Skip to main content

PHP

24729 CVEs product

Monthly

CVE-2026-32313 PHP HIGH PATCH This Week

Critical cryptographic vulnerability in the xmlseclibs PHP library (versions before 3.1.5) that fails to validate authentication tag lengths in AES-GCM encrypted XML nodes. Attackers can exploit this remotely without authentication to brute-force encryption keys, decrypt sensitive data, and forge ciphertexts. While not currently in CISA's KEV catalog, the vulnerability has a high CVSS score of 8.2 and affects a widely-used XML security library.

PHP Information Disclosure Xmlseclibs
NVD GitHub VulDB
CVSS 3.1
8.2
EPSS
0.0%
CVE-2026-32304 npm CRITICAL POC PATCH Act Now

create_function() sandbox bypass via unsanitized args passed to Function constructor. PoC available.

Node.js RCE PHP Code Injection
NVD GitHub VulDB
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-32426 HIGH PATCH This Week

A PHP remote file inclusion vulnerability exists in themelexus Medilazar Core WordPress plugin that allows attackers to include arbitrary PHP files from local or remote sources, potentially leading to remote code execution. The vulnerability affects all versions of Medilazar Core prior to 1.4.7 and requires low privileges but high attack complexity to exploit. While not currently listed in CISA KEV or showing high EPSS scores, the potential for code execution makes this a serious concern for WordPress sites using this medical/healthcare theme framework.

Information Disclosure PHP LFI
NVD VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-32401 HIGH This Week

Sprout Invoices Client Invoicing versions 20.8.9 and earlier contain a local file inclusion vulnerability in PHP that allows authenticated attackers with high privileges to read arbitrary files on the affected server. An attacker exploiting this vulnerability could access sensitive configuration files, source code, or other confidential data without requiring user interaction. No patch is currently available for this vulnerability.

Information Disclosure LFI PHP
NVD VulDB
CVSS 3.1
7.2
EPSS
0.1%
CVE-2026-32400 HIGH This Week

A PHP remote file inclusion vulnerability exists in the ThemetechMount Boldman theme that allows attackers to include arbitrary local files, potentially leading to remote code execution. The vulnerability affects all Boldman theme versions up to and including version 7.7, enabling authenticated attackers with low privileges to compromise the system through malicious file inclusion. While not currently listed in CISA's KEV catalog, the vulnerability has a moderate CVSS score of 7.5 and requires some attack complexity to exploit successfully.

LFI PHP Information Disclosure
NVD VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-32393 HIGH PATCH This Week

Greenly Theme Addons for PHP versions prior to 8.2 contain a local file inclusion vulnerability in filename handling that allows authenticated attackers to read arbitrary files on the affected server. An attacker with valid credentials can exploit improper input validation to include and execute local files, potentially leading to information disclosure or code execution. No patch is currently available for this vulnerability.

Information Disclosure LFI PHP
NVD VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-32392 HIGH This Week

Local file inclusion in Greenly through version 8.1 allows authenticated attackers to read arbitrary files on the server due to improper input validation in file inclusion functions. The vulnerability requires valid credentials but no user interaction, enabling attackers with PHP access to potentially escalate privileges or extract sensitive data. No patch is currently available for this high-severity vulnerability affecting the PHP-based Greenly application.

Information Disclosure LFI PHP
NVD VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-32384 HIGH This Week

WpBookingly plugin versions 1.2.9 and earlier contain a local file inclusion vulnerability in their service-booking-manager component that allows authenticated attackers to read arbitrary files from the affected server. An attacker with valid credentials can exploit improper filename validation in PHP include/require statements to access sensitive information on the system. No patch is currently available for this vulnerability.

Information Disclosure LFI PHP
NVD VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-32369 HIGH PATCH This Week

Medilink-Core versions before 2.0.7 contain a local file inclusion vulnerability in PHP that allows authenticated attackers to read arbitrary files on the affected system through improper handling of file inclusion statements. An attacker with valid credentials can exploit this weakness to access sensitive information without requiring user interaction. No patch is currently available for this vulnerability.

Information Disclosure LFI PHP
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-32364 HIGH PATCH This Week

Turbo Manager versions below 4.0.8 contain a local file inclusion vulnerability in PHP file handling that allows authenticated attackers to include and execute arbitrary files on the system. An attacker with valid credentials can leverage improper filename validation to access sensitive files or achieve code execution. No patch is currently available, and exploitation requires network access with valid authentication credentials.

Information Disclosure LFI PHP
NVD VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-22216 MEDIUM PATCH This Month

Medium severity vulnerability in wpDiscuz (WordPress plugin). wpDiscuz before 7.6.47 contains a missing rate limiting vulnerability that allows unauthenticated attackers to subscribe arbitrary email addresses to post notifications by sending POST requests to the wpdAddSubscription handler in class.WpdiscuzHelperAjax.php. Attackers can exploit LIKE wildcard characters in the subscription query to match multiple email addresses and generate unwanted notific...

PHP Information Disclosure Wpdiscuz
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-22183 MEDIUM PATCH This Month

Medium severity vulnerability in wpDiscuz (WordPress plugin). wpDiscuz before 7.6.47 contains a stored cross-site scripting vulnerability in the inline comment preview functionality that allows authenticated users to inject malicious scripts by submitting comments with unescaped content. Attackers with unfiltered_html capabilities can inject JavaScript directly through comment content rendered in the AJAX response from the getLastInlineComments() function...

PHP XSS Wpdiscuz
NVD VulDB
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-22182 HIGH PATCH This Week

High severity vulnerability in wpDiscuz (WordPress plugin). wpDiscuz before 7.6.47 contains an unauthenticated denial of service vulnerability that allows anonymous users to trigger mass notification emails by exploiting the checkNotificationType() function. Attackers can repeatedly call the wpdiscuz-ajax.php endpoint with arbitrary postId and comment_id parameters to flood subscribers with notifications, as the handler lacks nonce verification, authent...

PHP Authentication Bypass Denial Of Service Wpdiscuz
NVD VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2023-1289 NuGet MEDIUM POC PATCH This Month

Medium severity vulnerability in ImageMagick. # Specially crafted SVG file make segmentation fault and generate trash files in "/tmp", possible to leverage DoS.

Denial Of Service PHP Debian Docker Red Hat +1
NVD GitHub
CVSS 3.1
5.5
EPSS
0.1%
CVE-2026-4045 LOW Monitor

A flaw has been found in projectsend up to r1945. This impacts an unknown function of the file includes/Classes/Auth.php. [CVSS 3.7 LOW]

PHP Information Disclosure
NVD VulDB
CVSS 4.0
2.9
EPSS
0.0%
CVE-2026-4044 LOW Monitor

A vulnerability was detected in projectsend up to r1945. This affects the function realpath of the file /import-orphans.php of the component Delete Handler. [CVSS 3.8 LOW]

PHP Path Traversal
NVD VulDB
CVSS 4.0
2.0
EPSS
0.1%
CVE-2019-25543 HIGH POC This Week

Netartmedia Real Estate Portal 5.0 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the page parameter. [CVSS 8.2 HIGH]

PHP SQLi Information Disclosure Real Estate Portal
NVD Exploit-DB
CVSS 3.1
8.2
EPSS
0.2%
CVE-2019-25542 HIGH POC This Week

Netartmedia Real Estate Portal 5.0 contains a SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the user_email parameter. [CVSS 8.2 HIGH]

PHP SQLi Information Disclosure Real Estate Portal
NVD Exploit-DB
CVSS 3.1
8.2
EPSS
0.2%
CVE-2019-25541 HIGH POC This Week

Netartmedia PHP Mall 4.1 contains multiple SQL injection vulnerabilities that allow unauthenticated attackers to manipulate database queries through unvalidated parameters. [CVSS 8.2 HIGH]

PHP SQLi
NVD Exploit-DB VulDB
CVSS 3.1
8.2
EPSS
0.1%
CVE-2019-25540 HIGH POC This Week

Netartmedia PHP Mall 4.1 contains multiple SQL injection vulnerabilities that allow unauthenticated attackers to manipulate database queries by injecting SQL code through various parameters. [CVSS 8.2 HIGH]

PHP SQLi
NVD Exploit-DB VulDB
CVSS 3.1
8.2
EPSS
0.1%
CVE-2019-25539 HIGH POC This Week

202CMS v10 beta contains a blind SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the log_user parameter. [CVSS 8.2 HIGH]

PHP SQLi 202cms
NVD Exploit-DB
CVSS 3.1
8.2
EPSS
0.1%
CVE-2019-25537 HIGH POC This Week

Netartmedia Event Portal 2.0 contains a time-based blind SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the Email parameter. [CVSS 8.2 HIGH]

PHP SQLi
NVD Exploit-DB
CVSS 4.0
8.8
EPSS
0.1%
CVE-2019-25536 HIGH POC This Week

Netartmedia PHP Real Estate Agency 4.0 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the features[] parameter. [CVSS 8.2 HIGH]

PHP SQLi
NVD Exploit-DB
CVSS 4.0
8.8
EPSS
0.1%
CVE-2019-25535 HIGH POC This Week

Netartmedia PHP Dating Site contains a SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the Email parameter. [CVSS 8.2 HIGH]

PHP SQLi
NVD Exploit-DB
CVSS 4.0
8.8
EPSS
0.1%
CVE-2019-25534 HIGH POC This Week

Netartmedia PHP Car Dealer contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the features[] parameter. [CVSS 8.2 HIGH]

PHP SQLi
NVD Exploit-DB VulDB
CVSS 4.0
8.8
EPSS
0.1%
CVE-2019-25533 HIGH POC This Week

Netartmedia PHP Business Directory 4.2 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the Email parameter. [CVSS 8.2 HIGH]

PHP SQLi
NVD Exploit-DB VulDB
CVSS 4.0
8.8
EPSS
0.2%
CVE-2019-25532 HIGH POC This Week

Netartmedia Jobs Portal 6.1 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the Email parameter. [CVSS 8.2 HIGH]

PHP SQLi
NVD Exploit-DB VulDB
CVSS 4.0
8.8
EPSS
0.2%
CVE-2019-25531 HIGH POC This Week

Netartmedia Deals Portal contains an SQL injection vulnerability in the Email parameter of loginaction.php that allows unauthenticated attackers to manipulate database queries. [CVSS 8.2 HIGH]

PHP SQLi
NVD Exploit-DB VulDB
CVSS 4.0
8.8
EPSS
0.2%
CVE-2019-25530 HIGH POC This Week

uHotelBooking System contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the system_page GET parameter. [CVSS 8.2 HIGH]

PHP SQLi
NVD Exploit-DB VulDB
CVSS 4.0
8.8
EPSS
0.1%
CVE-2019-25529 HIGH POC This Week

Placeto CMS Alpha rv.4 contains an SQL injection vulnerability that allows authenticated attackers to manipulate database queries by injecting SQL code through the 'page' parameter. [CVSS 7.1 HIGH]

PHP SQLi
NVD Exploit-DB VulDB
CVSS 4.0
7.1
EPSS
0.0%
CVE-2019-25524 HIGH POC This Week

XooGallery Latest contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the 'p' parameter. [CVSS 8.2 HIGH]

PHP SQLi Information Disclosure
NVD Exploit-DB VulDB
CVSS 3.1
8.2
EPSS
0.2%
CVE-2019-25523 HIGH POC This Week

XooGallery Latest contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the cat_id parameter. [CVSS 8.2 HIGH]

PHP SQLi Information Disclosure
NVD Exploit-DB VulDB
CVSS 3.1
8.2
EPSS
0.1%
CVE-2019-25522 HIGH POC This Week

XooGallery Latest contains multiple SQL injection vulnerabilities that allow unauthenticated attackers to manipulate database queries by injecting SQL code through the photo_id parameter. [CVSS 8.2 HIGH]

PHP SQLi Information Disclosure
NVD Exploit-DB VulDB
CVSS 3.1
8.2
EPSS
0.1%
CVE-2019-25521 HIGH POC This Week

XooGallery Latest contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the gal_id parameter. [CVSS 8.2 HIGH]

PHP SQLi
NVD Exploit-DB VulDB
CVSS 3.1
8.2
EPSS
0.1%
CVE-2019-25520 HIGH POC This Week

Jettweb PHP Hazir Haber Sitesi Scripti V1 contains an authentication bypass vulnerability in the administration panel that allows unauthenticated attackers to gain administrative access by exploiting improper SQL query validation. [CVSS 8.2 HIGH]

PHP SQLi Authentication Bypass Php Stock News Site Script
NVD Exploit-DB VulDB
CVSS 3.1
8.2
EPSS
0.1%
CVE-2019-25519 HIGH POC This Week

Jettweb PHP Hazir Haber Sitesi Scripti V1 contains an SQL injection vulnerability that allows attackers to manipulate database queries by injecting malicious SQL code through the option parameter. [CVSS 8.2 HIGH]

PHP SQLi Php Stock News Site Script
NVD Exploit-DB VulDB
CVSS 3.1
8.2
EPSS
0.0%
CVE-2019-25518 HIGH POC This Week

Jettweb PHP Hazir Haber Sitesi Scripti V1 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the poll parameter. [CVSS 8.2 HIGH]

PHP SQLi Information Disclosure Php Stock News Site Script
NVD Exploit-DB VulDB
CVSS 3.1
8.2
EPSS
0.1%
CVE-2019-25517 HIGH POC This Week

Jettweb PHP Hazir Haber Sitesi Scripti V1 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the cid parameter. [CVSS 8.2 HIGH]

PHP SQLi Php Stock News Site Script
NVD Exploit-DB VulDB
CVSS 3.1
8.2
EPSS
0.1%
CVE-2019-25516 HIGH POC This Week

Jettweb PHP Hazir Haber Sitesi Scripti V1 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the gallery_id parameter. [CVSS 8.2 HIGH]

PHP SQLi Php Stock News Site Script
NVD Exploit-DB VulDB
CVSS 3.1
8.2
EPSS
0.1%
CVE-2019-25515 HIGH POC This Week

Jettweb PHP Hazir Haber Sitesi Scripti V3 contains an authentication bypass vulnerability in the login.php administration panel that allows unauthenticated attackers to gain administrative access by submitting crafted SQL syntax. [CVSS 7.5 HIGH]

PHP Authentication Bypass SQLi Php Stock News Site Script
NVD Exploit-DB VulDB
CVSS 3.1
7.5
EPSS
0.2%
CVE-2019-25514 HIGH POC This Week

Jettweb PHP Hazir Haber Sitesi Scripti V3 contains an SQL injection vulnerability that allows attackers to inject malicious SQL commands through the kelime parameter in POST requests. [CVSS 8.2 HIGH]

PHP SQLi Information Disclosure Php Stock News Site Script
NVD Exploit-DB VulDB
CVSS 3.1
8.2
EPSS
0.1%
CVE-2019-25513 HIGH POC This Week

Jettweb PHP Hazir Haber Sitesi Scripti V3 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the 'q' parameter. [CVSS 8.2 HIGH]

PHP SQLi Php Stock News Site Script
NVD Exploit-DB VulDB
CVSS 3.1
8.2
EPSS
0.1%
CVE-2019-25512 HIGH POC This Week

Jettweb PHP Hazir Haber Sitesi Scripti V3 contains an SQL injection vulnerability that allows attackers to inject malicious SQL commands through the kelime parameter in POST requests. [CVSS 8.2 HIGH]

PHP SQLi Php Stock News Site Script
NVD Exploit-DB VulDB
CVSS 3.1
8.2
EPSS
0.0%
CVE-2019-25511 HIGH POC This Week

Jettweb PHP Hazir Haber Sitesi Scripti V3 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the videoid parameter. [CVSS 8.2 HIGH]

PHP SQLi Php Stock News Site Script
NVD Exploit-DB VulDB
CVSS 3.1
8.2
EPSS
0.1%
CVE-2019-25510 HIGH POC This Week

Jettweb PHP Hazir Haber Sitesi Scripti V2 contains an authentication bypass vulnerability in the administration panel that allows unauthenticated attackers to gain administrative access by exploiting improper SQL query validation. [CVSS 8.2 HIGH]

PHP SQLi Authentication Bypass Php Stock News Site Script
NVD Exploit-DB VulDB
CVSS 3.1
8.2
EPSS
0.1%
CVE-2019-25509 HIGH POC This Week

XooDigital Latest contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the 'p' parameter. Attackers can send GET requests to results.php with malicious 'p' values to extract sensitive database information. [CVSS 8.2 HIGH]

PHP SQLi
NVD Exploit-DB VulDB
CVSS 4.0
8.8
EPSS
0.1%
CVE-2019-25508 HIGH POC This Week

Jettweb Php Hazir Ilan Sitesi Scripti V2 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the 'kat' parameter. [CVSS 8.2 HIGH]

PHP SQLi Php Ready Advertisement Site Script
NVD Exploit-DB VulDB
CVSS 3.1
8.2
EPSS
0.1%
CVE-2019-25488 HIGH POC This Week

Jettweb Hazir Rent A Car Scripti V4 contains multiple SQL injection vulnerabilities in the admin panel that allow unauthenticated attackers to manipulate database queries through GET parameters. [CVSS 8.2 HIGH]

PHP SQLi Denial Of Service Php Ready Rent A Car Site Script
NVD Exploit-DB VulDB
CVSS 3.1
8.2
EPSS
0.1%
CVE-2019-25482 HIGH POC This Week

Jettweb PHP Hazir Rent A Car Sitesi Scripti V2 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the arac_kategori_id parameter. [CVSS 8.2 HIGH]

PHP SQLi Php Ready Rent A Car Site Script
NVD Exploit-DB VulDB
CVSS 3.1
8.2
EPSS
0.1%
CVE-2026-4014 MEDIUM This Month

SQL injection in the registration module of itsourcecode Cafe Reservation System 1.0 allows unauthenticated remote attackers to manipulate the Username parameter and execute arbitrary SQL queries. Public exploit code exists for this vulnerability, which provides attackers with potential access to sensitive data and database manipulation capabilities. No patch is currently available.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-4013 MEDIUM This Month

Improper authorization in SourceCodester Web-based Pharmacy Product Management System 1.0's add_admin.php allows authenticated remote attackers to gain unauthorized access or modify system data with low complexity. The vulnerability affects confidentiality, integrity, and availability of the affected application. No patch is currently available.

PHP Information Disclosure
NVD VulDB
CVSS 4.0
5.3
EPSS
0.0%
CVE-2026-3993 LOW Monitor

Reflected cross-site scripting (XSS) in itsourcecode Payroll Management System 1.0 exists in the /manage_employee_deductions.php file via unsanitized ID parameters, allowing remote attackers to inject malicious scripts that execute in users' browsers. Public exploit code is available and the vulnerability remains unpatched. Successful exploitation requires user interaction but can lead to session hijacking, credential theft, or unauthorized payroll data manipulation.

PHP XSS
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-3984 LOW Monitor

A weakness has been identified in Campcodes Division Regional Athletic Meet Game Result Matrix System 2.1. This vulnerability affects unknown code of the file save_up_athlete.php. [CVSS 3.5 LOW]

PHP XSS
NVD GitHub VulDB
CVSS 4.0
2.0
EPSS
0.0%
CVE-2026-3983 LOW Monitor

A security flaw has been discovered in Campcodes Division Regional Athletic Meet Game Result Matrix System 2.1. This affects an unknown part of the file save-games.php. [CVSS 3.5 LOW]

PHP XSS
NVD GitHub VulDB
CVSS 4.0
2.0
EPSS
0.0%
CVE-2026-3982 LOW Monitor

Cross-site scripting (XSS) in the /view_result.php endpoint of PHP-based University Management System 1.0 allows unauthenticated remote attackers to inject malicious scripts through the vr parameter. Public exploit code exists for this vulnerability, which requires user interaction to execute. The vulnerability has no available patch and affects the integrity of affected applications.

PHP XSS
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-3981 MEDIUM This Month

SQL injection in itsourcecode Online Doctor Appointment System 1.0 allows unauthenticated remote attackers to manipulate the ID parameter in /admin/doctor_action.php, potentially gaining unauthorized access to sensitive data and modifying database records. Public exploit code exists for this vulnerability, and no patch is currently available.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-3980 MEDIUM This Month

SQL injection in the Online Doctor Appointment System 1.0 admin panel allows unauthenticated remote attackers to manipulate the patient_id parameter and execute arbitrary database queries. The vulnerability affects the /admin/patient_action.php file and enables attackers to compromise data confidentiality, integrity, and availability. Public exploit code exists for this vulnerability, and no patch is currently available.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-3969 MEDIUM This Month

FeMiner WMS versions up to 1.0 contain a SQL injection vulnerability in the department addition module that allows unauthenticated remote attackers to manipulate the Name parameter and execute arbitrary database queries. Public exploit code exists for this vulnerability, and no patch is currently available. The attack requires no user interaction and can compromise the confidentiality, integrity, and availability of the underlying database.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-27591 PHP CRITICAL PATCH Act Now

Access control bypass in Winter CMS before 1.0.477/1.1.12/1.2.12. CVSS 9.9.

PHP Laravel
NVD GitHub VulDB
CVSS 3.1
9.9
EPSS
0.1%
CVE-2026-32121 HIGH This Week

Stored DOM-based cross-site scripting (XSS) in OpenEMR prior to version 8.0.0.1 allows authenticated attackers with low privileges to inject malicious scripts through unsanitized patient names in the portal signing component, which are rendered client-side via jQuery. Successful exploitation requires user interaction and could enable attackers to perform actions in the context of affected users or steal sensitive health information. A patch is available in OpenEMR 8.0.0.1 and later versions.

PHP XSS Openemr
NVD GitHub VulDB
CVSS 3.1
7.7
EPSS
0.0%
CVE-2026-31896 CRITICAL Act Now

SQL injection in WeGIA before 3.6.6.

PHP SQLi Denial Of Service Information Disclosure Wegia
NVD GitHub VulDB
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-31895 HIGH This Week

WeGIA is a web manager for charitable institutions. versions up to 3.6.6 is affected by sql injection (CVSS 8.8).

PHP SQLi Wegia
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2019-25480 HIGH POC This Week

ARMBot contains an unrestricted file upload vulnerability in upload.php that allows unauthenticated attackers to upload arbitrary files by manipulating the file parameter with path traversal sequences. [CVSS 7.5 HIGH]

PHP RCE Path Traversal File Upload
NVD Exploit-DB VulDB
CVSS 4.0
8.7
EPSS
0.1%
CVE-2019-25471 CRITICAL POC Act Now

Arbitrary file upload in FileThingie 2.5.7 via ZIP archives. PoC available.

PHP File Upload Path Traversal
NVD GitHub Exploit-DB VulDB
CVSS 4.0
9.3
EPSS
0.2%
CVE-2026-31859 PHP MEDIUM PATCH This Month

Reflected XSS in Craft CMS versions before 5.9.7 and 4.17.3 allows remote attackers to execute arbitrary JavaScript in users' browsers via malicious return URLs that bypass insufficient sanitization. The vulnerability exists because the patch for a prior issue relied on strip_tags() to filter URLs, which fails to block dangerous URL schemes like javascript:. An attacker can craft a malicious link that, when clicked by an authenticated user, steals session cookies or performs actions on their behalf.

PHP XSS Craft Cms
NVD GitHub VulDB
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-22248 HIGH This Week

licenses tracking and software auditing. From 11.0.0 to versions up to 11.0.5 is affected by deserialization of untrusted data (CVSS 8.0).

PHP Deserialization
NVD GitHub VulDB
CVSS 3.1
8.0
EPSS
0.1%
CVE-2026-3946 LOW Monitor

A vulnerability was detected in PHPEMS 11.0. The affected element is an unknown function of the file /index.php?ask=app-ask. [CVSS 3.5 LOW]

PHP XSS
NVD GitHub VulDB
CVSS 4.0
2.0
EPSS
0.0%
CVE-2026-3944 MEDIUM POC This Month

SQL injection in itsourcecode University Management System 1.0 via the Name parameter in /att_add.php enables unauthenticated remote attackers to read, modify, or delete database contents. Public exploit code exists for this vulnerability, and no patch is currently available.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-3231 HIGH This Week

for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via custom radio and checkboxgroup field values submitted versions up to 2.1.7. is affected by cross-site scripting (xss) (CVSS 7.2).

WordPress PHP XSS
NVD
CVSS 3.1
7.2
EPSS
0.1%
CVE-2026-3826 CRITICAL Act Now

LFI to RCE in IFTOP by WellChoose.

LFI PHP RCE Organization Portal System
NVD
CVSS 3.1
9.8
EPSS
0.2%
CVE-2026-2707 MEDIUM This Month

Stored XSS in the weForms WordPress plugin allows authenticated users with Subscriber-level access to inject malicious scripts through REST API form submissions, bypassing the sanitization applied to frontend submissions. The vulnerability exists in versions up to 1.6.27 due to inconsistent input validation between the AJAX handler and REST API endpoint, enabling attackers to execute arbitrary JavaScript in the context of other users' browsers. No patch is currently available.

WordPress PHP XSS
NVD GitHub
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-2626 HIGH This Week

divi-booster WordPre versions up to 5.0.2 is affected by cross-site request forgery (csrf) (CVSS 8.1).

WordPress PHP CSRF Deserialization
NVD WPScan
CVSS 3.1
8.1
EPSS
0.0%
CVE-2025-13067 HIGH This Week

Royal Addons for Elementor (WordPress plugin) versions up to 1.7.1049. is affected by unrestricted upload of file with dangerous type (CVSS 8.8).

WordPress PHP RCE File Upload
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-30954 MEDIUM This Month

LinkAce versions 2.1.0 and earlier allow authenticated users to inappropriately associate other users' private taxonomies with their own links through insufficient authorization checks in the processTaxonomy() method. This enables privilege escalation where attackers can gain unauthorized access to private tags and lists belonging to other users on the same instance. The vulnerability requires valid authentication credentials and has no available patch at this time.

PHP Authentication Bypass Linkace
NVD GitHub VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-30953 HIGH This Week

Server-side request forgery in LinkAce allows authenticated users to make arbitrary HTTP requests to internal network addresses and cloud metadata endpoints by providing malicious URLs during link creation, bypassing validation controls that exist elsewhere in the application. An attacker with valid credentials can exploit this to access Docker service hostnames, internal services, and sensitive metadata endpoints. No patch is currently available for this vulnerability affecting PHP-based LinkAce deployments.

PHP Docker SSRF Linkace
NVD GitHub VulDB
CVSS 3.1
7.7
EPSS
0.0%
CVE-2026-28495 CRITICAL POC Act Now

GetSimple CMS massiveAdmin plugin has a CSRF vulnerability enabling attackers to perform admin actions through crafted malicious pages.

PHP RCE CSRF Getsimple Cms
NVD GitHub VulDB
CVSS 3.1
9.6
EPSS
0.1%
CVE-2025-70128 MEDIUM This Month

A Stored Cross-Site Scripting (XSS) vulnerability exists in the PluXml article comments feature for PluXml versions 5.8.22 and earlier. The application fails to properly sanitize or validate user-supplied input in the "link" field of a comment. [CVSS 6.1 MEDIUM]

PHP XSS
NVD GitHub VulDB
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-3843 CRITICAL Act Now

Gas station automation system BUK TS-G 2.9.1 has a SQL injection enabling compromise of fuel management and transaction data.

PHP RCE SQLi
NVD VulDB
CVSS 4.0
9.3
EPSS
0.4%
CVE-2026-30964 PHP MEDIUM PATCH This Month

The webauthn-lib PHP library before version 5.2.4 incorrectly validates origin restrictions by comparing only hostname components, allowing attackers to bypass authentication policies that rely on scheme or port differentiation. This enables an attacker to authenticate from origins that should be blocked, such as using HTTP instead of HTTPS or non-standard ports. Applications using this library with strict origin policies are affected until they upgrade to the patched version.

PHP Information Disclosure
NVD GitHub VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-30927 PHP MEDIUM PATCH This Month

Unauthorized event participation manipulation in Admidio prior to 5.0.6 allows authenticated users to register or cancel participation for other users by manipulating the user_uuid parameter in event functions. Any user with event participation privileges can exploit this to modify another user's event enrollment status without authorization. The vulnerability requires authentication and affects confidentiality through unauthorized modifications.

PHP Authentication Bypass Admidio
NVD GitHub VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-30885 PHP MEDIUM PATCH This Month

WWBN AVideo is an open source video platform. versions up to 25.0 is affected by missing authentication for critical function.

PHP Authentication Bypass Avideo
NVD GitHub VulDB
CVSS 3.1
5.3
EPSS
0.1%
CVE-2026-3817 MEDIUM POC This Month

Patients Waiting Area Queue Management System versions up to 1.0 contains a security vulnerability (CVSS 5.3).

PHP Patients Waiting Area Queue Management System
NVD GitHub VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2025-40639 CRITICAL Act Now

SQL injection in Eventobot event management application allows unauthenticated attackers to perform complete database operations including data retrieval, creation, update, and deletion.

PHP SQLi Eventobot
NVD VulDB
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-3812 LOW POC Monitor

Stored cross-site scripting in itsourcecode Payroll Management System 1.0 allows unauthenticated remote attackers to inject malicious scripts via the ID parameter in /manage_employee_allowances.php. Public exploit code exists for this vulnerability, though no patch is currently available. Successful exploitation could enable credential theft or unauthorized actions within the payroll system.

PHP XSS
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-3806 LOW POC Monitor

SourceCodester Resort Reservation System 1.0 contains SQL injection in the /room_rates.php endpoint via the q parameter, allowing authenticated remote attackers to execute arbitrary database queries and potentially access or modify sensitive data. Public exploit code exists for this vulnerability, and no patch is currently available. The attack requires valid credentials but can be performed over the network with minimal complexity.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-3800 LOW POC Monitor

Unrestricted file upload in SourceCodester Resort Reservation System 1.0 allows authenticated remote attackers to upload arbitrary files via the image parameter in /controller.php?action=add, potentially leading to remote code execution. Public exploit code exists for this vulnerability, and no patch is currently available. The issue affects PHP-based installations of the affected resort reservation software.

PHP Authentication Bypass File Upload
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-3793 LOW POC Monitor

SQL injection in SourceCodester Sales and Inventory System 1.0 via the sellid GET parameter in sales_invoice1.php allows authenticated attackers to execute arbitrary SQL queries remotely. Public exploit code exists for this vulnerability, and no patch is currently available. Affected systems can suffer data exposure, modification, or loss depending on database permissions.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-3792 LOW POC Monitor

SQL injection in SourceCodester Sales and Inventory System 1.0 allows authenticated remote attackers to manipulate the purchaseid parameter in purchase_invoice.php, enabling unauthorized data access and modification. Public exploit code exists for this vulnerability, and no patch is currently available, leaving deployed instances at risk.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-3791 LOW POC Monitor

SQL injection in SourceCodester Sales and Inventory System 1.0 allows authenticated attackers to execute arbitrary SQL queries through the searchtxt parameter in dashboard.php. Public exploit code exists for this vulnerability, enabling remote exploitation by users with login credentials to read, modify, or delete database contents. No patch is currently available.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-3790 LOW POC Monitor

Sales And Inventory System versions up to 1.0 contains a vulnerability that allows attackers to sql injection (CVSS 6.3).

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
EPSS 0% CVSS 8.2
HIGH PATCH This Week

Critical cryptographic vulnerability in the xmlseclibs PHP library (versions before 3.1.5) that fails to validate authentication tag lengths in AES-GCM encrypted XML nodes. Attackers can exploit this remotely without authentication to brute-force encryption keys, decrypt sensitive data, and forge ciphertexts. While not currently in CISA's KEV catalog, the vulnerability has a high CVSS score of 8.2 and affects a widely-used XML security library.

PHP Information Disclosure Xmlseclibs
NVD GitHub VulDB
EPSS 0% CVSS 9.8
CRITICAL POC PATCH Act Now

create_function() sandbox bypass via unsanitized args passed to Function constructor. PoC available.

Node.js RCE PHP +1
NVD GitHub VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

A PHP remote file inclusion vulnerability exists in themelexus Medilazar Core WordPress plugin that allows attackers to include arbitrary PHP files from local or remote sources, potentially leading to remote code execution. The vulnerability affects all versions of Medilazar Core prior to 1.4.7 and requires low privileges but high attack complexity to exploit. While not currently listed in CISA KEV or showing high EPSS scores, the potential for code execution makes this a serious concern for WordPress sites using this medical/healthcare theme framework.

Information Disclosure PHP LFI
NVD VulDB
EPSS 0% CVSS 7.2
HIGH This Week

Sprout Invoices Client Invoicing versions 20.8.9 and earlier contain a local file inclusion vulnerability in PHP that allows authenticated attackers with high privileges to read arbitrary files on the affected server. An attacker exploiting this vulnerability could access sensitive configuration files, source code, or other confidential data without requiring user interaction. No patch is currently available for this vulnerability.

Information Disclosure LFI PHP
NVD VulDB
EPSS 0% CVSS 7.5
HIGH This Week

A PHP remote file inclusion vulnerability exists in the ThemetechMount Boldman theme that allows attackers to include arbitrary local files, potentially leading to remote code execution. The vulnerability affects all Boldman theme versions up to and including version 7.7, enabling authenticated attackers with low privileges to compromise the system through malicious file inclusion. While not currently listed in CISA's KEV catalog, the vulnerability has a moderate CVSS score of 7.5 and requires some attack complexity to exploit successfully.

LFI PHP Information Disclosure
NVD VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Greenly Theme Addons for PHP versions prior to 8.2 contain a local file inclusion vulnerability in filename handling that allows authenticated attackers to read arbitrary files on the affected server. An attacker with valid credentials can exploit improper input validation to include and execute local files, potentially leading to information disclosure or code execution. No patch is currently available for this vulnerability.

Information Disclosure LFI PHP
NVD VulDB
EPSS 0% CVSS 7.5
HIGH This Week

Local file inclusion in Greenly through version 8.1 allows authenticated attackers to read arbitrary files on the server due to improper input validation in file inclusion functions. The vulnerability requires valid credentials but no user interaction, enabling attackers with PHP access to potentially escalate privileges or extract sensitive data. No patch is currently available for this high-severity vulnerability affecting the PHP-based Greenly application.

Information Disclosure LFI PHP
NVD VulDB
EPSS 0% CVSS 7.5
HIGH This Week

WpBookingly plugin versions 1.2.9 and earlier contain a local file inclusion vulnerability in their service-booking-manager component that allows authenticated attackers to read arbitrary files from the affected server. An attacker with valid credentials can exploit improper filename validation in PHP include/require statements to access sensitive information on the system. No patch is currently available for this vulnerability.

Information Disclosure LFI PHP
NVD VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Medilink-Core versions before 2.0.7 contain a local file inclusion vulnerability in PHP that allows authenticated attackers to read arbitrary files on the affected system through improper handling of file inclusion statements. An attacker with valid credentials can exploit this weakness to access sensitive information without requiring user interaction. No patch is currently available for this vulnerability.

Information Disclosure LFI PHP
NVD
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Turbo Manager versions below 4.0.8 contain a local file inclusion vulnerability in PHP file handling that allows authenticated attackers to include and execute arbitrary files on the system. An attacker with valid credentials can leverage improper filename validation to access sensitive files or achieve code execution. No patch is currently available, and exploitation requires network access with valid authentication credentials.

Information Disclosure LFI PHP
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Medium severity vulnerability in wpDiscuz (WordPress plugin). wpDiscuz before 7.6.47 contains a missing rate limiting vulnerability that allows unauthenticated attackers to subscribe arbitrary email addresses to post notifications by sending POST requests to the wpdAddSubscription handler in class.WpdiscuzHelperAjax.php. Attackers can exploit LIKE wildcard characters in the subscription query to match multiple email addresses and generate unwanted notific...

PHP Information Disclosure Wpdiscuz
NVD VulDB
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

Medium severity vulnerability in wpDiscuz (WordPress plugin). wpDiscuz before 7.6.47 contains a stored cross-site scripting vulnerability in the inline comment preview functionality that allows authenticated users to inject malicious scripts by submitting comments with unescaped content. Attackers with unfiltered_html capabilities can inject JavaScript directly through comment content rendered in the AJAX response from the getLastInlineComments() function...

PHP XSS Wpdiscuz
NVD VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

High severity vulnerability in wpDiscuz (WordPress plugin). wpDiscuz before 7.6.47 contains an unauthenticated denial of service vulnerability that allows anonymous users to trigger mass notification emails by exploiting the checkNotificationType() function. Attackers can repeatedly call the wpdiscuz-ajax.php endpoint with arbitrary postId and comment_id parameters to flood subscribers with notifications, as the handler lacks nonce verification, authent...

PHP Authentication Bypass Denial Of Service +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM POC PATCH This Month

Medium severity vulnerability in ImageMagick. # Specially crafted SVG file make segmentation fault and generate trash files in "/tmp", possible to leverage DoS.

Denial Of Service PHP Debian +3
NVD GitHub
EPSS 0% CVSS 2.9
LOW Monitor

A flaw has been found in projectsend up to r1945. This impacts an unknown function of the file includes/Classes/Auth.php. [CVSS 3.7 LOW]

PHP Information Disclosure
NVD VulDB
EPSS 0% CVSS 2.0
LOW Monitor

A vulnerability was detected in projectsend up to r1945. This affects the function realpath of the file /import-orphans.php of the component Delete Handler. [CVSS 3.8 LOW]

PHP Path Traversal
NVD VulDB
EPSS 0% CVSS 8.2
HIGH POC This Week

Netartmedia Real Estate Portal 5.0 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the page parameter. [CVSS 8.2 HIGH]

PHP SQLi Information Disclosure +1
NVD Exploit-DB
EPSS 0% CVSS 8.2
HIGH POC This Week

Netartmedia Real Estate Portal 5.0 contains a SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the user_email parameter. [CVSS 8.2 HIGH]

PHP SQLi Information Disclosure +1
NVD Exploit-DB
EPSS 0% CVSS 8.2
HIGH POC This Week

Netartmedia PHP Mall 4.1 contains multiple SQL injection vulnerabilities that allow unauthenticated attackers to manipulate database queries through unvalidated parameters. [CVSS 8.2 HIGH]

PHP SQLi
NVD Exploit-DB VulDB
EPSS 0% CVSS 8.2
HIGH POC This Week

Netartmedia PHP Mall 4.1 contains multiple SQL injection vulnerabilities that allow unauthenticated attackers to manipulate database queries by injecting SQL code through various parameters. [CVSS 8.2 HIGH]

PHP SQLi
NVD Exploit-DB VulDB
EPSS 0% CVSS 8.2
HIGH POC This Week

202CMS v10 beta contains a blind SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the log_user parameter. [CVSS 8.2 HIGH]

PHP SQLi 202cms
NVD Exploit-DB
EPSS 0% CVSS 8.8
HIGH POC This Week

Netartmedia Event Portal 2.0 contains a time-based blind SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the Email parameter. [CVSS 8.2 HIGH]

PHP SQLi
NVD Exploit-DB
EPSS 0% CVSS 8.8
HIGH POC This Week

Netartmedia PHP Real Estate Agency 4.0 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the features[] parameter. [CVSS 8.2 HIGH]

PHP SQLi
NVD Exploit-DB
EPSS 0% CVSS 8.8
HIGH POC This Week

Netartmedia PHP Dating Site contains a SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the Email parameter. [CVSS 8.2 HIGH]

PHP SQLi
NVD Exploit-DB
EPSS 0% CVSS 8.8
HIGH POC This Week

Netartmedia PHP Car Dealer contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the features[] parameter. [CVSS 8.2 HIGH]

PHP SQLi
NVD Exploit-DB VulDB
EPSS 0% CVSS 8.8
HIGH POC This Week

Netartmedia PHP Business Directory 4.2 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the Email parameter. [CVSS 8.2 HIGH]

PHP SQLi
NVD Exploit-DB VulDB
EPSS 0% CVSS 8.8
HIGH POC This Week

Netartmedia Jobs Portal 6.1 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the Email parameter. [CVSS 8.2 HIGH]

PHP SQLi
NVD Exploit-DB VulDB
EPSS 0% CVSS 8.8
HIGH POC This Week

Netartmedia Deals Portal contains an SQL injection vulnerability in the Email parameter of loginaction.php that allows unauthenticated attackers to manipulate database queries. [CVSS 8.2 HIGH]

PHP SQLi
NVD Exploit-DB VulDB
EPSS 0% CVSS 8.8
HIGH POC This Week

uHotelBooking System contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the system_page GET parameter. [CVSS 8.2 HIGH]

PHP SQLi
NVD Exploit-DB VulDB
EPSS 0% CVSS 7.1
HIGH POC This Week

Placeto CMS Alpha rv.4 contains an SQL injection vulnerability that allows authenticated attackers to manipulate database queries by injecting SQL code through the 'page' parameter. [CVSS 7.1 HIGH]

PHP SQLi
NVD Exploit-DB VulDB
EPSS 0% CVSS 8.2
HIGH POC This Week

XooGallery Latest contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the 'p' parameter. [CVSS 8.2 HIGH]

PHP SQLi Information Disclosure
NVD Exploit-DB VulDB
EPSS 0% CVSS 8.2
HIGH POC This Week

XooGallery Latest contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the cat_id parameter. [CVSS 8.2 HIGH]

PHP SQLi Information Disclosure
NVD Exploit-DB VulDB
EPSS 0% CVSS 8.2
HIGH POC This Week

XooGallery Latest contains multiple SQL injection vulnerabilities that allow unauthenticated attackers to manipulate database queries by injecting SQL code through the photo_id parameter. [CVSS 8.2 HIGH]

PHP SQLi Information Disclosure
NVD Exploit-DB VulDB
EPSS 0% CVSS 8.2
HIGH POC This Week

XooGallery Latest contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the gal_id parameter. [CVSS 8.2 HIGH]

PHP SQLi
NVD Exploit-DB VulDB
EPSS 0% CVSS 8.2
HIGH POC This Week

Jettweb PHP Hazir Haber Sitesi Scripti V1 contains an authentication bypass vulnerability in the administration panel that allows unauthenticated attackers to gain administrative access by exploiting improper SQL query validation. [CVSS 8.2 HIGH]

PHP SQLi Authentication Bypass +1
NVD Exploit-DB VulDB
EPSS 0% CVSS 8.2
HIGH POC This Week

Jettweb PHP Hazir Haber Sitesi Scripti V1 contains an SQL injection vulnerability that allows attackers to manipulate database queries by injecting malicious SQL code through the option parameter. [CVSS 8.2 HIGH]

PHP SQLi Php Stock News Site Script
NVD Exploit-DB VulDB
EPSS 0% CVSS 8.2
HIGH POC This Week

Jettweb PHP Hazir Haber Sitesi Scripti V1 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the poll parameter. [CVSS 8.2 HIGH]

PHP SQLi Information Disclosure +1
NVD Exploit-DB VulDB
EPSS 0% CVSS 8.2
HIGH POC This Week

Jettweb PHP Hazir Haber Sitesi Scripti V1 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the cid parameter. [CVSS 8.2 HIGH]

PHP SQLi Php Stock News Site Script
NVD Exploit-DB VulDB
EPSS 0% CVSS 8.2
HIGH POC This Week

Jettweb PHP Hazir Haber Sitesi Scripti V1 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the gallery_id parameter. [CVSS 8.2 HIGH]

PHP SQLi Php Stock News Site Script
NVD Exploit-DB VulDB
EPSS 0% CVSS 7.5
HIGH POC This Week

Jettweb PHP Hazir Haber Sitesi Scripti V3 contains an authentication bypass vulnerability in the login.php administration panel that allows unauthenticated attackers to gain administrative access by submitting crafted SQL syntax. [CVSS 7.5 HIGH]

PHP Authentication Bypass SQLi +1
NVD Exploit-DB VulDB
EPSS 0% CVSS 8.2
HIGH POC This Week

Jettweb PHP Hazir Haber Sitesi Scripti V3 contains an SQL injection vulnerability that allows attackers to inject malicious SQL commands through the kelime parameter in POST requests. [CVSS 8.2 HIGH]

PHP SQLi Information Disclosure +1
NVD Exploit-DB VulDB
EPSS 0% CVSS 8.2
HIGH POC This Week

Jettweb PHP Hazir Haber Sitesi Scripti V3 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the 'q' parameter. [CVSS 8.2 HIGH]

PHP SQLi Php Stock News Site Script
NVD Exploit-DB VulDB
EPSS 0% CVSS 8.2
HIGH POC This Week

Jettweb PHP Hazir Haber Sitesi Scripti V3 contains an SQL injection vulnerability that allows attackers to inject malicious SQL commands through the kelime parameter in POST requests. [CVSS 8.2 HIGH]

PHP SQLi Php Stock News Site Script
NVD Exploit-DB VulDB
EPSS 0% CVSS 8.2
HIGH POC This Week

Jettweb PHP Hazir Haber Sitesi Scripti V3 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the videoid parameter. [CVSS 8.2 HIGH]

PHP SQLi Php Stock News Site Script
NVD Exploit-DB VulDB
EPSS 0% CVSS 8.2
HIGH POC This Week

Jettweb PHP Hazir Haber Sitesi Scripti V2 contains an authentication bypass vulnerability in the administration panel that allows unauthenticated attackers to gain administrative access by exploiting improper SQL query validation. [CVSS 8.2 HIGH]

PHP SQLi Authentication Bypass +1
NVD Exploit-DB VulDB
EPSS 0% CVSS 8.8
HIGH POC This Week

XooDigital Latest contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the 'p' parameter. Attackers can send GET requests to results.php with malicious 'p' values to extract sensitive database information. [CVSS 8.2 HIGH]

PHP SQLi
NVD Exploit-DB VulDB
EPSS 0% CVSS 8.2
HIGH POC This Week

Jettweb Php Hazir Ilan Sitesi Scripti V2 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the 'kat' parameter. [CVSS 8.2 HIGH]

PHP SQLi Php Ready Advertisement Site Script
NVD Exploit-DB VulDB
EPSS 0% CVSS 8.2
HIGH POC This Week

Jettweb Hazir Rent A Car Scripti V4 contains multiple SQL injection vulnerabilities in the admin panel that allow unauthenticated attackers to manipulate database queries through GET parameters. [CVSS 8.2 HIGH]

PHP SQLi Denial Of Service +1
NVD Exploit-DB VulDB
EPSS 0% CVSS 8.2
HIGH POC This Week

Jettweb PHP Hazir Rent A Car Sitesi Scripti V2 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the arac_kategori_id parameter. [CVSS 8.2 HIGH]

PHP SQLi Php Ready Rent A Car Site Script
NVD Exploit-DB VulDB
EPSS 0% CVSS 5.5
MEDIUM This Month

SQL injection in the registration module of itsourcecode Cafe Reservation System 1.0 allows unauthenticated remote attackers to manipulate the Username parameter and execute arbitrary SQL queries. Public exploit code exists for this vulnerability, which provides attackers with potential access to sensitive data and database manipulation capabilities. No patch is currently available.

PHP SQLi
NVD GitHub VulDB
EPSS 0% CVSS 5.3
MEDIUM This Month

Improper authorization in SourceCodester Web-based Pharmacy Product Management System 1.0's add_admin.php allows authenticated remote attackers to gain unauthorized access or modify system data with low complexity. The vulnerability affects confidentiality, integrity, and availability of the affected application. No patch is currently available.

PHP Information Disclosure
NVD VulDB
EPSS 0% CVSS 2.1
LOW Monitor

Reflected cross-site scripting (XSS) in itsourcecode Payroll Management System 1.0 exists in the /manage_employee_deductions.php file via unsanitized ID parameters, allowing remote attackers to inject malicious scripts that execute in users' browsers. Public exploit code is available and the vulnerability remains unpatched. Successful exploitation requires user interaction but can lead to session hijacking, credential theft, or unauthorized payroll data manipulation.

PHP XSS
NVD GitHub VulDB
EPSS 0% CVSS 2.0
LOW Monitor

A weakness has been identified in Campcodes Division Regional Athletic Meet Game Result Matrix System 2.1. This vulnerability affects unknown code of the file save_up_athlete.php. [CVSS 3.5 LOW]

PHP XSS
NVD GitHub VulDB
EPSS 0% CVSS 2.0
LOW Monitor

A security flaw has been discovered in Campcodes Division Regional Athletic Meet Game Result Matrix System 2.1. This affects an unknown part of the file save-games.php. [CVSS 3.5 LOW]

PHP XSS
NVD GitHub VulDB
EPSS 0% CVSS 2.1
LOW Monitor

Cross-site scripting (XSS) in the /view_result.php endpoint of PHP-based University Management System 1.0 allows unauthenticated remote attackers to inject malicious scripts through the vr parameter. Public exploit code exists for this vulnerability, which requires user interaction to execute. The vulnerability has no available patch and affects the integrity of affected applications.

PHP XSS
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM This Month

SQL injection in itsourcecode Online Doctor Appointment System 1.0 allows unauthenticated remote attackers to manipulate the ID parameter in /admin/doctor_action.php, potentially gaining unauthorized access to sensitive data and modifying database records. Public exploit code exists for this vulnerability, and no patch is currently available.

PHP SQLi
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM This Month

SQL injection in the Online Doctor Appointment System 1.0 admin panel allows unauthenticated remote attackers to manipulate the patient_id parameter and execute arbitrary database queries. The vulnerability affects the /admin/patient_action.php file and enables attackers to compromise data confidentiality, integrity, and availability. Public exploit code exists for this vulnerability, and no patch is currently available.

PHP SQLi
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM This Month

FeMiner WMS versions up to 1.0 contain a SQL injection vulnerability in the department addition module that allows unauthenticated remote attackers to manipulate the Name parameter and execute arbitrary database queries. Public exploit code exists for this vulnerability, and no patch is currently available. The attack requires no user interaction and can compromise the confidentiality, integrity, and availability of the underlying database.

PHP SQLi
NVD GitHub VulDB
EPSS 0% CVSS 9.9
CRITICAL PATCH Act Now

Access control bypass in Winter CMS before 1.0.477/1.1.12/1.2.12. CVSS 9.9.

PHP Laravel
NVD GitHub VulDB
EPSS 0% CVSS 7.7
HIGH This Week

Stored DOM-based cross-site scripting (XSS) in OpenEMR prior to version 8.0.0.1 allows authenticated attackers with low privileges to inject malicious scripts through unsanitized patient names in the portal signing component, which are rendered client-side via jQuery. Successful exploitation requires user interaction and could enable attackers to perform actions in the context of affected users or steal sensitive health information. A patch is available in OpenEMR 8.0.0.1 and later versions.

PHP XSS Openemr
NVD GitHub VulDB
EPSS 0% CVSS 9.8
CRITICAL Act Now

SQL injection in WeGIA before 3.6.6.

PHP SQLi Denial Of Service +2
NVD GitHub VulDB
EPSS 0% CVSS 8.8
HIGH This Week

WeGIA is a web manager for charitable institutions. versions up to 3.6.6 is affected by sql injection (CVSS 8.8).

PHP SQLi Wegia
NVD GitHub VulDB
EPSS 0% CVSS 8.7
HIGH POC This Week

ARMBot contains an unrestricted file upload vulnerability in upload.php that allows unauthenticated attackers to upload arbitrary files by manipulating the file parameter with path traversal sequences. [CVSS 7.5 HIGH]

PHP RCE Path Traversal +1
NVD Exploit-DB VulDB
EPSS 0% CVSS 9.3
CRITICAL POC Act Now

Arbitrary file upload in FileThingie 2.5.7 via ZIP archives. PoC available.

PHP File Upload Path Traversal
NVD GitHub Exploit-DB VulDB
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

Reflected XSS in Craft CMS versions before 5.9.7 and 4.17.3 allows remote attackers to execute arbitrary JavaScript in users' browsers via malicious return URLs that bypass insufficient sanitization. The vulnerability exists because the patch for a prior issue relied on strip_tags() to filter URLs, which fails to block dangerous URL schemes like javascript:. An attacker can craft a malicious link that, when clicked by an authenticated user, steals session cookies or performs actions on their behalf.

PHP XSS Craft Cms
NVD GitHub VulDB
EPSS 0% CVSS 8.0
HIGH This Week

licenses tracking and software auditing. From 11.0.0 to versions up to 11.0.5 is affected by deserialization of untrusted data (CVSS 8.0).

PHP Deserialization
NVD GitHub VulDB
EPSS 0% CVSS 2.0
LOW Monitor

A vulnerability was detected in PHPEMS 11.0. The affected element is an unknown function of the file /index.php?ask=app-ask. [CVSS 3.5 LOW]

PHP XSS
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in itsourcecode University Management System 1.0 via the Name parameter in /att_add.php enables unauthenticated remote attackers to read, modify, or delete database contents. Public exploit code exists for this vulnerability, and no patch is currently available.

PHP SQLi
NVD GitHub VulDB
EPSS 0% CVSS 7.2
HIGH This Week

for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via custom radio and checkboxgroup field values submitted versions up to 2.1.7. is affected by cross-site scripting (xss) (CVSS 7.2).

WordPress PHP XSS
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

LFI to RCE in IFTOP by WellChoose.

LFI PHP RCE +1
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored XSS in the weForms WordPress plugin allows authenticated users with Subscriber-level access to inject malicious scripts through REST API form submissions, bypassing the sanitization applied to frontend submissions. The vulnerability exists in versions up to 1.6.27 due to inconsistent input validation between the AJAX handler and REST API endpoint, enabling attackers to execute arbitrary JavaScript in the context of other users' browsers. No patch is currently available.

WordPress PHP XSS
NVD GitHub
EPSS 0% CVSS 8.1
HIGH This Week

divi-booster WordPre versions up to 5.0.2 is affected by cross-site request forgery (csrf) (CVSS 8.1).

WordPress PHP CSRF +1
NVD WPScan
EPSS 0% CVSS 8.8
HIGH This Week

Royal Addons for Elementor (WordPress plugin) versions up to 1.7.1049. is affected by unrestricted upload of file with dangerous type (CVSS 8.8).

WordPress PHP RCE +1
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

LinkAce versions 2.1.0 and earlier allow authenticated users to inappropriately associate other users' private taxonomies with their own links through insufficient authorization checks in the processTaxonomy() method. This enables privilege escalation where attackers can gain unauthorized access to private tags and lists belonging to other users on the same instance. The vulnerability requires valid authentication credentials and has no available patch at this time.

PHP Authentication Bypass Linkace
NVD GitHub VulDB
EPSS 0% CVSS 7.7
HIGH This Week

Server-side request forgery in LinkAce allows authenticated users to make arbitrary HTTP requests to internal network addresses and cloud metadata endpoints by providing malicious URLs during link creation, bypassing validation controls that exist elsewhere in the application. An attacker with valid credentials can exploit this to access Docker service hostnames, internal services, and sensitive metadata endpoints. No patch is currently available for this vulnerability affecting PHP-based LinkAce deployments.

PHP Docker SSRF +1
NVD GitHub VulDB
EPSS 0% CVSS 9.6
CRITICAL POC Act Now

GetSimple CMS massiveAdmin plugin has a CSRF vulnerability enabling attackers to perform admin actions through crafted malicious pages.

PHP RCE CSRF +1
NVD GitHub VulDB
EPSS 0% CVSS 6.1
MEDIUM This Month

A Stored Cross-Site Scripting (XSS) vulnerability exists in the PluXml article comments feature for PluXml versions 5.8.22 and earlier. The application fails to properly sanitize or validate user-supplied input in the "link" field of a comment. [CVSS 6.1 MEDIUM]

PHP XSS
NVD GitHub VulDB
EPSS 0% CVSS 9.3
CRITICAL Act Now

Gas station automation system BUK TS-G 2.9.1 has a SQL injection enabling compromise of fuel management and transaction data.

PHP RCE SQLi
NVD VulDB
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

The webauthn-lib PHP library before version 5.2.4 incorrectly validates origin restrictions by comparing only hostname components, allowing attackers to bypass authentication policies that rely on scheme or port differentiation. This enables an attacker to authenticate from origins that should be blocked, such as using HTTP instead of HTTPS or non-standard ports. Applications using this library with strict origin policies are affected until they upgrade to the patched version.

PHP Information Disclosure
NVD GitHub VulDB
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

Unauthorized event participation manipulation in Admidio prior to 5.0.6 allows authenticated users to register or cancel participation for other users by manipulating the user_uuid parameter in event functions. Any user with event participation privileges can exploit this to modify another user's event enrollment status without authorization. The vulnerability requires authentication and affects confidentiality through unauthorized modifications.

PHP Authentication Bypass Admidio
NVD GitHub VulDB
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

WWBN AVideo is an open source video platform. versions up to 25.0 is affected by missing authentication for critical function.

PHP Authentication Bypass Avideo
NVD GitHub VulDB
EPSS 0% CVSS 5.3
MEDIUM POC This Month

Patients Waiting Area Queue Management System versions up to 1.0 contains a security vulnerability (CVSS 5.3).

PHP Patients Waiting Area Queue Management System
NVD GitHub VulDB
EPSS 0% CVSS 9.8
CRITICAL Act Now

SQL injection in Eventobot event management application allows unauthenticated attackers to perform complete database operations including data retrieval, creation, update, and deletion.

PHP SQLi Eventobot
NVD VulDB
EPSS 0% CVSS 2.1
LOW POC Monitor

Stored cross-site scripting in itsourcecode Payroll Management System 1.0 allows unauthenticated remote attackers to inject malicious scripts via the ID parameter in /manage_employee_allowances.php. Public exploit code exists for this vulnerability, though no patch is currently available. Successful exploitation could enable credential theft or unauthorized actions within the payroll system.

PHP XSS
NVD GitHub VulDB
EPSS 0% CVSS 2.1
LOW POC Monitor

SourceCodester Resort Reservation System 1.0 contains SQL injection in the /room_rates.php endpoint via the q parameter, allowing authenticated remote attackers to execute arbitrary database queries and potentially access or modify sensitive data. Public exploit code exists for this vulnerability, and no patch is currently available. The attack requires valid credentials but can be performed over the network with minimal complexity.

PHP SQLi
NVD GitHub VulDB
EPSS 0% CVSS 2.1
LOW POC Monitor

Unrestricted file upload in SourceCodester Resort Reservation System 1.0 allows authenticated remote attackers to upload arbitrary files via the image parameter in /controller.php?action=add, potentially leading to remote code execution. Public exploit code exists for this vulnerability, and no patch is currently available. The issue affects PHP-based installations of the affected resort reservation software.

PHP Authentication Bypass File Upload
NVD GitHub VulDB
EPSS 0% CVSS 2.1
LOW POC Monitor

SQL injection in SourceCodester Sales and Inventory System 1.0 via the sellid GET parameter in sales_invoice1.php allows authenticated attackers to execute arbitrary SQL queries remotely. Public exploit code exists for this vulnerability, and no patch is currently available. Affected systems can suffer data exposure, modification, or loss depending on database permissions.

PHP SQLi
NVD GitHub VulDB
EPSS 0% CVSS 2.1
LOW POC Monitor

SQL injection in SourceCodester Sales and Inventory System 1.0 allows authenticated remote attackers to manipulate the purchaseid parameter in purchase_invoice.php, enabling unauthorized data access and modification. Public exploit code exists for this vulnerability, and no patch is currently available, leaving deployed instances at risk.

PHP SQLi
NVD GitHub VulDB
EPSS 0% CVSS 2.1
LOW POC Monitor

SQL injection in SourceCodester Sales and Inventory System 1.0 allows authenticated attackers to execute arbitrary SQL queries through the searchtxt parameter in dashboard.php. Public exploit code exists for this vulnerability, enabling remote exploitation by users with login credentials to read, modify, or delete database contents. No patch is currently available.

PHP SQLi
NVD GitHub VulDB
EPSS 0% CVSS 2.1
LOW POC Monitor

Sales And Inventory System versions up to 1.0 contains a vulnerability that allows attackers to sql injection (CVSS 6.3).

PHP SQLi
NVD GitHub VulDB
Prev Page 29 of 275 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy