Skip to main content

PHP

24709 CVEs product

Monthly

CVE-2026-43918 HIGH PATCH This Week

Privilege retention in FOSSBilling before 0.8.0 allows a suspended or deactivated client, staff, or admin to keep full authenticated access because the session identity loaders in src/di.php never re-check account status. Suspending or deactivating a user does not terminate their live session - access persists until the session expires naturally. This is an authenticated (PR:L) session-management flaw with no public exploit identified at time of analysis and no CISA KEV listing; the vendor rates it 8.7 (CVSS 4.0).

Information Disclosure PHP Fossbilling
NVD GitHub VulDB
CVSS 4.0
8.7
EPSS
0.2%
CVE-2026-42148 LOW PATCH Monitor

OS command injection in Coolify's settings module allows a highly privileged attacker in a development environment to execute arbitrary shell commands on the host server by injecting metacharacters into the dev_helper_version field, which is passed unsanitized into a Docker build command. All Coolify releases prior to 4.0.0-beta.474 are affected. No public exploit code exists and no CISA KEV listing has been issued; the provided CVSS score of 3.8 (Low) accurately reflects the highly constrained exploitation prerequisites, though the underlying command injection class warrants upgrade regardless.

Command Injection PHP Docker Coolify
NVD GitHub
CVSS 3.1
3.8
EPSS
0.1%
CVE-2026-42341 CRITICAL PATCH Act Now

Unauthenticated payment bypass in FOSSBilling 0.6.0 through 0.7.2 lets a remote attacker mark any unpaid invoice as paid and credit the associated client's account balance with a single crafted HTTP request to the IPN callback endpoint (/ipn.php), provided the Custom payment adapter is enabled. The flaw stems from missing authentication (CWE-306) on a financially critical callback, so no credentials or user interaction are needed. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the vendor rates it 9.2 (CVSS 4.0) and a patched release (0.8.0) is available.

Authentication Bypass PHP Fossbilling
NVD GitHub
CVSS 4.0
9.2
EPSS
0.2%
CVE-2026-6382 CRITICAL POC PATCH Act Now

The FileOrganizer WordPress plugin before 1.1.9, Advanced File Manager WordPress plugin before 5.4.12, File Manager Pro WordPress plugin before 2.1.1, File Manager WordPress plugin before 8.0.4 do not properly escape a parameter before passing it to a shell command when processing image operations, allowing authenticated users to perform OS Command Injection. This requires the server to have the ImageMagick convert CLI available without either the PHP imagick or GD extensions.

WordPress Command Injection PHP Fileorganizer Advanced File Manager +2
NVD WPScan VulDB
CVSS 3.1
9.1
EPSS
0.5%
CVE-2026-11962 HIGH POC PATCH This Week

Authenticated remote code execution in the FileOrganizer WordPress plugin before 1.2.0 lets users granted file-manager access upload arbitrary PHP files because several file-management operations skip file-type validation. Publicly available exploit code exists, and the flaw is an incomplete fix of CVE-2024-7985, which only hardened the upload operation while leaving other file-management endpoints unvalidated. With CVSS 3.1 base 8.8 (PR:L) and a working PoC, any low-privileged account with file-manager rights - extendable to sub-administrator roles via the premium add-on - can achieve full site compromise.

WordPress RCE PHP Fileorganizer
NVD WPScan
CVSS 3.1
8.8
EPSS
0.2%
CVE-2024-6228 HIGH POC PATCH This Week

The Notifications for Forms & WordPress Actions WordPress plugin before 2.6 does not validate a user-supplied value before using it to build a server-side file inclusion path, allowing authenticated. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable. Public exploit code available.

PHP Information Disclosure WordPress Notifications For Forms Wordpress Actions
NVD WPScan VulDB
CVSS 3.1
7.5
EPSS
0.3%
CVE-2026-14799 LOW POC Monitor

SQL injection in CodeAstro Ecommerce Website 1.0 exposes the `/customer/my_account.php?my_wishlist` endpoint to database manipulation via the unsanitized `delete_wishlist` parameter, allowing remote attackers with a valid customer account to read or modify backend database contents. The CVSS 4.0 vector (PR:L) confirms exploitation requires an authenticated customer session, constraining the attack surface to registered users. A public proof-of-concept exploit has been released, no public exploit identified as confirmed actively exploited (not in CISA KEV), though the low barrier to exploitation once authenticated elevates practical risk.

SQLi PHP Ecommerce Website
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.2%
CVE-2026-14798 LOW POC Monitor

SQL injection in CodeAstro Apartment Visitor Management System 1.0 allows authenticated remote attackers to manipulate backend database queries via the visname parameter in /apartment-visitor/visitor-entry.php. The flaw, classified as CWE-89, yields partial confidentiality, integrity, and availability impact against the vulnerable system. A publicly available proof-of-concept exploit exists on GitHub, lowering the skill bar for exploitation, though no confirmed active exploitation (CISA KEV) has been recorded at time of analysis.

SQLi PHP Apartment Visitor Management System
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.2%
CVE-2026-14797 LOW POC Monitor

SQL injection in CodeAstro Apartment Visitor Management System 1.0 exposes the application's database to remote authenticated attackers through the unsanitized `editid` parameter in `/apartment-visitor/edit-apartment.php`. Low-privilege authenticated users can manipulate this parameter to read, modify, or partially disrupt database contents. A public proof-of-concept exploit has been disclosed on GitHub (no public exploit identified in CISA KEV at time of analysis), making this a realistic risk for any internet-exposed deployment of this PHP application.

SQLi PHP Apartment Visitor Management System
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.2%
CVE-2026-14796 LOW POC Monitor

SQL injection in CodeAstro Apartment Visitor Management System 1.0 exposes backend database contents to authenticated low-privileged remote attackers via the unsanitized `fromdate` parameter in `/apartment-visitor/report.php`. The CVSS 4.0 vector confirms network-accessible exploitation requiring only low-privilege credentials. Publicly available exploit code has been published on GitHub (github.com/lilukun337/cve/issues/7), though no active exploitation has been confirmed by CISA KEV. The injection enables read and limited write access to the underlying database, with a moderate combined impact score of 5.3.

SQLi PHP Apartment Visitor Management System
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.2%
CVE-2026-14795 LOW POC Monitor

SQL injection in CodeAstro Apartment Visitor Management System 1.0 allows authenticated remote attackers to manipulate database queries through the `remark` parameter of `/apartment-visitor/action-visitor.php`. A low-privileged user can extract, modify, or delete underlying database contents. A public proof-of-concept exploit has been disclosed on GitHub (no public exploit identified as CISA KEV, but POC availability lowers the bar for exploitation).

SQLi PHP Apartment Visitor Management System
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.2%
CVE-2026-14794 MEDIUM PATCH This Month

Improper authorization in Craft CMS up to 4.18.0.1 allows authenticated low-privileged users to access new user statistics for arbitrary user groups via the Charts endpoint. The flaw resides in the `actionGetNewUsersData` function within `src/controllers/ChartsController.php`, where the `userGroupId` parameter is not properly validated against the requesting user's authorization scope, enabling horizontal privilege escalation to read data across user group boundaries. No public exploit has been identified at time of analysis, but a vendor-released patch is available in version 4.18.1.

Authentication Bypass PHP Cms
NVD VulDB GitHub
CVSS 4.0
5.3
EPSS
0.2%
CVE-2026-14793 MEDIUM PATCH This Month

Authorization bypass in Craft CMS up to 4.18.0.1 allows authenticated low-privilege users to invoke the reorder-sets endpoint and manipulate Global Set ordering outside their authorized scope. The flaw resides in the actionReorderSets function of GlobalsController.php and is classified as CWE-639 (Authorization Bypass Through User-Controlled Key), an IDOR-class root cause where resource-level permission checks are absent. No public exploit has been identified at time of analysis and no CISA KEV listing exists; a vendor-released patch is available in version 4.18.1.

Authentication Bypass PHP Cms
NVD VulDB GitHub
CVSS 4.0
5.3
EPSS
0.2%
CVE-2026-14791 LOW POC Monitor

Cross-site scripting in Crater invoice application (up to v6.0.6) allows an authenticated attacker to inject malicious script payloads via the invoice notes field, executing in the browser of any user who subsequently views the crafted invoice. The vulnerable function getFormattedString in app/Http/Requests/InvoicesRequest.php performs insufficient neutralization of the notes argument, classified under CWE-79. A public proof-of-concept exploit exists; no vendor patch has been released as the project has not responded to the coordinated disclosure made via GitHub issue #1327.

XSS PHP Crater
NVD VulDB GitHub
CVSS 4.0
2.0
EPSS
0.2%
CVE-2026-14778 MEDIUM This Month

Improper authorization in SourceCodester Online Examination & Learning Management System 1.0 allows unauthenticated remote attackers to manipulate enrollment records by supplying arbitrary student_id, schedule_id, or action values to /ajax_enroll.php. The vulnerability is an Insecure Direct Object Reference (IDOR) - the application performs no ownership or privilege check before processing enrollment actions on behalf of any student. A public proof-of-concept has been disclosed (referenced by VulDB submission 850695 and GitHub advisory OE-LMS-IDOR-ajax_enroll.md); no active exploitation via CISA KEV has been confirmed at time of analysis.

Information Disclosure PHP
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.3%
CVE-2026-14777 LOW POC Monitor

Unrestricted file upload in SourceCodester's "Onlne Examination & Learning Management System" 1.0 (note: product name contains a known typo per CVE data) exposes the /announcements.php endpoint to arbitrary file upload by low-privileged authenticated users. A publicly available proof-of-concept, referenced under the title 'OE-LMS-RCE-3-announcements.md', demonstrates that the flaw can be leveraged for remote code execution - a significantly more severe real-world impact than the low CIA metrics in the provided CVSS 4.0 score suggest. No active exploitation (CISA KEV) has been confirmed, but the combination of low-complexity exploitation, a network-accessible vector, and a public POC elevates practical risk well above the 5.3 base score.

PHP File Upload Onlne Examination Learning Management System
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.2%
CVE-2026-14776 LOW POC Monitor

Unrestricted file upload in SourceCodester Onlne Examination & Learning Management System 1.0 (a PHP-based web application whose product name contains a documented typo - 'Onlne' rather than 'Online') permits remote low-privileged authenticated users to upload arbitrary files, including PHP webshells, via the /upload_files.php endpoint by exploiting inadequate extension validation in the pathinfo() function. Publicly available exploit code exists on GitHub, with the exploit document explicitly titled to reference remote code execution against this specific upload handler. No vendor-released patch has been identified, and the vulnerability is not listed in the CISA KEV catalog, though the public exploit materially lowers the barrier to exploitation.

PHP File Upload Onlne Examination Learning Management System
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.2%
CVE-2026-14775 LOW POC Monitor

Unrestricted file upload in SourceCodester Onlne Examination & Learning Management System 1.0 allows network-accessible, low-privilege attackers to upload arbitrary file types - including executable PHP webshells - via the `user_id` parameter in `/process_lesson.php`, with the publicly available proof-of-concept explicitly framed as a remote code execution chain. No CISA KEV listing exists, but a working exploit is publicly available on GitHub under the title 'OE-LMS-RCE-1'. The assigned CVSS 4.0 score of 2.1 with low-impact metrics materially understates the realistic impact; CWE-434 in PHP environments routinely enables full server compromise when uploads land in web-executable directories.

PHP File Upload Onlne Examination Learning Management System
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.2%
CVE-2026-14774 LOW POC Monitor

SQL injection in itsourcecode Hospital Management System 1.0 exposes the `/paymentdischarge.php` endpoint to database manipulation via the unsanitized `patientid` parameter. Low-privileged authenticated attackers can exploit this remotely with no user interaction required, achieving limited read, write, and availability impact against the underlying database. No public KEV listing, but a proof-of-concept exploit is publicly disclosed on GitHub, meaningfully lowering the bar for opportunistic exploitation in any internet-exposed deployment.

SQLi PHP Hospital Management System
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.2%
CVE-2026-14772 MEDIUM This Month

SQL injection in SourceCodester Class and Exam Timetabling System 1.0 exposes the /edit_course1.php endpoint to remote, unauthenticated database manipulation via an unsanitized ID parameter. The CVSS 4.0 vector (PR:N, AV:N, AC:L) confirms no authentication is required and the attack is trivially executable over the network. Exploit code has been publicly disclosed per VulDB submission and a GitHub issue report, with the E:P modifier in the CVSS 4.0 vector corroborating proof-of-concept availability - though no CISA KEV listing indicates confirmed active exploitation at time of analysis.

SQLi PHP
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.3%
CVE-2026-14773 LOW POC Monitor

SQL injection in itsourcecode Hospital Management System 1.0 exposes the /payment.php endpoint to database manipulation via an unsanitized `patientid` parameter, exploitable by any authenticated low-privilege user over the network. The CVSS 4.0 vector (PR:L, AV:N) confirms remote exploitation is feasible with only a basic account, and partial confidentiality, integrity, and availability impact is expected against the underlying database. Publicly available exploit code exists on GitHub, materially lowering the skill threshold for exploitation despite the moderate 5.3 CVSS score.

SQLi PHP Hospital Management System
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.2%
CVE-2026-14771 MEDIUM POC This Month

SQL injection in SourceCodester Class and Exam Timetabling System 1.0 allows remote unauthenticated attackers to manipulate the ID parameter of /edit_exam1.php to execute arbitrary SQL commands against the underlying database. The CVSS 4.0 vector (AV:N/AC:L/PR:N/UI:N) confirms no authentication or special conditions are required, and the exploit has been publicly published on GitHub. Real-world impact is limited by the niche, educational-software footprint of this SourceCodester application, but any internet-exposed instance is trivially exploitable given the available POC.

SQLi PHP Class And Exam Timetabling System
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.3%
CVE-2026-14770 MEDIUM This Month

SQL injection in SourceCodester Class and Exam Timetabling System 1.0 exposes the application's database to unauthenticated remote attackers via the unsanitized ID parameter in /edit_room.php. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms no authentication or special conditions are required, and the E:P supplemental metric confirms public exploit code exists. An attacker can read, modify, or partially disrupt the underlying database without any prior access to the application.

SQLi PHP
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.3%
CVE-2026-14768 MEDIUM This Month

SQL injection in code-projects Real State Services 1.0 exposes the `/builderHome.php` endpoint to unauthenticated remote attackers who can manipulate database queries via the unsanitized `loc` parameter. A public proof-of-concept exploit exists (referenced via GitHub), lowering the exploitation barrier to script-kiddie level. No KEV listing exists, and the product's limited real-world deployment constrains overall population risk despite the trivial attack conditions.

SQLi PHP
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.3%
CVE-2026-14767 LOW Monitor

SQL injection in CodeAstro Ecommerce Website 1.0 exposes the order confirmation endpoint to authenticated remote attackers who can manipulate the unsanitized `invoice_no` POST parameter to alter backend SQL queries. Exploitation is constrained to authenticated customer accounts (PR:L per CVSS 4.0 vector) but requires no additional configuration or user interaction. A public proof-of-concept has been released via GitHub Gist (E:P), lowering the technical bar for abuse despite a low CVSS 4.0 score of 2.1; no confirmed active exploitation or CISA KEV listing exists at time of analysis.

SQLi PHP
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.2%
CVE-2026-14769 MEDIUM POC This Month

SQL injection in code-projects Real State Services 1.0 exposes the `/pay.php` endpoint to remote unauthenticated attackers who can manipulate the `Bankname` parameter to execute arbitrary SQL commands against the backend database. A public proof-of-concept exploit has been disclosed on GitHub, materially lowering the skill threshold for exploitation. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms zero-friction remote reachability, though partial CIA impact scores indicate constrained blast radius rather than full database takeover; no public confirmation of active exploitation (CISA KEV) exists at time of analysis.

SQLi PHP Real State Services
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.3%
CVE-2026-14766 LOW POC Monitor

SQL injection in CodeAstro Apartment Visitor Management System 1.0 exposes the `/apartment-visitor/search-result.php` endpoint to remote exploitation via the `searchdata` POST parameter, allowing low-privileged authenticated attackers to read, modify, or partially disrupt underlying database contents. A public proof-of-concept exploit exists on GitHub, lowering the skill barrier for opportunistic attacks against any internet-facing deployment. No CISA KEV listing has been confirmed, and the CVSS 4.0 score of 5.3 reflects a limited partial-impact scope; however, the POC's availability meaningfully elevates real-world exploitation probability above what the score alone suggests.

SQLi PHP Apartment Visitor Management System
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.2%
CVE-2026-14764 MEDIUM POC This Month

SQL injection in code-projects Hotel and Tourism Reservation 1.0 allows remote attackers to manipulate the backend database via the fdetails parameter in /admin/add_event.php. The flaw is reachable over the network with no authentication required per the CVSS 4.0 vector, enabling data extraction, modification, or disruption against the application's database. A public exploit has been disclosed on GitHub; no patch has been identified at time of analysis.

SQLi PHP Hotel And Tourism Reservation
NVD VulDB
CVSS 4.0
5.5
EPSS
0.3%
CVE-2026-14762 MEDIUM This Month

SQL injection in code-projects Hotel and Tourism Reservation 1.0 exposes the backend database through the Room Management Page at /admin/rooms.php, where the `delete` parameter is passed unsanitized into SQL queries. Remote attackers can exploit this to read, modify, or potentially delete database records. Publicly available exploit code exists per the GitHub advisory by anubhavv106, raising the operational risk despite the moderate CVSS 4.0 score of 5.5 and absence of a CISA KEV listing.

SQLi PHP
NVD VulDB
CVSS 4.0
5.5
EPSS
0.3%
CVE-2026-14763 MEDIUM POC This Month

SQL injection in code-projects Hotel and Tourism Reservation 1.0 allows remote attackers to manipulate the unsanitized `tour` parameter in /admin/tour_reserves.php, enabling arbitrary SQL query execution against the backend database. The CVSS 4.0 vector assigns PR:N (no privileges required), though the admin-panel endpoint raises questions about whether authentication is genuinely absent or misconfigured - a discrepancy worth verifying in deployments. A public proof-of-concept exploit has been published via GitHub, raising the practical risk despite the medium CVSS 4.0 score of 6.9 and absence of CISA KEV listing.

SQLi PHP Hotel And Tourism Reservation
NVD VulDB
CVSS 4.0
5.5
EPSS
0.3%
CVE-2026-14756 MEDIUM POC This Month

SQL injection in code-projects Hotel and Tourism Reservation 1.0 exposes the reservation database to remote manipulation via the `delete_image` parameter in the admin Tour Management Page (`/admin/add_tour.php`). The CVSS 4.0 vector asserts no privileges required (PR:N), yet the vulnerable endpoint sits under an `/admin/` path - this conflict is unresolved in available data and defenders must verify whether the admin panel is publicly accessible without authentication. A public proof-of-concept is available on GitHub, elevating practical risk beyond the moderate base score, though no CISA KEV listing indicates confirmed widespread exploitation at time of analysis.

SQLi PHP Hotel And Tourism Reservation
NVD VulDB
CVSS 4.0
5.5
EPSS
0.3%
CVE-2026-14754 MEDIUM This Month

SQL injection in code-projects Hotel and Tourism Reservation 1.0 exposes the admin panel endpoint /admin/add_room.php to database manipulation via multiple unsanitized parameters. A proof-of-concept exploit has been publicly documented in a Medium article, lowering the barrier for opportunistic exploitation. The CVSS 4.0 vector rates this as network-reachable with no authentication required (PR:N), though this conflicts with the admin-panel location of the endpoint - a discrepancy that should be verified, as exploitation scope depends entirely on whether the admin interface enforces access controls.

SQLi PHP
NVD VulDB
CVSS 4.0
5.5
EPSS
0.3%
CVE-2026-14753 MEDIUM This Month

Authorization bypass in stumasy, a PHP-based student management system, exposes the Note Handler and Assignment Handler endpoints at /PHP/objects/notes to unauthenticated remote exploitation by manipulating the assignment_item_id parameter. The flaw (CWE-285: Improper Authorization) allows an attacker to read, modify, or otherwise interact with notes and assignment records belonging to other users without possessing the required authorization. Public exploit code exists per the CVSS 4.0 E:P threat metric, and the project maintainer has not responded to the disclosure, meaning no patch is available at time of analysis.

Authentication Bypass PHP
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.3%
CVE-2026-14752 LOW Monitor

Cross-site scripting in stumasy's dictionary notes feature allows a low-privileged, remote attacker to inject malicious JavaScript via the unsanitized `reference` argument of the `add_definition` function. The vulnerability affects the PHP web application at commit 327d1b0f2915ba79d7ef8ebb74553e987609d9be and earlier, with exploit code publicly disclosed via VulDB submission 849495. Real-world impact is constrained by the requirement for prior authentication and victim interaction, but no vendor patch exists and the project maintainer has not responded to the responsible disclosure.

XSS PHP
NVD GitHub VulDB
CVSS 4.0
2.0
EPSS
0.2%
CVE-2026-14755 MEDIUM POC This Month

SQL injection in code-projects Hotel and Tourism Reservation 1.0 exposes the /admin/reservations.php endpoint to database manipulation via the unsanitized `delete` parameter. The vulnerability is reachable over the network with no confirmed complexity barriers, and a public proof-of-concept exploit has been disclosed. No vendor patch has been identified, leaving all deployments of version 1.0 exposed to database read, write, and potential full compromise of hosted reservation data.

SQLi PHP Hotel And Tourism Reservation
NVD VulDB
CVSS 4.0
5.5
EPSS
0.3%
CVE-2026-14751 LOW POC Monitor

SQL injection in stumasy's notes search functionality exposes authenticated remote attackers to database manipulation via the unsanitized `field_name` parameter in `Notes_controller::search_scratch_data`. The affected PHP application by developer mjperpinosa has a publicly available proof-of-concept exploit filed as GitHub issue #7, and the maintainer has not responded to disclosure, leaving all users on any commit through 327d1b0f2915ba79d7ef8ebb74553e987609d9be without a remediation path. No public exploit identified at time of analysis meets the KEV threshold, but the confirmed POC and absence of vendor response meaningfully elevate operational risk.

SQLi PHP Stumasy
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.2%
CVE-2026-14750 MEDIUM POC This Month

SQL injection in stumasy's Notes_controller grants remote unauthenticated attackers the ability to manipulate database queries through the unsanitized Password argument in the accessing_dictionary_authorization function. The affected codebase is an obscure PHP application maintained by mjperpinosa, pinned to commit 327d1b0f2915ba79d7ef8ebb74553e987609d9be as the last known vulnerable state. Publicly available exploit code exists via a GitHub issue report, and the project maintainer has not responded to disclosure, leaving no vendor-released patch at time of analysis.

SQLi PHP Stumasy
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.3%
CVE-2026-14749 MEDIUM POC This Month

Remote PHP code injection in stumasy's calculator module allows unauthenticated network attackers to execute arbitrary server-side code by manipulating the `mathematical_sentence` parameter passed unsanitized into PHP's `eval()` function in calculate.php. A public proof-of-concept exploit exists (GitHub issue #5), and no patch has been released - the project maintainer has not responded to the disclosure. The rolling release model means no fixed version can be cited; the vulnerability is present through at least commit 327d1b0f2915ba79d7ef8ebb74553e987609d9be.

Code Injection PHP RCE Stumasy
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.3%
CVE-2026-14747 MEDIUM This Month

SQL injection in code-projects Real State Services 1.0 exposes the application's database to remote unauthenticated manipulation via the `amen` parameter in `/addprojectsale.php`. Any attacker with network access to the PHP web application can craft a malicious HTTP request to read, modify, or partially disrupt the underlying database without authentication. No active exploitation is confirmed in CISA KEV, but a GitHub issue filed under the researcher's CVE repository suggests reproduction steps or proof-of-concept detail is publicly accessible.

SQLi PHP Real State Services
NVD VulDB GitHub
CVSS 4.0
6.9
EPSS
0.3%
CVE-2026-14746 MEDIUM POC This Month

SQL injection in code-projects Real State Services 1.0 allows remote unauthenticated attackers to manipulate the backend database via the `amen` parameter in `/addprojectrent.php`. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms trivial, unauthenticated network exploitation with no attack preconditions. A publicly available proof-of-concept exploit has been disclosed via GitHub, elevating the realistic threat beyond theoretical; however, this CVE is not currently listed in the CISA KEV catalog, and the product's limited enterprise footprint constrains broad impact.

SQLi PHP Real State Services
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.3%
CVE-2026-14745 MEDIUM POC This Month

SQL injection in code-projects Real State Services 1.0 allows remote unauthenticated attackers to manipulate the `id` parameter of `/single-list_rent.php` to read, modify, or corrupt backend database contents. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms zero-friction unauthenticated network exploitation against a standard installation. A public proof-of-concept exploit is available on GitHub (E:P confirmed in CVSS 4.0 supplemental metrics), raising realistic risk of opportunistic automated attacks against any internet-exposed instance; no CISA KEV listing and no patch are confirmed at time of analysis.

SQLi PHP Real State Services
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.3%
CVE-2026-14744 MEDIUM POC This Month

SQL injection in code-projects Real State Services 1.0 exposes unauthenticated remote attackers a direct path to manipulate the backend database via the `loc` parameter in `/normalHomeRent.php`. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms no authentication, no user interaction, and no special configuration are required against default deployments. A public proof-of-concept exploit has been released on GitHub, materially increasing opportunistic exploitation risk despite the moderate aggregate score; no CISA KEV listing has been identified at time of analysis.

SQLi PHP Real State Services
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.3%
CVE-2026-14743 MEDIUM POC This Month

SQL injection in code-projects Real State Services 1.0 exposes the `/normalHomeSale.php` endpoint to unauthenticated remote database manipulation via the unsanitized `loc` parameter. Any internet-accessible deployment of this PHP real estate application is vulnerable to data extraction or modification without credentials. A public proof-of-concept exploit is available on GitHub, lowering the skill barrier for opportunistic attackers; however, no CISA KEV listing has been issued and no patch has been identified from the vendor.

SQLi PHP Real State Services
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.3%
CVE-2026-14736 MEDIUM This Month

Unrestricted file upload in Ruijie RG-UAC unified access controller appliances (all versions through 1.0-R1.8.2.p5) allows unauthenticated remote attackers to upload arbitrary files via the upload_image parameter in user_auth_commit.php. The combination of an authentication bypass (CWE-284) and unrestricted file type acceptance creates a pathway to persistent server-side code execution if uploaded content reaches an executable web path. A public proof-of-concept exploit exists, elevating the urgency of remediation despite the absence of a CISA KEV listing.

Authentication Bypass File Upload PHP
NVD VulDB
CVSS 4.0
5.5
EPSS
0.5%
CVE-2026-14735 MEDIUM This Month

SQL injection in code-projects Smart Parking System 1.0 exposes the `/parkings/parkings.php` endpoint to remote unauthenticated exploitation via unsanitized `street`, `city`, and `status` parameters. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms zero-barrier network access with no authentication or user interaction required. A public proof-of-concept has been disclosed via a Medium article specifically documenting escalation from SQL injection to arbitrary file read, materially increasing real-world risk beyond the moderate base score of 5.5.

SQLi PHP
NVD VulDB
CVSS 4.0
5.5
EPSS
0.4%
CVE-2026-14734 MEDIUM This Month

SQL injection in SourceCodester Class and Exam Timetabling System 1.0 exposes the application's database to remote, unauthenticated attackers through the unsanitized ID parameter in /edit_product.php. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms trivial remote access with no prerequisites, yielding low-rated but real confidentiality, integrity, and availability impact against the underlying database. No public exploit identified at time of analysis is contradicted by the description and E:P supplemental metric - a public exploit exists, elevating the practical risk above what the 5.5 base score alone suggests for any internet-exposed instance.

SQLi PHP
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.4%
CVE-2026-14733 MEDIUM This Month

SQL injection in SourceCodester Class and Exam Timetabling System 1.0 exposes the application's database to unauthenticated remote attackers through the unsanitized 'ID' parameter in /edit_coursea.php. The CVSS 4.0 E:P modifier and the CVE description both confirm that public exploit code exists, lowering the bar for opportunistic exploitation. Impact is assessed as limited across confidentiality, integrity, and availability (all Low), but the absence of authentication requirements makes this accessible to any network-reachable attacker.

SQLi PHP
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.3%
CVE-2026-14732 MEDIUM This Month

SQL injection in SourceCodester Class and Exam Timetabling System 1.0 exposes the application's database through the unsanitized ID parameter in /edit_exam.php, reachable by unauthenticated remote attackers. The exploit has been publicly disclosed (CVSS 4.0 E:P), allowing any actor with network access to enumerate, read, or manipulate database contents. No KEV listing is present; exploitation appears opportunistic rather than targeted, consistent with the niche deployment footprint of this product.

SQLi PHP
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.3%
CVE-2026-14731 LOW Monitor

SQL injection in itsourcecode Hospital Management System 1.0 exposes the `/patientreport.php` endpoint to remote manipulation via the `editid` parameter, allowing an authenticated attacker to craft arbitrary SQL statements against the backend database. The CVSS 4.0 base score is 2.1 (Low), reflecting constrained confidentiality, integrity, and availability impact, with no scope change to adjacent systems. Publicly available exploit code exists (E:P per the CVSS 4.0 threat metric), though no active exploitation has been confirmed via CISA KEV.

SQLi PHP
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.2%
CVE-2026-14730 LOW Monitor

SQL injection in itsourcecode Hospital Management System 1.0 exposes the patient database to authenticated low-privilege attackers via the `patientname` parameter in `/patientprofile.php`. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L) confirms network-accessible exploitation with no attack complexity, while the E:P supplemental metric confirms publicly available proof-of-concept exploit code. No vendor patch has been released, leaving deployments reliant on compensating controls; however, real-world risk is bounded by the product's extremely limited production footprint as an educational PHP project.

SQLi PHP
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.2%
CVE-2026-14719 MEDIUM POC This Month

Privilege escalation in SourceCodester's Onlne Examination & Learning Management System 1.0 (the product name itself contains a typo - 'Onlne' instead of 'Online') exposes an unauthenticated registration endpoint at register.php where the role parameter is not server-side validated, allowing any remote actor to self-assign elevated privileges at account creation. A publicly available exploit has been published on Pastebin, confirming the attack is trivially reproducible. No CISA KEV listing exists, but the CVSS 4.0 E:P modifier and Pastebin reference corroborate working exploit availability; no vendor patch has been identified at time of analysis.

Privilege Escalation PHP Onlne Examination Learning Management System
NVD VulDB
CVSS 4.0
5.5
EPSS
0.3%
CVE-2026-14717 LOW POC Monitor

SQL injection in itsourcecode Hospital Management System 1.0 allows remote attackers with low-level privileges to manipulate the `loginid` parameter in `/patientlogin.php`, enabling unauthorized database read, modification, or deletion operations. The vulnerability scores 5.3 on CVSS 4.0 and is compounded by a publicly available proof-of-concept exploit published on GitHub, materially lowering the barrier to opportunistic attack. No CISA KEV listing has been identified, but the public POC and low attack complexity make any internet-exposed deployment an actionable target.

SQLi PHP Hospital Management System
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.2%
CVE-2026-14713 MEDIUM POC This Month

SQL injection in SourceCodester Pizzafy E-Commerce System 1.0 exposes the application to unauthenticated remote database compromise via the `id` parameter in `/admin/ajax.php?action=confirm_order`. The CVSS 4.0 vector (PR:N) indicates the vulnerable admin endpoint is reachable without authentication, compounding the severity of the unsanitized input. A publicly available exploit exists on GitHub, though the product is not listed in the CISA KEV catalog and has a very limited production deployment footprint.

SQLi PHP Pizzafy E Commerce System
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.3%
CVE-2026-14706 LOW POC Monitor

SQL injection in code-projects Online Examination 1.0 allows authenticated remote attackers to manipulate database queries through multiple unsanitized parameters in the Quiz Creation Feature. The endpoint /update.php?q=addquiz accepts user-supplied input for the name, total, right, wrong, time, tag, and desc arguments without adequate sanitization, enabling read and write access to the underlying database. A public proof-of-concept exploit exists on GitHub, though the application's extremely limited deployment footprint constrains real-world impact.

SQLi PHP Online Examination
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.2%
CVE-2026-14705 MEDIUM POC This Month

SQL injection in code-projects Online Examination 1.0 exposes the login endpoint to unauthenticated remote attackers via the uname and password parameters in head.php. Manipulation of either parameter enables classic SQL injection, allowing database enumeration, authentication bypass, and potential data manipulation against any deployed instance. A public proof-of-concept exploit is available on GitHub (no public exploit identified as KEV), making weaponization trivial for low-skill attackers targeting this application.

SQLi PHP Online Examination
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.3%
CVE-2026-14703 LOW POC Monitor

SQL injection in itsourcecode Hospital Management System 1.0 allows authenticated remote attackers to manipulate the `editid` parameter in `/patientorder.php`, potentially exposing or modifying patient order records and underlying database contents. The CVSS 4.0 vector (PR:L, E:P) confirms low-privilege authentication is required and that a public exploit has been disclosed via GitHub. While the base impact metrics are rated Low across confidentiality, integrity, and availability, the sensitivity of healthcare data in scope and the trivially available proof-of-concept raise practical risk above what the numeric score alone suggests.

SQLi PHP Hospital Management System
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.2%
CVE-2026-14701 LOW POC Monitor

SQL injection in code-projects Internship Management System 1.0 exposes authenticated employer accounts to database query manipulation via the `Current` parameter in the password change endpoint (`employer/details/change_password.php`). The flaw carries a CVSS 4.0 score of 5.3, is rooted in unsanitized PHP input passed directly into SQL queries (CWE-89), and has a publicly available proof-of-concept exploit on GitHub. No public exploit identified as confirmed in CISA KEV, but the combination of low attack complexity and public PoC meaningfully raises real-world exploitation likelihood against any internet-exposed deployment.

SQLi PHP Internship Management System
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.2%
CVE-2026-14700 MEDIUM POC This Month

SQL injection in code-projects Internship Management System 1.0 permits unauthenticated remote attackers to manipulate the email and password parameters of employer/login.php, altering backend SQL query logic to bypass authentication or partially expose database contents. A proof-of-concept exploit has been publicly disclosed on GitHub, materially lowering the skill threshold for exploitation. The CVSS 4.0 score of 6.9 with PR:N and no attack complexity reflects straightforward unauthenticated access, though impact is bounded at Low across confidentiality, integrity, and availability - suggesting partial rather than full database compromise.

SQLi PHP Internship Management System
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.3%
CVE-2026-14698 LOW POC Monitor

Unrestricted file upload in SourceCodester Syllabus-Aligned Learning Management and Examination System 1.0 allows low-privileged remote attackers to upload arbitrary file types via the upload_files.php endpoint, with potential for remote code execution through PHP webshell deployment given the application's PHP runtime environment. The vulnerability is rooted in CWE-434 and carries a network-accessible attack vector with no special configuration required beyond a valid user account. A public proof-of-concept exploit is confirmed available on Pastebin; no CISA KEV listing has been identified at time of analysis.

PHP File Upload Syllabus Aligned Learning Management And Examination System
NVD VulDB
CVSS 4.0
2.1
EPSS
0.2%
CVE-2026-14695 MEDIUM POC This Month

SQL injection in SourceCodester Multi-Vendor Online Grocery Management System 1.0 allows unauthenticated remote attackers to manipulate backend database queries via the Name argument in the save_client function of the registration handler. The vulnerability resides in classes/Users.php and is exploitable without any prior authentication, as it targets the public-facing user registration flow. A public proof-of-concept exploit has been published on GitHub, and no KEV listing exists, though the low-friction exploitation path and public PoC elevate urgency for any live deployment of this software.

SQLi PHP Multi Vendor Online Grocery Management System
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.3%
CVE-2026-14694 LOW POC Monitor

SQL injection in SourceCodester Multi-Vendor Online Grocery Management System 1.0 allows a remote low-privileged attacker to manipulate database queries via the `ID` POST parameter in the `cancel_order` function of `classes/Master.php`. The flaw is a classic CWE-89 unsanitized parameter passed directly into a SQL statement, enabling data extraction, modification, or potential authentication bypass within the application database. A publicly available proof-of-concept exploit exists (GitHub issue linked in references), raising the practical risk beyond the conservative CVSS 4.0 base score of 2.1.

SQLi PHP Multi Vendor Online Grocery Management System
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.2%
CVE-2026-14693 LOW POC Monitor

Improper authorization in SourceCodester Multi-Vendor Online Grocery Management System 1.0 allows a low-privileged remote attacker to invoke the cancel_order function in classes/Master.php against orders they do not own, enabling unauthorized order cancellation and limited disruption of platform integrity. The vulnerability stems from CWE-285 (Improper Authorization) - the application fails to verify that the requesting user has authority over the targeted order resource. A proof-of-concept exploit has been publicly disclosed on GitHub, lowering the bar for exploitation; however, no confirmed active exploitation (CISA KEV) has been identified at time of analysis.

Authentication Bypass PHP Multi Vendor Online Grocery Management System
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.2%
CVE-2026-14692 LOW POC Monitor

SQL injection in SourceCodester Multi-Vendor Online Grocery Management System versions 1.0 and 5.7.26 allows remote authenticated attackers to manipulate backend database queries through unsanitized POST parameters passed to the `save_shop_type` function in `classes/Master.php`. A public proof-of-concept exploit is available via GitHub, lowering the exploitation barrier for any actor who has obtained application credentials. The CVSS 4.0 score of 2.1 reflects partial confidentiality, integrity, and availability impact rather than full database compromise, and no patch has been confirmed available at time of analysis.

SQLi PHP Multi Vendor Online Grocery Management System
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.2%
CVE-2026-14691 LOW POC Monitor

Code injection in SourceCodester Multi-Vendor Online Grocery Management System 1.0 allows remote low-privileged attackers to execute arbitrary PHP code by manipulating the `content[]` argument passed to the `update_settings_info` function in `classes/SystemSettings.php`. A public proof-of-concept exploit has been disclosed on GitHub, and exploitation requires only a low-privileged authenticated session over the network. No CISA KEV listing exists, but the public exploit materially lowers the barrier for opportunistic attacks against any internet-exposed instance.

Code Injection PHP RCE Multi Vendor Online Grocery Management System
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.2%
CVE-2026-14690 MEDIUM POC This Month

Improper authorization in SourceCodester Multi-Vendor Online Grocery Management System 1.0 allows remote unauthenticated attackers to invoke the save_users function in classes/Users.php without valid authorization checks, enabling unauthorized user account creation or modification. The CVSS 4.0 vector confirms network-accessible, zero-privilege exploitation with low confidentiality, integrity, and availability impact on the vulnerable system. A public proof-of-concept exploit exists (GitHub), and no CISA KEV listing indicates active widespread exploitation has not been confirmed at time of analysis.

Authentication Bypass PHP Multi Vendor Online Grocery Management System
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.3%
CVE-2026-14689 LOW POC Monitor

SQL injection in CodeAstro Apartment Visitor Management System 1.0 enables remote, low-privilege authenticated attackers to manipulate backend database queries via the `apartmentno` parameter in `/apartment-visitor/add-apartment.php`. The CVSS 4.0 score of 2.1 reflects a constrained impact scope (low C/I/A on the vulnerable system, no downstream system impact), but the presence of a publicly available proof-of-concept lowers the exploitation bar significantly. Real-world impact could extend beyond the CVSS score if the database user holds elevated permissions, potentially enabling unauthorized data extraction or record manipulation across the application's dataset. No public exploit identified via CISA KEV; no vendor patch identified at time of analysis.

SQLi PHP Apartment Visitor Management System
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.2%
CVE-2026-14688 MEDIUM POC This Month

SQL injection in itsourcecode Online Hotel Management System 1.0 exposes the admin login endpoint to remote unauthenticated exploitation via an unsanitized `email` parameter in `/admin/login.php`. A public proof-of-concept is available on GitHub (reflected in the CVSS 4.0 E:P metric), meaning exploitation requires minimal technical skill and is accessible to opportunistic attackers. No CISA KEV listing has been identified, but the zero-authentication barrier combined with available exploit code makes this a practical risk for any internet-exposed deployment.

SQLi PHP Online Hotel Management System
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.3%
CVE-2026-14660 MEDIUM POC This Month

SQL injection in code-projects Online Job Portal 1.0 exposes the login.php endpoint to remote unauthenticated exploitation via the txtUser and txtPass parameters, enabling attackers to manipulate backend SQL queries without any credentials or user interaction. A public proof-of-concept exploit is documented on GitHub, significantly lowering the barrier to attack for any internet-exposed instance. No patch has been identified from the vendor at time of analysis; the wildcard CPE suggests all versions are affected.

SQLi PHP Online Job Portal
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.4%
CVE-2026-14659 LOW POC Monitor

SQL injection in itsourcecode Hospital Management System 1.0 exposes patient and appointment data to remote attackers holding low-privilege credentials via the `patiente` parameter in `/patientappointment.php`. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:N) confirms network-reachable exploitation with no attack complexity, and the E:P modifier reflects a publicly disclosed proof-of-concept on GitHub. While not yet listed in CISA KEV, the combination of a live PoC, a healthcare data context, and trivial exploitation conditions makes this a credible risk for any organization running this application.

SQLi PHP Hospital Management System
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.3%
CVE-2026-14658 LOW POC Monitor

SQL injection in code-projects Assessment Management 1.0 allows authenticated remote attackers to execute arbitrary SQL queries by manipulating the smarksrange[] array parameter in /lecturer/marking-scheme.php. The CVSS 4.0 vector (PR:L) confirms low-privilege authentication is required, limiting the attack surface to registered users such as lecturers. A public exploit proof-of-concept is available on GitHub, elevating the practical risk despite the medium CVSS 4.0 score of 5.3 and no confirmed active exploitation in the CISA KEV catalog.

SQLi PHP Assessment Management
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.3%
CVE-2026-14657 LOW POC Monitor

SQL injection in code-projects Assessment Management 1.0 exposes database query handling in the lecturer marking-scheme feature to manipulation via the unsanitized `squestions[]` parameter at `/lecturer/marking-scheme.php`. Authenticated remote attackers with low-privilege access can alter SQL query logic to extract or modify student assessment data. A public proof-of-concept exploit is documented on GitHub, lowering the skill bar for exploitation; however, the application is not listed in CISA KEV and carries a CVSS 4.0 score of 2.1 reflecting its constrained impact and authentication prerequisite.

SQLi PHP Assessment Management
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.3%
CVE-2026-14656 LOW POC Monitor

Cross-site scripting in code-projects Assessment Management 1.0 allows remote unauthenticated attackers to inject malicious scripts via the unsanitized `ID` parameter in `/admin/remove-user.php`. A public proof-of-concept exploit is available on GitHub (E:P in the CVSS 4.0 supplemental metrics), lowering the bar for exploitation. The vulnerability is not listed in the CISA KEV catalog, so confirmed widespread active exploitation has not been established, though the admin-facing endpoint makes session hijacking of privileged users a realistic outcome.

XSS PHP Assessment Management
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.4%
CVE-2026-14654 MEDIUM This Month

SQL injection in SourceCodester Simple and Nice Shopping Cart Script 1.0 exposes the database to remote query manipulation via the `user_id` parameter in `/admin/girlsproductdeletequery.php`. The CVSS 4.0 vector rates this as network-exploitable with no authentication required (PR:N), though the `/admin/` path location raises questions about whether authentication is enforced in practice - a discrepancy worth verifying in deployment. A publicly available exploit exists per VulDB, though the vulnerability is not listed in CISA KEV and the overall CVSS 4.0 score of 5.5 reflects limited impact across confidentiality, integrity, and availability.

SQLi PHP
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.4%
CVE-2026-14655 LOW POC Monitor

Cross-site scripting (XSS) in code-projects Assessment Management 1.0 allows a remote attacker with administrative credentials to inject malicious scripts via the User parameter in admin/view-users.php, executing arbitrary JavaScript in the browser context of users who view the affected admin page. The CVSS 4.0 vector (PR:H, UI:P) confirms exploitation is gated behind high-privilege authentication and requires a victim to load the tampered page. A public proof-of-concept exploit exists on GitHub, though no active exploitation or CISA KEV listing has been identified at time of analysis.

XSS PHP Assessment Management
NVD VulDB GitHub
CVSS 4.0
1.9
EPSS
0.3%
CVE-2026-14653 MEDIUM POC This Month

SQL injection in SourceCodester Simple and Nice Shopping Cart Script 1.0 enables remote, unauthenticated attackers to manipulate database queries through the user_id parameter in /admin/mensproductdeletequery.php, exposing partial confidentiality, integrity, and availability of the underlying database. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) indicates no authentication or special conditions are required for exploitation over the network. A public exploit has been disclosed on GitHub, elevating the practical risk above the raw score suggests - though this is not confirmed as actively exploited by CISA KEV at time of analysis.

SQLi PHP Simple And Nice Shopping Cart Script
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.4%
CVE-2026-14652 MEDIUM POC This Month

SQL injection in SourceCodester Simple and Nice Shopping Cart Script 1.0 exposes the admin login interface to remote unauthenticated attackers through unsanitized input in the Username parameter of /admin/login.php. The CVSS 4.0 score of 6.9 (Medium) reflects limited per-request impact (VC:L/VI:L/VA:L), but a publicly available proof-of-concept exploit (E:P) on GitHub substantially lowers the exploitation bar for opportunistic attackers. No KEV listing exists at time of analysis; however, the trivial attack complexity (AC:L, AT:N, PR:N, UI:N) combined with public exploit code makes any internet-facing deployment of this script an immediate remediation priority.

SQLi PHP Simple And Nice Shopping Cart Script
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.4%
CVE-2026-14649 MEDIUM This Month

SQL injection in code-projects Online Voting System 1.0 exposes remote unauthenticated attackers a direct path to manipulate backend database queries through four parameters in the vote submission endpoint /saveVote.php. The test_input function - intended as a sanitization layer - fails to neutralize SQL metacharacters across voterName, voterEmail, voterID, and selectedCandidate, indicating a systemic rather than isolated input-handling failure. A publicly available proof-of-concept exists on GitHub, lowering the exploitation barrier, though real-world exposure is substantially constrained by the product's near-zero production deployment footprint as an educational PHP project.

SQLi PHP
NVD GitHub VulDB
CVSS 4.0
6.9
EPSS
0.3%
CVE-2026-14648 MEDIUM POC This Month

Unauthenticated SQL injection in code-projects Online Voting System 0.x-1.0 exposes the admin login endpoint to full authentication bypass and database extraction. The vulnerability resides in the `test_input` function within `/authentication.php`, where the `adminUserName` and `adminPassword` parameters are passed unsanitized into SQL queries, enabling classic injection attacks against the login form. A public proof-of-concept exploit has been published on GitHub; no vendor patch has been identified at time of analysis.

SQLi PHP Online Voting System
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.3%
CVE-2026-14642 MEDIUM POC This Month

SQL injection in SourceCodester Class and Exam Timetabling System 1.0 exposes the database to remote unauthenticated attackers via the unvalidated ID parameter in /edit_class2.php. The CVSS 4.0 vector (AV:N/AC:L/PR:N/UI:N) confirms trivial, unauthenticated remote exploitation requiring no special conditions. Publicly available exploit code (E:P) lowers the bar to exploitation further, though the product's niche deployment footprint significantly limits real-world blast radius. No KEV listing; no patch identified at time of analysis.

SQLi PHP Class And Exam Timetabling System
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.4%
CVE-2026-14641 MEDIUM POC This Month

SQL injection in SourceCodester Class and Exam Timetabling System 1.0 exposes the `/edit_course.php` endpoint to unauthenticated remote database manipulation via a malicious `id` parameter. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms zero-barrier remote exploitation with no authentication or user interaction required, and a public proof-of-concept exploit has been disclosed on GitHub. No active exploitation is confirmed in CISA KEV, though the combination of a public POC and fully unauthenticated attack path elevates practical risk for any internet-exposed deployment.

SQLi PHP Class And Exam Timetabling System
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.4%
CVE-2026-14639 LOW Monitor

SQL injection in CodeAstro Ecommerce Website 1.0 exposes authenticated customers to database manipulation via the c_name parameter on the account-editing endpoint. The vulnerability was publicly disclosed with a proof-of-concept exploit referenced on GitHub, meaning exploitation tooling is accessible. Impact is assessed as limited scope - low confidentiality, integrity, and availability - but network reachability and the public PoC raise opportunistic risk for unpatched deployments.

SQLi PHP
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.2%
CVE-2026-14640 MEDIUM POC This Month

SQL injection in CodeAstro Apartment Visitor Management System 1.0 exposes the login endpoint at /index.php to unauthenticated remote attackers who can manipulate the Username parameter to execute arbitrary SQL queries against the backend database. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms zero prerequisites for exploitation, and the E:P modifier reflects a publicly available proof-of-concept on GitHub. No CISA KEV listing was found at time of analysis, but the combination of an exposed login surface, no authentication barrier, and live POC code materially elevates practical risk beyond the medium CVSS score of 6.9.

SQLi PHP Apartment Visitor Management System
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.3%
CVE-2026-14638 LOW POC Monitor

SQL injection in itsourcecode Hospital Management System 1.0 exposes patient records to partial disclosure and modification via the `editid` parameter in `/patient.php`. The CVSS 4.0 vector (PR:L) confirms exploitation requires a low-privilege authenticated session, limiting the immediate attack surface to users who can log in. A public proof-of-concept exploit exists (E:P), elevating practical risk above the base score of 5.3, though no CISA KEV listing confirms active exploitation at time of analysis.

SQLi PHP Hospital Management System
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.2%
CVE-2026-14637 HIGH POC PATCH This Week

PHP object injection in kirilkirkov's Ecommerce-CodeIgniter-Bootstrap allows remote unauthenticated attackers to pass attacker-controlled data into the getCartItems() function of application/libraries/ShoppingCart.php, which deserializes the shopping_cart argument (CWE-502). Depending on available gadget chains in the CodeIgniter application, this can lead to code execution or denial of service. Publicly available exploit code exists (VulDB, GHSA-9g5q-g6m3-v5cr), but there is no public exploit identified as being used in active attacks and the item is not in CISA KEV; EPSS was not provided.

Deserialization PHP Ecommerce Codeigniter Bootstrap
NVD VulDB GitHub
CVSS 4.0
7.8
EPSS
0.6%
CVE-2026-14636 MEDIUM This Month

Path traversal in kirilkirkov's Ecommerce-CodeIgniter-Bootstrap allows authenticated remote attackers to manipulate filesystem paths via the unsanitized `folder` argument in the Vendor Image Manager's `do_upload_others_images` function. The flaw in `application/modules/vendor/controllers/AddProduct.php` permits directory traversal sequences to redirect file-write operations outside the intended upload directory, resulting in limited integrity and availability impact. No active exploitation has been confirmed (not in CISA KEV), and no public exploit code has been identified at time of analysis.

Path Traversal PHP
NVD GitHub VulDB
CVSS 4.0
5.3
EPSS
0.3%
CVE-2026-14635 MEDIUM POC PATCH This Month

Path traversal in kirilkirkov's Ecommerce-CodeIgniter-Bootstrap exposes server-side files and upload directories to manipulation via the unsanitized `folder` parameter in the Vendor Multi-Image Endpoint (AddProduct.php), enabling remote attackers to read or write files outside the designated upload path. A public exploit has been released per GitHub Security Advisory GHSA-6whv-r5hm-vcjr and the CVSS 4.0 E:P modifier confirms proof-of-concept availability, with a base score of 6.9 reflecting low-complexity network exploitation. No CISA KEV listing was identified; however, all deployed instances cloned prior to patch commit 2a9497ff are exposed, as this is a rolling-release project with no discrete versioned releases.

Path Traversal PHP Ecommerce Codeigniter Bootstrap
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.4%
CVE-2026-14633 LOW Monitor

Stored cross-site scripting in kirilkirkov's Ecommerce-CodeIgniter-Bootstrap allows remote unauthenticated attackers to inject malicious scripts via the title or description arguments of the hidden REST API endpoint /index.php/api/product/set, executing arbitrary JavaScript in the browsers of users who subsequently view the affected product data. A public exploit has been disclosed (CVSS 4.0 E:P), though the low CVSS 4.0 score of 2.1 and the user-interaction requirement constrain practical impact. No active exploitation is confirmed by CISA KEV, and a patch commit is available in the project repository.

XSS PHP
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.3%
CVE-2026-14634 LOW POC PATCH Monitor

Reflected/stored cross-site scripting in the Subscribed Emails Admin Page of kirilkirkov's Ecommerce-CodeIgniter-Bootstrap allows an unauthenticated remote attacker to inject arbitrary JavaScript by crafting a malicious HTTP User-Agent header, which is rendered unencoded via the checkForPostRequests function in application/core/MY_Controller.php. When an administrator subsequently views the subscription management panel, the payload executes in their browser session. A public exploit exists (CVSS E:P); this is not listed in CISA KEV, indicating no confirmed widespread active exploitation at time of analysis.

XSS PHP Ecommerce Codeigniter Bootstrap
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.3%
CVE-2026-14632 LOW POC PATCH Monitor

Open redirect in kirilkirkov Ecommerce-CodeIgniter-Bootstrap allows remote attackers to manipulate the href argument of the setReferrer() function in the Trusted Backend Interface, redirecting users to arbitrary attacker-controlled URLs. A publicly available proof-of-concept exploit exists (CVSS 4.0 E:P), lowering the exploitation barrier for phishing and credential harvesting campaigns. This vulnerability is not listed in CISA KEV, indicating no confirmed widespread active exploitation at time of analysis.

Open Redirect PHP Ecommerce Codeigniter Bootstrap
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.3%
CVE-2026-12194 LOW POC Monitor

PHP file inclusion in PHPIPAM allows authenticated API users to include and execute arbitrary PHP files from the web server's filesystem, with primary impact on application confidentiality through exposure of sensitive configuration data. Exploitation is gated behind two non-default conditions: the REST API must be deliberately enabled by an administrator, and the attacker must hold valid API credentials - constraining the realistic attack surface substantially. Publicly available exploit code exists per Project Black's research blog, though the vulnerability carries a CVSS 4.0 score of 2.3 and is absent from CISA KEV, reflecting its narrow exploitation prerequisites rather than widespread threat activity.

LFI Information Disclosure PHP Phpipam
NVD GitHub VulDB
CVSS 4.0
2.3
EPSS
0.4%
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Privilege retention in FOSSBilling before 0.8.0 allows a suspended or deactivated client, staff, or admin to keep full authenticated access because the session identity loaders in src/di.php never re-check account status. Suspending or deactivating a user does not terminate their live session - access persists until the session expires naturally. This is an authenticated (PR:L) session-management flaw with no public exploit identified at time of analysis and no CISA KEV listing; the vendor rates it 8.7 (CVSS 4.0).

Information Disclosure PHP Fossbilling
NVD GitHub VulDB
EPSS 0% CVSS 3.8
LOW PATCH Monitor

OS command injection in Coolify's settings module allows a highly privileged attacker in a development environment to execute arbitrary shell commands on the host server by injecting metacharacters into the dev_helper_version field, which is passed unsanitized into a Docker build command. All Coolify releases prior to 4.0.0-beta.474 are affected. No public exploit code exists and no CISA KEV listing has been issued; the provided CVSS score of 3.8 (Low) accurately reflects the highly constrained exploitation prerequisites, though the underlying command injection class warrants upgrade regardless.

Command Injection PHP Docker +1
NVD GitHub
EPSS 0% CVSS 9.2
CRITICAL PATCH Act Now

Unauthenticated payment bypass in FOSSBilling 0.6.0 through 0.7.2 lets a remote attacker mark any unpaid invoice as paid and credit the associated client's account balance with a single crafted HTTP request to the IPN callback endpoint (/ipn.php), provided the Custom payment adapter is enabled. The flaw stems from missing authentication (CWE-306) on a financially critical callback, so no credentials or user interaction are needed. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the vendor rates it 9.2 (CVSS 4.0) and a patched release (0.8.0) is available.

Authentication Bypass PHP Fossbilling
NVD GitHub
EPSS 1% CVSS 9.1
CRITICAL POC PATCH Act Now

The FileOrganizer WordPress plugin before 1.1.9, Advanced File Manager WordPress plugin before 5.4.12, File Manager Pro WordPress plugin before 2.1.1, File Manager WordPress plugin before 8.0.4 do not properly escape a parameter before passing it to a shell command when processing image operations, allowing authenticated users to perform OS Command Injection. This requires the server to have the ImageMagick convert CLI available without either the PHP imagick or GD extensions.

WordPress Command Injection PHP +4
NVD WPScan VulDB
EPSS 0% CVSS 8.8
HIGH POC PATCH This Week

Authenticated remote code execution in the FileOrganizer WordPress plugin before 1.2.0 lets users granted file-manager access upload arbitrary PHP files because several file-management operations skip file-type validation. Publicly available exploit code exists, and the flaw is an incomplete fix of CVE-2024-7985, which only hardened the upload operation while leaving other file-management endpoints unvalidated. With CVSS 3.1 base 8.8 (PR:L) and a working PoC, any low-privileged account with file-manager rights - extendable to sub-administrator roles via the premium add-on - can achieve full site compromise.

WordPress RCE PHP +1
NVD WPScan
EPSS 0% CVSS 7.5
HIGH POC PATCH This Week

The Notifications for Forms & WordPress Actions WordPress plugin before 2.6 does not validate a user-supplied value before using it to build a server-side file inclusion path, allowing authenticated. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable. Public exploit code available.

PHP Information Disclosure WordPress +1
NVD WPScan VulDB
EPSS 0% CVSS 2.1
LOW POC Monitor

SQL injection in CodeAstro Ecommerce Website 1.0 exposes the `/customer/my_account.php?my_wishlist` endpoint to database manipulation via the unsanitized `delete_wishlist` parameter, allowing remote attackers with a valid customer account to read or modify backend database contents. The CVSS 4.0 vector (PR:L) confirms exploitation requires an authenticated customer session, constraining the attack surface to registered users. A public proof-of-concept exploit has been released, no public exploit identified as confirmed actively exploited (not in CISA KEV), though the low barrier to exploitation once authenticated elevates practical risk.

SQLi PHP Ecommerce Website
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

SQL injection in CodeAstro Apartment Visitor Management System 1.0 allows authenticated remote attackers to manipulate backend database queries via the visname parameter in /apartment-visitor/visitor-entry.php. The flaw, classified as CWE-89, yields partial confidentiality, integrity, and availability impact against the vulnerable system. A publicly available proof-of-concept exploit exists on GitHub, lowering the skill bar for exploitation, though no confirmed active exploitation (CISA KEV) has been recorded at time of analysis.

SQLi PHP Apartment Visitor Management System
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

SQL injection in CodeAstro Apartment Visitor Management System 1.0 exposes the application's database to remote authenticated attackers through the unsanitized `editid` parameter in `/apartment-visitor/edit-apartment.php`. Low-privilege authenticated users can manipulate this parameter to read, modify, or partially disrupt database contents. A public proof-of-concept exploit has been disclosed on GitHub (no public exploit identified in CISA KEV at time of analysis), making this a realistic risk for any internet-exposed deployment of this PHP application.

SQLi PHP Apartment Visitor Management System
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

SQL injection in CodeAstro Apartment Visitor Management System 1.0 exposes backend database contents to authenticated low-privileged remote attackers via the unsanitized `fromdate` parameter in `/apartment-visitor/report.php`. The CVSS 4.0 vector confirms network-accessible exploitation requiring only low-privilege credentials. Publicly available exploit code has been published on GitHub (github.com/lilukun337/cve/issues/7), though no active exploitation has been confirmed by CISA KEV. The injection enables read and limited write access to the underlying database, with a moderate combined impact score of 5.3.

SQLi PHP Apartment Visitor Management System
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

SQL injection in CodeAstro Apartment Visitor Management System 1.0 allows authenticated remote attackers to manipulate database queries through the `remark` parameter of `/apartment-visitor/action-visitor.php`. A low-privileged user can extract, modify, or delete underlying database contents. A public proof-of-concept exploit has been disclosed on GitHub (no public exploit identified as CISA KEV, but POC availability lowers the bar for exploitation).

SQLi PHP Apartment Visitor Management System
NVD VulDB GitHub
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Improper authorization in Craft CMS up to 4.18.0.1 allows authenticated low-privileged users to access new user statistics for arbitrary user groups via the Charts endpoint. The flaw resides in the `actionGetNewUsersData` function within `src/controllers/ChartsController.php`, where the `userGroupId` parameter is not properly validated against the requesting user's authorization scope, enabling horizontal privilege escalation to read data across user group boundaries. No public exploit has been identified at time of analysis, but a vendor-released patch is available in version 4.18.1.

Authentication Bypass PHP Cms
NVD VulDB GitHub
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Authorization bypass in Craft CMS up to 4.18.0.1 allows authenticated low-privilege users to invoke the reorder-sets endpoint and manipulate Global Set ordering outside their authorized scope. The flaw resides in the actionReorderSets function of GlobalsController.php and is classified as CWE-639 (Authorization Bypass Through User-Controlled Key), an IDOR-class root cause where resource-level permission checks are absent. No public exploit has been identified at time of analysis and no CISA KEV listing exists; a vendor-released patch is available in version 4.18.1.

Authentication Bypass PHP Cms
NVD VulDB GitHub
EPSS 0% CVSS 2.0
LOW POC Monitor

Cross-site scripting in Crater invoice application (up to v6.0.6) allows an authenticated attacker to inject malicious script payloads via the invoice notes field, executing in the browser of any user who subsequently views the crafted invoice. The vulnerable function getFormattedString in app/Http/Requests/InvoicesRequest.php performs insufficient neutralization of the notes argument, classified under CWE-79. A public proof-of-concept exploit exists; no vendor patch has been released as the project has not responded to the coordinated disclosure made via GitHub issue #1327.

XSS PHP Crater
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM This Month

Improper authorization in SourceCodester Online Examination & Learning Management System 1.0 allows unauthenticated remote attackers to manipulate enrollment records by supplying arbitrary student_id, schedule_id, or action values to /ajax_enroll.php. The vulnerability is an Insecure Direct Object Reference (IDOR) - the application performs no ownership or privilege check before processing enrollment actions on behalf of any student. A public proof-of-concept has been disclosed (referenced by VulDB submission 850695 and GitHub advisory OE-LMS-IDOR-ajax_enroll.md); no active exploitation via CISA KEV has been confirmed at time of analysis.

Information Disclosure PHP
NVD GitHub VulDB
EPSS 0% CVSS 2.1
LOW POC Monitor

Unrestricted file upload in SourceCodester's "Onlne Examination & Learning Management System" 1.0 (note: product name contains a known typo per CVE data) exposes the /announcements.php endpoint to arbitrary file upload by low-privileged authenticated users. A publicly available proof-of-concept, referenced under the title 'OE-LMS-RCE-3-announcements.md', demonstrates that the flaw can be leveraged for remote code execution - a significantly more severe real-world impact than the low CIA metrics in the provided CVSS 4.0 score suggest. No active exploitation (CISA KEV) has been confirmed, but the combination of low-complexity exploitation, a network-accessible vector, and a public POC elevates practical risk well above the 5.3 base score.

PHP File Upload Onlne Examination Learning Management System
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

Unrestricted file upload in SourceCodester Onlne Examination & Learning Management System 1.0 (a PHP-based web application whose product name contains a documented typo - 'Onlne' rather than 'Online') permits remote low-privileged authenticated users to upload arbitrary files, including PHP webshells, via the /upload_files.php endpoint by exploiting inadequate extension validation in the pathinfo() function. Publicly available exploit code exists on GitHub, with the exploit document explicitly titled to reference remote code execution against this specific upload handler. No vendor-released patch has been identified, and the vulnerability is not listed in the CISA KEV catalog, though the public exploit materially lowers the barrier to exploitation.

PHP File Upload Onlne Examination Learning Management System
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

Unrestricted file upload in SourceCodester Onlne Examination & Learning Management System 1.0 allows network-accessible, low-privilege attackers to upload arbitrary file types - including executable PHP webshells - via the `user_id` parameter in `/process_lesson.php`, with the publicly available proof-of-concept explicitly framed as a remote code execution chain. No CISA KEV listing exists, but a working exploit is publicly available on GitHub under the title 'OE-LMS-RCE-1'. The assigned CVSS 4.0 score of 2.1 with low-impact metrics materially understates the realistic impact; CWE-434 in PHP environments routinely enables full server compromise when uploads land in web-executable directories.

PHP File Upload Onlne Examination Learning Management System
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

SQL injection in itsourcecode Hospital Management System 1.0 exposes the `/paymentdischarge.php` endpoint to database manipulation via the unsanitized `patientid` parameter. Low-privileged authenticated attackers can exploit this remotely with no user interaction required, achieving limited read, write, and availability impact against the underlying database. No public KEV listing, but a proof-of-concept exploit is publicly disclosed on GitHub, meaningfully lowering the bar for opportunistic exploitation in any internet-exposed deployment.

SQLi PHP Hospital Management System
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM This Month

SQL injection in SourceCodester Class and Exam Timetabling System 1.0 exposes the /edit_course1.php endpoint to remote, unauthenticated database manipulation via an unsanitized ID parameter. The CVSS 4.0 vector (PR:N, AV:N, AC:L) confirms no authentication is required and the attack is trivially executable over the network. Exploit code has been publicly disclosed per VulDB submission and a GitHub issue report, with the E:P modifier in the CVSS 4.0 vector corroborating proof-of-concept availability - though no CISA KEV listing indicates confirmed active exploitation at time of analysis.

SQLi PHP
NVD GitHub VulDB
EPSS 0% CVSS 2.1
LOW POC Monitor

SQL injection in itsourcecode Hospital Management System 1.0 exposes the /payment.php endpoint to database manipulation via an unsanitized `patientid` parameter, exploitable by any authenticated low-privilege user over the network. The CVSS 4.0 vector (PR:L, AV:N) confirms remote exploitation is feasible with only a basic account, and partial confidentiality, integrity, and availability impact is expected against the underlying database. Publicly available exploit code exists on GitHub, materially lowering the skill threshold for exploitation despite the moderate 5.3 CVSS score.

SQLi PHP Hospital Management System
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in SourceCodester Class and Exam Timetabling System 1.0 allows remote unauthenticated attackers to manipulate the ID parameter of /edit_exam1.php to execute arbitrary SQL commands against the underlying database. The CVSS 4.0 vector (AV:N/AC:L/PR:N/UI:N) confirms no authentication or special conditions are required, and the exploit has been publicly published on GitHub. Real-world impact is limited by the niche, educational-software footprint of this SourceCodester application, but any internet-exposed instance is trivially exploitable given the available POC.

SQLi PHP Class And Exam Timetabling System
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM This Month

SQL injection in SourceCodester Class and Exam Timetabling System 1.0 exposes the application's database to unauthenticated remote attackers via the unsanitized ID parameter in /edit_room.php. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms no authentication or special conditions are required, and the E:P supplemental metric confirms public exploit code exists. An attacker can read, modify, or partially disrupt the underlying database without any prior access to the application.

SQLi PHP
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM This Month

SQL injection in code-projects Real State Services 1.0 exposes the `/builderHome.php` endpoint to unauthenticated remote attackers who can manipulate database queries via the unsanitized `loc` parameter. A public proof-of-concept exploit exists (referenced via GitHub), lowering the exploitation barrier to script-kiddie level. No KEV listing exists, and the product's limited real-world deployment constrains overall population risk despite the trivial attack conditions.

SQLi PHP
NVD GitHub VulDB
EPSS 0% CVSS 2.1
LOW Monitor

SQL injection in CodeAstro Ecommerce Website 1.0 exposes the order confirmation endpoint to authenticated remote attackers who can manipulate the unsanitized `invoice_no` POST parameter to alter backend SQL queries. Exploitation is constrained to authenticated customer accounts (PR:L per CVSS 4.0 vector) but requires no additional configuration or user interaction. A public proof-of-concept has been released via GitHub Gist (E:P), lowering the technical bar for abuse despite a low CVSS 4.0 score of 2.1; no confirmed active exploitation or CISA KEV listing exists at time of analysis.

SQLi PHP
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in code-projects Real State Services 1.0 exposes the `/pay.php` endpoint to remote unauthenticated attackers who can manipulate the `Bankname` parameter to execute arbitrary SQL commands against the backend database. A public proof-of-concept exploit has been disclosed on GitHub, materially lowering the skill threshold for exploitation. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms zero-friction remote reachability, though partial CIA impact scores indicate constrained blast radius rather than full database takeover; no public confirmation of active exploitation (CISA KEV) exists at time of analysis.

SQLi PHP Real State Services
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

SQL injection in CodeAstro Apartment Visitor Management System 1.0 exposes the `/apartment-visitor/search-result.php` endpoint to remote exploitation via the `searchdata` POST parameter, allowing low-privileged authenticated attackers to read, modify, or partially disrupt underlying database contents. A public proof-of-concept exploit exists on GitHub, lowering the skill barrier for opportunistic attacks against any internet-facing deployment. No CISA KEV listing has been confirmed, and the CVSS 4.0 score of 5.3 reflects a limited partial-impact scope; however, the POC's availability meaningfully elevates real-world exploitation probability above what the score alone suggests.

SQLi PHP Apartment Visitor Management System
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in code-projects Hotel and Tourism Reservation 1.0 allows remote attackers to manipulate the backend database via the fdetails parameter in /admin/add_event.php. The flaw is reachable over the network with no authentication required per the CVSS 4.0 vector, enabling data extraction, modification, or disruption against the application's database. A public exploit has been disclosed on GitHub; no patch has been identified at time of analysis.

SQLi PHP Hotel And Tourism Reservation
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM This Month

SQL injection in code-projects Hotel and Tourism Reservation 1.0 exposes the backend database through the Room Management Page at /admin/rooms.php, where the `delete` parameter is passed unsanitized into SQL queries. Remote attackers can exploit this to read, modify, or potentially delete database records. Publicly available exploit code exists per the GitHub advisory by anubhavv106, raising the operational risk despite the moderate CVSS 4.0 score of 5.5 and absence of a CISA KEV listing.

SQLi PHP
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in code-projects Hotel and Tourism Reservation 1.0 allows remote attackers to manipulate the unsanitized `tour` parameter in /admin/tour_reserves.php, enabling arbitrary SQL query execution against the backend database. The CVSS 4.0 vector assigns PR:N (no privileges required), though the admin-panel endpoint raises questions about whether authentication is genuinely absent or misconfigured - a discrepancy worth verifying in deployments. A public proof-of-concept exploit has been published via GitHub, raising the practical risk despite the medium CVSS 4.0 score of 6.9 and absence of CISA KEV listing.

SQLi PHP Hotel And Tourism Reservation
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in code-projects Hotel and Tourism Reservation 1.0 exposes the reservation database to remote manipulation via the `delete_image` parameter in the admin Tour Management Page (`/admin/add_tour.php`). The CVSS 4.0 vector asserts no privileges required (PR:N), yet the vulnerable endpoint sits under an `/admin/` path - this conflict is unresolved in available data and defenders must verify whether the admin panel is publicly accessible without authentication. A public proof-of-concept is available on GitHub, elevating practical risk beyond the moderate base score, though no CISA KEV listing indicates confirmed widespread exploitation at time of analysis.

SQLi PHP Hotel And Tourism Reservation
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM This Month

SQL injection in code-projects Hotel and Tourism Reservation 1.0 exposes the admin panel endpoint /admin/add_room.php to database manipulation via multiple unsanitized parameters. A proof-of-concept exploit has been publicly documented in a Medium article, lowering the barrier for opportunistic exploitation. The CVSS 4.0 vector rates this as network-reachable with no authentication required (PR:N), though this conflicts with the admin-panel location of the endpoint - a discrepancy that should be verified, as exploitation scope depends entirely on whether the admin interface enforces access controls.

SQLi PHP
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM This Month

Authorization bypass in stumasy, a PHP-based student management system, exposes the Note Handler and Assignment Handler endpoints at /PHP/objects/notes to unauthenticated remote exploitation by manipulating the assignment_item_id parameter. The flaw (CWE-285: Improper Authorization) allows an attacker to read, modify, or otherwise interact with notes and assignment records belonging to other users without possessing the required authorization. Public exploit code exists per the CVSS 4.0 E:P threat metric, and the project maintainer has not responded to the disclosure, meaning no patch is available at time of analysis.

Authentication Bypass PHP
NVD GitHub VulDB
EPSS 0% CVSS 2.0
LOW Monitor

Cross-site scripting in stumasy's dictionary notes feature allows a low-privileged, remote attacker to inject malicious JavaScript via the unsanitized `reference` argument of the `add_definition` function. The vulnerability affects the PHP web application at commit 327d1b0f2915ba79d7ef8ebb74553e987609d9be and earlier, with exploit code publicly disclosed via VulDB submission 849495. Real-world impact is constrained by the requirement for prior authentication and victim interaction, but no vendor patch exists and the project maintainer has not responded to the responsible disclosure.

XSS PHP
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in code-projects Hotel and Tourism Reservation 1.0 exposes the /admin/reservations.php endpoint to database manipulation via the unsanitized `delete` parameter. The vulnerability is reachable over the network with no confirmed complexity barriers, and a public proof-of-concept exploit has been disclosed. No vendor patch has been identified, leaving all deployments of version 1.0 exposed to database read, write, and potential full compromise of hosted reservation data.

SQLi PHP Hotel And Tourism Reservation
NVD VulDB
EPSS 0% CVSS 2.1
LOW POC Monitor

SQL injection in stumasy's notes search functionality exposes authenticated remote attackers to database manipulation via the unsanitized `field_name` parameter in `Notes_controller::search_scratch_data`. The affected PHP application by developer mjperpinosa has a publicly available proof-of-concept exploit filed as GitHub issue #7, and the maintainer has not responded to disclosure, leaving all users on any commit through 327d1b0f2915ba79d7ef8ebb74553e987609d9be without a remediation path. No public exploit identified at time of analysis meets the KEV threshold, but the confirmed POC and absence of vendor response meaningfully elevate operational risk.

SQLi PHP Stumasy
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in stumasy's Notes_controller grants remote unauthenticated attackers the ability to manipulate database queries through the unsanitized Password argument in the accessing_dictionary_authorization function. The affected codebase is an obscure PHP application maintained by mjperpinosa, pinned to commit 327d1b0f2915ba79d7ef8ebb74553e987609d9be as the last known vulnerable state. Publicly available exploit code exists via a GitHub issue report, and the project maintainer has not responded to disclosure, leaving no vendor-released patch at time of analysis.

SQLi PHP Stumasy
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

Remote PHP code injection in stumasy's calculator module allows unauthenticated network attackers to execute arbitrary server-side code by manipulating the `mathematical_sentence` parameter passed unsanitized into PHP's `eval()` function in calculate.php. A public proof-of-concept exploit exists (GitHub issue #5), and no patch has been released - the project maintainer has not responded to the disclosure. The rolling release model means no fixed version can be cited; the vulnerability is present through at least commit 327d1b0f2915ba79d7ef8ebb74553e987609d9be.

Code Injection PHP RCE +1
NVD VulDB GitHub
EPSS 0% CVSS 6.9
MEDIUM This Month

SQL injection in code-projects Real State Services 1.0 exposes the application's database to remote unauthenticated manipulation via the `amen` parameter in `/addprojectsale.php`. Any attacker with network access to the PHP web application can craft a malicious HTTP request to read, modify, or partially disrupt the underlying database without authentication. No active exploitation is confirmed in CISA KEV, but a GitHub issue filed under the researcher's CVE repository suggests reproduction steps or proof-of-concept detail is publicly accessible.

SQLi PHP Real State Services
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in code-projects Real State Services 1.0 allows remote unauthenticated attackers to manipulate the backend database via the `amen` parameter in `/addprojectrent.php`. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms trivial, unauthenticated network exploitation with no attack preconditions. A publicly available proof-of-concept exploit has been disclosed via GitHub, elevating the realistic threat beyond theoretical; however, this CVE is not currently listed in the CISA KEV catalog, and the product's limited enterprise footprint constrains broad impact.

SQLi PHP Real State Services
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in code-projects Real State Services 1.0 allows remote unauthenticated attackers to manipulate the `id` parameter of `/single-list_rent.php` to read, modify, or corrupt backend database contents. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms zero-friction unauthenticated network exploitation against a standard installation. A public proof-of-concept exploit is available on GitHub (E:P confirmed in CVSS 4.0 supplemental metrics), raising realistic risk of opportunistic automated attacks against any internet-exposed instance; no CISA KEV listing and no patch are confirmed at time of analysis.

SQLi PHP Real State Services
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in code-projects Real State Services 1.0 exposes unauthenticated remote attackers a direct path to manipulate the backend database via the `loc` parameter in `/normalHomeRent.php`. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms no authentication, no user interaction, and no special configuration are required against default deployments. A public proof-of-concept exploit has been released on GitHub, materially increasing opportunistic exploitation risk despite the moderate aggregate score; no CISA KEV listing has been identified at time of analysis.

SQLi PHP Real State Services
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in code-projects Real State Services 1.0 exposes the `/normalHomeSale.php` endpoint to unauthenticated remote database manipulation via the unsanitized `loc` parameter. Any internet-accessible deployment of this PHP real estate application is vulnerable to data extraction or modification without credentials. A public proof-of-concept exploit is available on GitHub, lowering the skill barrier for opportunistic attackers; however, no CISA KEV listing has been issued and no patch has been identified from the vendor.

SQLi PHP Real State Services
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM This Month

Unrestricted file upload in Ruijie RG-UAC unified access controller appliances (all versions through 1.0-R1.8.2.p5) allows unauthenticated remote attackers to upload arbitrary files via the upload_image parameter in user_auth_commit.php. The combination of an authentication bypass (CWE-284) and unrestricted file type acceptance creates a pathway to persistent server-side code execution if uploaded content reaches an executable web path. A public proof-of-concept exploit exists, elevating the urgency of remediation despite the absence of a CISA KEV listing.

Authentication Bypass File Upload PHP
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM This Month

SQL injection in code-projects Smart Parking System 1.0 exposes the `/parkings/parkings.php` endpoint to remote unauthenticated exploitation via unsanitized `street`, `city`, and `status` parameters. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms zero-barrier network access with no authentication or user interaction required. A public proof-of-concept has been disclosed via a Medium article specifically documenting escalation from SQL injection to arbitrary file read, materially increasing real-world risk beyond the moderate base score of 5.5.

SQLi PHP
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM This Month

SQL injection in SourceCodester Class and Exam Timetabling System 1.0 exposes the application's database to remote, unauthenticated attackers through the unsanitized ID parameter in /edit_product.php. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms trivial remote access with no prerequisites, yielding low-rated but real confidentiality, integrity, and availability impact against the underlying database. No public exploit identified at time of analysis is contradicted by the description and E:P supplemental metric - a public exploit exists, elevating the practical risk above what the 5.5 base score alone suggests for any internet-exposed instance.

SQLi PHP
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM This Month

SQL injection in SourceCodester Class and Exam Timetabling System 1.0 exposes the application's database to unauthenticated remote attackers through the unsanitized 'ID' parameter in /edit_coursea.php. The CVSS 4.0 E:P modifier and the CVE description both confirm that public exploit code exists, lowering the bar for opportunistic exploitation. Impact is assessed as limited across confidentiality, integrity, and availability (all Low), but the absence of authentication requirements makes this accessible to any network-reachable attacker.

SQLi PHP
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM This Month

SQL injection in SourceCodester Class and Exam Timetabling System 1.0 exposes the application's database through the unsanitized ID parameter in /edit_exam.php, reachable by unauthenticated remote attackers. The exploit has been publicly disclosed (CVSS 4.0 E:P), allowing any actor with network access to enumerate, read, or manipulate database contents. No KEV listing is present; exploitation appears opportunistic rather than targeted, consistent with the niche deployment footprint of this product.

SQLi PHP
NVD GitHub VulDB
EPSS 0% CVSS 2.1
LOW Monitor

SQL injection in itsourcecode Hospital Management System 1.0 exposes the `/patientreport.php` endpoint to remote manipulation via the `editid` parameter, allowing an authenticated attacker to craft arbitrary SQL statements against the backend database. The CVSS 4.0 base score is 2.1 (Low), reflecting constrained confidentiality, integrity, and availability impact, with no scope change to adjacent systems. Publicly available exploit code exists (E:P per the CVSS 4.0 threat metric), though no active exploitation has been confirmed via CISA KEV.

SQLi PHP
NVD GitHub VulDB
EPSS 0% CVSS 2.1
LOW Monitor

SQL injection in itsourcecode Hospital Management System 1.0 exposes the patient database to authenticated low-privilege attackers via the `patientname` parameter in `/patientprofile.php`. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L) confirms network-accessible exploitation with no attack complexity, while the E:P supplemental metric confirms publicly available proof-of-concept exploit code. No vendor patch has been released, leaving deployments reliant on compensating controls; however, real-world risk is bounded by the product's extremely limited production footprint as an educational PHP project.

SQLi PHP
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM POC This Month

Privilege escalation in SourceCodester's Onlne Examination & Learning Management System 1.0 (the product name itself contains a typo - 'Onlne' instead of 'Online') exposes an unauthenticated registration endpoint at register.php where the role parameter is not server-side validated, allowing any remote actor to self-assign elevated privileges at account creation. A publicly available exploit has been published on Pastebin, confirming the attack is trivially reproducible. No CISA KEV listing exists, but the CVSS 4.0 E:P modifier and Pastebin reference corroborate working exploit availability; no vendor patch has been identified at time of analysis.

Privilege Escalation PHP Onlne Examination Learning Management System
NVD VulDB
EPSS 0% CVSS 2.1
LOW POC Monitor

SQL injection in itsourcecode Hospital Management System 1.0 allows remote attackers with low-level privileges to manipulate the `loginid` parameter in `/patientlogin.php`, enabling unauthorized database read, modification, or deletion operations. The vulnerability scores 5.3 on CVSS 4.0 and is compounded by a publicly available proof-of-concept exploit published on GitHub, materially lowering the barrier to opportunistic attack. No CISA KEV listing has been identified, but the public POC and low attack complexity make any internet-exposed deployment an actionable target.

SQLi PHP Hospital Management System
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in SourceCodester Pizzafy E-Commerce System 1.0 exposes the application to unauthenticated remote database compromise via the `id` parameter in `/admin/ajax.php?action=confirm_order`. The CVSS 4.0 vector (PR:N) indicates the vulnerable admin endpoint is reachable without authentication, compounding the severity of the unsanitized input. A publicly available exploit exists on GitHub, though the product is not listed in the CISA KEV catalog and has a very limited production deployment footprint.

SQLi PHP Pizzafy E Commerce System
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

SQL injection in code-projects Online Examination 1.0 allows authenticated remote attackers to manipulate database queries through multiple unsanitized parameters in the Quiz Creation Feature. The endpoint /update.php?q=addquiz accepts user-supplied input for the name, total, right, wrong, time, tag, and desc arguments without adequate sanitization, enabling read and write access to the underlying database. A public proof-of-concept exploit exists on GitHub, though the application's extremely limited deployment footprint constrains real-world impact.

SQLi PHP Online Examination
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in code-projects Online Examination 1.0 exposes the login endpoint to unauthenticated remote attackers via the uname and password parameters in head.php. Manipulation of either parameter enables classic SQL injection, allowing database enumeration, authentication bypass, and potential data manipulation against any deployed instance. A public proof-of-concept exploit is available on GitHub (no public exploit identified as KEV), making weaponization trivial for low-skill attackers targeting this application.

SQLi PHP Online Examination
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

SQL injection in itsourcecode Hospital Management System 1.0 allows authenticated remote attackers to manipulate the `editid` parameter in `/patientorder.php`, potentially exposing or modifying patient order records and underlying database contents. The CVSS 4.0 vector (PR:L, E:P) confirms low-privilege authentication is required and that a public exploit has been disclosed via GitHub. While the base impact metrics are rated Low across confidentiality, integrity, and availability, the sensitivity of healthcare data in scope and the trivially available proof-of-concept raise practical risk above what the numeric score alone suggests.

SQLi PHP Hospital Management System
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

SQL injection in code-projects Internship Management System 1.0 exposes authenticated employer accounts to database query manipulation via the `Current` parameter in the password change endpoint (`employer/details/change_password.php`). The flaw carries a CVSS 4.0 score of 5.3, is rooted in unsanitized PHP input passed directly into SQL queries (CWE-89), and has a publicly available proof-of-concept exploit on GitHub. No public exploit identified as confirmed in CISA KEV, but the combination of low attack complexity and public PoC meaningfully raises real-world exploitation likelihood against any internet-exposed deployment.

SQLi PHP Internship Management System
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in code-projects Internship Management System 1.0 permits unauthenticated remote attackers to manipulate the email and password parameters of employer/login.php, altering backend SQL query logic to bypass authentication or partially expose database contents. A proof-of-concept exploit has been publicly disclosed on GitHub, materially lowering the skill threshold for exploitation. The CVSS 4.0 score of 6.9 with PR:N and no attack complexity reflects straightforward unauthenticated access, though impact is bounded at Low across confidentiality, integrity, and availability - suggesting partial rather than full database compromise.

SQLi PHP Internship Management System
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

Unrestricted file upload in SourceCodester Syllabus-Aligned Learning Management and Examination System 1.0 allows low-privileged remote attackers to upload arbitrary file types via the upload_files.php endpoint, with potential for remote code execution through PHP webshell deployment given the application's PHP runtime environment. The vulnerability is rooted in CWE-434 and carries a network-accessible attack vector with no special configuration required beyond a valid user account. A public proof-of-concept exploit is confirmed available on Pastebin; no CISA KEV listing has been identified at time of analysis.

PHP File Upload Syllabus Aligned Learning Management And Examination System
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in SourceCodester Multi-Vendor Online Grocery Management System 1.0 allows unauthenticated remote attackers to manipulate backend database queries via the Name argument in the save_client function of the registration handler. The vulnerability resides in classes/Users.php and is exploitable without any prior authentication, as it targets the public-facing user registration flow. A public proof-of-concept exploit has been published on GitHub, and no KEV listing exists, though the low-friction exploitation path and public PoC elevate urgency for any live deployment of this software.

SQLi PHP Multi Vendor Online Grocery Management System
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

SQL injection in SourceCodester Multi-Vendor Online Grocery Management System 1.0 allows a remote low-privileged attacker to manipulate database queries via the `ID` POST parameter in the `cancel_order` function of `classes/Master.php`. The flaw is a classic CWE-89 unsanitized parameter passed directly into a SQL statement, enabling data extraction, modification, or potential authentication bypass within the application database. A publicly available proof-of-concept exploit exists (GitHub issue linked in references), raising the practical risk beyond the conservative CVSS 4.0 base score of 2.1.

SQLi PHP Multi Vendor Online Grocery Management System
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

Improper authorization in SourceCodester Multi-Vendor Online Grocery Management System 1.0 allows a low-privileged remote attacker to invoke the cancel_order function in classes/Master.php against orders they do not own, enabling unauthorized order cancellation and limited disruption of platform integrity. The vulnerability stems from CWE-285 (Improper Authorization) - the application fails to verify that the requesting user has authority over the targeted order resource. A proof-of-concept exploit has been publicly disclosed on GitHub, lowering the bar for exploitation; however, no confirmed active exploitation (CISA KEV) has been identified at time of analysis.

Authentication Bypass PHP Multi Vendor Online Grocery Management System
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

SQL injection in SourceCodester Multi-Vendor Online Grocery Management System versions 1.0 and 5.7.26 allows remote authenticated attackers to manipulate backend database queries through unsanitized POST parameters passed to the `save_shop_type` function in `classes/Master.php`. A public proof-of-concept exploit is available via GitHub, lowering the exploitation barrier for any actor who has obtained application credentials. The CVSS 4.0 score of 2.1 reflects partial confidentiality, integrity, and availability impact rather than full database compromise, and no patch has been confirmed available at time of analysis.

SQLi PHP Multi Vendor Online Grocery Management System
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

Code injection in SourceCodester Multi-Vendor Online Grocery Management System 1.0 allows remote low-privileged attackers to execute arbitrary PHP code by manipulating the `content[]` argument passed to the `update_settings_info` function in `classes/SystemSettings.php`. A public proof-of-concept exploit has been disclosed on GitHub, and exploitation requires only a low-privileged authenticated session over the network. No CISA KEV listing exists, but the public exploit materially lowers the barrier for opportunistic attacks against any internet-exposed instance.

Code Injection PHP RCE +1
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

Improper authorization in SourceCodester Multi-Vendor Online Grocery Management System 1.0 allows remote unauthenticated attackers to invoke the save_users function in classes/Users.php without valid authorization checks, enabling unauthorized user account creation or modification. The CVSS 4.0 vector confirms network-accessible, zero-privilege exploitation with low confidentiality, integrity, and availability impact on the vulnerable system. A public proof-of-concept exploit exists (GitHub), and no CISA KEV listing indicates active widespread exploitation has not been confirmed at time of analysis.

Authentication Bypass PHP Multi Vendor Online Grocery Management System
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

SQL injection in CodeAstro Apartment Visitor Management System 1.0 enables remote, low-privilege authenticated attackers to manipulate backend database queries via the `apartmentno` parameter in `/apartment-visitor/add-apartment.php`. The CVSS 4.0 score of 2.1 reflects a constrained impact scope (low C/I/A on the vulnerable system, no downstream system impact), but the presence of a publicly available proof-of-concept lowers the exploitation bar significantly. Real-world impact could extend beyond the CVSS score if the database user holds elevated permissions, potentially enabling unauthorized data extraction or record manipulation across the application's dataset. No public exploit identified via CISA KEV; no vendor patch identified at time of analysis.

SQLi PHP Apartment Visitor Management System
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in itsourcecode Online Hotel Management System 1.0 exposes the admin login endpoint to remote unauthenticated exploitation via an unsanitized `email` parameter in `/admin/login.php`. A public proof-of-concept is available on GitHub (reflected in the CVSS 4.0 E:P metric), meaning exploitation requires minimal technical skill and is accessible to opportunistic attackers. No CISA KEV listing has been identified, but the zero-authentication barrier combined with available exploit code makes this a practical risk for any internet-exposed deployment.

SQLi PHP Online Hotel Management System
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in code-projects Online Job Portal 1.0 exposes the login.php endpoint to remote unauthenticated exploitation via the txtUser and txtPass parameters, enabling attackers to manipulate backend SQL queries without any credentials or user interaction. A public proof-of-concept exploit is documented on GitHub, significantly lowering the barrier to attack for any internet-exposed instance. No patch has been identified from the vendor at time of analysis; the wildcard CPE suggests all versions are affected.

SQLi PHP Online Job Portal
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

SQL injection in itsourcecode Hospital Management System 1.0 exposes patient and appointment data to remote attackers holding low-privilege credentials via the `patiente` parameter in `/patientappointment.php`. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:N) confirms network-reachable exploitation with no attack complexity, and the E:P modifier reflects a publicly disclosed proof-of-concept on GitHub. While not yet listed in CISA KEV, the combination of a live PoC, a healthcare data context, and trivial exploitation conditions makes this a credible risk for any organization running this application.

SQLi PHP Hospital Management System
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

SQL injection in code-projects Assessment Management 1.0 allows authenticated remote attackers to execute arbitrary SQL queries by manipulating the smarksrange[] array parameter in /lecturer/marking-scheme.php. The CVSS 4.0 vector (PR:L) confirms low-privilege authentication is required, limiting the attack surface to registered users such as lecturers. A public exploit proof-of-concept is available on GitHub, elevating the practical risk despite the medium CVSS 4.0 score of 5.3 and no confirmed active exploitation in the CISA KEV catalog.

SQLi PHP Assessment Management
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

SQL injection in code-projects Assessment Management 1.0 exposes database query handling in the lecturer marking-scheme feature to manipulation via the unsanitized `squestions[]` parameter at `/lecturer/marking-scheme.php`. Authenticated remote attackers with low-privilege access can alter SQL query logic to extract or modify student assessment data. A public proof-of-concept exploit is documented on GitHub, lowering the skill bar for exploitation; however, the application is not listed in CISA KEV and carries a CVSS 4.0 score of 2.1 reflecting its constrained impact and authentication prerequisite.

SQLi PHP Assessment Management
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

Cross-site scripting in code-projects Assessment Management 1.0 allows remote unauthenticated attackers to inject malicious scripts via the unsanitized `ID` parameter in `/admin/remove-user.php`. A public proof-of-concept exploit is available on GitHub (E:P in the CVSS 4.0 supplemental metrics), lowering the bar for exploitation. The vulnerability is not listed in the CISA KEV catalog, so confirmed widespread active exploitation has not been established, though the admin-facing endpoint makes session hijacking of privileged users a realistic outcome.

XSS PHP Assessment Management
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM This Month

SQL injection in SourceCodester Simple and Nice Shopping Cart Script 1.0 exposes the database to remote query manipulation via the `user_id` parameter in `/admin/girlsproductdeletequery.php`. The CVSS 4.0 vector rates this as network-exploitable with no authentication required (PR:N), though the `/admin/` path location raises questions about whether authentication is enforced in practice - a discrepancy worth verifying in deployment. A publicly available exploit exists per VulDB, though the vulnerability is not listed in CISA KEV and the overall CVSS 4.0 score of 5.5 reflects limited impact across confidentiality, integrity, and availability.

SQLi PHP
NVD GitHub VulDB
EPSS 0% CVSS 1.9
LOW POC Monitor

Cross-site scripting (XSS) in code-projects Assessment Management 1.0 allows a remote attacker with administrative credentials to inject malicious scripts via the User parameter in admin/view-users.php, executing arbitrary JavaScript in the browser context of users who view the affected admin page. The CVSS 4.0 vector (PR:H, UI:P) confirms exploitation is gated behind high-privilege authentication and requires a victim to load the tampered page. A public proof-of-concept exploit exists on GitHub, though no active exploitation or CISA KEV listing has been identified at time of analysis.

XSS PHP Assessment Management
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in SourceCodester Simple and Nice Shopping Cart Script 1.0 enables remote, unauthenticated attackers to manipulate database queries through the user_id parameter in /admin/mensproductdeletequery.php, exposing partial confidentiality, integrity, and availability of the underlying database. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) indicates no authentication or special conditions are required for exploitation over the network. A public exploit has been disclosed on GitHub, elevating the practical risk above the raw score suggests - though this is not confirmed as actively exploited by CISA KEV at time of analysis.

SQLi PHP Simple And Nice Shopping Cart Script
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in SourceCodester Simple and Nice Shopping Cart Script 1.0 exposes the admin login interface to remote unauthenticated attackers through unsanitized input in the Username parameter of /admin/login.php. The CVSS 4.0 score of 6.9 (Medium) reflects limited per-request impact (VC:L/VI:L/VA:L), but a publicly available proof-of-concept exploit (E:P) on GitHub substantially lowers the exploitation bar for opportunistic attackers. No KEV listing exists at time of analysis; however, the trivial attack complexity (AC:L, AT:N, PR:N, UI:N) combined with public exploit code makes any internet-facing deployment of this script an immediate remediation priority.

SQLi PHP Simple And Nice Shopping Cart Script
NVD VulDB GitHub
EPSS 0% CVSS 6.9
MEDIUM This Month

SQL injection in code-projects Online Voting System 1.0 exposes remote unauthenticated attackers a direct path to manipulate backend database queries through four parameters in the vote submission endpoint /saveVote.php. The test_input function - intended as a sanitization layer - fails to neutralize SQL metacharacters across voterName, voterEmail, voterID, and selectedCandidate, indicating a systemic rather than isolated input-handling failure. A publicly available proof-of-concept exists on GitHub, lowering the exploitation barrier, though real-world exposure is substantially constrained by the product's near-zero production deployment footprint as an educational PHP project.

SQLi PHP
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM POC This Month

Unauthenticated SQL injection in code-projects Online Voting System 0.x-1.0 exposes the admin login endpoint to full authentication bypass and database extraction. The vulnerability resides in the `test_input` function within `/authentication.php`, where the `adminUserName` and `adminPassword` parameters are passed unsanitized into SQL queries, enabling classic injection attacks against the login form. A public proof-of-concept exploit has been published on GitHub; no vendor patch has been identified at time of analysis.

SQLi PHP Online Voting System
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in SourceCodester Class and Exam Timetabling System 1.0 exposes the database to remote unauthenticated attackers via the unvalidated ID parameter in /edit_class2.php. The CVSS 4.0 vector (AV:N/AC:L/PR:N/UI:N) confirms trivial, unauthenticated remote exploitation requiring no special conditions. Publicly available exploit code (E:P) lowers the bar to exploitation further, though the product's niche deployment footprint significantly limits real-world blast radius. No KEV listing; no patch identified at time of analysis.

SQLi PHP Class And Exam Timetabling System
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in SourceCodester Class and Exam Timetabling System 1.0 exposes the `/edit_course.php` endpoint to unauthenticated remote database manipulation via a malicious `id` parameter. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms zero-barrier remote exploitation with no authentication or user interaction required, and a public proof-of-concept exploit has been disclosed on GitHub. No active exploitation is confirmed in CISA KEV, though the combination of a public POC and fully unauthenticated attack path elevates practical risk for any internet-exposed deployment.

SQLi PHP Class And Exam Timetabling System
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW Monitor

SQL injection in CodeAstro Ecommerce Website 1.0 exposes authenticated customers to database manipulation via the c_name parameter on the account-editing endpoint. The vulnerability was publicly disclosed with a proof-of-concept exploit referenced on GitHub, meaning exploitation tooling is accessible. Impact is assessed as limited scope - low confidentiality, integrity, and availability - but network reachability and the public PoC raise opportunistic risk for unpatched deployments.

SQLi PHP
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in CodeAstro Apartment Visitor Management System 1.0 exposes the login endpoint at /index.php to unauthenticated remote attackers who can manipulate the Username parameter to execute arbitrary SQL queries against the backend database. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms zero prerequisites for exploitation, and the E:P modifier reflects a publicly available proof-of-concept on GitHub. No CISA KEV listing was found at time of analysis, but the combination of an exposed login surface, no authentication barrier, and live POC code materially elevates practical risk beyond the medium CVSS score of 6.9.

SQLi PHP Apartment Visitor Management System
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

SQL injection in itsourcecode Hospital Management System 1.0 exposes patient records to partial disclosure and modification via the `editid` parameter in `/patient.php`. The CVSS 4.0 vector (PR:L) confirms exploitation requires a low-privilege authenticated session, limiting the immediate attack surface to users who can log in. A public proof-of-concept exploit exists (E:P), elevating practical risk above the base score of 5.3, though no CISA KEV listing confirms active exploitation at time of analysis.

SQLi PHP Hospital Management System
NVD VulDB GitHub
EPSS 1% CVSS 7.8
HIGH POC PATCH This Week

PHP object injection in kirilkirkov's Ecommerce-CodeIgniter-Bootstrap allows remote unauthenticated attackers to pass attacker-controlled data into the getCartItems() function of application/libraries/ShoppingCart.php, which deserializes the shopping_cart argument (CWE-502). Depending on available gadget chains in the CodeIgniter application, this can lead to code execution or denial of service. Publicly available exploit code exists (VulDB, GHSA-9g5q-g6m3-v5cr), but there is no public exploit identified as being used in active attacks and the item is not in CISA KEV; EPSS was not provided.

Deserialization PHP Ecommerce Codeigniter Bootstrap
NVD VulDB GitHub
EPSS 0% CVSS 5.3
MEDIUM This Month

Path traversal in kirilkirkov's Ecommerce-CodeIgniter-Bootstrap allows authenticated remote attackers to manipulate filesystem paths via the unsanitized `folder` argument in the Vendor Image Manager's `do_upload_others_images` function. The flaw in `application/modules/vendor/controllers/AddProduct.php` permits directory traversal sequences to redirect file-write operations outside the intended upload directory, resulting in limited integrity and availability impact. No active exploitation has been confirmed (not in CISA KEV), and no public exploit code has been identified at time of analysis.

Path Traversal PHP
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM POC PATCH This Month

Path traversal in kirilkirkov's Ecommerce-CodeIgniter-Bootstrap exposes server-side files and upload directories to manipulation via the unsanitized `folder` parameter in the Vendor Multi-Image Endpoint (AddProduct.php), enabling remote attackers to read or write files outside the designated upload path. A public exploit has been released per GitHub Security Advisory GHSA-6whv-r5hm-vcjr and the CVSS 4.0 E:P modifier confirms proof-of-concept availability, with a base score of 6.9 reflecting low-complexity network exploitation. No CISA KEV listing was identified; however, all deployed instances cloned prior to patch commit 2a9497ff are exposed, as this is a rolling-release project with no discrete versioned releases.

Path Traversal PHP Ecommerce Codeigniter Bootstrap
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW Monitor

Stored cross-site scripting in kirilkirkov's Ecommerce-CodeIgniter-Bootstrap allows remote unauthenticated attackers to inject malicious scripts via the title or description arguments of the hidden REST API endpoint /index.php/api/product/set, executing arbitrary JavaScript in the browsers of users who subsequently view the affected product data. A public exploit has been disclosed (CVSS 4.0 E:P), though the low CVSS 4.0 score of 2.1 and the user-interaction requirement constrain practical impact. No active exploitation is confirmed by CISA KEV, and a patch commit is available in the project repository.

XSS PHP
NVD GitHub VulDB
EPSS 0% CVSS 2.1
LOW POC PATCH Monitor

Reflected/stored cross-site scripting in the Subscribed Emails Admin Page of kirilkirkov's Ecommerce-CodeIgniter-Bootstrap allows an unauthenticated remote attacker to inject arbitrary JavaScript by crafting a malicious HTTP User-Agent header, which is rendered unencoded via the checkForPostRequests function in application/core/MY_Controller.php. When an administrator subsequently views the subscription management panel, the payload executes in their browser session. A public exploit exists (CVSS E:P); this is not listed in CISA KEV, indicating no confirmed widespread active exploitation at time of analysis.

XSS PHP Ecommerce Codeigniter Bootstrap
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC PATCH Monitor

Open redirect in kirilkirkov Ecommerce-CodeIgniter-Bootstrap allows remote attackers to manipulate the href argument of the setReferrer() function in the Trusted Backend Interface, redirecting users to arbitrary attacker-controlled URLs. A publicly available proof-of-concept exploit exists (CVSS 4.0 E:P), lowering the exploitation barrier for phishing and credential harvesting campaigns. This vulnerability is not listed in CISA KEV, indicating no confirmed widespread active exploitation at time of analysis.

Open Redirect PHP Ecommerce Codeigniter Bootstrap
NVD VulDB GitHub
EPSS 0% CVSS 2.3
LOW POC Monitor

PHP file inclusion in PHPIPAM allows authenticated API users to include and execute arbitrary PHP files from the web server's filesystem, with primary impact on application confidentiality through exposure of sensitive configuration data. Exploitation is gated behind two non-default conditions: the REST API must be deliberately enabled by an administrator, and the attacker must hold valid API credentials - constraining the realistic attack surface substantially. Publicly available exploit code exists per Project Black's research blog, though the vulnerability carries a CVSS 4.0 score of 2.3 and is absent from CISA KEV, reflecting its narrow exploitation prerequisites rather than widespread threat activity.

LFI Information Disclosure PHP +1
NVD GitHub VulDB
Prev Page 3 of 275 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy