Skip to main content

PHP

24729 CVEs product

Monthly

CVE-2026-5681 LOW POC Monitor

SQL injection in itsourcecode's 'sanitize or validate this input' application allows authenticated remote attackers to execute arbitrary SQL queries via the emp_id parameter in /borrowedequip.php, potentially compromising data confidentiality and integrity. The vulnerability affects version 1.0 and has publicly available exploit code; exploitation requires valid login credentials but carries low-to-moderate real-world risk given the CVSS 5.3 score and authenticated attack requirement.

SQLi PHP
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-35183 HIGH PATCH This Week

Authenticated users in Brave CMS can delete arbitrary article images belonging to other users via an Insecure Direct Object Reference (IDOR) flaw in versions prior to 2.0.6. The deleteImage method in ArticleController.php accepts filenames without verifying ownership, allowing any authenticated user with edit permissions to delete images from articles they don't own. CVSS 7.1 reflects high integrity impact with low availability impact. No public exploit identified at time of analysis, and EPSS data not available for this recent vulnerability.

PHP Authentication Bypass
NVD GitHub VulDB
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-35182 HIGH PATCH This Week

Privilege escalation in Brave CMS 2.0.x before 2.0.6 allows authenticated users with low-privilege accounts to promote themselves to Super Admin by directly calling the unprotected role update endpoint. The vulnerability stems from a missing authorization middleware check on the /rights/update-role/{id} route, enabling complete takeover of the CMS by any user with valid credentials. No public exploit identified at time of analysis, but exploitation is trivial given the straightforward API endpoint access. With EPSS data unavailable and no KEV listing, risk primarily affects organizations using affected Brave CMS versions in multi-user environments.

PHP Authentication Bypass
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-35180 MEDIUM This Month

Cross-site request forgery in WWBN AVideo 26.0 and earlier allows unauthenticated remote attackers to overwrite the platform's logo file via a malicious cross-origin POST to the admin/customize_settings_nativeUpdate.json.php endpoint. The vulnerability exploits missing CSRF token validation combined with a SameSite=None cookie policy and a file-write-before-validation logic flaw, enabling integrity compromise of the site's branding. No public exploit code or active exploitation has been identified at the time of analysis.

CSRF PHP
NVD GitHub VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-5675 LOW Monitor

SQL injection in itsourcecode Construction Management System 1.0 allows authenticated remote attackers to manipulate the 'emp' parameter in /borrowed_tool.php, resulting in limited confidentiality, integrity, and availability impact. The vulnerability requires valid credentials (PR:L) but has publicly available exploit code, though exploitation probability remains moderate (EPSS indicates P:P status). This is a classic parameter injection flaw in a PHP application with real but constrained risk due to authentication requirements.

SQLi PHP
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-5672 MEDIUM This Month

SQL injection in code-projects Simple IT Discussion Forum 1.0 via the cat_id parameter in /edit-category.php allows unauthenticated remote attackers to execute arbitrary SQL queries, potentially leading to data exfiltration, modification, or deletion. The vulnerability has a publicly disclosed exploit and moderate CVSS score (6.9) with confirmed exploitation capability signals.

SQLi PHP
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-35174 CRITICAL PATCH Act Now

Path traversal in Chyrp Lite administration console allows privileged users with Change Settings permissions to manipulate the uploads path, enabling arbitrary file read (including database credentials from config.json.php) and arbitrary file write leading to remote code execution. Affects all versions prior to 2026.01. CVSS 9.1 (Critical) reflects post-authentication impact with scope change. EPSS data not available; no public exploit identified at time of analysis, no CISA KEV listing.

RCE Path Traversal PHP
NVD GitHub
CVSS 3.1
9.1
EPSS
0.3%
CVE-2026-35164 HIGH PATCH This Week

Remote code execution in Brave CMS versions prior to 2.0.6 allows authenticated users to upload and execute arbitrary PHP scripts through the CKEditor upload functionality. The vulnerability stems from unrestricted file upload in the ckupload method of CkEditorController.php, which fails to validate uploaded file types. No public exploit identified at time of analysis, though the attack requires only low-privilege authentication (PR:L) with low complexity (AC:L). CVSS 8.8 High severity reflects the complete system compromise possible post-authentication.

File Upload PHP RCE
NVD GitHub
CVSS 3.1
8.8
EPSS
0.2%
CVE-2026-5670 LOW Monitor

Unrestricted file upload in Cyber-III Student-Management-System allows authenticated remote attackers to upload arbitrary files via manipulation of the File parameter in /AssignmentSection/submission/upload.php, leading to potential remote code execution or data exfiltration. The vulnerability affects the move_uploaded_file function and has publicly available exploit code; the vendor has not responded to early disclosure notification. CVSS 5.3 reflects low confidentiality and integrity impact within an authenticated context, though real-world risk depends on file execution permissions and web server configuration.

PHP File Upload Authentication Bypass
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-5669 MEDIUM This Month

SQL injection in Cyber-III Student-Management-System login parameter handler allows unauthenticated remote attackers to execute arbitrary SQL queries via the Password parameter in /login.php, potentially leading to unauthorized data access, modification, or deletion. The vulnerability has been publicly disclosed with exploit code available, and the affected project uses rolling releases without fixed version tagging, complicating patch status determination. CVSS 6.9 reflects moderate severity with low confidentiality, integrity, and availability impact across multiple scopes.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-5671 LOW POC Monitor

Cross-site scripting (XSS) in Cyber-III Student-Management-System allows unauthenticated remote attackers to inject malicious scripts via the batch parameter in the /admin/class%20schedule/delete_batch.php endpoint, compromised by improper input validation. The vulnerability affects all versions up to commit 1a938fa61e9f735078e9b291d2e6215b4942af3f and has publicly available exploit code disclosed on GitHub; the vendor has not responded to early notification.

XSS PHP
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-5668 LOW POC Monitor

Cross-site scripting (XSS) in Cyber-III Student-Management-System allows high-privileged authenticated attackers to inject malicious scripts via the $_SERVER['PHP_SELF'] parameter in the /admin/Add%20notice/add%20notice.php endpoint. The vulnerability requires user interaction (UI:P) to trigger and is confirmed by publicly available exploit code, though real-world risk is mitigated by high privilege requirements (PR:H) and limited technical impact (integrity only). The product uses rolling releases with no versioning, and the vendor has not responded to early disclosure.

PHP XSS
NVD VulDB GitHub
CVSS 4.0
1.9
EPSS
0.0%
CVE-2026-34402 HIGH PATCH This Week

Time-based blind SQL injection in ChurchCRM versions prior to 7.1.0 allows authenticated users with Edit Records or Manage Groups permissions to exfiltrate or modify database content including credentials, PII, and configuration secrets via the PropertyAssign.php endpoint. Attack requires low-privilege authentication (PR:L) but enables high confidentiality and integrity impact through database manipulation. No public exploit identified at time of analysis, though EPSS data was not provided. CVSS 8.1 reflects network-accessible exploitation with low complexity requiring only basic user privileges.

SQLi PHP
NVD GitHub
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-5665 MEDIUM POC This Month

SQL injection in code-projects Online FIR System 1.0 allows unauthenticated remote attackers to extract, modify, or delete database contents via the email and password parameters in /Login/checklogin.php. CVSS 7.3 (High) with attack vector Network, Low complexity, and No privileges required. Publicly available exploit code exists (GitHub POC published). EPSS data not provided, but the combination of unauthenticated access, public exploit, and login bypass potential makes this a significant risk for exposed instances.

SQLi PHP
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-5660 LOW POC Monitor

SQL injection in itsourcecode Construction Management System 1.0 allows authenticated remote attackers to execute arbitrary SQL queries via the emp parameter in /borrowed_equip.php, potentially compromising data confidentiality and integrity. The vulnerability has a CVSS score of 5.3 with publicly available exploit code; however, exploitation requires valid authentication credentials and does not grant administrative privileges or enable denial of service.

PHP SQLi
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-5648 MEDIUM This Month

SQL injection in code-projects Simple Laundry System 1.0 allows unauthenticated remote attackers to execute arbitrary SQL queries via the firstName parameter in /userfinishregister.php, enabling data exfiltration and manipulation. The vulnerability has publicly available exploit code and a published CVSS 6.9 score reflecting moderate confidentiality and integrity impact.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-5647 LOW Monitor

Stored cross-site scripting (XSS) in code-projects Online Shoe Store 1.0 allows authenticated administrators to inject malicious scripts via the product_name parameter in the Add Product Page (/admin/admin_feature.php), which execute in the context of other users' browsers. The vulnerability requires high-privilege administrative access and user interaction (clicking a malicious link), limiting real-world impact, but publicly available exploit code exists.

PHP XSS
NVD GitHub VulDB
CVSS 4.0
1.9
EPSS
0.0%
CVE-2026-5649 LOW POC Monitor

SQL injection in code-projects Online Application System for Admission 1.0 allows authenticated remote attackers to execute arbitrary SQL commands via the /enrollment/admsnform.php endpoint, enabling data exfiltration and database manipulation. The vulnerability has a CVSS score of 6.3 (medium severity) with public exploit code disclosed; exploitation requires valid user credentials but no special complexity.

PHP SQLi
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-5646 MEDIUM POC This Month

SQL injection in code-projects Easy Blog Site 1.0 allows unauthenticated remote attackers to compromise authentication and potentially extract, modify, or delete database contents via crafted username/password parameters in login.php. CVSS 7.3 (High) with network attack vector, low complexity, and no authentication required. Publicly available exploit code exists (GitHub POC), significantly lowering the barrier to exploitation. No vendor-released patch identified at time of analysis.

SQLi PHP
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-5645 MEDIUM POC This Month

SQL injection in projectworlds Car Rental System 1.0 allows unauthenticated remote attackers to manipulate database queries via the mpesa parameter in /pay.php. The vulnerability carries a CVSS score of 7.3 with network-based exploitation requiring low complexity and no user interaction. Publicly available exploit code exists (GitHub POC published), significantly lowering the barrier to exploitation, though no CISA KEV listing confirms active widespread exploitation at time of analysis.

SQLi PHP
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-5644 LOW POC Monitor

Stored cross-site scripting (XSS) in Cyber-III Student-Management-System via manipulation of the $_SERVER['PHP_SELF'] variable in the batch-notice.php admin file allows authenticated attackers with high privileges to inject malicious scripts. The vulnerability affects all versions up to commit 1a938fa61e9f735078e9b291d2e6215b4942af3f, exploitable remotely with user interaction, and publicly available exploit code exists. CVSS score of 4.8 reflects moderate risk constrained by authentication and interaction requirements, though the integrity impact and active public disclosure elevate operational concern.

PHP XSS
NVD VulDB GitHub
CVSS 4.0
1.9
EPSS
0.0%
CVE-2026-5643 LOW POC Monitor

Reflected cross-site scripting in Cyber-III Student-Management-System up to commit 1a938fa61e9f735078e9b291d2e6215b4942af3f allows high-privilege authenticated attackers to inject malicious scripts via the $_SERVER['PHP_SELF'] parameter in the admin notice endpoint (/admin/Add%20notice/notice.php). Publicly available exploit code exists, and the vulnerability requires user interaction (UI) to trigger, limiting practical impact despite remote accessibility.

PHP XSS
NVD VulDB GitHub
CVSS 4.0
1.9
EPSS
0.0%
CVE-2026-5642 MEDIUM POC This Month

Improper authorization in Cyber-III Student-Management-System allows unauthenticated remote attackers to bypass authentication controls via crafted HTTP POST requests to /viva/update.php. The vulnerability (CWE-285) enables unauthorized modification of student records by manipulating the 'Name' parameter. Publicly available exploit code exists (GitHub issue #236), and the project maintainer has not responded to responsible disclosure attempts. EPSS data not provided, but CVSS 7.3 with PR:N indicates significant risk for internet-facing deployments.

Authentication Bypass PHP
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-5641 LOW POC Monitor

SQL injection in PHPGurukul Online Shopping Portal Project 2.1 allows authenticated remote attackers to execute arbitrary SQL queries via the filename parameter in /admin/update-image1.php, potentially compromising data confidentiality, integrity, and availability. Publicly available exploit code exists, elevating real-world risk despite the moderate CVSS score.

PHP SQLi
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-5640 LOW POC Monitor

SQL injection in PHPGurukul Online Shopping Portal Project 2.1 allows authenticated remote attackers to execute arbitrary SQL queries via the filename parameter in /admin/update-image2.php. The vulnerability affects the parameter handling mechanism and has publicly available exploit code; attackers with administrative credentials can manipulate the filename argument to inject SQL commands, potentially leading to data exfiltration or modification with limited direct impact to confidentiality and integrity of the application layer.

SQLi PHP
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-5639 LOW POC Monitor

SQL injection in PHPGurukul Online Shopping Portal Project 2.1 allows authenticated remote attackers to manipulate the filename parameter in /admin/update-image3.php, leading to database query manipulation with limited confidentiality and integrity impact. The vulnerability carries a CVSS score of 5.3 (medium severity) and requires valid admin credentials to exploit; publicly available exploit code exists but the vulnerability is not confirmed as actively exploited in CISA KEV.

PHP SQLi
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-5637 MEDIUM POC This Month

SQL injection in projectworlds Car Rental System 1.0 allows unauthenticated remote attackers to execute arbitrary SQL commands via the Message parameter in /message_admin.php. Publicly available exploit code exists, significantly lowering the barrier to exploitation. The vulnerability enables unauthorized data access, modification, and potential denial of service against the administrative messaging interface. CVSS 7.3 severity reflects network-accessible attack vector with low complexity and no authentication requirement.

SQLi PHP
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-5636 LOW POC Monitor

SQL injection in PHPGurukul Online Shopping Portal Project 2.1 allows authenticated remote attackers to execute arbitrary SQL queries via the oid parameter in /cancelorder.php, potentially enabling unauthorized data access or modification. Publicly available exploit code exists for this vulnerability, which affects the parameter handler component and carries a CVSS score of 5.3 with confirmed exploitation feasibility.

PHP SQLi
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-5635 LOW POC Monitor

SQL injection in PHPGurukul Online Shopping Portal Project 2.1 allows authenticated remote attackers to execute arbitrary SQL commands via the cid parameter in /categorywise-products.php. Publicly available exploit code exists for this vulnerability, which affects the parameter handler component. The attack requires valid user credentials but carries low impact, affecting confidentiality, integrity, and availability of data at limited scope.

PHP SQLi
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-5634 MEDIUM POC This Month

SQL injection in projectworlds Car Rental Project 1.0 allows remote attackers to execute arbitrary SQL queries via the fname parameter in /book_car.php, enabling unauthenticated database manipulation with potential confidentiality and integrity impact. The vulnerability has publicly available exploit code and a moderate CVSS score of 6.9, indicating practical exploitability despite low attack complexity.

PHP SQLi
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-5624 LOW PATCH Monitor

Cross-site request forgery (CSRF) in ProjectSend r2002 allows unauthenticated remote attackers to perform unauthorized file upload operations via the upload.php endpoint with user interaction (UI:R). The vulnerability has been publicly disclosed with exploit code available, and ProjectSend has released patched version r2029 with commit 2c0d25824ab571b6c219ac1a188ad9350149661b to remediate the issue. While the CVSS score of 4.3 indicates low-to-moderate severity, the presence of public exploit code and lack of authentication requirements elevates the real-world risk for unpatched instances.

CSRF PHP File Upload
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-5620 LOW POC Monitor

SQL injection in itsourcecode Construction Management System 1.0 allows authenticated remote attackers to execute arbitrary SQL queries via the Home parameter in /borrowed_equip_report.php, potentially leading to unauthorized data access, modification, or deletion. The vulnerability has been publicly disclosed with exploit code available, and demonstrates low attack complexity with network-based delivery requiring valid credentials.

PHP SQLi
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-5615 LOW POC PATCH Monitor

Cross-site scripting (XSS) in givanz Vvvebjs file upload endpoint allows unauthenticated remote attackers to inject malicious scripts via the uploadAllowExtensions parameter in upload.php. The vulnerability affects Vvvebjs versions up to 2.0.5 and requires user interaction (UI:R). A publicly available exploit exists and a patch (commit 8cac22cff99b8bc701c408aa8e887fa702755336) has been released by the vendor; EPSS exploitation likelihood is indicated as probable (E:P) with a CVSS score of 4.3.

XSS PHP File Upload
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-5606 MEDIUM This Month

SQL injection in PHPGurukul Online Shopping Portal Project 2.1 allows authenticated remote attackers to execute arbitrary SQL queries via the orderid parameter in /order-details.php, enabling data exfiltration and database manipulation. CVSS 6.3 reflects authenticated access requirement and limited scope; no public exploit code or active KEV status confirmed at time of analysis.

PHP SQLi
NVD VulDB GitHub
CVSS 4.0
5.3
EPSS
0.0%
CVE-2019-25675 HIGH POC This Week

eDirectory contains multiple SQL injection vulnerabilities that allow unauthenticated attackers to bypass administrator authentication and disclose sensitive files by injecting SQL code into. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi PHP
NVD Exploit-DB
CVSS 4.0
8.8
EPSS
0.2%
CVE-2019-25687 CRITICAL POC Act Now

Pegasus CMS 1.0 contains a remote code execution vulnerability in the extra_fields.php plugin that allows unauthenticated attackers to execute arbitrary commands by exploiting unsafe eval. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP Path Traversal RCE
NVD Exploit-DB
CVSS 4.0
9.3
EPSS
0.3%
CVE-2019-25685 HIGH POC This Week

phpBB contains an arbitrary file upload vulnerability that allows authenticated attackers to upload malicious files by exploiting the plupload functionality and phar:// stream wrapper. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP Path Traversal File Upload RCE
NVD Exploit-DB
CVSS 4.0
8.7
EPSS
0.1%
CVE-2019-25684 HIGH POC This Week

OpenDocMan 1.3.4 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the 'where' parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi
NVD Exploit-DB
CVSS 4.0
8.8
EPSS
0.1%
CVE-2019-25682 MEDIUM POC This Month

CMSsite 1.0 contains a cross-site request forgery vulnerability that allows attackers to perform unauthorized administrative actions by crafting malicious HTML forms. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP CSRF
NVD Exploit-DB GitHub
CVSS 4.0
5.3
EPSS
0.0%
CVE-2019-25678 HIGH POC This Week

C4G Basic Laboratory Information System 3.4 contains multiple SQL injection vulnerabilities that allow unauthenticated attackers to execute arbitrary SQL commands by injecting malicious code through. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP Authentication Bypass SQLi
NVD Exploit-DB
CVSS 4.0
8.8
EPSS
0.0%
CVE-2019-25676 HIGH POC This Week

Ask Expert Script 3.0.5 contains cross-site scripting and SQL injection vulnerabilities that allow unauthenticated attackers to inject malicious code by manipulating URL parameters. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP XSS SQLi RCE
NVD Exploit-DB
CVSS 4.0
8.8
EPSS
0.1%
CVE-2019-25674 HIGH POC This Week

CMSsite 1.0 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the 'post' parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi
NVD Exploit-DB GitHub
CVSS 4.0
8.8
EPSS
0.1%
CVE-2019-25673 HIGH POC This Week

UniSharp Laravel File Manager v2.0.0-alpha7 and v2.0 contain an arbitrary file upload vulnerability that allows authenticated attackers to upload malicious files by sending multipart form data to the. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP File Upload RCE
NVD Exploit-DB GitHub
CVSS 4.0
8.7
EPSS
0.1%
CVE-2019-25671 HIGH POC This Week

VA MAX 8.3.4 contains a remote code execution vulnerability that allows authenticated attackers to execute arbitrary commands by injecting shell metacharacters into the mtu_eth0 parameter. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP Path Traversal RCE Apache
NVD Exploit-DB
CVSS 4.0
8.7
EPSS
0.4%
CVE-2019-25668 HIGH POC This Week

News Website Script 2.0.5 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the news ID parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi
NVD Exploit-DB
CVSS 4.0
8.8
EPSS
0.1%
CVE-2019-25664 HIGH POC This Week

SuiteCRM 7.10.7 contains a time-based SQL injection vulnerability in the record parameter of the Users module DetailView action that allows authenticated attackers to manipulate database queries. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi
NVD Exploit-DB
CVSS 4.0
7.1
EPSS
0.0%
CVE-2019-25662 HIGH POC This Week

ResourceSpace 8.6 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the 'ref' parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi
NVD Exploit-DB
CVSS 4.0
8.8
EPSS
0.1%
CVE-2026-5583 LOW POC Monitor

SQL injection in PHPGurukul Online Shopping Portal Project 2.1 allows authenticated remote attackers to execute arbitrary SQL queries via manipulation of the fullname parameter in /my-profile.php. The vulnerability has a publicly disclosed exploit and CVSS 5.3 score reflecting low confidentiality and integrity impact; however, the moderate real-world risk is elevated by public exploit availability and the authentication-required nature suggesting insider or credential-based attack scenarios.

SQLi PHP
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-5579 LOW Monitor

SQL injection in CodeAstro Online Classroom 1.0 allows authenticated remote attackers to execute arbitrary SQL queries via manipulation of the fname parameter in the /OnlineClassroom/updatedetailsfromfaculty.php endpoint. The vulnerability has been publicly disclosed with exploit code available, presenting moderate real-world risk due to required authentication (PR:L) but low technical impact (VC:L, VI:L, VA:L) per CVSS 4.0 scoring.

SQLi PHP
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-5580 LOW POC Monitor

SQL injection in CodeAstro Online Classroom 1.0 allows authenticated remote attackers to execute arbitrary SQL commands via the videotitle parameter in /OnlineClassroom/addvideos.php. Publicly available exploit code exists, enabling database manipulation with low complexity. CVSS 6.3 (Medium) reflects authentication requirement and limited scope, though exploitation is straightforward and could lead to unauthorized data access or modification.

PHP SQLi
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-5578 LOW POC Monitor

SQL injection in CodeAstro Online Classroom 1.0 via the deleteid parameter in /OnlineClassroom/addassessment.php allows authenticated remote attackers to manipulate database queries with low impact to confidentiality, integrity, and availability. Public exploit code is available, increasing practical risk despite the moderate CVSS 5.3 score. The vulnerability requires valid authentication (PR:L) but uses a common attack vector (AV:N, AC:L) typical of parameter validation flaws in PHP web applications.

SQLi PHP
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-5575 MEDIUM This Month

SQL injection in SourceCodester jkev Record Management System 1.0 allows remote unauthenticated attackers to manipulate the Username parameter in the Login component (index.php) to execute arbitrary SQL queries, potentially leading to unauthorized data access or modification. The exploit code is publicly available, and the vulnerability carries a CVSS 4.0 base score of 6.9 with low confidentiality, integrity, and availability impact.

SQLi PHP
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-5576 LOW POC Monitor

Unrestricted file upload in SourceCodester/jkev Record Management System 1.0 allows authenticated remote attackers to upload arbitrary files via the save_emp.php Add Employee Page component, potentially enabling remote code execution. The vulnerability requires high-privilege authentication and has publicly available exploit code, though real-world risk remains limited by the authentication barrier and moderate CVSS score of 4.7.

File Upload PHP
NVD VulDB GitHub
CVSS 4.0
2.0
EPSS
0.0%
CVE-2026-5565 MEDIUM POC This Month

SQL injection in code-projects Simple Laundry System 1.0 allows unauthenticated remote attackers to execute arbitrary SQL commands via the userid parameter in /delmemberinfo.php. The vulnerability has publicly available exploit code (GitHub POC) and CVSS 7.3 severity with network-accessible attack vector requiring low complexity and no privileges. No vendor-released patch identified at time of analysis. EPSS data not provided, but public exploit availability increases likelihood of opportunistic scanning and exploitation.

PHP SQLi
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-5564 MEDIUM POC This Month

SQL injection in code-projects Simple Laundry System 1.0 allows unauthenticated remote attackers to extract, modify, or delete database records via the searchServiceId parameter in /searchguest.php. CVSS 7.3 reflects network-accessible attack with low complexity requiring no privileges. Publicly available exploit code exists (GitHub PoC published), significantly lowering exploitation barrier. No vendor-released patch identified at time of analysis. EPSS data unavailable, but combination of remotely exploitable SQLi with public PoC against an unmaintained open-source project indicates elevated real-world risk for installations exposed to untrusted networks.

PHP SQLi
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-5561 LOW POC Monitor

Campcodes Complete POS Management and Inventory System up to version 4.0.6 allows authenticated remote attackers to inject malicious input through the Environment Variable Handler in SettingsController.php, leading to information disclosure and potential system compromise. The vulnerability has publicly available exploit code and affects an undisclosed function handling environment variable manipulation, with moderate CVSS 6.3 severity driven by network-accessible attack surface and low attack complexity.

PHP Information Disclosure
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-5560 LOW POC Monitor

SQL injection in PHPGurukul Online Shopping Portal Project 2.1 allows authenticated remote attackers to manipulate the paymethod parameter in /payment-method.php, enabling database query execution with limited confidentiality, integrity, and availability impact. The vulnerability is publicly documented with exploit code available, presenting moderate real-world risk despite the CVSS 6.3 score, as exploitation requires valid authentication credentials.

PHP SQLi
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-5558 LOW POC Monitor

SQL injection in PHPGurukul Online Shopping Portal Project up to version 2.1 allows authenticated remote attackers to execute arbitrary SQL commands via the ID parameter in /pending-orders.php, potentially leading to unauthorized data access or modification. The vulnerability has a published proof-of-concept exploit available and carries a CVSS score of 5.3 with moderate real-world impact due to authentication requirements.

PHP SQLi
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-5555 MEDIUM POC This Month

SQL injection in code-projects Concert Ticket Reservation System 1.0 allows unauthenticated remote attackers to extract, modify, or delete database contents via the Email parameter in login.php. The vulnerability is trivially exploitable (CVSS AC:L, PR:N) with publicly available exploit code demonstrating the attack path. EPSS data not available, but the combination of remote exploitation without authentication, public POC, and database compromise capabilities indicates moderate real-world risk for internet-exposed instances.

PHP SQLi
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-5554 MEDIUM POC This Month

SQL injection in Concert Ticket Reservation System 1.0 allows unauthenticated remote attackers to extract, modify, or delete database contents via the 'searching' parameter in process_search.php. Publicly available exploit code exists (GitHub), enabling immediate weaponization. CVSS 7.3 reflects network-accessible attack with no complexity barriers, though EPSS data unavailable. Not confirmed as actively exploited (no CISA KEV listing), but POC publication significantly lowers exploitation threshold for opportunistic attackers targeting exposed instances.

PHP SQLi
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-5553 LOW POC Monitor

SQL injection in itsourcecode Online Cellphone System 1.0 allows authenticated remote attackers to execute arbitrary SQL queries via the Name parameter in /cp/available.php, potentially compromising confidentiality, integrity, and availability of the application database. Publicly available exploit code exists and the vulnerability has moderate exploitability signals (CVSS 6.3, EPSS evidence of public tools), though no CISA KEV confirmation of active exploitation is present.

SQLi PHP
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-5552 LOW POC Monitor

SQL injection in PHPGurukul Online Shopping Portal Project 2.1 allows authenticated remote attackers to execute arbitrary SQL queries via the pid parameter in /sub-category.php, enabling information disclosure and potential data modification. Publicly available exploit code exists for this vulnerability, which carries a CVSS score of 6.3 with confirmed exploitation feasibility.

SQLi PHP
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-5551 MEDIUM POC This Month

SQL injection in itsourcecode Free Hotel Reservation System 1.0 allows unauthenticated remote attackers to extract, modify, or delete database contents via the 'email' parameter in /hotel/admin/login.php. The vulnerability is remotely exploitable with low attack complexity and no user interaction required. Publicly available exploit code exists (confirmed POC on GitHub), significantly lowering the barrier to exploitation. EPSS data not available, but the combination of unauthenticated remote access, public exploit, and impact on confidentiality, integrity, and availability creates moderate-to-high real-world risk for exposed instances.

PHP SQLi
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-5546 LOW POC Monitor

Unrestricted file upload in Campcodes Complete Online Learning Management System 1.0 allows authenticated remote attackers to upload arbitrary files via the add_lesson function in /application/models/Crud_model.php, enabling potential remote code execution or malware deployment. The vulnerability requires low-privilege authentication, carries a CVSS score of 6.3 (medium), and publicly available exploit code exists.

PHP File Upload
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-5543 LOW POC Monitor

SQL injection in PHPGurukul User Registration & Login and User Management System 3.3 allows authenticated remote attackers to execute arbitrary SQL queries via the ID parameter in /admin/yesterday-reg-users.php, potentially leading to unauthorized data access, modification, or deletion. Publicly available exploit code exists; CVSS 6.3 reflects moderate impact with low attack complexity and authenticated access requirement.

PHP SQLi
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-5542 LOW POC Monitor

Cross-site scripting (XSS) in code-projects Simple Laundry System 1.0 allows remote attackers to inject malicious scripts via the userid parameter in /modstaffinfo.php, affecting confidentiality and integrity of user sessions. The vulnerability requires user interaction (clicking a crafted link) and has a publicly available exploit (CVSS 4.3, EPSS signal: E:P indicates public exploit availability). This is a stored or reflected XSS vulnerability in a PHP-based application with low CVSS severity but non-negligible real-world risk due to ease of exploitation and public disclosure.

XSS PHP
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-5541 LOW POC Monitor

Stored or reflected cross-site scripting (XSS) in code-projects Simple Laundry System 1.0 allows remote attackers to inject malicious scripts via the userid parameter in /modmemberinfo.php, potentially compromising user sessions or stealing sensitive data. The vulnerability requires user interaction (UI:R) and publicly available exploit code exists, elevating the practical risk despite the moderate CVSS 4.3 score.

PHP XSS
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-5540 MEDIUM POC This Month

SQL injection in Simple Laundry System 1.0 allows unauthenticated remote attackers to execute arbitrary SQL commands via the firstName parameter in /modifymember.php. Publicly available exploit code exists (GitHub POC), enabling attackers to extract, modify, or delete database contents without authentication. CVSS 7.3 reflects network-based attack with low complexity and no privilege requirements. Not listed in CISA KEV, indicating no confirmed widespread exploitation despite public POC availability.

PHP SQLi
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-5539 LOW POC Monitor

Stored cross-site scripting (XSS) in code-projects Simple Laundry System 1.0 allows unauthenticated remote attackers to inject malicious scripts via the firstName parameter in /modifymember.php, which are executed in the context of other users' browsers. The vulnerability has a CVSS score of 4.3 with low impact severity but publicly available exploit code, though exploitation requires user interaction (UI:R). This represents a typical reflected or stored XSS in a parameter handler with limited immediate risk due to no confidentiality or availability impact, though it enables session hijacking and credential theft.

PHP XSS
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-5537 LOW POC Monitor

SQL injection in halex CourseSEL up to version 1.1.0 allows authenticated remote attackers to execute arbitrary SQL queries via the seid parameter in the HTTP GET request handler, potentially leading to unauthorized data access, modification, and denial of service. The vulnerability affects the check_sel function in IndexController.class.php and has publicly available exploit code; the vendor has not responded to early disclosure notifications.

SQLi PHP
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-5534 MEDIUM POC This Month

SQL injection in itsourcecode Online Enrollment System 1.0 allows unauthenticated remote attackers to manipulate database queries via the USERID parameter in /sms/user/index.php. The CVSS 7.3 score reflects network-accessible exploitation with low complexity requiring no privileges. Publicly available exploit code exists on GitHub, elevating immediate risk. CVSS impact ratings indicate potential for limited confidentiality, integrity, and availability compromise across the database layer.

PHP SQLi
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2018-25248 MEDIUM POC This Month

MyBB Downloads Plugin 2.0.3 contains a persistent cross-site scripting vulnerability that allows regular members to inject malicious scripts through the download title field. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS PHP
NVD Exploit-DB VulDB
CVSS 4.0
5.1
EPSS
0.0%
CVE-2016-20052 CRITICAL POC Act Now

Snews CMS 1.7 contains an unrestricted file upload vulnerability that allows unauthenticated attackers to upload arbitrary files including PHP executables to the snews_files directory. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE File Upload PHP
NVD Exploit-DB VulDB
CVSS 4.0
9.3
EPSS
0.2%
CVE-2026-35452 PHP MEDIUM GHSA This Month

Unauthenticated information disclosure in AVideo CloneSite plugin allows remote attackers to retrieve sensitive operational logs containing internal filesystem paths, remote server URLs, and SSH connection metadata via the client.log.php endpoint, which lacks authentication controls present in all sibling endpoints within the same plugin directory.

PHP Information Disclosure
NVD GitHub
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-35450 PHP MEDIUM GHSA This Month

Unauthenticated access to FFmpeg server configuration endpoint in AVideo allows remote attackers to probe infrastructure details and determine encoding architecture without authentication, while sibling management endpoints properly enforce admin-only access. This information disclosure aids reconnaissance for targeted attacks against video encoding infrastructure. CVSS 5.3, no public exploit code identified, no active exploitation confirmed.

PHP Authentication Bypass
NVD GitHub
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-35449 PHP MEDIUM GHSA This Month

AVideo install/test.php diagnostic script exposes sensitive viewer statistics including IP addresses, session IDs, and user agents to unauthenticated remote attackers due to a disabled CLI-only access guard. The vulnerability allows any visitor to retrieve video viewer data via HTTP GET requests without authentication, combined with enabled error reporting that leaks internal filesystem paths. CVSS 5.3 reflects low confidentiality impact; no public exploit code identified at time of analysis.

PHP Information Disclosure
NVD GitHub
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-35448 PHP LOW GHSA Monitor

Unauthenticated access to payment order data in the BlockonomicsYPT plugin for AVideo allows remote attackers to retrieve sensitive payment information including user IDs, transaction amounts, and Bitcoin transaction details for any address without authentication. The vulnerable check.php endpoint returns complete order records queryable by Bitcoin address alone, enabling attackers to link on-chain transactions to specific platform user accounts and violate user privacy. No exploit complexity is required beyond discovering Bitcoin addresses on the public blockchain.

PHP Authentication Bypass
NVD GitHub
CVSS 3.1
3.7
EPSS
0.0%
CVE-2026-35181 PHP MEDIUM GHSA This Month

Cross-site request forgery (CSRF) in AVideo's player skin configuration endpoint allows unauthenticated remote attackers to modify the video player appearance platform-wide when an authenticated administrator visits a malicious webpage. The vulnerability stems from missing CSRF token validation combined with disabled ORM-level domain security checks and SameSite=None cookie configuration; a proof-of-concept demonstrates silent modification of player skin settings without admin consent.

CSRF PHP
NVD GitHub
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-35179 PHP MEDIUM GHSA This Month

Unauthenticated proxy access in AVideo's SocialMediaPublisher plugin allows any user to make arbitrary Facebook/Instagram Graph API calls through the `publishInstagram.json.php` endpoint without authentication or authorization checks. By sending crafted requests with stolen or leaked access tokens, attackers can publish, modify, or delete content on the platform's Instagram account and potentially bypass rate limits using the server's IP address. CVSS 5.3 (medium integrity impact); no active exploitation confirmed but proof-of-concept is publicly available.

PHP Authentication Bypass
NVD GitHub
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-34788 MEDIUM This Month

SQL injection in Emlog tag management allows authenticated administrators to execute arbitrary SQL queries through the updateTagName() function in include/model/tag_model.php. Versions 2.6.2 and prior are affected. An attacker with administrative privileges can exploit this via direct SQL manipulation to modify or exfiltrate database contents. No public exploit code or active exploitation has been confirmed; patch status remains unavailable as of publication.

SQLi PHP
NVD GitHub
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-34787 MEDIUM This Month

Local file inclusion in Emlog admin/plugin.php allows authenticated attackers to execute arbitrary PHP code via unsanitized $plugin parameter in GET requests, provided CSRF token validation can be bypassed. Emlog versions 2.6.2 and prior are affected. An authenticated attacker with high privileges can include arbitrary files from the server filesystem, achieving remote code execution without requiring user interaction. No public exploit code or active exploitation has been confirmed at time of analysis.

LFI CSRF PHP RCE
NVD GitHub
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-34607 HIGH This Week

Path traversal in Emlog CMS 2.6.2 and earlier enables authenticated administrators to achieve remote code execution by uploading malicious ZIP archives containing directory traversal sequences. The emUnZip() function fails to sanitize entry paths during plugin/template uploads and backup imports, allowing arbitrary file writes including PHP webshells. CVSS 7.2 (High) with network attack vector and low complexity. No vendor-released patch identified at time of analysis; publicly available exploit code exists via GitHub Security Advisory GHSA-2jg8-rmhm-xv9m.

RCE Path Traversal PHP
NVD GitHub
CVSS 3.1
7.2
EPSS
0.3%
CVE-2026-35470 PHP HIGH PATCH GHSA This Week

SQL injection in OpenSTAManager 2.10.1 and prior allows authenticated users to extract database contents including bcrypt password hashes, customer records, and financial data via unsanitized GET parameters across six vulnerable PHP modules. The righe parameter in confronta_righe.php files is directly concatenated into IN() clauses without parameterization. CVSS 8.8 (High) with network attack vector, low complexity, and low privilege requirement. Vendor-released patch available in version 2.10.2. Exploit reproduction demonstrated via EXTRACTVALUE-based error injection extracting MySQL version, database user, and admin credentials. Confirmed publicly available exploit code exists (GitHub advisory GHSA-mmm5-3g4x-qw39).

SQLi Information Disclosure PHP
NVD GitHub
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-5484 MEDIUM POC PATCH This Month

BookStack chapter export functionality allows unauthenticated remote attackers to bypass access controls via manipulation of the pages parameter in the chapterToMarkdown function, enabling improper access to restricted content. Affects BookStack versions up to 26.03; patch available in version 26.03.1. Publicly available exploit code exists and CVSS 5.5 reflects low confidentiality impact with no integrity or availability compromise.

PHP Authentication Bypass
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-5472 LOW POC Monitor

Unrestricted file upload in ProjectsAndPrograms School Management System up to commit 6b6fae5426044f89c08d0dd101c7fa71f9042a59 allows authenticated users to upload arbitrary files via the Profile Picture Handler in /admin_panel/settings.php, enabling remote code execution. The vulnerability affects the File parameter with low attack complexity and has publicly available exploit code; while CVSS 5.3 reflects moderate integrity and confidentiality impact, the low authentication requirement and network accessibility make this a practical privilege escalation and code execution vector for authenticated attackers.

File Upload PHP Authentication Bypass
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-4350 HIGH This Week

Arbitrary file deletion in Perfmatters WordPress plugin (≤2.5.9.1) allows authenticated attackers with Subscriber-level access to delete critical files including wp-config.php via path traversal, enabling full site takeover. The vulnerability stems from unsanitized GET parameter processing in PMCS::action_handler() without authentication or nonce checks. CVSS 8.1 reflects network-accessible attack requiring only low-privilege authentication with high integrity and availability impact. No public exploit identified at time of analysis, though the attack vector is straightforward given the lack of input validation.

WordPress PHP Path Traversal
NVD VulDB
CVSS 3.1
8.1
EPSS
0.1%
CVE-2026-26477 MEDIUM This Month

Denial of service in Dokuwiki version 2025-05-14b 'Librarian' release allows remote attackers to crash or disable the application through improper input handling in the media_upload_xhr() function within media.php. The vulnerability requires network access to the media upload endpoint but does not require authentication. No public exploit code, CVSS scoring, or active exploitation has been confirmed at the time of analysis.

Denial Of Service PHP
NVD GitHub VulDB
CVSS 3.1
4.3
EPSS
0.1%
CVE-2026-34735 HIGH This Week

Remote code execution in Hytale Modding Wiki version 1.2.0 and earlier allows authenticated users to upload malicious PHP files through a MIME type validation bypass. The quickUpload() endpoint performs independent validation of file content (via MIME type) and filename extension, enabling attackers to craft files with benign content signatures but executable .php extensions. Uploaded files are stored in a publicly accessible location, allowing direct URL access for server-side code execution. EPSS data unavailable; publicly available exploit code exists per SSVC assessment. No vendor-released patch identified at time of analysis.

PHP File Upload RCE
NVD GitHub
CVSS 4.0
8.7
EPSS
0.1%
CVE-2026-5368 MEDIUM POC This Month

SQL injection in projectworlds Car Rental Project 1.0 login.php allows unauthenticated remote attackers to bypass authentication, extract sensitive database contents, and potentially modify or delete data via the 'uname' parameter. Publicly available exploit code exists (GitHub POC published), significantly lowering the barrier to exploitation. EPSS data not available, but the combination of network-accessible attack vector, no authentication requirement, and public exploit makes this a practical threat for internet-facing deployments of this vulnerable application.

SQLi PHP
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-5344 LOW Monitor

Path traversal in Textpattern XML-RPC handler allows authenticated remote attackers to write arbitrary files via the file.name parameter in mt_uploadImage function, enabling potential code execution or sensitive file overwrite. Affects Textpattern up to version 4.9.1, with publicly available exploit code and vendor confirmation of the issue pending fix in an upcoming release.

PHP Path Traversal
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
EPSS 0% CVSS 2.1
LOW POC Monitor

SQL injection in itsourcecode's 'sanitize or validate this input' application allows authenticated remote attackers to execute arbitrary SQL queries via the emp_id parameter in /borrowedequip.php, potentially compromising data confidentiality and integrity. The vulnerability affects version 1.0 and has publicly available exploit code; exploitation requires valid login credentials but carries low-to-moderate real-world risk given the CVSS 5.3 score and authenticated attack requirement.

SQLi PHP
NVD VulDB GitHub
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Authenticated users in Brave CMS can delete arbitrary article images belonging to other users via an Insecure Direct Object Reference (IDOR) flaw in versions prior to 2.0.6. The deleteImage method in ArticleController.php accepts filenames without verifying ownership, allowing any authenticated user with edit permissions to delete images from articles they don't own. CVSS 7.1 reflects high integrity impact with low availability impact. No public exploit identified at time of analysis, and EPSS data not available for this recent vulnerability.

PHP Authentication Bypass
NVD GitHub VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Privilege escalation in Brave CMS 2.0.x before 2.0.6 allows authenticated users with low-privilege accounts to promote themselves to Super Admin by directly calling the unprotected role update endpoint. The vulnerability stems from a missing authorization middleware check on the /rights/update-role/{id} route, enabling complete takeover of the CMS by any user with valid credentials. No public exploit identified at time of analysis, but exploitation is trivial given the straightforward API endpoint access. With EPSS data unavailable and no KEV listing, risk primarily affects organizations using affected Brave CMS versions in multi-user environments.

PHP Authentication Bypass
NVD GitHub VulDB
EPSS 0% CVSS 4.3
MEDIUM This Month

Cross-site request forgery in WWBN AVideo 26.0 and earlier allows unauthenticated remote attackers to overwrite the platform's logo file via a malicious cross-origin POST to the admin/customize_settings_nativeUpdate.json.php endpoint. The vulnerability exploits missing CSRF token validation combined with a SameSite=None cookie policy and a file-write-before-validation logic flaw, enabling integrity compromise of the site's branding. No public exploit code or active exploitation has been identified at the time of analysis.

CSRF PHP
NVD GitHub VulDB
EPSS 0% CVSS 2.1
LOW Monitor

SQL injection in itsourcecode Construction Management System 1.0 allows authenticated remote attackers to manipulate the 'emp' parameter in /borrowed_tool.php, resulting in limited confidentiality, integrity, and availability impact. The vulnerability requires valid credentials (PR:L) but has publicly available exploit code, though exploitation probability remains moderate (EPSS indicates P:P status). This is a classic parameter injection flaw in a PHP application with real but constrained risk due to authentication requirements.

SQLi PHP
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM This Month

SQL injection in code-projects Simple IT Discussion Forum 1.0 via the cat_id parameter in /edit-category.php allows unauthenticated remote attackers to execute arbitrary SQL queries, potentially leading to data exfiltration, modification, or deletion. The vulnerability has a publicly disclosed exploit and moderate CVSS score (6.9) with confirmed exploitation capability signals.

SQLi PHP
NVD VulDB GitHub
EPSS 0% CVSS 9.1
CRITICAL PATCH Act Now

Path traversal in Chyrp Lite administration console allows privileged users with Change Settings permissions to manipulate the uploads path, enabling arbitrary file read (including database credentials from config.json.php) and arbitrary file write leading to remote code execution. Affects all versions prior to 2026.01. CVSS 9.1 (Critical) reflects post-authentication impact with scope change. EPSS data not available; no public exploit identified at time of analysis, no CISA KEV listing.

RCE Path Traversal PHP
NVD GitHub
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Remote code execution in Brave CMS versions prior to 2.0.6 allows authenticated users to upload and execute arbitrary PHP scripts through the CKEditor upload functionality. The vulnerability stems from unrestricted file upload in the ckupload method of CkEditorController.php, which fails to validate uploaded file types. No public exploit identified at time of analysis, though the attack requires only low-privilege authentication (PR:L) with low complexity (AC:L). CVSS 8.8 High severity reflects the complete system compromise possible post-authentication.

File Upload PHP RCE
NVD GitHub
EPSS 0% CVSS 2.1
LOW Monitor

Unrestricted file upload in Cyber-III Student-Management-System allows authenticated remote attackers to upload arbitrary files via manipulation of the File parameter in /AssignmentSection/submission/upload.php, leading to potential remote code execution or data exfiltration. The vulnerability affects the move_uploaded_file function and has publicly available exploit code; the vendor has not responded to early disclosure notification. CVSS 5.3 reflects low confidentiality and integrity impact within an authenticated context, though real-world risk depends on file execution permissions and web server configuration.

PHP File Upload Authentication Bypass
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM This Month

SQL injection in Cyber-III Student-Management-System login parameter handler allows unauthenticated remote attackers to execute arbitrary SQL queries via the Password parameter in /login.php, potentially leading to unauthorized data access, modification, or deletion. The vulnerability has been publicly disclosed with exploit code available, and the affected project uses rolling releases without fixed version tagging, complicating patch status determination. CVSS 6.9 reflects moderate severity with low confidentiality, integrity, and availability impact across multiple scopes.

PHP SQLi
NVD GitHub VulDB
EPSS 0% CVSS 2.1
LOW POC Monitor

Cross-site scripting (XSS) in Cyber-III Student-Management-System allows unauthenticated remote attackers to inject malicious scripts via the batch parameter in the /admin/class%20schedule/delete_batch.php endpoint, compromised by improper input validation. The vulnerability affects all versions up to commit 1a938fa61e9f735078e9b291d2e6215b4942af3f and has publicly available exploit code disclosed on GitHub; the vendor has not responded to early notification.

XSS PHP
NVD VulDB GitHub
EPSS 0% CVSS 1.9
LOW POC Monitor

Cross-site scripting (XSS) in Cyber-III Student-Management-System allows high-privileged authenticated attackers to inject malicious scripts via the $_SERVER['PHP_SELF'] parameter in the /admin/Add%20notice/add%20notice.php endpoint. The vulnerability requires user interaction (UI:P) to trigger and is confirmed by publicly available exploit code, though real-world risk is mitigated by high privilege requirements (PR:H) and limited technical impact (integrity only). The product uses rolling releases with no versioning, and the vendor has not responded to early disclosure.

PHP XSS
NVD VulDB GitHub
EPSS 0% CVSS 8.1
HIGH PATCH This Week

Time-based blind SQL injection in ChurchCRM versions prior to 7.1.0 allows authenticated users with Edit Records or Manage Groups permissions to exfiltrate or modify database content including credentials, PII, and configuration secrets via the PropertyAssign.php endpoint. Attack requires low-privilege authentication (PR:L) but enables high confidentiality and integrity impact through database manipulation. No public exploit identified at time of analysis, though EPSS data was not provided. CVSS 8.1 reflects network-accessible exploitation with low complexity requiring only basic user privileges.

SQLi PHP
NVD GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in code-projects Online FIR System 1.0 allows unauthenticated remote attackers to extract, modify, or delete database contents via the email and password parameters in /Login/checklogin.php. CVSS 7.3 (High) with attack vector Network, Low complexity, and No privileges required. Publicly available exploit code exists (GitHub POC published). EPSS data not provided, but the combination of unauthenticated access, public exploit, and login bypass potential makes this a significant risk for exposed instances.

SQLi PHP
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

SQL injection in itsourcecode Construction Management System 1.0 allows authenticated remote attackers to execute arbitrary SQL queries via the emp parameter in /borrowed_equip.php, potentially compromising data confidentiality and integrity. The vulnerability has a CVSS score of 5.3 with publicly available exploit code; however, exploitation requires valid authentication credentials and does not grant administrative privileges or enable denial of service.

PHP SQLi
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM This Month

SQL injection in code-projects Simple Laundry System 1.0 allows unauthenticated remote attackers to execute arbitrary SQL queries via the firstName parameter in /userfinishregister.php, enabling data exfiltration and manipulation. The vulnerability has publicly available exploit code and a published CVSS 6.9 score reflecting moderate confidentiality and integrity impact.

PHP SQLi
NVD GitHub VulDB
EPSS 0% CVSS 1.9
LOW Monitor

Stored cross-site scripting (XSS) in code-projects Online Shoe Store 1.0 allows authenticated administrators to inject malicious scripts via the product_name parameter in the Add Product Page (/admin/admin_feature.php), which execute in the context of other users' browsers. The vulnerability requires high-privilege administrative access and user interaction (clicking a malicious link), limiting real-world impact, but publicly available exploit code exists.

PHP XSS
NVD GitHub VulDB
EPSS 0% CVSS 2.1
LOW POC Monitor

SQL injection in code-projects Online Application System for Admission 1.0 allows authenticated remote attackers to execute arbitrary SQL commands via the /enrollment/admsnform.php endpoint, enabling data exfiltration and database manipulation. The vulnerability has a CVSS score of 6.3 (medium severity) with public exploit code disclosed; exploitation requires valid user credentials but no special complexity.

PHP SQLi
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in code-projects Easy Blog Site 1.0 allows unauthenticated remote attackers to compromise authentication and potentially extract, modify, or delete database contents via crafted username/password parameters in login.php. CVSS 7.3 (High) with network attack vector, low complexity, and no authentication required. Publicly available exploit code exists (GitHub POC), significantly lowering the barrier to exploitation. No vendor-released patch identified at time of analysis.

SQLi PHP
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in projectworlds Car Rental System 1.0 allows unauthenticated remote attackers to manipulate database queries via the mpesa parameter in /pay.php. The vulnerability carries a CVSS score of 7.3 with network-based exploitation requiring low complexity and no user interaction. Publicly available exploit code exists (GitHub POC published), significantly lowering the barrier to exploitation, though no CISA KEV listing confirms active widespread exploitation at time of analysis.

SQLi PHP
NVD VulDB GitHub
EPSS 0% CVSS 1.9
LOW POC Monitor

Stored cross-site scripting (XSS) in Cyber-III Student-Management-System via manipulation of the $_SERVER['PHP_SELF'] variable in the batch-notice.php admin file allows authenticated attackers with high privileges to inject malicious scripts. The vulnerability affects all versions up to commit 1a938fa61e9f735078e9b291d2e6215b4942af3f, exploitable remotely with user interaction, and publicly available exploit code exists. CVSS score of 4.8 reflects moderate risk constrained by authentication and interaction requirements, though the integrity impact and active public disclosure elevate operational concern.

PHP XSS
NVD VulDB GitHub
EPSS 0% CVSS 1.9
LOW POC Monitor

Reflected cross-site scripting in Cyber-III Student-Management-System up to commit 1a938fa61e9f735078e9b291d2e6215b4942af3f allows high-privilege authenticated attackers to inject malicious scripts via the $_SERVER['PHP_SELF'] parameter in the admin notice endpoint (/admin/Add%20notice/notice.php). Publicly available exploit code exists, and the vulnerability requires user interaction (UI) to trigger, limiting practical impact despite remote accessibility.

PHP XSS
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

Improper authorization in Cyber-III Student-Management-System allows unauthenticated remote attackers to bypass authentication controls via crafted HTTP POST requests to /viva/update.php. The vulnerability (CWE-285) enables unauthorized modification of student records by manipulating the 'Name' parameter. Publicly available exploit code exists (GitHub issue #236), and the project maintainer has not responded to responsible disclosure attempts. EPSS data not provided, but CVSS 7.3 with PR:N indicates significant risk for internet-facing deployments.

Authentication Bypass PHP
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

SQL injection in PHPGurukul Online Shopping Portal Project 2.1 allows authenticated remote attackers to execute arbitrary SQL queries via the filename parameter in /admin/update-image1.php, potentially compromising data confidentiality, integrity, and availability. Publicly available exploit code exists, elevating real-world risk despite the moderate CVSS score.

PHP SQLi
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

SQL injection in PHPGurukul Online Shopping Portal Project 2.1 allows authenticated remote attackers to execute arbitrary SQL queries via the filename parameter in /admin/update-image2.php. The vulnerability affects the parameter handling mechanism and has publicly available exploit code; attackers with administrative credentials can manipulate the filename argument to inject SQL commands, potentially leading to data exfiltration or modification with limited direct impact to confidentiality and integrity of the application layer.

SQLi PHP
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

SQL injection in PHPGurukul Online Shopping Portal Project 2.1 allows authenticated remote attackers to manipulate the filename parameter in /admin/update-image3.php, leading to database query manipulation with limited confidentiality and integrity impact. The vulnerability carries a CVSS score of 5.3 (medium severity) and requires valid admin credentials to exploit; publicly available exploit code exists but the vulnerability is not confirmed as actively exploited in CISA KEV.

PHP SQLi
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in projectworlds Car Rental System 1.0 allows unauthenticated remote attackers to execute arbitrary SQL commands via the Message parameter in /message_admin.php. Publicly available exploit code exists, significantly lowering the barrier to exploitation. The vulnerability enables unauthorized data access, modification, and potential denial of service against the administrative messaging interface. CVSS 7.3 severity reflects network-accessible attack vector with low complexity and no authentication requirement.

SQLi PHP
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

SQL injection in PHPGurukul Online Shopping Portal Project 2.1 allows authenticated remote attackers to execute arbitrary SQL queries via the oid parameter in /cancelorder.php, potentially enabling unauthorized data access or modification. Publicly available exploit code exists for this vulnerability, which affects the parameter handler component and carries a CVSS score of 5.3 with confirmed exploitation feasibility.

PHP SQLi
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

SQL injection in PHPGurukul Online Shopping Portal Project 2.1 allows authenticated remote attackers to execute arbitrary SQL commands via the cid parameter in /categorywise-products.php. Publicly available exploit code exists for this vulnerability, which affects the parameter handler component. The attack requires valid user credentials but carries low impact, affecting confidentiality, integrity, and availability of data at limited scope.

PHP SQLi
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in projectworlds Car Rental Project 1.0 allows remote attackers to execute arbitrary SQL queries via the fname parameter in /book_car.php, enabling unauthenticated database manipulation with potential confidentiality and integrity impact. The vulnerability has publicly available exploit code and a moderate CVSS score of 6.9, indicating practical exploitability despite low attack complexity.

PHP SQLi
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW PATCH Monitor

Cross-site request forgery (CSRF) in ProjectSend r2002 allows unauthenticated remote attackers to perform unauthorized file upload operations via the upload.php endpoint with user interaction (UI:R). The vulnerability has been publicly disclosed with exploit code available, and ProjectSend has released patched version r2029 with commit 2c0d25824ab571b6c219ac1a188ad9350149661b to remediate the issue. While the CVSS score of 4.3 indicates low-to-moderate severity, the presence of public exploit code and lack of authentication requirements elevates the real-world risk for unpatched instances.

CSRF PHP File Upload
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

SQL injection in itsourcecode Construction Management System 1.0 allows authenticated remote attackers to execute arbitrary SQL queries via the Home parameter in /borrowed_equip_report.php, potentially leading to unauthorized data access, modification, or deletion. The vulnerability has been publicly disclosed with exploit code available, and demonstrates low attack complexity with network-based delivery requiring valid credentials.

PHP SQLi
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC PATCH Monitor

Cross-site scripting (XSS) in givanz Vvvebjs file upload endpoint allows unauthenticated remote attackers to inject malicious scripts via the uploadAllowExtensions parameter in upload.php. The vulnerability affects Vvvebjs versions up to 2.0.5 and requires user interaction (UI:R). A publicly available exploit exists and a patch (commit 8cac22cff99b8bc701c408aa8e887fa702755336) has been released by the vendor; EPSS exploitation likelihood is indicated as probable (E:P) with a CVSS score of 4.3.

XSS PHP File Upload
NVD VulDB GitHub
EPSS 0% CVSS 5.3
MEDIUM This Month

SQL injection in PHPGurukul Online Shopping Portal Project 2.1 allows authenticated remote attackers to execute arbitrary SQL queries via the orderid parameter in /order-details.php, enabling data exfiltration and database manipulation. CVSS 6.3 reflects authenticated access requirement and limited scope; no public exploit code or active KEV status confirmed at time of analysis.

PHP SQLi
NVD VulDB GitHub
EPSS 0% CVSS 8.8
HIGH POC This Week

eDirectory contains multiple SQL injection vulnerabilities that allow unauthenticated attackers to bypass administrator authentication and disclose sensitive files by injecting SQL code into. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi PHP
NVD Exploit-DB
EPSS 0% CVSS 9.3
CRITICAL POC Act Now

Pegasus CMS 1.0 contains a remote code execution vulnerability in the extra_fields.php plugin that allows unauthenticated attackers to execute arbitrary commands by exploiting unsafe eval. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP Path Traversal RCE
NVD Exploit-DB
EPSS 0% CVSS 8.7
HIGH POC This Week

phpBB contains an arbitrary file upload vulnerability that allows authenticated attackers to upload malicious files by exploiting the plupload functionality and phar:// stream wrapper. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP Path Traversal File Upload +1
NVD Exploit-DB
EPSS 0% CVSS 8.8
HIGH POC This Week

OpenDocMan 1.3.4 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the 'where' parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi
NVD Exploit-DB
EPSS 0% CVSS 5.3
MEDIUM POC This Month

CMSsite 1.0 contains a cross-site request forgery vulnerability that allows attackers to perform unauthorized administrative actions by crafting malicious HTML forms. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP CSRF
NVD Exploit-DB GitHub
EPSS 0% CVSS 8.8
HIGH POC This Week

C4G Basic Laboratory Information System 3.4 contains multiple SQL injection vulnerabilities that allow unauthenticated attackers to execute arbitrary SQL commands by injecting malicious code through. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP Authentication Bypass SQLi
NVD Exploit-DB
EPSS 0% CVSS 8.8
HIGH POC This Week

Ask Expert Script 3.0.5 contains cross-site scripting and SQL injection vulnerabilities that allow unauthenticated attackers to inject malicious code by manipulating URL parameters. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP XSS SQLi +1
NVD Exploit-DB
EPSS 0% CVSS 8.8
HIGH POC This Week

CMSsite 1.0 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the 'post' parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi
NVD Exploit-DB GitHub
EPSS 0% CVSS 8.7
HIGH POC This Week

UniSharp Laravel File Manager v2.0.0-alpha7 and v2.0 contain an arbitrary file upload vulnerability that allows authenticated attackers to upload malicious files by sending multipart form data to the. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP File Upload RCE
NVD Exploit-DB GitHub
EPSS 0% CVSS 8.7
HIGH POC This Week

VA MAX 8.3.4 contains a remote code execution vulnerability that allows authenticated attackers to execute arbitrary commands by injecting shell metacharacters into the mtu_eth0 parameter. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP Path Traversal RCE +1
NVD Exploit-DB
EPSS 0% CVSS 8.8
HIGH POC This Week

News Website Script 2.0.5 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the news ID parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi
NVD Exploit-DB
EPSS 0% CVSS 7.1
HIGH POC This Week

SuiteCRM 7.10.7 contains a time-based SQL injection vulnerability in the record parameter of the Users module DetailView action that allows authenticated attackers to manipulate database queries. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi
NVD Exploit-DB
EPSS 0% CVSS 8.8
HIGH POC This Week

ResourceSpace 8.6 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the 'ref' parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi
NVD Exploit-DB
EPSS 0% CVSS 2.1
LOW POC Monitor

SQL injection in PHPGurukul Online Shopping Portal Project 2.1 allows authenticated remote attackers to execute arbitrary SQL queries via manipulation of the fullname parameter in /my-profile.php. The vulnerability has a publicly disclosed exploit and CVSS 5.3 score reflecting low confidentiality and integrity impact; however, the moderate real-world risk is elevated by public exploit availability and the authentication-required nature suggesting insider or credential-based attack scenarios.

SQLi PHP
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW Monitor

SQL injection in CodeAstro Online Classroom 1.0 allows authenticated remote attackers to execute arbitrary SQL queries via manipulation of the fname parameter in the /OnlineClassroom/updatedetailsfromfaculty.php endpoint. The vulnerability has been publicly disclosed with exploit code available, presenting moderate real-world risk due to required authentication (PR:L) but low technical impact (VC:L, VI:L, VA:L) per CVSS 4.0 scoring.

SQLi PHP
NVD GitHub VulDB
EPSS 0% CVSS 2.1
LOW POC Monitor

SQL injection in CodeAstro Online Classroom 1.0 allows authenticated remote attackers to execute arbitrary SQL commands via the videotitle parameter in /OnlineClassroom/addvideos.php. Publicly available exploit code exists, enabling database manipulation with low complexity. CVSS 6.3 (Medium) reflects authentication requirement and limited scope, though exploitation is straightforward and could lead to unauthorized data access or modification.

PHP SQLi
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

SQL injection in CodeAstro Online Classroom 1.0 via the deleteid parameter in /OnlineClassroom/addassessment.php allows authenticated remote attackers to manipulate database queries with low impact to confidentiality, integrity, and availability. Public exploit code is available, increasing practical risk despite the moderate CVSS 5.3 score. The vulnerability requires valid authentication (PR:L) but uses a common attack vector (AV:N, AC:L) typical of parameter validation flaws in PHP web applications.

SQLi PHP
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM This Month

SQL injection in SourceCodester jkev Record Management System 1.0 allows remote unauthenticated attackers to manipulate the Username parameter in the Login component (index.php) to execute arbitrary SQL queries, potentially leading to unauthorized data access or modification. The exploit code is publicly available, and the vulnerability carries a CVSS 4.0 base score of 6.9 with low confidentiality, integrity, and availability impact.

SQLi PHP
NVD GitHub VulDB
EPSS 0% CVSS 2.0
LOW POC Monitor

Unrestricted file upload in SourceCodester/jkev Record Management System 1.0 allows authenticated remote attackers to upload arbitrary files via the save_emp.php Add Employee Page component, potentially enabling remote code execution. The vulnerability requires high-privilege authentication and has publicly available exploit code, though real-world risk remains limited by the authentication barrier and moderate CVSS score of 4.7.

File Upload PHP
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in code-projects Simple Laundry System 1.0 allows unauthenticated remote attackers to execute arbitrary SQL commands via the userid parameter in /delmemberinfo.php. The vulnerability has publicly available exploit code (GitHub POC) and CVSS 7.3 severity with network-accessible attack vector requiring low complexity and no privileges. No vendor-released patch identified at time of analysis. EPSS data not provided, but public exploit availability increases likelihood of opportunistic scanning and exploitation.

PHP SQLi
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in code-projects Simple Laundry System 1.0 allows unauthenticated remote attackers to extract, modify, or delete database records via the searchServiceId parameter in /searchguest.php. CVSS 7.3 reflects network-accessible attack with low complexity requiring no privileges. Publicly available exploit code exists (GitHub PoC published), significantly lowering exploitation barrier. No vendor-released patch identified at time of analysis. EPSS data unavailable, but combination of remotely exploitable SQLi with public PoC against an unmaintained open-source project indicates elevated real-world risk for installations exposed to untrusted networks.

PHP SQLi
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

Campcodes Complete POS Management and Inventory System up to version 4.0.6 allows authenticated remote attackers to inject malicious input through the Environment Variable Handler in SettingsController.php, leading to information disclosure and potential system compromise. The vulnerability has publicly available exploit code and affects an undisclosed function handling environment variable manipulation, with moderate CVSS 6.3 severity driven by network-accessible attack surface and low attack complexity.

PHP Information Disclosure
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

SQL injection in PHPGurukul Online Shopping Portal Project 2.1 allows authenticated remote attackers to manipulate the paymethod parameter in /payment-method.php, enabling database query execution with limited confidentiality, integrity, and availability impact. The vulnerability is publicly documented with exploit code available, presenting moderate real-world risk despite the CVSS 6.3 score, as exploitation requires valid authentication credentials.

PHP SQLi
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

SQL injection in PHPGurukul Online Shopping Portal Project up to version 2.1 allows authenticated remote attackers to execute arbitrary SQL commands via the ID parameter in /pending-orders.php, potentially leading to unauthorized data access or modification. The vulnerability has a published proof-of-concept exploit available and carries a CVSS score of 5.3 with moderate real-world impact due to authentication requirements.

PHP SQLi
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in code-projects Concert Ticket Reservation System 1.0 allows unauthenticated remote attackers to extract, modify, or delete database contents via the Email parameter in login.php. The vulnerability is trivially exploitable (CVSS AC:L, PR:N) with publicly available exploit code demonstrating the attack path. EPSS data not available, but the combination of remote exploitation without authentication, public POC, and database compromise capabilities indicates moderate real-world risk for internet-exposed instances.

PHP SQLi
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in Concert Ticket Reservation System 1.0 allows unauthenticated remote attackers to extract, modify, or delete database contents via the 'searching' parameter in process_search.php. Publicly available exploit code exists (GitHub), enabling immediate weaponization. CVSS 7.3 reflects network-accessible attack with no complexity barriers, though EPSS data unavailable. Not confirmed as actively exploited (no CISA KEV listing), but POC publication significantly lowers exploitation threshold for opportunistic attackers targeting exposed instances.

PHP SQLi
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

SQL injection in itsourcecode Online Cellphone System 1.0 allows authenticated remote attackers to execute arbitrary SQL queries via the Name parameter in /cp/available.php, potentially compromising confidentiality, integrity, and availability of the application database. Publicly available exploit code exists and the vulnerability has moderate exploitability signals (CVSS 6.3, EPSS evidence of public tools), though no CISA KEV confirmation of active exploitation is present.

SQLi PHP
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

SQL injection in PHPGurukul Online Shopping Portal Project 2.1 allows authenticated remote attackers to execute arbitrary SQL queries via the pid parameter in /sub-category.php, enabling information disclosure and potential data modification. Publicly available exploit code exists for this vulnerability, which carries a CVSS score of 6.3 with confirmed exploitation feasibility.

SQLi PHP
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in itsourcecode Free Hotel Reservation System 1.0 allows unauthenticated remote attackers to extract, modify, or delete database contents via the 'email' parameter in /hotel/admin/login.php. The vulnerability is remotely exploitable with low attack complexity and no user interaction required. Publicly available exploit code exists (confirmed POC on GitHub), significantly lowering the barrier to exploitation. EPSS data not available, but the combination of unauthenticated remote access, public exploit, and impact on confidentiality, integrity, and availability creates moderate-to-high real-world risk for exposed instances.

PHP SQLi
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

Unrestricted file upload in Campcodes Complete Online Learning Management System 1.0 allows authenticated remote attackers to upload arbitrary files via the add_lesson function in /application/models/Crud_model.php, enabling potential remote code execution or malware deployment. The vulnerability requires low-privilege authentication, carries a CVSS score of 6.3 (medium), and publicly available exploit code exists.

PHP File Upload
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

SQL injection in PHPGurukul User Registration & Login and User Management System 3.3 allows authenticated remote attackers to execute arbitrary SQL queries via the ID parameter in /admin/yesterday-reg-users.php, potentially leading to unauthorized data access, modification, or deletion. Publicly available exploit code exists; CVSS 6.3 reflects moderate impact with low attack complexity and authenticated access requirement.

PHP SQLi
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

Cross-site scripting (XSS) in code-projects Simple Laundry System 1.0 allows remote attackers to inject malicious scripts via the userid parameter in /modstaffinfo.php, affecting confidentiality and integrity of user sessions. The vulnerability requires user interaction (clicking a crafted link) and has a publicly available exploit (CVSS 4.3, EPSS signal: E:P indicates public exploit availability). This is a stored or reflected XSS vulnerability in a PHP-based application with low CVSS severity but non-negligible real-world risk due to ease of exploitation and public disclosure.

XSS PHP
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

Stored or reflected cross-site scripting (XSS) in code-projects Simple Laundry System 1.0 allows remote attackers to inject malicious scripts via the userid parameter in /modmemberinfo.php, potentially compromising user sessions or stealing sensitive data. The vulnerability requires user interaction (UI:R) and publicly available exploit code exists, elevating the practical risk despite the moderate CVSS 4.3 score.

PHP XSS
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in Simple Laundry System 1.0 allows unauthenticated remote attackers to execute arbitrary SQL commands via the firstName parameter in /modifymember.php. Publicly available exploit code exists (GitHub POC), enabling attackers to extract, modify, or delete database contents without authentication. CVSS 7.3 reflects network-based attack with low complexity and no privilege requirements. Not listed in CISA KEV, indicating no confirmed widespread exploitation despite public POC availability.

PHP SQLi
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

Stored cross-site scripting (XSS) in code-projects Simple Laundry System 1.0 allows unauthenticated remote attackers to inject malicious scripts via the firstName parameter in /modifymember.php, which are executed in the context of other users' browsers. The vulnerability has a CVSS score of 4.3 with low impact severity but publicly available exploit code, though exploitation requires user interaction (UI:R). This represents a typical reflected or stored XSS in a parameter handler with limited immediate risk due to no confidentiality or availability impact, though it enables session hijacking and credential theft.

PHP XSS
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

SQL injection in halex CourseSEL up to version 1.1.0 allows authenticated remote attackers to execute arbitrary SQL queries via the seid parameter in the HTTP GET request handler, potentially leading to unauthorized data access, modification, and denial of service. The vulnerability affects the check_sel function in IndexController.class.php and has publicly available exploit code; the vendor has not responded to early disclosure notifications.

SQLi PHP
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in itsourcecode Online Enrollment System 1.0 allows unauthenticated remote attackers to manipulate database queries via the USERID parameter in /sms/user/index.php. The CVSS 7.3 score reflects network-accessible exploitation with low complexity requiring no privileges. Publicly available exploit code exists on GitHub, elevating immediate risk. CVSS impact ratings indicate potential for limited confidentiality, integrity, and availability compromise across the database layer.

PHP SQLi
NVD VulDB GitHub
EPSS 0% CVSS 5.1
MEDIUM POC This Month

MyBB Downloads Plugin 2.0.3 contains a persistent cross-site scripting vulnerability that allows regular members to inject malicious scripts through the download title field. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS PHP
NVD Exploit-DB VulDB
EPSS 0% CVSS 9.3
CRITICAL POC Act Now

Snews CMS 1.7 contains an unrestricted file upload vulnerability that allows unauthenticated attackers to upload arbitrary files including PHP executables to the snews_files directory. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE File Upload PHP
NVD Exploit-DB VulDB
EPSS 0% CVSS 5.3
MEDIUM This Month

Unauthenticated information disclosure in AVideo CloneSite plugin allows remote attackers to retrieve sensitive operational logs containing internal filesystem paths, remote server URLs, and SSH connection metadata via the client.log.php endpoint, which lacks authentication controls present in all sibling endpoints within the same plugin directory.

PHP Information Disclosure
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM This Month

Unauthenticated access to FFmpeg server configuration endpoint in AVideo allows remote attackers to probe infrastructure details and determine encoding architecture without authentication, while sibling management endpoints properly enforce admin-only access. This information disclosure aids reconnaissance for targeted attacks against video encoding infrastructure. CVSS 5.3, no public exploit code identified, no active exploitation confirmed.

PHP Authentication Bypass
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM This Month

AVideo install/test.php diagnostic script exposes sensitive viewer statistics including IP addresses, session IDs, and user agents to unauthenticated remote attackers due to a disabled CLI-only access guard. The vulnerability allows any visitor to retrieve video viewer data via HTTP GET requests without authentication, combined with enabled error reporting that leaks internal filesystem paths. CVSS 5.3 reflects low confidentiality impact; no public exploit code identified at time of analysis.

PHP Information Disclosure
NVD GitHub
EPSS 0% CVSS 3.7
LOW Monitor

Unauthenticated access to payment order data in the BlockonomicsYPT plugin for AVideo allows remote attackers to retrieve sensitive payment information including user IDs, transaction amounts, and Bitcoin transaction details for any address without authentication. The vulnerable check.php endpoint returns complete order records queryable by Bitcoin address alone, enabling attackers to link on-chain transactions to specific platform user accounts and violate user privacy. No exploit complexity is required beyond discovering Bitcoin addresses on the public blockchain.

PHP Authentication Bypass
NVD GitHub
EPSS 0% CVSS 4.3
MEDIUM This Month

Cross-site request forgery (CSRF) in AVideo's player skin configuration endpoint allows unauthenticated remote attackers to modify the video player appearance platform-wide when an authenticated administrator visits a malicious webpage. The vulnerability stems from missing CSRF token validation combined with disabled ORM-level domain security checks and SameSite=None cookie configuration; a proof-of-concept demonstrates silent modification of player skin settings without admin consent.

CSRF PHP
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM This Month

Unauthenticated proxy access in AVideo's SocialMediaPublisher plugin allows any user to make arbitrary Facebook/Instagram Graph API calls through the `publishInstagram.json.php` endpoint without authentication or authorization checks. By sending crafted requests with stolen or leaked access tokens, attackers can publish, modify, or delete content on the platform's Instagram account and potentially bypass rate limits using the server's IP address. CVSS 5.3 (medium integrity impact); no active exploitation confirmed but proof-of-concept is publicly available.

PHP Authentication Bypass
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM This Month

SQL injection in Emlog tag management allows authenticated administrators to execute arbitrary SQL queries through the updateTagName() function in include/model/tag_model.php. Versions 2.6.2 and prior are affected. An attacker with administrative privileges can exploit this via direct SQL manipulation to modify or exfiltrate database contents. No public exploit code or active exploitation has been confirmed; patch status remains unavailable as of publication.

SQLi PHP
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM This Month

Local file inclusion in Emlog admin/plugin.php allows authenticated attackers to execute arbitrary PHP code via unsanitized $plugin parameter in GET requests, provided CSRF token validation can be bypassed. Emlog versions 2.6.2 and prior are affected. An authenticated attacker with high privileges can include arbitrary files from the server filesystem, achieving remote code execution without requiring user interaction. No public exploit code or active exploitation has been confirmed at time of analysis.

LFI CSRF PHP +1
NVD GitHub
EPSS 0% CVSS 7.2
HIGH This Week

Path traversal in Emlog CMS 2.6.2 and earlier enables authenticated administrators to achieve remote code execution by uploading malicious ZIP archives containing directory traversal sequences. The emUnZip() function fails to sanitize entry paths during plugin/template uploads and backup imports, allowing arbitrary file writes including PHP webshells. CVSS 7.2 (High) with network attack vector and low complexity. No vendor-released patch identified at time of analysis; publicly available exploit code exists via GitHub Security Advisory GHSA-2jg8-rmhm-xv9m.

RCE Path Traversal PHP
NVD GitHub
EPSS 0% CVSS 8.8
HIGH PATCH This Week

SQL injection in OpenSTAManager 2.10.1 and prior allows authenticated users to extract database contents including bcrypt password hashes, customer records, and financial data via unsanitized GET parameters across six vulnerable PHP modules. The righe parameter in confronta_righe.php files is directly concatenated into IN() clauses without parameterization. CVSS 8.8 (High) with network attack vector, low complexity, and low privilege requirement. Vendor-released patch available in version 2.10.2. Exploit reproduction demonstrated via EXTRACTVALUE-based error injection extracting MySQL version, database user, and admin credentials. Confirmed publicly available exploit code exists (GitHub advisory GHSA-mmm5-3g4x-qw39).

SQLi Information Disclosure PHP
NVD GitHub
EPSS 0% CVSS 5.5
MEDIUM POC PATCH This Month

BookStack chapter export functionality allows unauthenticated remote attackers to bypass access controls via manipulation of the pages parameter in the chapterToMarkdown function, enabling improper access to restricted content. Affects BookStack versions up to 26.03; patch available in version 26.03.1. Publicly available exploit code exists and CVSS 5.5 reflects low confidentiality impact with no integrity or availability compromise.

PHP Authentication Bypass
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

Unrestricted file upload in ProjectsAndPrograms School Management System up to commit 6b6fae5426044f89c08d0dd101c7fa71f9042a59 allows authenticated users to upload arbitrary files via the Profile Picture Handler in /admin_panel/settings.php, enabling remote code execution. The vulnerability affects the File parameter with low attack complexity and has publicly available exploit code; while CVSS 5.3 reflects moderate integrity and confidentiality impact, the low authentication requirement and network accessibility make this a practical privilege escalation and code execution vector for authenticated attackers.

File Upload PHP Authentication Bypass
NVD GitHub VulDB
EPSS 0% CVSS 8.1
HIGH This Week

Arbitrary file deletion in Perfmatters WordPress plugin (≤2.5.9.1) allows authenticated attackers with Subscriber-level access to delete critical files including wp-config.php via path traversal, enabling full site takeover. The vulnerability stems from unsanitized GET parameter processing in PMCS::action_handler() without authentication or nonce checks. CVSS 8.1 reflects network-accessible attack requiring only low-privilege authentication with high integrity and availability impact. No public exploit identified at time of analysis, though the attack vector is straightforward given the lack of input validation.

WordPress PHP Path Traversal
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM This Month

Denial of service in Dokuwiki version 2025-05-14b 'Librarian' release allows remote attackers to crash or disable the application through improper input handling in the media_upload_xhr() function within media.php. The vulnerability requires network access to the media upload endpoint but does not require authentication. No public exploit code, CVSS scoring, or active exploitation has been confirmed at the time of analysis.

Denial Of Service PHP
NVD GitHub VulDB
EPSS 0% CVSS 8.7
HIGH This Week

Remote code execution in Hytale Modding Wiki version 1.2.0 and earlier allows authenticated users to upload malicious PHP files through a MIME type validation bypass. The quickUpload() endpoint performs independent validation of file content (via MIME type) and filename extension, enabling attackers to craft files with benign content signatures but executable .php extensions. Uploaded files are stored in a publicly accessible location, allowing direct URL access for server-side code execution. EPSS data unavailable; publicly available exploit code exists per SSVC assessment. No vendor-released patch identified at time of analysis.

PHP File Upload RCE
NVD GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in projectworlds Car Rental Project 1.0 login.php allows unauthenticated remote attackers to bypass authentication, extract sensitive database contents, and potentially modify or delete data via the 'uname' parameter. Publicly available exploit code exists (GitHub POC published), significantly lowering the barrier to exploitation. EPSS data not available, but the combination of network-accessible attack vector, no authentication requirement, and public exploit makes this a practical threat for internet-facing deployments of this vulnerable application.

SQLi PHP
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW Monitor

Path traversal in Textpattern XML-RPC handler allows authenticated remote attackers to write arbitrary files via the file.name parameter in mt_uploadImage function, enabling potential code execution or sensitive file overwrite. Affects Textpattern up to version 4.9.1, with publicly available exploit code and vendor confirmation of the issue pending fix in an upcoming release.

PHP Path Traversal
NVD GitHub VulDB
Prev Page 23 of 275 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy