrary PHP code via path traversal in the tpl parameter combined with file upload. The vulnerability chains unsanitized require_once() inclusion with media upload functionality, allowing attackers to upload malicious files and force their execution with web server privileges. Vendor-released patch available in version 2.1.3. CVSS 7.2 reflects high-privilege requirement (administrator access), but exploitation complexity is low once authenticated. No CISA KEV listing or public exploit code identified at time of analysis.

RCE LFI PHP File Upload Path Traversal
NVD GitHub
CVSS 3.1
7.2
EPSS
0.2%
CVE-2026-39971 PHP HIGH PATCH GHSA This Week

SMTP header injection in Serendipity CMS allows remote unauthenticated attackers to inject arbitrary email headers via malicious Host header during email-triggering operations (comments, subscriptions, password resets). The unsanitized $_SERVER['HTTP_HOST'] value is embedded directly into Message-ID headers without validation, enabling BCC injection, email spoofing, and reply hijacking. CVSS 7.2 with Changed scope indicates cross-domain impact. EPSS data not available; no public exploit identified at time of analysis, though a detailed proof-of-concept exists in the GitHub security advisory demonstrating successful header injection via comment submission.

PHP RCE
NVD GitHub
CVSS 3.1
7.2
EPSS
0.0%
CVE-2026-39963 PHP MEDIUM PATCH GHSA This Month

Serendipity's serendipity_setCookie() function accepts unsanitized HTTP_HOST header values as the cookie domain parameter, allowing remote attackers to scope authentication cookies (session tokens, auto-login tokens) to attacker-controlled domains and facilitate session hijacking. The vulnerability requires user interaction (victim authentication during poisoned Host header) and man-in-the-middle or reverse proxy misconfiguration to exploit, affecting all versions of Serendipity that use the vulnerable function. A proof-of-concept demonstrating cookie domain poisoning exists; exploitation probability is moderate (EPSS 6.9, CVSS AC:H reflects attack complexity), and no evidence of active exploitation has been identified.

Privilege Escalation PHP
NVD GitHub
CVSS 3.1
6.9
EPSS
0.0%
CVE-2026-35196 HIGH PATCH This Week

OS command injection in Chamilo LMS prior to 2.0.0-RC.3 allows authenticated attackers to execute arbitrary system commands via session poisoning of the course ID parameter. Attackers with low-privilege accounts can manipulate the $_SESSION['_cid'] variable to inject shell metacharacters into shell_exec() calls in the gradebook certificate export functionality, achieving full system compromise. CVSS 8.8 (High) with network attack vector and low complexity. No public exploit identified at time of analysis, though technical details are disclosed in the GitHub advisory. EPSS data not available for this recent CVE.

PHP Command Injection
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-34160 HIGH PATCH This Week

Unauthenticated Server-Side Request Forgery (SSRF) in Chamilo LMS versions prior to 2.0.0-RC.3 allows remote attackers to access internal network services and cloud metadata endpoints via unfiltered package-url parameter in the PENS plugin. Attackers can steal AWS IAM credentials from 169.254.169.254, probe internal infrastructure, and trigger state-changing operations on internal services without requiring authentication. CVSS 8.6 (High) with Changed Scope reflects the ability to pivot from the LMS to other internal systems. No public exploit identified at time of analysis, though the attack vector is straightforward requiring only HTTP requests to the exposed endpoint.

Authentication Bypass PHP SSRF Microsoft
NVD GitHub
CVSS 3.1
8.6
EPSS
0.1%
CVE-2026-33715 HIGH PATCH This Week

Server-Side Request Forgery (SSRF) in Chamilo LMS 2.0-RC.2 allows unauthenticated remote attackers to weaponize the learning management system as an open email relay and probe internal networks. The vulnerability stems from an authentication bypass in install.ajax.php, which accepts arbitrary SMTP server connections via Symfony Mailer DSN strings. No public exploit identified at time of analysis, though exploitation complexity is low (CVSS AC:L). EPSS data not provided. Vendor-released patch: version 2.0.0-RC.3.

Authentication Bypass PHP SSRF
NVD GitHub
CVSS 3.1
7.2
EPSS
0.1%
CVE-2026-33714 HIGH PATCH This Week

SQL injection in Chamilo LMS 2.0.0-RC.2 allows authenticated administrators to extract arbitrary database contents via unsanitized date parameters in the statistics AJAX endpoint's users_active action. This represents an incomplete fix for CVE-2026-30881, where only one of two vulnerable parameter sets was sanitized. Time-based blind SQL injection techniques enable data exfiltration despite requiring admin-level authentication. EPSS data not available; no public exploit identified at time of analysis, though the incomplete remediation pattern and technical details in the GitHub advisory lower exploitation barriers for attackers with admin access.

SQLi PHP
NVD GitHub
CVSS 4.0
7.1
EPSS
0.0%
CVE-2026-25125 PHP MEDIUM PATCH GHSA This Month

October CMS versions prior to 3.7.14 and 4.1.10 allow authenticated editors to disclose sensitive environment variables through PHP's parse_ini_string() interpolation syntax in page settings fields. An attacker with Editor access can inject patterns like ${APP_KEY} or ${DB_PASSWORD} into CMS configuration fields, causing the server to resolve and expose database passwords, AWS credentials, and application keys, potentially enabling database compromise or session forgery. The vulnerability is limited to installations with cms.safe_mode enabled; CVSS 4.9 reflects high confidentiality impact but requires elevated privileges (PR:H) to exploit.

PHP Information Disclosure
NVD GitHub VulDB
CVSS 3.1
4.9
EPSS
0.0%
CVE-2026-3017 HIGH This Week

PHP object injection in Smart Post Show WordPress plugin versions ≤3.0.12 allows administrators to deserialize untrusted input via the import_shortcodes() function. While no POP chain exists in the plugin itself (making direct exploitation impossible), the vulnerability becomes critical if paired with another plugin/theme containing exploitable gadget chains, potentially enabling file deletion, data exfiltration, or remote code execution. CVSS 7.2 (High) reflects theoretical maximum impact. No public exploit identified at time of analysis, with EPSS data unavailable for this recent CVE identifier.

PHP WordPress Information Disclosure Deserialization
NVD
CVSS 3.1
7.2
EPSS
0.0%
CVE-2026-6227 HIGH This Week

Local file inclusion in BackWPup WordPress plugin versions ≤5.6.6 allows authenticated administrators to read sensitive configuration files or achieve remote code execution via path traversal bypass in the `/wp-json/backwpup/v1/getblock` REST endpoint. The vulnerability stems from insufficient sanitization using non-recursive `str_replace()`, enabling crafted sequences like `....//` to bypass filtering. While requiring high privileges (PR:H), the plugin's permission delegation feature allows administrators to grant backup management rights to lower-privileged users, expanding the attack surface. No public exploit or active exploitation (CISA KEV) confirmed at time of analysis, though CVSS 7.2 reflects high confidentiality, integrity, and availability impact.

PHP Path Traversal WordPress RCE
NVD
CVSS 3.1
7.2
EPSS
0.3%
CVE-2026-30480 MEDIUM This Month

A Local File Inclusion (LFI) vulnerability in the NFSen module (nfsen.inc.php) of LibreNMS 22.11.0-23-gd091788f2 allows authenticated attackers to include arbitrary PHP files from the server filesystem via path traversal sequences in the nfsen parameter.

PHP LFI Path Traversal
NVD GitHub
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-38530 PHP HIGH GHSA This Week

Broken Object-Level Authorization in Webkul Krayin CRM 2.2.x allows authenticated attackers to read, modify, and permanently delete leads belonging to other users via crafted GET requests to the LeadController endpoint. This multi-tenant access control failure enables horizontal privilege escalation across customer boundaries. Authentication requirements are minimal (PR:L in CVSS vector), and the attack complexity is low with no user interaction required. No public exploit identified at time of analysis, though the vulnerability appears straightforward to exploit given its BOLA nature.

PHP Authentication Bypass
NVD GitHub
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-38532 PHP HIGH GHSA This Week

Broken Object-Level Authorization in Webkul Krayin CRM v2.2.x allows authenticated attackers to access, modify, and delete contact records belonging to other users without authorization. The vulnerability exists in the PersonController.php endpoint where insufficient access controls permit low-privileged authenticated users to manipulate arbitrary contact objects via crafted GET requests. No public exploit identified at time of analysis, though the attack vector is network-accessible with low complexity (CVSS:3.1 AV:N/AC:L/PR:L).

PHP Authentication Bypass
NVD GitHub
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-38529 PHP HIGH GHSA This Week

Authenticated attackers can reset arbitrary user passwords in Webkul Krayin CRM v2.2.x through a Broken Object-Level Authorization (BOLA) vulnerability in the /Settings/UserController.php endpoint, enabling full account takeover of any user account. The attack requires low-privilege authentication (PR:L) and is exploitable remotely with low complexity (AV:N/AC:L), presenting an 8.8 CVSS severity with high impact to confidentiality, integrity, and availability. EPSS data not available; no CISA KEV listing identified; publicly available exploit code exists per researcher disclosure.

PHP Privilege Escalation
NVD GitHub
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-38528 HIGH This Week

SQL injection in Krayin CRM 2.2.x allows authenticated remote attackers to extract sensitive database contents via the rotten_lead parameter in LeadDataGrid.php. CVSS 7.1 severity with network attack vector and low complexity enables database enumeration with low-privilege credentials. No public exploit identified at time of analysis, though EPSS data unavailable. Technical advisory published on GitHub indicates vulnerability affects lead management functionality in this Laravel-based open-source CRM platform.

PHP SQLi
NVD GitHub
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-38526 CRITICAL POC Act Now

Remote code execution in Webkul Krayin CRM v2.2.x allows authenticated attackers with low-level privileges to upload and execute malicious PHP files through an unrestricted file upload vulnerability in the /admin/tinymce/upload endpoint. The scope change (CVSS S:C) indicates potential container escape or cross-tenant impact. Authentication requirement confirmed (CVSS PR:L). No public exploit identified at time of analysis, though technical details are available in security advisory references.

File Upload PHP RCE
NVD GitHub Exploit-DB VulDB
CVSS 3.1
9.9
EPSS
0.1%
CVE-2025-65136 MEDIUM This Month

Reflected cross-site scripting (XSS) in manikandan580 School-management-system 1.0 allows unauthenticated remote attackers to inject malicious scripts via the pagedes POST parameter in /studentms/admin/contact-us.php, affecting users with browser cookies or session tokens. Publicly available exploit code exists, and the vulnerability impacts confidentiality and integrity with moderate scope. CVSS score of 6.1 reflects the requirement for user interaction to trigger the malicious payload.

PHP XSS
NVD GitHub
CVSS 3.1
6.1
EPSS
0.0%
CVE-2025-65135 CRITICAL Act Now

Time-based blind SQL injection in manikandan580 School Management System 1.0 allows unauthenticated remote attackers to extract sensitive database contents and potentially execute arbitrary SQL commands through the fromdate POST parameter in /studentms/admin/between-date-reprtsdetails.php. The CVSS 9.8 critical score reflects network-based exploitation requiring no privileges or user interaction, with complete confidentiality, integrity, and availability impact. No public exploit identified at time of analysis, though the specific vulnerable parameter and injection type are documented in public security advisories.

PHP SQLi
NVD GitHub
CVSS 3.1
9.8
EPSS
0.0%
CVE-2025-65134 MEDIUM This Month

Reflected cross-site scripting (XSS) in School Management System 1.0 allows unauthenticated remote attackers to inject malicious scripts via the email POST parameter in the contact-us.php admin interface. A victim must click a crafted link, enabling attackers to steal session cookies, perform administrative actions, or redirect users to malicious sites. Public proof-of-concept code exists; however, real-world exploitation probability remains low (EPSS 0.02%) due to reliance on user interaction and limited automaton.

XSS PHP N A
NVD GitHub
CVSS 3.1
6.1
EPSS
0.0%
CVE-2025-65132 MEDIUM This Month

Stored or reflected cross-site scripting (XSS) in alandsilva26 hotel-management-php 1.0 allows unauthenticated remote attackers to inject and execute arbitrary JavaScript in the context of authenticated administrators via a malicious room_id GET parameter in /public/admin/edit_room.php. Public exploit code exists (SSVC confirms poc status). The vulnerability requires user interaction (UI:R) to trigger, affecting confidentiality and integrity of admin sessions with partial technical impact.

PHP XSS
NVD GitHub
CVSS 3.1
6.1
EPSS
0.0%
CVE-2025-63939 CRITICAL Act Now

SQL injection in Grocery Store Management System 1.0 allows unauthenticated remote attackers to execute arbitrary SQL commands through the sitem_name parameter in search_products_itname.php. The vulnerability achieves maximum CVSS 9.8 due to network accessibility without authentication, enabling complete database compromise including data exfiltration, modification, and potential system takeover. EPSS data not available; no confirmed active exploitation (CISA KEV) identified at time of analysis, though publicly available exploit code exists per researcher advisory.

PHP SQLi
NVD GitHub
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-37602 LOW Monitor

SQL injection in SourceCodester Patient Appointment Scheduler System v1.0 at /scheduler/admin/user/manage_user.php allows high-privilege authenticated attackers to read sensitive data via crafted SQL queries. CVSS score of 2.7 reflects the requirement for high administrative privileges (PR:H), limiting real-world impact. SSVC framework confirms no known active exploitation, non-automatable attack, and partial technical impact (confidentiality only). This is a low-severity vulnerability constrained by authentication requirements despite the presence of a SQL injection flaw.

PHP SQLi
NVD GitHub
CVSS 3.1
2.7
EPSS
0.0%
CVE-2026-37601 LOW Monitor

SQL injection in SourceCodester Patient Appointment Scheduler System v1.0 allows authenticated high-privilege administrators to read sensitive data through the /scheduler/admin/appointments/manage_appointment.php endpoint. The vulnerability requires administrative credentials and does not enable data modification or denial of service, limiting real-world impact despite network-accessible exposure. CVSS score of 2.7 reflects the high authentication barrier and confidentiality-only impact; CISA SSVC framework rates exploitation as 'none' with no automatable attack path.

PHP SQLi
NVD GitHub
CVSS 3.1
2.7
EPSS
0.0%
CVE-2026-37600 LOW Monitor

SQL injection in SourceCodester Patient Appointment Scheduler System v1.0 allows authenticated high-privilege users to read sensitive database information via the /scheduler/admin/appointments/view_details.php endpoint. The vulnerability requires administrative credentials and network access but carries low real-world risk due to restrictive authentication requirements (PR:H), limited scope of impact (confidentiality only), and CVSS score of 2.7. No public exploit code or active exploitation has been identified.

PHP SQLi
NVD GitHub
CVSS 3.1
2.7
EPSS
0.0%
CVE-2026-37598 LOW Monitor

SourceCodester Patient Appointment Scheduler System v1.0 suffers from SQL injection in the SystemSettings.php update_settings function, allowing authenticated high-privilege administrators to execute arbitrary SQL queries. While tagged as RCE, the CVSS vector (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N) and SSVC framework indicate limited confidentiality impact with no confirmed integrity or availability consequences; this is primarily a SQL injection vulnerability requiring administrative credentials with no public exploit code identified at time of analysis.

PHP RCE SQLi
NVD GitHub
CVSS 3.1
2.7
EPSS
0.0%
CVE-2026-37597 LOW Monitor

SQL injection in SourceCodester Online Employees Work From Home Attendance System v1.0 allows high-privilege authenticated attackers to execute arbitrary SQL queries via the /wfh_attendance/admin/attendance_list.php endpoint, enabling unauthorized data disclosure with low confidentiality impact. The vulnerability requires administrator-level access and carries minimal real-world risk due to high privilege requirements and low exploitability (SSVC exploitation status: none), though it represents a defense-in-depth failure in an administrative function.

PHP SQLi
NVD GitHub
CVSS 3.1
2.7
EPSS
0.0%
CVE-2026-37596 LOW Monitor

SQL injection in SourceCodester Online Employees Work From Home Attendance System v1.0 allows high-privilege authenticated attackers to extract sensitive database information via the /wfh_attendance/admin/manage_department.php endpoint. The CVSS 2.7 score reflects low real-world risk due to the requirement for high-privilege administrative credentials and confidentiality-only impact; no public exploit code has been identified, and the vulnerability is not confirmed as actively exploited.

PHP SQLi
NVD GitHub
CVSS 3.1
2.7
EPSS
0.0%
CVE-2026-37595 LOW Monitor

SQL Injection in SourceCodester Online Employees Work From Home Attendance System v1.0 allows high-privilege authenticated attackers to read sensitive database contents via crafted input to the /wfh_attendance/admin/manage_employee.php file. The CVSS score of 2.7 reflects limited impact (confidentiality only, no integrity or availability loss) and high authentication barriers (administrator role required). No public exploit code or active exploitation has been confirmed.

PHP SQLi
NVD GitHub
CVSS 3.1
2.7
EPSS
0.0%
CVE-2026-37594 LOW Monitor

SQL Injection in SourceCodester Online Employees Work From Home Attendance System v1.0 allows high-privilege remote attackers to read sensitive database contents via crafted input to the /wfh_attendance/admin/view_employee.php endpoint. CVSS 2.7 reflects high authentication barriers (PR:H requires admin access), no automatable exploitation per SSVC, and confidentiality impact only. No public exploit code or active exploitation confirmed at time of analysis.

PHP SQLi
NVD GitHub
CVSS 3.1
2.7
EPSS
0.0%
CVE-2026-37593 LOW Monitor

SQL Injection in SourceCodester Online Employees Work From Home Attendance System v1.0 allows high-privileged authenticated attackers to execute arbitrary SQL queries via the /wfh_attendance/admin/view_att.php endpoint, potentially disclosing sensitive employee attendance data. The vulnerability requires administrative credentials and carries low real-world risk despite SQL injection's severity class, as evidenced by CVSS 2.7 and SSVC designation of no exploitation likelihood with partial technical impact. No public exploit code or active exploitation has been identified.

PHP SQLi
NVD GitHub
CVSS 3.1
2.7
EPSS
0.0%
CVE-2026-37592 LOW Monitor

SQL injection in Sourcecodester Storage Unit Rental Management System v1.0 allows high-privilege authenticated administrators to execute arbitrary SQL queries via the /storage/admin/maintenance/manage_pricing.php endpoint, resulting in partial confidentiality impact. The CVSS score of 2.7 reflects the requirement for high administrative privileges and absence of integrity or availability impact, placing this as a low-risk vulnerability despite the SQL injection classification. No public exploit code or active exploitation has been identified.

PHP SQLi
NVD GitHub
CVSS 3.1
2.7
EPSS
0.0%
CVE-2026-37591 LOW Monitor

SQL injection in Sourcecodester Storage Unit Rental Management System v1.0 allows high-privileged remote attackers to read sensitive data through the /storage/admin/tenants/view_details.php endpoint. With a CVSS score of 2.7 and requirement for high administrative privileges (PR:H), this vulnerability has minimal real-world impact despite the SQL injection class; however, it represents a privilege-abuse risk within already-compromised administrative contexts. No public exploit code or active exploitation has been confirmed.

PHP SQLi
NVD GitHub
CVSS 3.1
2.7
EPSS
0.0%
CVE-2026-37589 LOW Monitor

SQL Injection in SourceCodester Storage Unit Rental Management System v1.0 allows authenticated administrative users to execute arbitrary SQL queries via the /storage/admin/maintenance/manage_storage_unit.php endpoint. The vulnerability requires high-privilege access (PR:H) and returns only limited information (confidentiality impact only), resulting in a low CVSS score of 2.7. No public exploit code or active exploitation has been confirmed at the time of analysis.

PHP SQLi
NVD GitHub
CVSS 3.1
2.7
EPSS
0.0%
CVE-2026-37590 LOW Monitor

SQL injection in SourceCodester Storage Unit Rental Management System v1.0 allows high-privileged authenticated attackers to read sensitive database contents via crafted input in /storage/admin/rents/manage_rent.php. The vulnerability requires administrator-level access and produces only limited information disclosure with no impact on data integrity or availability. EPSS and SSVC assessments indicate minimal real-world exploitation risk due to authentication barrier and non-automatable attack requirements.

PHP SQLi
NVD GitHub
CVSS 3.1
2.7
EPSS
0.0%
CVE-2026-32271 PHP HIGH PATCH GHSA This Week

Remote code execution via SQL injection in Craft Commerce 4.x (4.0.0-4.10.2) and 5.x (5.0.0-5.5.4) allows authenticated control panel users to write PHP webshells through a four-step exploitation chain. Attack exploits unsanitized TotalRevenue widget settings interpolated into SQL, PDO multi-statement support, and unsafe PHP deserialization in yii2-queue to instantiate a GuzzleHttp FileCookieJar gadget chain. Complete exploitation requires only three HTTP requests and low-privileged authenticati

SQLi Deserialization RCE PHP
NVD GitHub VulDB
CVSS 4.0
7.7
EPSS
0.2%
CVE-2026-6202 LOW POC Monitor

A security flaw has been discovered in code-projects Easy Blog Site 1.0. This affects an unknown function of the file post.php. Performing a manipulation of the argument tags results in sql injection. The attack may be initiated remotely. The exploit has been released to the public and may be used for attacks.

SQLi PHP
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-6201 LOW POC Monitor

A vulnerability was identified in CodeAstro Online Job Portal 1.0. The impacted element is an unknown function of the file /jobs/job-delete.php of the component Delete Job Posting Handler. Such manipulation of the argument ID leads to improper access controls. The attack can be launched remotely. The exploit is publicly available and might be used.

Authentication Bypass PHP
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-40044 CRITICAL Act Now

Remote code execution in Pachno 1.0.6 allows unauthenticated attackers to achieve arbitrary code execution by exploiting unsafe deserialization of PHP objects. Attackers write malicious serialized payloads to world-writable cache files with predictable names, which are automatically unserialized during framework bootstrap before authentication occurs. EPSS indicates 0.14% probability of exploitation (33rd percentile), no active exploitation confirmed per CISA KEV, and SSVC classifies this as automatable with total technical impact.

PHP Deserialization RCE
NVD VulDB
CVSS 4.0
9.3
EPSS
0.1%
EPSS 0% CVSS 8.2
HIGH This Week

SQL injection in Apartment Visitors Management System v1.1 allows unauthenticated remote attackers to extract sensitive database contents via the contactno parameter on the password reset page. The vulnerability bypasses authentication controls through crafted input during password recovery operations. EPSS and KEV data not available, but SSVC framework indicates proof-of-concept exists and the vulnerability is automatable with partial technical impact. The CVSS score of 8.2 reflects high confidentiality impact with network-accessible attack surface requiring no user interaction.

PHP SQLi N A
NVD GitHub VulDB
EPSS 0% CVSS 5.4
MEDIUM This Month

Stored cross-site scripting (XSS) in Apartment Visitors Management System v1.1 allows authenticated attackers to inject malicious JavaScript via the visname parameter in visitors-form.php, which executes when other users view the injected data in manage-newvisitors.php or visitor-detail.php. The vulnerability requires user interaction (victim visiting affected pages) and valid authentication but can escalate privileges, steal session tokens, or perform actions on behalf of administrative users viewing visitor records.

XSS PHP
NVD GitHub VulDB
EPSS 0% CVSS 2.1
LOW POC Monitor

Server-side request forgery in PHPEMS 11.0 allows authenticated remote attackers to manipulate the uploadfile parameter in the Instant Exam Creation Handler component, enabling SSRF attacks that can access internal resources or perform unauthorized requests from the server. The vulnerability affects the temppage function in /app/exam/controller/exams.master.php and has public exploit code available, though exploitation requires valid user credentials (PR:L).

PHP SSRF
NVD VulDB
EPSS 0% CVSS 2.9
LOW POC Monitor

Improper authorization in Collabora KodExplorer up to version 4.52 allows remote unauthenticated attackers to bypass authentication via manipulation of the fileUpload parameter in the /app/controller/share.class.php endpoint, potentially enabling unauthorized file access or modification with low confidentiality, integrity, and availability impact. Publicly available exploit code exists; however, the attack requires high complexity and is described as difficult to execute in practice, limiting real-world exploitation despite public disclosure and vendor non-responsiveness.

PHP Authentication Bypass
NVD VulDB
EPSS 0% CVSS 2.1
LOW POC Monitor

Kodcloud KodExplorer up to version 4.52 contains an authorization bypass vulnerability in the roleGroupAction function that allows authenticated remote attackers to manipulate the group_role parameter and gain unauthorized access to sensitive information and system modification capabilities. The vulnerability has a CVSS score of 6.3 with public exploit code available, and the vendor has not responded to early disclosure notifications, leaving deployed instances without official patching options.

PHP Authentication Bypass
NVD VulDB
EPSS 0% CVSS 2.0
LOW POC Monitor

Remote authorization bypass in KodCloud KodExplorer up to version 4.52 allows high-privileged authenticated attackers to manipulate the path argument in the initInstall function (/app/controller/systemMember.class.php), resulting in integrity compromise. The exploit code is publicly available, and the vendor has not responded to early disclosure notifications, leaving deployed instances vulnerable without official remediation guidance.

PHP Authentication Bypass
NVD VulDB
EPSS 0% CVSS 6.9
MEDIUM This Month

Improper authentication in kodcloud KodExplorer versions up to 4.52 allows unauthenticated remote attackers to bypass access controls via the fileGet endpoint. The vulnerability resides in the fileGet function within /app/controller/share.class.php, exploitable by manipulating the fileUrl parameter. With CVSS 7.3 and network attack vector requiring no privileges or user interaction, this enables unauthorized file access and potential data manipulation. EPSS score unavailable; no CISA KEV listing indicates no confirmed widespread exploitation. Vendor non-responsive to disclosure attempts.

PHP Authentication Bypass
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM POC This Month

Path traversal in kodcloud KodExplorer 4.52 and earlier allows unauthenticated remote attackers to access unauthorized files via the public share handler's path parameter. The vulnerability has publicly available exploit code (EPSS data not provided, not listed in CISA KEV). The vendor did not respond to responsible disclosure, leaving all versions through 4.52 unpatched at time of analysis.

PHP Path Traversal
NVD VulDB
EPSS 0% CVSS 2.0
LOW POC Monitor

EyouCMS versions up to 1.7.1 allow high-privileged attackers to upload arbitrary files via manipulation of the filename parameter in the edit_adminlogo function, leading to information disclosure and potential code execution. The vulnerability requires authenticated admin access and is publicly exploitable with proof-of-concept code available on GitHub; the vendor has not responded to disclosure attempts.

PHP File Upload
NVD VulDB GitHub
EPSS 0% CVSS 8.1
HIGH This Week

Cross-Site Request Forgery (CSRF) in ChurchCRM versions before 7.2.0 allows remote attackers to permanently delete family records and all associated data (notes, pledges, persons, property) through the SelectDelete.php endpoint. The endpoint executes irreversible deletions via unauthenticated GET requests without CSRF token validation, requiring only that an authenticated administrator visit a malicious page. Attackers can weaponize this via phishing emails or malicious websites to trigger silent data destruction. Fixed in version 7.2.0 via PR #8613 and commit 3936162. No KEV listing or public POC identified at time of analysis, though exploitation is trivial given the simplicity of CSRF attacks against GET endpoints.

PHP CSRF
NVD GitHub VulDB
EPSS 0% CVSS 9.1
CRITICAL Act Now

Remote code execution in ChurchCRM <7.2.0 allows authenticated administrators to upload PHP webshells through the database backup restore function, which copies files from archive Images/ directories to web-accessible paths without extension filtering. The vulnerability includes a CSRF bypass enabling forced exploitation through cross-site request forgery. Exploitation requires high privileges (administrator account) but is network-accessible with low complexity (CVSS:3.1/AV:N/AC:L/PR:H). No active exploitation confirmed (not in CISA KEV). Vendor-released fix available in version 7.2.0 via GitHub PR #8610 and commit 68be1d12.

PHP Privilege Escalation CSRF +1
NVD GitHub VulDB
EPSS 0% CVSS 7.1
HIGH This Week

Broken object-level authorization in ChurchCRM 7.1.x and earlier allows authenticated users with minimal EditSelf privileges to enumerate and exfiltrate sensitive personal data (names, addresses, phone numbers, emails) of all church members via the unauthenticated GET /api/person/{personId} API endpoint. While legacy UI enforces canEditPerson() checks, the API layer completely omits these authorization controls, enabling horizontal privilege escalation. Fixed in version 7.2.0. CVSS 7.1 (AV:N/AC:L/PR:L) indicates network-accessible exploitation by any low-privileged authenticated user with no technical complexity. EPSS data unavailable; no KEV listing or public POC identified at time of analysis, though the fix commit and GitHub advisory provide full technical details for replication.

PHP Authentication Bypass
NVD GitHub VulDB
EPSS 0% CVSS 4.8
MEDIUM PATCH This Month

Stored cross-site scripting in ChurchCRM UserEditor.php prior to version 7.2.0 allows authenticated administrators to inject malicious HTML and JavaScript into username fields, which then executes in the browsers of other administrators viewing the user editor page. The vulnerability stems from failure to sanitize usernames before rendering them into HTML input value attributes, and exploitation requires administrator-level privileges combined with user interaction (another admin viewing the compromised user's editor). This is a low-CVSS but real privilege-escalation concern within multi-administrator deployments, particularly where administrators may have differing trust levels.

XSS PHP
NVD GitHub VulDB
EPSS 0% CVSS 4.7
MEDIUM PATCH This Month

DOMSanitizer before version 1.0.10 fails to sanitize CSS content within SVG <style> elements, allowing attackers to inject url() references and @import rules that trigger unauthorized HTTP requests to attacker-controlled hosts when the sanitized SVG is rendered in a browser. This affects PHP applications using the vulnerable library to sanitize user-supplied SVG content, enabling information disclosure through request metadata and potential CSRF attacks. The vulnerability requires user interaction (rendering the SVG) but affects all downstream users of the sanitized content due to scope change (C:L, S:C).

XSS PHP
NVD GitHub
EPSS 0% CVSS 9.4
CRITICAL PATCH Act Now

Command injection in Dolibarr ERP/CRM versions before 23.0.0 allows authenticated administrators to execute arbitrary operating system commands during ODT-to-PDF template conversion. The vulnerability stems from unsanitized concatenation of the MAIN_ODT_AS_PDF configuration constant into shell commands in odf.php. Exploitation requires administrative privileges (PR:H) but can be executed remotely (AV:N) with low complexity (AC:L), resulting in full system compromise as the web server user. Fixed in version 23.0.0. EPSS data not available; no public exploit identified at time of analysis.

PHP Command Injection RCE
NVD GitHub VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

SQL injection in WeGIA charitable institution manager allows authenticated users to impersonate arbitrary identities and execute database queries with elevated privileges. The cpf_usuario parameter in dao/memorando/UsuarioDAO.php bypasses session-based identity controls through PHP's extract($_REQUEST) function, enabling any low-privileged authenticated user to query sensitive data or modify database contents as any other user, including administrators. WeGIA versions before 3.6.10 are affected. No public exploit identified at time of analysis, though exploitation complexity is low (CVSS AC:L) requiring only valid user credentials.

PHP SQLi
NVD GitHub VulDB
EPSS 0% CVSS 8.1
HIGH POC This Week

Remote code execution in Drag and Drop Multiple File Upload for Contact Form 7 plugin (WordPress) versions ≤1.3.9.6 allows unauthenticated attackers to upload PHP webshells via dual file validation weaknesses. The plugin's custom blacklist configuration overwrites default protections instead of merging, and non-ASCII filenames bypass the wpcf7_antiscript_file_name() sanitizer. CVSS 8.1 with High attack complexity (AV:N/AC:H/PR:N/UI:N). Wordfence reported; patch released in changeset 3508522. No KEV listing or confirmed public exploitation, but proof-of-concept feasible given detailed vulnerable code references (lines 62, 883, 970, 987).

PHP File Upload WordPress +1
NVD GitHub
EPSS 0% CVSS 8.8
HIGH This Week

Path traversal in WP Customer Area plugin through version 8.3.4 enables low-privileged authenticated users (Subscriber-level or higher, as configured by administrators) to read sensitive files like wp-config.php or delete critical WordPress files to achieve remote code execution. Wordfence reported this vulnerability affecting the ajax_attach_file function, which fails to properly validate file paths. CVSS 8.8 reflects network-based exploitation with low complexity, though exploitation requires authentication and administrator-granted plugin access. No evidence of active exploitation (not in CISA KEV) or public exploit code at time of analysis.

PHP Path Traversal WordPress +1
NVD VulDB
EPSS 0% CVSS 2.1
LOW POC Monitor

Server-side request forgery (SSRF) in TinyFileManager file upload handler (versions up to 2.6) allows authenticated remote attackers to manipulate the uploadurl parameter and forge requests to arbitrary servers. The vulnerability affects the /filemanager.php?p=&ajax=true&type=upload endpoint and has publicly available exploit code; the vendor has not responded to disclosure attempts.

PHP SSRF File Upload
NVD VulDB
EPSS 0% CVSS 2.1
LOW POC Monitor

Path traversal in prasathmani TinyFileManager up to version 2.6 allows authenticated remote attackers to manipulate the file[] POST parameter in /filemanager.php to read, modify, or delete arbitrary files on the server outside the intended directory scope. CVSS 5.4 reflects the authenticated requirement and lack of confidentiality impact, though integrity and availability are compromised. Public exploit code exists and the vendor has not responded to disclosure, leaving users dependent on manual patching or upgrading.

PHP Path Traversal
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in QueryMine SMS admin/deletecourse.php allows remote unauthenticated attackers to read, modify, or delete database records via the ID parameter in GET requests. Affects all versions up to commit 7ab5a9ea196209611134525ffc18de25c57d9593. Public exploit code exists (GitHub POC available). EPSS data not available. Not listed in CISA KEV. Vendor non-responsive to disclosure. CVSS 7.3 with network attack vector and no authentication required indicates moderate-high severity, but real-world risk depends on deployment exposure of admin interface.

PHP SQLi
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

Unrestricted file upload vulnerability in QueryMine SMS admin panel allows authenticated remote attackers to upload arbitrary files via the image parameter in admin/addteacher.php, potentially enabling remote code execution. Affects all versions up to commit 7ab5a9ea196209611134525ffc18de25c57d9593. Public exploit code exists and the vendor has not responded to disclosure attempts.

PHP File Upload
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

SQL injection in QueryMine SMS admin/editcourse.php parameter handler allows authenticated remote attackers to query or modify the database via a crafted ID parameter, with publicly available exploit code demonstrating the vulnerability. The affected product uses rolling releases with no versioning available, and the vendor has not responded to disclosure attempts. CVSS 5.3 reflects limited scope impact under authenticated access (PR:L), but real-world risk depends on network exposure of the administrative interface.

PHP SQLi
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

Path traversal in Qihui jtbc5 CMS 5.0.3.6 allows authenticated remote attackers to read arbitrary files via a manipulated path parameter in /dev/code/common/diplomat/manage.php. The vulnerability has a published exploit and affects the Code Endpoint component; the vendor has not responded to early disclosure. With CVSS 4.3 and EPSS probability marked as Proof-of-Concept, this represents a moderate confidentiality risk limited to authenticated users.

PHP Path Traversal
NVD VulDB
EPSS 0% CVSS 2.0
LOW POC PATCH Monitor

Stored cross-site scripting (XSS) in Classroom Bookings up to version 2.17.0 allows authenticated users to inject malicious scripts via the displayname parameter in the User Display Name Handler component, resulting in arbitrary script execution in other users' browsers. The vulnerability requires user interaction (victim must view the affected page) and authenticated access, limiting immediate risk, but publicly available exploit code and vendor confirmation of the issue increase real-world threat. Upgrading to version 2.17.1 resolves the vulnerability.

XSS PHP
NVD VulDB GitHub
EPSS 0% CVSS 4.3
MEDIUM This Month

Authenticated attackers with subscriber-level WordPress access can bypass capability checks in the Canto plugin (versions up to 3.1.1) via unprotected AJAX endpoints to arbitrarily modify or delete critical plugin options controlling cron scheduling and disable scheduled update tasks. The vulnerability requires a logged-in user but accepts any authenticated account regardless of intended permissions, allowing privilege escalation of low-level accounts to perform administrative functions without authorization. No active exploitation confirmed; patch status not yet identified.

PHP Authentication Bypass WordPress
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

wpForo Forum plugin for WordPress allows authenticated Subscriber-level attackers to modify arbitrary forum posts via variable extraction abuse and weak nonce validation. Attackers exploit the `extract($args, EXTR_OVERWRITE)` function in the `edit()` method to bypass permission checks, enabling unauthorized modification of post titles, bodies, names, and emails across all forum visibility levels including private forums and admin/moderator posts. A hardcoded nonce shared across all forum templates allows any user viewing any forum page to obtain a valid nonce, making exploitation trivial for authenticated users.

PHP Authentication Bypass WordPress
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Server-Side Request Forgery (SSRF) in Craftql PHP library versions 1.3.7 and earlier enables remote attackers to force the server to make unintended requests, potentially leading to arbitrary code execution. The vulnerability resides in the GetAssetsFieldSchema.php listener component. No active exploitation is confirmed (not in CISA KEV), but a proof-of-concept repository with detailed exploitation documentation exists on GitHub. Despite the CVSS 7.5 rating, the extremely low EPSS score (0.01%, 0th percentile) indicates minimal real-world exploitation activity observed to date. The description claims RCE capability, but the CVSS vector shows only confidentiality impact (C:H/I:N/A:N), suggesting the SSRF may enable information disclosure that could chain into RCE rather than direct code execution - verification with vendor advisories needed.

PHP SSRF RCE +1
NVD GitHub VulDB
EPSS 0% CVSS 9.8
CRITICAL Act Now

SQL injection in CodeAstro Simple Attendance Management System v1.0 allows remote unauthenticated attackers to bypass authentication via the username parameter in index.php. CVSS 9.8 (AV:N/AC:L/PR:N/UI:N) indicates trivial exploitation. CISA SSVC framework confirms proof-of-concept exists, attack is automatable, and technical impact is total (full system compromise). Public POC available on GitHub enables immediate weaponization by attackers with no specialized skills.

PHP SQLi N A
NVD GitHub
EPSS 0% CVSS 8.8
HIGH POC PATCH This Week

My Calendar is a WordPress plugin for managing calendar events. In versions 3.7.6 and below, the mc_ajax_mcjs_action AJAX endpoint, registered for unauthenticated users, passes user-supplied arguments through parse_str() without validation, allowing injection of arbitrary parameters including a site value. On WordPress Multisite installations, this enables an unauthenticated attacker to call switch_to_blog() with an arbitrary site ID and extract calendar events from any sub-site on the network, including private or hidden events. On standard Single Site installations, switch_to_blog() does not exist, causing an uncaught PHP fatal error and crashing the worker thread, creating an unauthenticated denial of service vector. This issue has been fixed in version 3.7.7.

PHP Authentication Bypass WordPress +1
NVD GitHub
EPSS 0% CVSS 7.1
HIGH PATCH This Week

A Denial of Service (DoS) vulnerability exists in the Protobuf PHP library during the parsing of untrusted input. Maliciously structured messages-specifically those containing negative varints or deep recursion-can be used to crash the application, impacting service availability.

PHP Denial Of Service
NVD GitHub VulDB
EPSS 0% CVSS 9.1
CRITICAL Act Now

SourceCodester Payroll Management and Information System v1.0 is vulnerable to SQL Injection in the file /payroll/view_employee.php.

PHP SQLi
NVD GitHub VulDB
EPSS 0% CVSS 4.7
MEDIUM This Month

SourceCodester Payroll Management and Information System v1.0 is vulnerable to SQL Injection in the file /payroll/view_account.php?emp_id=.

PHP SQLi
NVD GitHub VulDB
EPSS 0% CVSS 9.8
CRITICAL Act Now

SourceCodester Vehicle Parking Area Management System v1.0 is vulnerable to SQL Injection in the file /parking/manage_park.php.

PHP SQLi
NVD GitHub VulDB
EPSS 0% CVSS 7.2
HIGH This Week

SQL injection in SourceCodester Vehicle Parking Area Management System v1.0 allows authenticated administrators to execute arbitrary SQL commands via the /parking/manage_location.php endpoint. CVSS 7.2 indicates high-privilege requirement (PR:H) limiting exploitation to compromised admin accounts or insider threats. EPSS score of 0.01% (2nd percentile) suggests minimal observed exploitation activity. No CISA KEV listing indicates no confirmed active exploitation in enterprise environments.

PHP SQLi
NVD GitHub
EPSS 0% CVSS 7.2
HIGH This Week

SQL injection in SourceCodester Vehicle Parking Area Management System v1.0 allows authenticated high-privilege users to execute arbitrary SQL queries via the /parking/manage_user.php endpoint. CVSS 7.2 with network vector but requires high-privilege authentication (PR:H), significantly limiting attack surface. EPSS probability is very low (0.01%, 2nd percentile), indicating minimal observed exploitation activity. No CISA KEV listing or public POC confirmation, though a technical writeup exists in GitHub repository mt-0505/cve-report.

PHP SQLi
NVD GitHub VulDB
EPSS 0% CVSS 7.2
HIGH This Week

SQL injection in SourceCodester Vehicle Parking Area Management System v1.0 allows authenticated high-privilege users to execute arbitrary SQL commands via the /parking/view_parked_details.php endpoint. The vulnerability requires administrative credentials (CVSS PR:H) but enables full database compromise once authenticated. EPSS score of 0.01% (2nd percentile) indicates minimal observed exploitation activity. A public proof-of-concept exists on GitHub, lowering the technical barrier for authenticated attackers.

PHP SQLi
NVD GitHub
EPSS 0% CVSS 7.2
HIGH This Week

SQL injection in SourceCodester Vehicle Parking Area Management System v1.0 allows high-privileged authenticated attackers to execute arbitrary SQL commands via the /parking/manage_category.php endpoint, enabling complete database compromise. EPSS score of 0.01% (2nd percentile) indicates minimal observed exploitation activity. Proof-of-concept exploit code is publicly available on GitHub, lowering the barrier for authenticated attackers with administrative access.

PHP SQLi
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL Act Now

SQL injection in SourceCodester Simple Music Cloud Community System v1.0's /music/edit_music.php endpoint allows unauthenticated remote attackers to execute arbitrary SQL commands with full database access. The vulnerability carries a critical CVSS 9.8 score with network-accessible, low-complexity exploitation requiring no privileges or user interaction. EPSS probability is notably low at 0.01% (2nd percentile), suggesting limited real-world exploitation interest despite the critical severity rating. Proof-of-concept code is publicly available via GitHub, lowering the barrier for opportunistic attacks against exposed instances.

PHP SQLi
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL Act Now

SQL injection in SourceCodester Simple Music Cloud Community System v1.0 allows unauthenticated remote attackers to execute arbitrary SQL commands via the /music/view_genre.php endpoint, enabling complete database compromise including data theft, modification, and potential server takeover. CVSS 9.8 (Critical) with network-exploitable attack vector requiring no authentication or user interaction. EPSS score of 0.01% (2nd percentile) indicates low observed exploitation probability despite critical severity. Publicly available proof-of-concept exists (GitHub repository), lowering exploitation barrier for opportunistic attackers.

PHP SQLi
NVD GitHub
EPSS 0% CVSS 9.4
CRITICAL Act Now

SourceCodester Simple Music Cloud Community System v1.0 is vulnerable to SQL Injection in the file /music/view_user.php.

PHP SQLi
NVD GitHub
EPSS 0% CVSS 7.3
HIGH This Week

SourceCodester Simple Music Cloud Community System v1.0 is vulnerable to SQL Injection in the file /music/view_playlist.php.

PHP SQLi
NVD GitHub
EPSS 0% CVSS 7.3
HIGH This Week

SourceCodester Simple Music Cloud Community System v1.0 is vulnerable to SQL Injection in the file /music/view_music.php.

PHP SQLi
NVD GitHub
EPSS 1% CVSS 10.0
CRITICAL Act Now

The goodoneuz/pay-uz Laravel package (<= 2.2.24) contains a critical vulnerability in the /payment/api/editable/update endpoint that allows unauthenticated attackers to overwrite existing PHP payment hook files. The endpoint is exposed via Route::any() without authentication middleware, enabling remote access without credentials. User-controlled input is directly written into executable PHP files using file_put_contents(). These files are later executed via require() during normal payment processing workflows, resulting in remote code execution under default application behavior. The payment secret token mentioned by the vendor is unrelated to this endpoint and does not mitigate the vulnerability.

PHP Authentication Bypass RCE
NVD GitHub VulDB
EPSS 0% CVSS 8.8
HIGH This Week

Local file inclusion in Livemesh Addons for Elementor (WordPress plugin) ≤9.0 allows authenticated attackers with Contributor-level privileges to include and execute arbitrary PHP files via recursive directory traversal bypass in widget template parameters. The vulnerability requires Elementor plugin installation and either admin interaction (social engineering) or direct Contributor access. CVSS 8.8 reflects high impact (RCE potential) but limited by authentication requirement. No active exploitation confirmed (not in CISA KEV), but publicly available exploit code exists (Wordfence disclosure with technical details and code references).

PHP LFI WordPress +2
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

### Summary A Mass Assignment / Broken Object Property Level Authorization (BOPA) vulnerability in the User Preferences API allows any authenticated user (even those with the lowest privileges) to arbitrarily modify restricted financial attributes on their profile, specifically their `hourly_rate` and `internal_rate`. ### Details Kimai restrictively protects the `hourly_rate` and `internal_rate` parameters during standard GUI flow. Users lacking the `hourly-rate` role permissions cannot see or edit these fields via the standard Web Form (`UserApiEditForm` / `UserEditType`). The vulnerability exists in the dedicated preferences API endpoint: `src/API/UserController.php::updateUserPreference`. When a `PATCH` request is sent to `/api/users/{id}/preferences`, the endpoint iterates through the submitted JSON array and blindly applies the new values: ```php foreach ($request->request->all() as $preference) { // ... validation omitted ... if (null === ($meta = $profile->getPreference($name))) { throw $this->createNotFoundException(\sprintf('Unknown custom-field "%s" requested', $name)); } $meta->setValue($value); // <-- VULNERABILITY } ``` The underlying Role-Based Access Control logic (`UserPreferenceSubscriber::getDefaultPreferences`) accurately identifies that standard users lack the `hourly-rate` role, and flags the dynamically generated preference object as disabled (`$preference->setEnabled(false)`). However, the `updateUserPreference` API endpoint entirely ignores this `isEnabled()` flag and forcefully saves the mutated object to the database natively via Doctrine ORM. This allows unauthorized accounts to manipulate the business-logic variables calculating their own financial earnings. ### PoC 1. Log into Kimai as an unprivileged, standard employee account (a user with absolutely no `roles` array privileges). 2. Capture the `cookie` or Session cookies. (In this example, the user's ID is `2`). 3. Send the following cURL request (or intercept via Burp Suite) targeting your own user ID: ```bash curl -i -X PATCH "http://localhost:8001/api/users/2/preferences" \ -H "Content-Type: application/json" \ -H "cookie: <YOUR_STANDARD_USER_TOKEN>" \ -d '[ { "name": "hourly_rate", "value": "1337" }, { "name": "internal_rate", "value": "1337" } ]' ``` 4. The server responds with `HTTP/1.1 200 OK`. (Note: The `hourly_rate` will intentionally NOT appear in the JSON echo due to `User::getVisiblePreferences` sanitizing output based on the same disabled flag). 5. If an Administrator organically views User 2's profile within Kimai, or if the user logs any new timesheets, the active and billed `hourly_rate` applied to their account will be confirmed as `1337`. <img width="1542" height="1039" alt="user_account" src="https://github.com/user-attachments/assets/fff5e2da-d598-408d-8a01-784499ade844" /> <img width="1539" height="1037" alt="admin_account" src="https://github.com/user-attachments/assets/86a6e8c3-a97f-4be3-9f9f-2e23fad1d8a0" /> ### Impact This is a Privilege Escalation and Business Logic Flaw impacting the core financial calculations of the application. An attacker with a standard user account can manipulate their own billing rate multipliers unbeknownst to administrators, resulting in fraudulent invoices, distorted timesheet exports, and unauthorized financial tampering.

PHP Privilege Escalation
NVD GitHub
EPSS 0% CVSS 7.2
HIGH This Week

Stored XSS in Accessibly WordPress plugin (≤3.0.3) allows unauthenticated attackers to inject malicious JavaScript executed by all site visitors via unprotected REST API endpoints. Two endpoints (/otm-ac/v1/update-widget-options and /otm-ac/v1/update-app-config) lack authentication checks (permission_callback set to __return_true), enabling attackers to modify the widgetSrc option with a URL pointing to attacker-controlled scripts. The malicious URL is stored unsanitized in WordPress options and

PHP WordPress XSS
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

Slah CMS v1.5.0 and below was discovered to contain a remote code execution (RCE) vulnerability in the session() function at config.php. This vulnerability is exploitable via a crafted input.

PHP Code Injection RCE
NVD VulDB
EPSS 0% CVSS 8.6
HIGH This Week

Slah CMS v1.5.0 and below was discovered to contain a SQL injection vulnerability via the id parameter in the vereador_ver.php endpoint.

SQLi PHP
NVD VulDB
EPSS 0% CVSS 7.5
HIGH This Week

Incorrect access control in the config.php component of Slah v1.5.0 and below allows unauthenticated attackers to access sensitive information, including active session credentials.

Authentication Bypass PHP
NVD VulDB
EPSS 0% CVSS 7.5
HIGH This Week

An issue in the file handling logic of the component download.php of SAC-NFe v2.0.02 allows attackers to execute a directory traversal and read arbitrary files from the system via a crafted GET request.

PHP Path Traversal
NVD VulDB
EPSS 0% CVSS 8.3
HIGH This Week

Daylight Studio FuelCMS v1.5.2 was discovered to contain an authenticated remote code execution (RCE) vulnerability via the /controllers/Installer.php and the function add_git_submodule.

PHP Command Injection RCE +1
NVD GitHub VulDB
EPSS 0% CVSS 7.2
HIGH This Week

Local File Inclusion in BoidCMS versions prior to 2.1.3 enables authenticated administrators to execute arbitrary PHP code via path traversal in the tpl parameter combined with file upload. The vulnerability chains unsanitized require_once() inclusion with media upload functionality, allowing attackers to upload malicious files and force their execution with web server privileges. Vendor-released patch available in version 2.1.3. CVSS 7.2 reflects high-privilege requirement (administrator access), but exploitation complexity is low once authenticated. No CISA KEV listing or public exploit code identified at time of analysis.

RCE LFI PHP +2
NVD GitHub
EPSS 0% CVSS 7.2
HIGH PATCH This Week

SMTP header injection in Serendipity CMS allows remote unauthenticated attackers to inject arbitrary email headers via malicious Host header during email-triggering operations (comments, subscriptions, password resets). The unsanitized $_SERVER['HTTP_HOST'] value is embedded directly into Message-ID headers without validation, enabling BCC injection, email spoofing, and reply hijacking. CVSS 7.2 with Changed scope indicates cross-domain impact. EPSS data not available; no public exploit identified at time of analysis, though a detailed proof-of-concept exists in the GitHub security advisory demonstrating successful header injection via comment submission.

PHP RCE
NVD GitHub
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

Serendipity's serendipity_setCookie() function accepts unsanitized HTTP_HOST header values as the cookie domain parameter, allowing remote attackers to scope authentication cookies (session tokens, auto-login tokens) to attacker-controlled domains and facilitate session hijacking. The vulnerability requires user interaction (victim authentication during poisoned Host header) and man-in-the-middle or reverse proxy misconfiguration to exploit, affecting all versions of Serendipity that use the vulnerable function. A proof-of-concept demonstrating cookie domain poisoning exists; exploitation probability is moderate (EPSS 6.9, CVSS AC:H reflects attack complexity), and no evidence of active exploitation has been identified.

Privilege Escalation PHP
NVD GitHub
EPSS 0% CVSS 8.8
HIGH PATCH This Week

OS command injection in Chamilo LMS prior to 2.0.0-RC.3 allows authenticated attackers to execute arbitrary system commands via session poisoning of the course ID parameter. Attackers with low-privilege accounts can manipulate the $_SESSION['_cid'] variable to inject shell metacharacters into shell_exec() calls in the gradebook certificate export functionality, achieving full system compromise. CVSS 8.8 (High) with network attack vector and low complexity. No public exploit identified at time of analysis, though technical details are disclosed in the GitHub advisory. EPSS data not available for this recent CVE.

PHP Command Injection
NVD GitHub VulDB
EPSS 0% CVSS 8.6
HIGH PATCH This Week

Unauthenticated Server-Side Request Forgery (SSRF) in Chamilo LMS versions prior to 2.0.0-RC.3 allows remote attackers to access internal network services and cloud metadata endpoints via unfiltered package-url parameter in the PENS plugin. Attackers can steal AWS IAM credentials from 169.254.169.254, probe internal infrastructure, and trigger state-changing operations on internal services without requiring authentication. CVSS 8.6 (High) with Changed Scope reflects the ability to pivot from the LMS to other internal systems. No public exploit identified at time of analysis, though the attack vector is straightforward requiring only HTTP requests to the exposed endpoint.

Authentication Bypass PHP SSRF +1
NVD GitHub
EPSS 0% CVSS 7.2
HIGH PATCH This Week

Server-Side Request Forgery (SSRF) in Chamilo LMS 2.0-RC.2 allows unauthenticated remote attackers to weaponize the learning management system as an open email relay and probe internal networks. The vulnerability stems from an authentication bypass in install.ajax.php, which accepts arbitrary SMTP server connections via Symfony Mailer DSN strings. No public exploit identified at time of analysis, though exploitation complexity is low (CVSS AC:L). EPSS data not provided. Vendor-released patch: version 2.0.0-RC.3.

Authentication Bypass PHP SSRF
NVD GitHub
EPSS 0% CVSS 7.1
HIGH PATCH This Week

SQL injection in Chamilo LMS 2.0.0-RC.2 allows authenticated administrators to extract arbitrary database contents via unsanitized date parameters in the statistics AJAX endpoint's users_active action. This represents an incomplete fix for CVE-2026-30881, where only one of two vulnerable parameter sets was sanitized. Time-based blind SQL injection techniques enable data exfiltration despite requiring admin-level authentication. EPSS data not available; no public exploit identified at time of analysis, though the incomplete remediation pattern and technical details in the GitHub advisory lower exploitation barriers for attackers with admin access.

SQLi PHP
NVD GitHub
EPSS 0% CVSS 4.9
MEDIUM PATCH This Month

October CMS versions prior to 3.7.14 and 4.1.10 allow authenticated editors to disclose sensitive environment variables through PHP's parse_ini_string() interpolation syntax in page settings fields. An attacker with Editor access can inject patterns like ${APP_KEY} or ${DB_PASSWORD} into CMS configuration fields, causing the server to resolve and expose database passwords, AWS credentials, and application keys, potentially enabling database compromise or session forgery. The vulnerability is limited to installations with cms.safe_mode enabled; CVSS 4.9 reflects high confidentiality impact but requires elevated privileges (PR:H) to exploit.

PHP Information Disclosure
NVD GitHub VulDB
EPSS 0% CVSS 7.2
HIGH This Week

PHP object injection in Smart Post Show WordPress plugin versions ≤3.0.12 allows administrators to deserialize untrusted input via the import_shortcodes() function. While no POP chain exists in the plugin itself (making direct exploitation impossible), the vulnerability becomes critical if paired with another plugin/theme containing exploitable gadget chains, potentially enabling file deletion, data exfiltration, or remote code execution. CVSS 7.2 (High) reflects theoretical maximum impact. No public exploit identified at time of analysis, with EPSS data unavailable for this recent CVE identifier.

PHP WordPress Information Disclosure +1
NVD
EPSS 0% CVSS 7.2
HIGH This Week

Local file inclusion in BackWPup WordPress plugin versions ≤5.6.6 allows authenticated administrators to read sensitive configuration files or achieve remote code execution via path traversal bypass in the `/wp-json/backwpup/v1/getblock` REST endpoint. The vulnerability stems from insufficient sanitization using non-recursive `str_replace()`, enabling crafted sequences like `....//` to bypass filtering. While requiring high privileges (PR:H), the plugin's permission delegation feature allows administrators to grant backup management rights to lower-privileged users, expanding the attack surface. No public exploit or active exploitation (CISA KEV) confirmed at time of analysis, though CVSS 7.2 reflects high confidentiality, integrity, and availability impact.

PHP Path Traversal WordPress +1
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

A Local File Inclusion (LFI) vulnerability in the NFSen module (nfsen.inc.php) of LibreNMS 22.11.0-23-gd091788f2 allows authenticated attackers to include arbitrary PHP files from the server filesystem via path traversal sequences in the nfsen parameter.

PHP LFI Path Traversal
NVD GitHub
EPSS 0% CVSS 8.1
HIGH This Week

Broken Object-Level Authorization in Webkul Krayin CRM 2.2.x allows authenticated attackers to read, modify, and permanently delete leads belonging to other users via crafted GET requests to the LeadController endpoint. This multi-tenant access control failure enables horizontal privilege escalation across customer boundaries. Authentication requirements are minimal (PR:L in CVSS vector), and the attack complexity is low with no user interaction required. No public exploit identified at time of analysis, though the vulnerability appears straightforward to exploit given its BOLA nature.

PHP Authentication Bypass
NVD GitHub
EPSS 0% CVSS 8.1
HIGH This Week

Broken Object-Level Authorization in Webkul Krayin CRM v2.2.x allows authenticated attackers to access, modify, and delete contact records belonging to other users without authorization. The vulnerability exists in the PersonController.php endpoint where insufficient access controls permit low-privileged authenticated users to manipulate arbitrary contact objects via crafted GET requests. No public exploit identified at time of analysis, though the attack vector is network-accessible with low complexity (CVSS:3.1 AV:N/AC:L/PR:L).

PHP Authentication Bypass
NVD GitHub
EPSS 0% CVSS 8.8
HIGH This Week

Authenticated attackers can reset arbitrary user passwords in Webkul Krayin CRM v2.2.x through a Broken Object-Level Authorization (BOLA) vulnerability in the /Settings/UserController.php endpoint, enabling full account takeover of any user account. The attack requires low-privilege authentication (PR:L) and is exploitable remotely with low complexity (AV:N/AC:L), presenting an 8.8 CVSS severity with high impact to confidentiality, integrity, and availability. EPSS data not available; no CISA KEV listing identified; publicly available exploit code exists per researcher disclosure.

PHP Privilege Escalation
NVD GitHub
EPSS 0% CVSS 7.1
HIGH This Week

SQL injection in Krayin CRM 2.2.x allows authenticated remote attackers to extract sensitive database contents via the rotten_lead parameter in LeadDataGrid.php. CVSS 7.1 severity with network attack vector and low complexity enables database enumeration with low-privilege credentials. No public exploit identified at time of analysis, though EPSS data unavailable. Technical advisory published on GitHub indicates vulnerability affects lead management functionality in this Laravel-based open-source CRM platform.

PHP SQLi
NVD GitHub
EPSS 0% CVSS 9.9
CRITICAL POC Act Now

Remote code execution in Webkul Krayin CRM v2.2.x allows authenticated attackers with low-level privileges to upload and execute malicious PHP files through an unrestricted file upload vulnerability in the /admin/tinymce/upload endpoint. The scope change (CVSS S:C) indicates potential container escape or cross-tenant impact. Authentication requirement confirmed (CVSS PR:L). No public exploit identified at time of analysis, though technical details are available in security advisory references.

File Upload PHP RCE
NVD GitHub Exploit-DB VulDB
EPSS 0% CVSS 6.1
MEDIUM This Month

Reflected cross-site scripting (XSS) in manikandan580 School-management-system 1.0 allows unauthenticated remote attackers to inject malicious scripts via the pagedes POST parameter in /studentms/admin/contact-us.php, affecting users with browser cookies or session tokens. Publicly available exploit code exists, and the vulnerability impacts confidentiality and integrity with moderate scope. CVSS score of 6.1 reflects the requirement for user interaction to trigger the malicious payload.

PHP XSS
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL Act Now

Time-based blind SQL injection in manikandan580 School Management System 1.0 allows unauthenticated remote attackers to extract sensitive database contents and potentially execute arbitrary SQL commands through the fromdate POST parameter in /studentms/admin/between-date-reprtsdetails.php. The CVSS 9.8 critical score reflects network-based exploitation requiring no privileges or user interaction, with complete confidentiality, integrity, and availability impact. No public exploit identified at time of analysis, though the specific vulnerable parameter and injection type are documented in public security advisories.

PHP SQLi
NVD GitHub
EPSS 0% CVSS 6.1
MEDIUM This Month

Reflected cross-site scripting (XSS) in School Management System 1.0 allows unauthenticated remote attackers to inject malicious scripts via the email POST parameter in the contact-us.php admin interface. A victim must click a crafted link, enabling attackers to steal session cookies, perform administrative actions, or redirect users to malicious sites. Public proof-of-concept code exists; however, real-world exploitation probability remains low (EPSS 0.02%) due to reliance on user interaction and limited automaton.

XSS PHP N A
NVD GitHub
EPSS 0% CVSS 6.1
MEDIUM This Month

Stored or reflected cross-site scripting (XSS) in alandsilva26 hotel-management-php 1.0 allows unauthenticated remote attackers to inject and execute arbitrary JavaScript in the context of authenticated administrators via a malicious room_id GET parameter in /public/admin/edit_room.php. Public exploit code exists (SSVC confirms poc status). The vulnerability requires user interaction (UI:R) to trigger, affecting confidentiality and integrity of admin sessions with partial technical impact.

PHP XSS
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL Act Now

SQL injection in Grocery Store Management System 1.0 allows unauthenticated remote attackers to execute arbitrary SQL commands through the sitem_name parameter in search_products_itname.php. The vulnerability achieves maximum CVSS 9.8 due to network accessibility without authentication, enabling complete database compromise including data exfiltration, modification, and potential system takeover. EPSS data not available; no confirmed active exploitation (CISA KEV) identified at time of analysis, though publicly available exploit code exists per researcher advisory.

PHP SQLi
NVD GitHub
EPSS 0% CVSS 2.7
LOW Monitor

SQL injection in SourceCodester Patient Appointment Scheduler System v1.0 at /scheduler/admin/user/manage_user.php allows high-privilege authenticated attackers to read sensitive data via crafted SQL queries. CVSS score of 2.7 reflects the requirement for high administrative privileges (PR:H), limiting real-world impact. SSVC framework confirms no known active exploitation, non-automatable attack, and partial technical impact (confidentiality only). This is a low-severity vulnerability constrained by authentication requirements despite the presence of a SQL injection flaw.

PHP SQLi
NVD GitHub
EPSS 0% CVSS 2.7
LOW Monitor

SQL injection in SourceCodester Patient Appointment Scheduler System v1.0 allows authenticated high-privilege administrators to read sensitive data through the /scheduler/admin/appointments/manage_appointment.php endpoint. The vulnerability requires administrative credentials and does not enable data modification or denial of service, limiting real-world impact despite network-accessible exposure. CVSS score of 2.7 reflects the high authentication barrier and confidentiality-only impact; CISA SSVC framework rates exploitation as 'none' with no automatable attack path.

PHP SQLi
NVD GitHub
EPSS 0% CVSS 2.7
LOW Monitor

SQL injection in SourceCodester Patient Appointment Scheduler System v1.0 allows authenticated high-privilege users to read sensitive database information via the /scheduler/admin/appointments/view_details.php endpoint. The vulnerability requires administrative credentials and network access but carries low real-world risk due to restrictive authentication requirements (PR:H), limited scope of impact (confidentiality only), and CVSS score of 2.7. No public exploit code or active exploitation has been identified.

PHP SQLi
NVD GitHub
EPSS 0% CVSS 2.7
LOW Monitor

SourceCodester Patient Appointment Scheduler System v1.0 suffers from SQL injection in the SystemSettings.php update_settings function, allowing authenticated high-privilege administrators to execute arbitrary SQL queries. While tagged as RCE, the CVSS vector (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N) and SSVC framework indicate limited confidentiality impact with no confirmed integrity or availability consequences; this is primarily a SQL injection vulnerability requiring administrative credentials with no public exploit code identified at time of analysis.

PHP RCE SQLi
NVD GitHub
EPSS 0% CVSS 2.7
LOW Monitor

SQL injection in SourceCodester Online Employees Work From Home Attendance System v1.0 allows high-privilege authenticated attackers to execute arbitrary SQL queries via the /wfh_attendance/admin/attendance_list.php endpoint, enabling unauthorized data disclosure with low confidentiality impact. The vulnerability requires administrator-level access and carries minimal real-world risk due to high privilege requirements and low exploitability (SSVC exploitation status: none), though it represents a defense-in-depth failure in an administrative function.

PHP SQLi
NVD GitHub
EPSS 0% CVSS 2.7
LOW Monitor

SQL injection in SourceCodester Online Employees Work From Home Attendance System v1.0 allows high-privilege authenticated attackers to extract sensitive database information via the /wfh_attendance/admin/manage_department.php endpoint. The CVSS 2.7 score reflects low real-world risk due to the requirement for high-privilege administrative credentials and confidentiality-only impact; no public exploit code has been identified, and the vulnerability is not confirmed as actively exploited.

PHP SQLi
NVD GitHub
EPSS 0% CVSS 2.7
LOW Monitor

SQL Injection in SourceCodester Online Employees Work From Home Attendance System v1.0 allows high-privilege authenticated attackers to read sensitive database contents via crafted input to the /wfh_attendance/admin/manage_employee.php file. The CVSS score of 2.7 reflects limited impact (confidentiality only, no integrity or availability loss) and high authentication barriers (administrator role required). No public exploit code or active exploitation has been confirmed.

PHP SQLi
NVD GitHub
EPSS 0% CVSS 2.7
LOW Monitor

SQL Injection in SourceCodester Online Employees Work From Home Attendance System v1.0 allows high-privilege remote attackers to read sensitive database contents via crafted input to the /wfh_attendance/admin/view_employee.php endpoint. CVSS 2.7 reflects high authentication barriers (PR:H requires admin access), no automatable exploitation per SSVC, and confidentiality impact only. No public exploit code or active exploitation confirmed at time of analysis.

PHP SQLi
NVD GitHub
EPSS 0% CVSS 2.7
LOW Monitor

SQL Injection in SourceCodester Online Employees Work From Home Attendance System v1.0 allows high-privileged authenticated attackers to execute arbitrary SQL queries via the /wfh_attendance/admin/view_att.php endpoint, potentially disclosing sensitive employee attendance data. The vulnerability requires administrative credentials and carries low real-world risk despite SQL injection's severity class, as evidenced by CVSS 2.7 and SSVC designation of no exploitation likelihood with partial technical impact. No public exploit code or active exploitation has been identified.

PHP SQLi
NVD GitHub
EPSS 0% CVSS 2.7
LOW Monitor

SQL injection in Sourcecodester Storage Unit Rental Management System v1.0 allows high-privilege authenticated administrators to execute arbitrary SQL queries via the /storage/admin/maintenance/manage_pricing.php endpoint, resulting in partial confidentiality impact. The CVSS score of 2.7 reflects the requirement for high administrative privileges and absence of integrity or availability impact, placing this as a low-risk vulnerability despite the SQL injection classification. No public exploit code or active exploitation has been identified.

PHP SQLi
NVD GitHub
EPSS 0% CVSS 2.7
LOW Monitor

SQL injection in Sourcecodester Storage Unit Rental Management System v1.0 allows high-privileged remote attackers to read sensitive data through the /storage/admin/tenants/view_details.php endpoint. With a CVSS score of 2.7 and requirement for high administrative privileges (PR:H), this vulnerability has minimal real-world impact despite the SQL injection class; however, it represents a privilege-abuse risk within already-compromised administrative contexts. No public exploit code or active exploitation has been confirmed.

PHP SQLi
NVD GitHub
EPSS 0% CVSS 2.7
LOW Monitor

SQL Injection in SourceCodester Storage Unit Rental Management System v1.0 allows authenticated administrative users to execute arbitrary SQL queries via the /storage/admin/maintenance/manage_storage_unit.php endpoint. The vulnerability requires high-privilege access (PR:H) and returns only limited information (confidentiality impact only), resulting in a low CVSS score of 2.7. No public exploit code or active exploitation has been confirmed at the time of analysis.

PHP SQLi
NVD GitHub
EPSS 0% CVSS 2.7
LOW Monitor

SQL injection in SourceCodester Storage Unit Rental Management System v1.0 allows high-privileged authenticated attackers to read sensitive database contents via crafted input in /storage/admin/rents/manage_rent.php. The vulnerability requires administrator-level access and produces only limited information disclosure with no impact on data integrity or availability. EPSS and SSVC assessments indicate minimal real-world exploitation risk due to authentication barrier and non-automatable attack requirements.

PHP SQLi
NVD GitHub
EPSS 0% CVSS 7.7
HIGH PATCH This Week

Remote code execution via SQL injection in Craft Commerce 4.x (4.0.0-4.10.2) and 5.x (5.0.0-5.5.4) allows authenticated control panel users to write PHP webshells through a four-step exploitation chain. Attack exploits unsanitized TotalRevenue widget settings interpolated into SQL, PDO multi-statement support, and unsafe PHP deserialization in yii2-queue to instantiate a GuzzleHttp FileCookieJar gadget chain. Complete exploitation requires only three HTTP requests and low-privileged authenticati

SQLi Deserialization RCE +1
NVD GitHub VulDB
EPSS 0% CVSS 2.1
LOW POC Monitor

A security flaw has been discovered in code-projects Easy Blog Site 1.0. This affects an unknown function of the file post.php. Performing a manipulation of the argument tags results in sql injection. The attack may be initiated remotely. The exploit has been released to the public and may be used for attacks.

SQLi PHP
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

A vulnerability was identified in CodeAstro Online Job Portal 1.0. The impacted element is an unknown function of the file /jobs/job-delete.php of the component Delete Job Posting Handler. Such manipulation of the argument ID leads to improper access controls. The attack can be launched remotely. The exploit is publicly available and might be used.

Authentication Bypass PHP
NVD VulDB GitHub
EPSS 0% CVSS 9.3
CRITICAL Act Now

Remote code execution in Pachno 1.0.6 allows unauthenticated attackers to achieve arbitrary code execution by exploiting unsafe deserialization of PHP objects. Attackers write malicious serialized payloads to world-writable cache files with predictable names, which are automatically unserialized during framework bootstrap before authentication occurs. EPSS indicates 0.14% probability of exploitation (33rd percentile), no active exploitation confirmed per CISA KEV, and SSVC classifies this as automatable with total technical impact.

PHP Deserialization RCE
NVD VulDB
Prev Page 20 of 275 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy