Skip to main content

PHP

24729 CVEs product

Monthly

CVE-2026-3786 LOW POC Monitor

SQL injection in EasyCMS up to version 1.6 via the _order parameter in the Request Parameter Handler allows authenticated remote attackers to execute arbitrary SQL queries with medium impact on confidentiality, integrity, and availability. Public exploit code exists for this vulnerability, and the vendor has not provided a patch despite early notification.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-3785 LOW POC Monitor

SQL injection in EasyCMS versions up to 1.6 via the _order parameter in the Request Parameter Handler allows remote attackers with valid credentials to execute arbitrary SQL queries. Public exploit code exists for this vulnerability, and the vendor has not released a patch despite early disclosure notification. The attack requires low complexity and can result in unauthorized data access, modification, and potential service disruption.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-3771 LOW POC Monitor

SQL injection in SourceCodester Resort Reservation System 1.0 via the q parameter in /accommodation.php allows remote authenticated attackers to manipulate database queries. Public exploit code exists for this vulnerability, and no patch is currently available. An attacker with valid credentials could extract or modify sensitive reservation and user data.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-3767 LOW POC Monitor

College Management System versions up to 1.0 contains a vulnerability that allows attackers to sql injection (CVSS 6.3).

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-3766 LOW POC Monitor

Web-Based Pharmacy Product Management System versions up to 1.0 is affected by cross-site scripting (xss) (CVSS 3.5).

PHP XSS
NVD GitHub VulDB
CVSS 4.0
2.0
EPSS
0.0%
CVE-2026-3765 MEDIUM POC This Month

SQL injection in itsourcecode University Management System 1.0 via the dt parameter in /att_single_view.php enables remote attackers to execute arbitrary SQL queries without authentication. Public exploit code exists for this vulnerability, and no patch is currently available. The attack affects data confidentiality, integrity, and availability with a CVSS score of 7.3.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-3764 MEDIUM POC This Month

Improper authorization in SourceCodester Client Database Management System 1.0 allows unauthenticated remote attackers to manipulate the /superadmin_user_update.php file, potentially gaining unauthorized access to sensitive functionality. Public exploit code exists for this vulnerability, and no patch is currently available, leaving affected installations at immediate risk.

PHP Information Disclosure
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-3763 LOW POC Monitor

Simple Flight Ticket Booking System versions up to 1.0 is affected by cross-site scripting (xss) (CVSS 4.3).

PHP XSS
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-3762 MEDIUM POC This Month

Improper authorization in SourceCodester Client Database Management System 1.0/3.1 allows unauthenticated remote attackers to manipulate the manager_id parameter in the /superadmin_delete_manager.php endpoint to bypass access controls. Public exploit code exists for this vulnerability, and no patch is currently available. Attackers can leverage this to gain unauthorized access with limited confidentiality, integrity, and availability impact.

PHP Information Disclosure
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-3761 LOW POC Monitor

Client Database Management System versions up to 1.0 contains a vulnerability that allows attackers to improper authorization (CVSS 5.4).

PHP Information Disclosure
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-3760 MEDIUM POC This Month

SQL injection in itsourcecode University Management System 1.0 via the seme parameter in /view_result.php allows unauthenticated remote attackers to manipulate database queries and potentially access or modify sensitive data. Public exploit code exists for this vulnerability, and no patch is currently available, leaving affected installations at immediate risk.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-3759 MEDIUM POC This Month

SQL injection in projectworlds Online Art Gallery Shop 1.0 via the reach_nm parameter in /admin/adminHome.php allows unauthenticated remote attackers to manipulate database queries and potentially extract sensitive data or modify database contents. Public exploit code exists for this vulnerability, increasing exploitation risk. No patch is currently available for affected installations.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-3758 MEDIUM POC This Month

SQL injection in projectworlds Online Art Gallery Shop 1.0 allows unauthenticated remote attackers to manipulate the Info parameter in /admin/adminHome.php, potentially enabling unauthorized database access and data theft. Public exploit code exists for this vulnerability, increasing the risk of active exploitation. No patch is currently available, requiring organizations to implement compensating controls or upgrade to a patched version when released.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-3756 LOW POC Monitor

SQL injection in SourceCodester Sales and Inventory System up to version 1.0 allows authenticated remote attackers to manipulate the stock_name1 parameter in /check_item_details.php and execute arbitrary SQL queries. Public exploit code exists for this vulnerability, and no patch is currently available. The attack requires valid credentials but could enable data disclosure, modification, or deletion within the affected system.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-3755 LOW POC Monitor

Sales And Inventory System versions up to 1.0 contains a vulnerability that allows attackers to sql injection (CVSS 6.3).

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-3754 LOW POC Monitor

SQL injection in SourceCodester Sales and Inventory System 1.0 via the cost parameter in /add_stock.php enables authenticated attackers to manipulate database queries remotely. Public exploit code exists for this vulnerability, and no patch is currently available. The attack requires valid credentials but can result in unauthorized data access and modification.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-3753 LOW POC Monitor

SQL injection in SourceCodester Sales and Inventory System versions up to 1.0 via the sid parameter in /add_sales_print.php allows authenticated attackers to execute arbitrary SQL queries remotely. Public exploit code exists for this vulnerability, and no patch is currently available. Attackers can leverage this to access, modify, or delete sensitive inventory and sales data.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-3752 LOW POC Monitor

SourceCodester Employee Task Management System through version 1.0 contains a SQL injection vulnerability in the /daily-task-report.php GET parameter handler that allows remote attackers with high privileges to extract or manipulate database contents. Public exploit code exists for this vulnerability, and no patch is currently available. The attack requires network access but no user interaction, potentially compromising sensitive employee task data and system integrity.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
2.0
EPSS
0.0%
CVE-2026-3751 LOW POC Monitor

SQL injection in SourceCodester Employee Task Management System 1.0 allows remote attackers to manipulate the Date parameter in /daily-attendance-report.php, enabling unauthorized database access and modification. Public exploit code exists for this vulnerability, and no patch is currently available. The attack requires high-level privileges but can be executed over the network with minimal complexity.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
2.0
EPSS
0.0%
CVE-2026-3747 MEDIUM POC This Month

SQL injection in itsourcecode University Management System 1.0 via the subject parameter in /add_result.php enables remote attackers to execute arbitrary database queries without authentication. Public exploit code exists for this vulnerability, and no patch is currently available. Affected installations face potential data exfiltration, modification, or deletion through unauthenticated network-based attacks.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-3746 MEDIUM POC This Month

SQL injection in SourceCodester Simple Responsive Tourism Website 1.0 via the Username parameter in the Login.php component enables unauthenticated remote attackers to manipulate database queries and potentially extract sensitive data or modify application state. Public exploit code exists for this vulnerability, and no patch is currently available, leaving affected systems exposed to active exploitation.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.1%
CVE-2026-3745 LOW POC Monitor

SQL injection in Student Web Portal 1.0's profile.php allows authenticated attackers to execute arbitrary SQL queries through improper input validation on the User parameter, potentially leading to unauthorized data access or modification. Public exploit code exists for this vulnerability, and no patch is currently available.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-3744 MEDIUM POC This Month

SQL injection in Student Web Portal 1.0's signup.php password validation function allows unauthenticated remote attackers to manipulate database queries through the reg_passwd parameter. Public exploit code exists for this vulnerability, and no patch is currently available. Successful exploitation could enable unauthorized data access, modification, or deletion.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-3743 LOW POC Monitor

A flaw has been found in YiFang CMS 2.0.5. This affects the function update of the file app/db/admin/D_singlePageGroup.php. [CVSS 3.5 LOW]

PHP XSS
NVD GitHub VulDB
CVSS 4.0
2.0
EPSS
0.0%
CVE-2026-3742 LOW POC Monitor

A vulnerability was detected in YiFang CMS 2.0.5. The impacted element is the function update of the file app/db/admin/D_singlePage.php. [CVSS 3.5 LOW]

PHP XSS
NVD GitHub VulDB
CVSS 4.0
2.0
EPSS
0.0%
CVE-2026-3741 LOW POC Monitor

A security vulnerability has been detected in YiFang CMS 2.0.5. The affected element is the function update of the file app/db/admin/D_friendLink.php. [CVSS 3.5 LOW]

PHP XSS
NVD GitHub VulDB
CVSS 4.0
2.0
EPSS
0.0%
CVE-2026-3740 MEDIUM POC This Month

SQL injection in itsourcecode University Management System 1.0 allows remote attackers to manipulate the admin_search_student parameter in /admin_search_student.php without authentication, potentially leading to unauthorized data access, modification, or deletion. Public exploit code exists for this vulnerability, increasing the risk of active exploitation. No patch is currently available.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-3737 LOW POC Monitor

Pet Grooming Management Software versions up to 1.0 contains a vulnerability that allows attackers to improper authorization (CVSS 6.3).

PHP Information Disclosure
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-3736 MEDIUM POC This Month

SQL injection in Simple Flight Ticket Booking System 1.0's SearchResultRoundtrip.php parameter handling enables unauthenticated remote attackers to manipulate database queries and potentially extract, modify, or delete sensitive data. Public exploit code exists for this vulnerability, increasing exploitation risk. No patch is currently available.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-3735 MEDIUM POC This Month

SQL injection in Simple Flight Ticket Booking System 1.0 allows unauthenticated remote attackers to manipulate the SearchResultOneway.php input parameter and execute arbitrary database queries. Public exploit code exists for this vulnerability, and no patch is currently available. The attack requires no user interaction and can be executed over the network, enabling attackers to read, modify, or delete sensitive flight booking data.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-3734 MEDIUM POC This Month

Improper authorization in SourceCodester Client Database Management System 1.0 allows remote attackers to manipulate the manager_id parameter in /fetch_manager_details.php to access unauthorized data. Public exploit code exists for this vulnerability, and no patch is currently available. Affected systems can be compromised over the network without authentication or user interaction.

PHP Information Disclosure
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-3730 MEDIUM POC This Month

SQL injection in Free Hotel Reservation System 1.0 allows remote attackers to manipulate the amen_id and rmtype_id parameters in the amenities management interface, enabling unauthorized database access and potential data modification. Public exploit code exists for this vulnerability, and no patch is currently available. The flaw affects PHP-based installations and requires no authentication or user interaction to exploit.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-3724 LOW POC Monitor

Patients Waiting Area Queue Management System versions up to 1.0 contains a security vulnerability (CVSS 6.3).

PHP Information Disclosure
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-3723 MEDIUM POC This Month

SQL injection in Simple Flight Ticket Booking System 1.0's /Admindelete.php endpoint allows unauthenticated remote attackers to manipulate the flightno parameter and execute arbitrary database queries, potentially leading to data theft or modification. Public exploit code is available for this vulnerability, and no patch has been released as of now.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-3714 MEDIUM This Month

OpenCart 4.0.2.3 contains an incomplete fix for a template injection vulnerability in the admin template controller that allows high-privileged attackers to inject malicious code through improper neutralization of special template elements. An authenticated administrator can exploit this flaw to achieve arbitrary code execution on the affected system. No patch is currently available, and the vendor has not responded to disclosure attempts.

PHP Opencart
NVD VulDB
CVSS 3.1
4.7
EPSS
0.0%
CVE-2026-3711 LOW POC Monitor

SQL injection in Simple Flight Ticket Booking System 1.0's admin update function allows remote attackers with high privileges to manipulate flight parameters and execute arbitrary database queries. Public exploit code exists for this vulnerability, and no patch is currently available. The attack requires administrative credentials but could enable data exfiltration or modification of flight booking records.

PHP SQLi
NVD VulDB GitHub
CVSS 4.0
2.0
EPSS
0.0%
CVE-2026-3710 LOW POC Monitor

SQL injection in Simple Flight Ticket Booking System 1.0's /Adminadd.php allows remote attackers with high privileges to manipulate flight parameters and execute arbitrary SQL queries, potentially compromising flight booking data. Public exploit code exists for this vulnerability, though patches are not yet available. The attack requires administrative credentials but can be exploited over the network without user interaction.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
2.0
EPSS
0.0%
CVE-2026-3709 MEDIUM POC This Month

Simple Flight Ticket Booking System versions up to 1.0 contains a vulnerability that allows attackers to sql injection (CVSS 7.3).

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-3708 MEDIUM POC This Month

SQL injection in Simple Flight Ticket Booking System 1.0's login functionality allows unauthenticated attackers to manipulate the Username parameter and execute arbitrary database queries remotely. Public exploit code exists for this vulnerability, increasing the risk of active exploitation. PHP installations running the affected application should be isolated until a security patch becomes available.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-3705 MEDIUM POC This Month

SQL injection in Simple Flight Ticket Booking System 1.0 via the flightno parameter in /Adminsearch.php allows unauthenticated remote attackers to query or modify database contents. Public exploit code exists for this vulnerability, and no patch is currently available. Affected users should immediately restrict access to the admin search functionality or upgrade if a patched version becomes available.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-3702 LOW POC Monitor

Reflected cross-site scripting (XSS) in SourceCodester Loan Management System 1.0 allows unauthenticated remote attackers to inject malicious scripts via the page parameter in /index.php. Public exploit code exists for this vulnerability, increasing the risk of active exploitation. The vulnerability enables attackers to perform actions on behalf of victims or steal sensitive information, though no patch is currently available.

PHP XSS
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-3695 MEDIUM POC This Month

SourceCodester Modern Image Gallery App 1.0 contains a path traversal vulnerability in the /delete.php file that allows unauthenticated remote attackers to manipulate the filename parameter and access or delete arbitrary files. Public exploit code exists for this vulnerability, and no patch is currently available. The vulnerability can lead to information disclosure or file deletion on affected systems.

PHP Path Traversal
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-30838 PHP MEDIUM PATCH This Month

The DisallowedRawHtml extension in PHP Commonmark (league/commonmark) versions prior to 2.8.1 can be bypassed by injecting whitespace characters between HTML tag names and closing brackets, allowing malicious scripts to pass sanitization filters and execute in user browsers. Applications relying solely on this extension to sanitize untrusted markdown input are vulnerable to cross-site scripting attacks, though those using additional HTML sanitizers are unaffected. No patch is currently available for affected versions.

PHP XSS Commonmark
NVD GitHub VulDB
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-1073 MEDIUM This Month

Purchase Button For Affiliate Link (WordPress plugin) is affected by cross-site request forgery (csrf) (CVSS 4.3).

WordPress PHP CSRF
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-14675 PHP HIGH PATCH This Week

The Meta Box plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the 'ajax_delete_file' function in all versions up to, and including, 5.11.1. [CVSS 7.2 HIGH]

WordPress PHP RCE Path Traversal
NVD GitHub
CVSS 3.1
7.2
EPSS
0.7%
CVE-2026-30841 MEDIUM POC PATCH This Month

Reflected cross-site scripting (XSS) in Wallos password reset functionality before version 4.6.2 allows unauthenticated attackers to inject malicious scripts by manipulating token and email parameters that are output without sanitization. Public exploit code exists for this vulnerability, affecting self-hosted instances of Wallos. A patch is available in version 4.6.2 and later.

PHP XSS Wallos
NVD GitHub
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-30839 MEDIUM POC PATCH This Month

Wallos versions prior to 4.6.2 contain a server-side request forgery (SSRF) vulnerability in the webhook notification testing function that fails to restrict requests to private IP ranges, allowing authenticated attackers to read internal server responses. Public exploit code exists for this vulnerability. The vulnerability affects Wallos and has been patched in version 4.6.2.

PHP SSRF Wallos
NVD GitHub
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-3352 HIGH This Week

Arbitrary PHP code execution in the Easy PHP Settings WordPress plugin through versions 1.0.4 allows authenticated administrators to inject malicious code via inadequately sanitized memory limit configuration parameters that bypass quote filtering in wp-config.php. An attacker with administrator privileges can exploit insufficient input validation in the `update_wp_memory_constants()` method to break out of PHP string context and execute arbitrary commands that execute on every page request. No patch is currently available for this high-severity vulnerability.

WordPress PHP Code Injection RCE
NVD
CVSS 3.1
7.2
EPSS
0.0%
CVE-2026-2020 HIGH This Week

PHP object injection in the JS Archive List WordPress plugin (versions up to 6.1.7) allows authenticated contributors and above to deserialize untrusted data through the shortcode 'included' parameter. While no direct exploitation path exists in the plugin itself, attackers could leverage gadget chains from other installed plugins or themes to achieve arbitrary file deletion, information disclosure, or remote code execution. A patch is not currently available.

WordPress PHP Deserialization Information Disclosure
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-30237 MEDIUM POC This Month

Reflected cross-site scripting in GroupOffice installer versions prior to 6.8.155, 25.0.88, and 26.0.10 allows unauthenticated attackers to inject arbitrary scripts through the license parameter in install/license.php. Public exploit code exists for this vulnerability, enabling attackers to execute malicious JavaScript in users' browsers with moderate impact to confidentiality and integrity. The vulnerability requires user interaction and affects the web-accessible installation endpoint.

PHP XSS Group Office
NVD GitHub
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-29789 CRITICAL Act Now

Missing authorization in Vito server management before 3.20.3. CVSS 9.9.

PHP Authentication Bypass Vito
NVD GitHub VulDB
CVSS 3.1
9.9
EPSS
0.1%
CVE-2018-25200 MEDIUM POC This Month

OOP CMS BLOG 1.0 contains a cross-site request forgery vulnerability that allows unauthenticated attackers to create administrative user accounts by crafting malicious POST requests. [CVSS 5.3 MEDIUM]

PHP CSRF Php Oop Cms Blog
NVD Exploit-DB
CVSS 3.1
5.3
EPSS
0.1%
CVE-2018-25199 HIGH POC This Week

OOP CMS BLOG 1.0 contains SQL injection vulnerabilities that allow unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through multiple parameters. [CVSS 8.2 HIGH]

PHP SQLi Php Oop Cms Blog
NVD Exploit-DB
CVSS 3.1
8.2
EPSS
0.2%
CVE-2018-25197 HIGH POC This Week

PlayJoom 0.10.1 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the catid parameter. [CVSS 8.2 HIGH]

PHP SQLi
NVD Exploit-DB
CVSS 4.0
8.8
EPSS
0.1%
CVE-2018-25196 HIGH POC This Week

ServerZilla 1.0 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the email parameter. [CVSS 8.2 HIGH]

PHP SQLi
NVD Exploit-DB
CVSS 4.0
8.8
EPSS
0.2%
CVE-2018-25194 HIGH POC This Week

Nominas 0.27 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the username parameter. [CVSS 8.2 HIGH]

PHP SQLi Path Traversal
NVD Exploit-DB
CVSS 4.0
8.8
EPSS
0.1%
CVE-2018-25192 HIGH POC This Week

GPS Tracking System 2.12 contains an SQL injection vulnerability that allows unauthenticated attackers to bypass authentication by injecting SQL code through the username parameter. [CVSS 8.2 HIGH]

PHP SQLi Authentication Bypass
NVD Exploit-DB
CVSS 4.0
8.8
EPSS
0.2%
CVE-2018-25191 HIGH POC This Week

Facturation System 1.0 contains an SQL injection vulnerability that allows authenticated attackers to execute arbitrary SQL queries by injecting malicious code through the 'mod_id' parameter. [CVSS 7.1 HIGH]

PHP SQLi
NVD Exploit-DB
CVSS 4.0
7.1
EPSS
0.0%
CVE-2018-25190 MEDIUM POC This Month

Easyndexer 1.0 contains a cross-site request forgery vulnerability that allows unauthenticated attackers to create administrative accounts by submitting forged POST requests. [CVSS 5.3 MEDIUM]

PHP CSRF
NVD Exploit-DB VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2018-25189 HIGH POC This Week

Data Center Audit 2.6.2 contains an SQL injection vulnerability in the username parameter of dca_login.php that allows unauthenticated attackers to execute arbitrary SQL queries. [CVSS 8.2 HIGH]

PHP SQLi
NVD Exploit-DB
CVSS 4.0
8.8
EPSS
0.1%
CVE-2018-25188 HIGH POC This Week

Webiness Inventory 2.3 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the order parameter. [CVSS 8.2 HIGH]

PHP SQLi
NVD Exploit-DB
CVSS 4.0
8.8
EPSS
0.1%
CVE-2018-25184 MEDIUM POC This Month

Surreal ToDo 0.6.1.2 contains a local file inclusion vulnerability that allows unauthenticated attackers to read arbitrary files by manipulating the content parameter. [CVSS 6.2 MEDIUM]

PHP Path Traversal
NVD Exploit-DB
CVSS 4.0
6.9
EPSS
0.0%
CVE-2018-25182 HIGH POC This Week

Silurus Classifieds Script 2.0 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the ID parameter. [CVSS 8.2 HIGH]

PHP SQLi
NVD Exploit-DB
CVSS 4.0
8.8
EPSS
0.1%
CVE-2018-25178 HIGH POC This Week

Easyndexer 1.0 contains an arbitrary file download vulnerability that allows unauthenticated attackers to download sensitive files by manipulating the file parameter. [CVSS 7.5 HIGH]

PHP
NVD Exploit-DB VulDB
CVSS 3.1
7.5
EPSS
0.2%
CVE-2018-25177 MEDIUM POC This Month

Data Center Audit 2.6.2 contains a cross-site request forgery vulnerability that allows attackers to reset administrator passwords without authentication by submitting crafted POST requests. [CVSS 5.3 MEDIUM]

PHP CSRF
NVD Exploit-DB
CVSS 4.0
6.9
EPSS
0.0%
CVE-2018-25175 HIGH POC This Week

Alienor Web Libre 2.0 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the identifiant parameter. [CVSS 8.2 HIGH]

PHP SQLi
NVD Exploit-DB
CVSS 4.0
8.8
EPSS
0.1%
CVE-2018-25174 MEDIUM POC This Month

ABC ERP 0.6.4 contains a cross-site request forgery vulnerability that allows attackers to modify administrator credentials by submitting forged requests to _configurar_perfil.php. [CVSS 5.3 MEDIUM]

PHP CSRF
NVD Exploit-DB
CVSS 4.0
6.9
EPSS
0.0%
CVE-2018-25173 HIGH POC This Week

Rmedia SMS 1.0 contains an SQL injection vulnerability that allows unauthenticated attackers to extract database information by injecting SQL code through the gid parameter. [CVSS 8.2 HIGH]

PHP SQLi
NVD Exploit-DB
CVSS 4.0
8.8
EPSS
0.1%
CVE-2018-25172 HIGH POC This Week

Pedidos 1.0 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the 'q' parameter. [CVSS 8.2 HIGH]

PHP SQLi
NVD Exploit-DB
CVSS 4.0
8.8
EPSS
0.1%
CVE-2018-25170 HIGH POC This Week

DoceboLMS 1.2 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the id, idC, and idU parameters. [CVSS 8.2 HIGH]

PHP SQLi CSRF
NVD Exploit-DB
CVSS 4.0
8.8
EPSS
0.0%
CVE-2018-25167 HIGH POC This Week

Net-Billetterie 2.9 contains an SQL injection vulnerability in the login parameter of login.inc.php that allows unauthenticated attackers to execute arbitrary SQL queries. [CVSS 8.2 HIGH]

PHP SQLi
NVD Exploit-DB
CVSS 4.0
8.8
EPSS
0.1%
CVE-2018-25166 HIGH POC This Week

Meneame English Pligg 5.8 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the search parameter. [CVSS 8.2 HIGH]

PHP SQLi
NVD Exploit-DB
CVSS 4.0
8.8
EPSS
0.1%
CVE-2018-25165 HIGH POC This Week

Galaxy Forces MMORPG 0.5.8 contains an SQL injection vulnerability that allows authenticated attackers to execute arbitrary SQL queries by injecting malicious code through the 'type' parameter. [CVSS 7.1 HIGH]

PHP SQLi
NVD Exploit-DB
CVSS 4.0
7.1
EPSS
0.0%
CVE-2018-25163 HIGH POC This Week

BitZoom 1.0 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the rollno and username parameters in forgot.php and login.php. [CVSS 8.2 HIGH]

PHP SQLi
NVD Exploit-DB
CVSS 4.0
8.8
EPSS
0.1%
CVE-2018-25162 HIGH POC This Week

2-Plan Team 1.0.4 contains an arbitrary file upload vulnerability that allows authenticated attackers to upload executable PHP files by sending multipart form data to managefile.php. [CVSS 6.5 MEDIUM]

PHP RCE File Upload
NVD Exploit-DB
CVSS 4.0
7.1
EPSS
0.1%
CVE-2018-25161 HIGH POC This Week

Warranty Tracking System 11.06.3 contains an SQL injection vulnerability that allows attackers to execute arbitrary SQL queries by injecting malicious code through the txtCustomerCode, txtCustomerName, and txtPhone POST parameters in SearchCustomer.php. [CVSS 8.2 HIGH]

PHP SQLi
NVD Exploit-DB
CVSS 4.0
8.8
EPSS
0.0%
CVE-2026-28429 HIGH This Week

Remote unauthenticated attackers can read arbitrary files from Talishar (Flesh and Blood fan-made game) servers via path traversal in the ParseGamestate.php script's gameName parameter. The vulnerability affects all versions prior to commit 6be3871 and allows direct access to sensitive server files without authentication (CVSS 7.5, AV:N/PR:N). While EPSS exploitation probability is relatively low (0.47%, 64th percentile), the unauthenticated remote attack vector and confirmed patch availability make this a priority for exposed deployments. No active exploitation or public POC identified at time of analysis.

PHP Path Traversal
NVD GitHub
CVSS 3.1
7.5
EPSS
0.5%
CVE-2026-29093 PHP HIGH This Week

Memcached session storage exposure in AVideo prior to version 24.0 allows unauthenticated remote attackers to read, modify, or delete user sessions by accessing the publicly exposed memcached service on port 11211. An attacker with network access to this port can hijack admin accounts, impersonate users, or destroy all active sessions without any authentication. This affects the official Docker deployment configuration for PHP, Docker, and AVideo products.

PHP Docker Authentication Bypass Avideo
NVD GitHub VulDB
CVSS 3.1
8.1
EPSS
0.1%
CVE-2026-28502 PHP HIGH This Week

Unauthenticated administrators in WWBN AVideo versions before 24.0 can achieve remote code execution by uploading malicious ZIP files through the plugin upload functionality, which extracts files without proper validation into web-accessible directories. This allows attackers to execute arbitrary PHP code on the server with high impact to confidentiality, integrity, and availability. No patch is currently available for affected PHP installations using vulnerable AVideo versions.

PHP RCE File Upload Avideo
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.5%
CVE-2026-28501 PHP CRITICAL POC Act Now

Unauthenticated SQL injection in AVideo before 24.0.

PHP SQLi Avideo
NVD GitHub VulDB
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-3616 LOW Monitor

SQL injection in DefaultFunction Jeson CRM 1.0.0 allows authenticated attackers to manipulate the ID parameter in /modules/customers/edit.php and execute arbitrary SQL queries, potentially compromising data confidentiality and integrity. Public exploit code exists for this vulnerability, and no patch is currently available despite the identified fix commit hash.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-3610 LOW Monitor

Reflected cross-site scripting in HSC Cybersecurity Mailinspector through version 5.3.2-3 allows remote attackers to inject malicious scripts via the error_description parameter in the URL handler component. Public exploit code exists for this vulnerability, which could enable attackers to steal session cookies or perform actions on behalf of authenticated users. Users should upgrade to version 5.4.0 or apply the available hotfix immediately.

PHP XSS
NVD VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-2599 CRITICAL Act Now

PHP Object Injection in Database for CF7/WPforms/Elementor forms WordPress plugin.

WordPress PHP Deserialization Information Disclosure
NVD
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-28129 HIGH This Week

Local file inclusion in axiomthemes Little Birdies plugin version 1.3.16 and earlier enables unauthenticated remote attackers to read arbitrary files from the server through improper input validation on file inclusion parameters. An attacker can exploit this vulnerability to access sensitive configuration files, source code, or other data without authentication. No patch is currently available for this vulnerability.

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-28128 HIGH This Week

Local file inclusion in ThemeREX Verse PHP theme versions 1.7.0 and earlier allows unauthenticated attackers to read arbitrary files on the server through improper input validation on file inclusion functions. The vulnerability requires specific conditions for exploitation but carries high impact potential including confidentiality and integrity compromise. No patch is currently available.

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-28125 HIGH This Week

Local file inclusion in AncoraThemes Midi through version 1.14 enables unauthenticated remote attackers to read arbitrary files on affected systems. The vulnerability stems from improper validation of file paths in PHP include/require statements, allowing attackers to traverse directories and access sensitive data. Currently no patch is available for this vulnerability.

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-28124 HIGH This Week

AncoraThemes Notarius through version 1.9 contains a local file inclusion vulnerability in its PHP file handling that allows unauthenticated remote attackers to read arbitrary files from the affected server. The vulnerability stems from improper validation of filenames in include/require statements, enabling attackers to traverse the filesystem and access sensitive data. No patch is currently available for this high-severity flaw.

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-28123 HIGH This Week

AncoraThemes Veil through version 1.9 contains a local file inclusion vulnerability in PHP that allows unauthenticated attackers to read arbitrary files on the affected server. The vulnerability stems from improper input validation on file include/require statements, enabling attackers to manipulate filename parameters to access sensitive system files. While no patch is currently available, the exploit requires specific conditions (high complexity) to successfully leverage.

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-28121 HIGH This Week

Local and remote file inclusion in AncoraThemes Anderson through version 1.4.2 enables attackers to read arbitrary files or execute malicious code on affected systems. The vulnerability stems from improper validation of file paths in PHP include/require statements, allowing unauthenticated attackers to manipulate input parameters over the network. No patch is currently available for this high-severity issue affecting PHP-based installations.

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-28120 HIGH This Week

Local file inclusion in ThemeREX Dr.Patterson plugin versions up to 1.3.2 enables unauthenticated attackers to read arbitrary files from the server through improper input validation on file inclusion parameters. The vulnerability allows information disclosure and potential code execution depending on server configuration and accessible files. No patch is currently available for this vulnerability.

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
EPSS 0% CVSS 2.1
LOW POC Monitor

SQL injection in EasyCMS up to version 1.6 via the _order parameter in the Request Parameter Handler allows authenticated remote attackers to execute arbitrary SQL queries with medium impact on confidentiality, integrity, and availability. Public exploit code exists for this vulnerability, and the vendor has not provided a patch despite early notification.

PHP SQLi
NVD GitHub VulDB
EPSS 0% CVSS 2.1
LOW POC Monitor

SQL injection in EasyCMS versions up to 1.6 via the _order parameter in the Request Parameter Handler allows remote attackers with valid credentials to execute arbitrary SQL queries. Public exploit code exists for this vulnerability, and the vendor has not released a patch despite early disclosure notification. The attack requires low complexity and can result in unauthorized data access, modification, and potential service disruption.

PHP SQLi
NVD GitHub VulDB
EPSS 0% CVSS 2.1
LOW POC Monitor

SQL injection in SourceCodester Resort Reservation System 1.0 via the q parameter in /accommodation.php allows remote authenticated attackers to manipulate database queries. Public exploit code exists for this vulnerability, and no patch is currently available. An attacker with valid credentials could extract or modify sensitive reservation and user data.

PHP SQLi
NVD GitHub VulDB
EPSS 0% CVSS 2.1
LOW POC Monitor

College Management System versions up to 1.0 contains a vulnerability that allows attackers to sql injection (CVSS 6.3).

PHP SQLi
NVD GitHub VulDB
EPSS 0% CVSS 2.0
LOW POC Monitor

Web-Based Pharmacy Product Management System versions up to 1.0 is affected by cross-site scripting (xss) (CVSS 3.5).

PHP XSS
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in itsourcecode University Management System 1.0 via the dt parameter in /att_single_view.php enables remote attackers to execute arbitrary SQL queries without authentication. Public exploit code exists for this vulnerability, and no patch is currently available. The attack affects data confidentiality, integrity, and availability with a CVSS score of 7.3.

PHP SQLi
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM POC This Month

Improper authorization in SourceCodester Client Database Management System 1.0 allows unauthenticated remote attackers to manipulate the /superadmin_user_update.php file, potentially gaining unauthorized access to sensitive functionality. Public exploit code exists for this vulnerability, and no patch is currently available, leaving affected installations at immediate risk.

PHP Information Disclosure
NVD GitHub VulDB
EPSS 0% CVSS 2.1
LOW POC Monitor

Simple Flight Ticket Booking System versions up to 1.0 is affected by cross-site scripting (xss) (CVSS 4.3).

PHP XSS
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM POC This Month

Improper authorization in SourceCodester Client Database Management System 1.0/3.1 allows unauthenticated remote attackers to manipulate the manager_id parameter in the /superadmin_delete_manager.php endpoint to bypass access controls. Public exploit code exists for this vulnerability, and no patch is currently available. Attackers can leverage this to gain unauthorized access with limited confidentiality, integrity, and availability impact.

PHP Information Disclosure
NVD GitHub VulDB
EPSS 0% CVSS 2.1
LOW POC Monitor

Client Database Management System versions up to 1.0 contains a vulnerability that allows attackers to improper authorization (CVSS 5.4).

PHP Information Disclosure
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in itsourcecode University Management System 1.0 via the seme parameter in /view_result.php allows unauthenticated remote attackers to manipulate database queries and potentially access or modify sensitive data. Public exploit code exists for this vulnerability, and no patch is currently available, leaving affected installations at immediate risk.

PHP SQLi
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in projectworlds Online Art Gallery Shop 1.0 via the reach_nm parameter in /admin/adminHome.php allows unauthenticated remote attackers to manipulate database queries and potentially extract sensitive data or modify database contents. Public exploit code exists for this vulnerability, increasing exploitation risk. No patch is currently available for affected installations.

PHP SQLi
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in projectworlds Online Art Gallery Shop 1.0 allows unauthenticated remote attackers to manipulate the Info parameter in /admin/adminHome.php, potentially enabling unauthorized database access and data theft. Public exploit code exists for this vulnerability, increasing the risk of active exploitation. No patch is currently available, requiring organizations to implement compensating controls or upgrade to a patched version when released.

PHP SQLi
NVD GitHub VulDB
EPSS 0% CVSS 2.1
LOW POC Monitor

SQL injection in SourceCodester Sales and Inventory System up to version 1.0 allows authenticated remote attackers to manipulate the stock_name1 parameter in /check_item_details.php and execute arbitrary SQL queries. Public exploit code exists for this vulnerability, and no patch is currently available. The attack requires valid credentials but could enable data disclosure, modification, or deletion within the affected system.

PHP SQLi
NVD GitHub VulDB
EPSS 0% CVSS 2.1
LOW POC Monitor

Sales And Inventory System versions up to 1.0 contains a vulnerability that allows attackers to sql injection (CVSS 6.3).

PHP SQLi
NVD GitHub VulDB
EPSS 0% CVSS 2.1
LOW POC Monitor

SQL injection in SourceCodester Sales and Inventory System 1.0 via the cost parameter in /add_stock.php enables authenticated attackers to manipulate database queries remotely. Public exploit code exists for this vulnerability, and no patch is currently available. The attack requires valid credentials but can result in unauthorized data access and modification.

PHP SQLi
NVD GitHub VulDB
EPSS 0% CVSS 2.1
LOW POC Monitor

SQL injection in SourceCodester Sales and Inventory System versions up to 1.0 via the sid parameter in /add_sales_print.php allows authenticated attackers to execute arbitrary SQL queries remotely. Public exploit code exists for this vulnerability, and no patch is currently available. Attackers can leverage this to access, modify, or delete sensitive inventory and sales data.

PHP SQLi
NVD GitHub VulDB
EPSS 0% CVSS 2.0
LOW POC Monitor

SourceCodester Employee Task Management System through version 1.0 contains a SQL injection vulnerability in the /daily-task-report.php GET parameter handler that allows remote attackers with high privileges to extract or manipulate database contents. Public exploit code exists for this vulnerability, and no patch is currently available. The attack requires network access but no user interaction, potentially compromising sensitive employee task data and system integrity.

PHP SQLi
NVD GitHub VulDB
EPSS 0% CVSS 2.0
LOW POC Monitor

SQL injection in SourceCodester Employee Task Management System 1.0 allows remote attackers to manipulate the Date parameter in /daily-attendance-report.php, enabling unauthorized database access and modification. Public exploit code exists for this vulnerability, and no patch is currently available. The attack requires high-level privileges but can be executed over the network with minimal complexity.

PHP SQLi
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in itsourcecode University Management System 1.0 via the subject parameter in /add_result.php enables remote attackers to execute arbitrary database queries without authentication. Public exploit code exists for this vulnerability, and no patch is currently available. Affected installations face potential data exfiltration, modification, or deletion through unauthenticated network-based attacks.

PHP SQLi
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in SourceCodester Simple Responsive Tourism Website 1.0 via the Username parameter in the Login.php component enables unauthenticated remote attackers to manipulate database queries and potentially extract sensitive data or modify application state. Public exploit code exists for this vulnerability, and no patch is currently available, leaving affected systems exposed to active exploitation.

PHP SQLi
NVD GitHub VulDB
EPSS 0% CVSS 2.1
LOW POC Monitor

SQL injection in Student Web Portal 1.0's profile.php allows authenticated attackers to execute arbitrary SQL queries through improper input validation on the User parameter, potentially leading to unauthorized data access or modification. Public exploit code exists for this vulnerability, and no patch is currently available.

PHP SQLi
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in Student Web Portal 1.0's signup.php password validation function allows unauthenticated remote attackers to manipulate database queries through the reg_passwd parameter. Public exploit code exists for this vulnerability, and no patch is currently available. Successful exploitation could enable unauthorized data access, modification, or deletion.

PHP SQLi
NVD GitHub VulDB
EPSS 0% CVSS 2.0
LOW POC Monitor

A flaw has been found in YiFang CMS 2.0.5. This affects the function update of the file app/db/admin/D_singlePageGroup.php. [CVSS 3.5 LOW]

PHP XSS
NVD GitHub VulDB
EPSS 0% CVSS 2.0
LOW POC Monitor

A vulnerability was detected in YiFang CMS 2.0.5. The impacted element is the function update of the file app/db/admin/D_singlePage.php. [CVSS 3.5 LOW]

PHP XSS
NVD GitHub VulDB
EPSS 0% CVSS 2.0
LOW POC Monitor

A security vulnerability has been detected in YiFang CMS 2.0.5. The affected element is the function update of the file app/db/admin/D_friendLink.php. [CVSS 3.5 LOW]

PHP XSS
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in itsourcecode University Management System 1.0 allows remote attackers to manipulate the admin_search_student parameter in /admin_search_student.php without authentication, potentially leading to unauthorized data access, modification, or deletion. Public exploit code exists for this vulnerability, increasing the risk of active exploitation. No patch is currently available.

PHP SQLi
NVD GitHub VulDB
EPSS 0% CVSS 2.1
LOW POC Monitor

Pet Grooming Management Software versions up to 1.0 contains a vulnerability that allows attackers to improper authorization (CVSS 6.3).

PHP Information Disclosure
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in Simple Flight Ticket Booking System 1.0's SearchResultRoundtrip.php parameter handling enables unauthenticated remote attackers to manipulate database queries and potentially extract, modify, or delete sensitive data. Public exploit code exists for this vulnerability, increasing exploitation risk. No patch is currently available.

PHP SQLi
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in Simple Flight Ticket Booking System 1.0 allows unauthenticated remote attackers to manipulate the SearchResultOneway.php input parameter and execute arbitrary database queries. Public exploit code exists for this vulnerability, and no patch is currently available. The attack requires no user interaction and can be executed over the network, enabling attackers to read, modify, or delete sensitive flight booking data.

PHP SQLi
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM POC This Month

Improper authorization in SourceCodester Client Database Management System 1.0 allows remote attackers to manipulate the manager_id parameter in /fetch_manager_details.php to access unauthorized data. Public exploit code exists for this vulnerability, and no patch is currently available. Affected systems can be compromised over the network without authentication or user interaction.

PHP Information Disclosure
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in Free Hotel Reservation System 1.0 allows remote attackers to manipulate the amen_id and rmtype_id parameters in the amenities management interface, enabling unauthorized database access and potential data modification. Public exploit code exists for this vulnerability, and no patch is currently available. The flaw affects PHP-based installations and requires no authentication or user interaction to exploit.

PHP SQLi
NVD GitHub VulDB
EPSS 0% CVSS 2.1
LOW POC Monitor

Patients Waiting Area Queue Management System versions up to 1.0 contains a security vulnerability (CVSS 6.3).

PHP Information Disclosure
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in Simple Flight Ticket Booking System 1.0's /Admindelete.php endpoint allows unauthenticated remote attackers to manipulate the flightno parameter and execute arbitrary database queries, potentially leading to data theft or modification. Public exploit code is available for this vulnerability, and no patch has been released as of now.

PHP SQLi
NVD GitHub VulDB
EPSS 0% CVSS 4.7
MEDIUM This Month

OpenCart 4.0.2.3 contains an incomplete fix for a template injection vulnerability in the admin template controller that allows high-privileged attackers to inject malicious code through improper neutralization of special template elements. An authenticated administrator can exploit this flaw to achieve arbitrary code execution on the affected system. No patch is currently available, and the vendor has not responded to disclosure attempts.

PHP Opencart
NVD VulDB
EPSS 0% CVSS 2.0
LOW POC Monitor

SQL injection in Simple Flight Ticket Booking System 1.0's admin update function allows remote attackers with high privileges to manipulate flight parameters and execute arbitrary database queries. Public exploit code exists for this vulnerability, and no patch is currently available. The attack requires administrative credentials but could enable data exfiltration or modification of flight booking records.

PHP SQLi
NVD VulDB GitHub
EPSS 0% CVSS 2.0
LOW POC Monitor

SQL injection in Simple Flight Ticket Booking System 1.0's /Adminadd.php allows remote attackers with high privileges to manipulate flight parameters and execute arbitrary SQL queries, potentially compromising flight booking data. Public exploit code exists for this vulnerability, though patches are not yet available. The attack requires administrative credentials but can be exploited over the network without user interaction.

PHP SQLi
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM POC This Month

Simple Flight Ticket Booking System versions up to 1.0 contains a vulnerability that allows attackers to sql injection (CVSS 7.3).

PHP SQLi
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in Simple Flight Ticket Booking System 1.0's login functionality allows unauthenticated attackers to manipulate the Username parameter and execute arbitrary database queries remotely. Public exploit code exists for this vulnerability, increasing the risk of active exploitation. PHP installations running the affected application should be isolated until a security patch becomes available.

PHP SQLi
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in Simple Flight Ticket Booking System 1.0 via the flightno parameter in /Adminsearch.php allows unauthenticated remote attackers to query or modify database contents. Public exploit code exists for this vulnerability, and no patch is currently available. Affected users should immediately restrict access to the admin search functionality or upgrade if a patched version becomes available.

PHP SQLi
NVD GitHub VulDB
EPSS 0% CVSS 2.1
LOW POC Monitor

Reflected cross-site scripting (XSS) in SourceCodester Loan Management System 1.0 allows unauthenticated remote attackers to inject malicious scripts via the page parameter in /index.php. Public exploit code exists for this vulnerability, increasing the risk of active exploitation. The vulnerability enables attackers to perform actions on behalf of victims or steal sensitive information, though no patch is currently available.

PHP XSS
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SourceCodester Modern Image Gallery App 1.0 contains a path traversal vulnerability in the /delete.php file that allows unauthenticated remote attackers to manipulate the filename parameter and access or delete arbitrary files. Public exploit code exists for this vulnerability, and no patch is currently available. The vulnerability can lead to information disclosure or file deletion on affected systems.

PHP Path Traversal
NVD GitHub VulDB
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

The DisallowedRawHtml extension in PHP Commonmark (league/commonmark) versions prior to 2.8.1 can be bypassed by injecting whitespace characters between HTML tag names and closing brackets, allowing malicious scripts to pass sanitization filters and execute in user browsers. Applications relying solely on this extension to sanitize untrusted markdown input are vulnerable to cross-site scripting attacks, though those using additional HTML sanitizers are unaffected. No patch is currently available for affected versions.

PHP XSS Commonmark
NVD GitHub VulDB
EPSS 0% CVSS 4.3
MEDIUM This Month

Purchase Button For Affiliate Link (WordPress plugin) is affected by cross-site request forgery (csrf) (CVSS 4.3).

WordPress PHP CSRF
NVD
EPSS 1% CVSS 7.2
HIGH PATCH This Week

The Meta Box plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the 'ajax_delete_file' function in all versions up to, and including, 5.11.1. [CVSS 7.2 HIGH]

WordPress PHP RCE +1
NVD GitHub
EPSS 0% CVSS 6.1
MEDIUM POC PATCH This Month

Reflected cross-site scripting (XSS) in Wallos password reset functionality before version 4.6.2 allows unauthenticated attackers to inject malicious scripts by manipulating token and email parameters that are output without sanitization. Public exploit code exists for this vulnerability, affecting self-hosted instances of Wallos. A patch is available in version 4.6.2 and later.

PHP XSS Wallos
NVD GitHub
EPSS 0% CVSS 4.3
MEDIUM POC PATCH This Month

Wallos versions prior to 4.6.2 contain a server-side request forgery (SSRF) vulnerability in the webhook notification testing function that fails to restrict requests to private IP ranges, allowing authenticated attackers to read internal server responses. Public exploit code exists for this vulnerability. The vulnerability affects Wallos and has been patched in version 4.6.2.

PHP SSRF Wallos
NVD GitHub
EPSS 0% CVSS 7.2
HIGH This Week

Arbitrary PHP code execution in the Easy PHP Settings WordPress plugin through versions 1.0.4 allows authenticated administrators to inject malicious code via inadequately sanitized memory limit configuration parameters that bypass quote filtering in wp-config.php. An attacker with administrator privileges can exploit insufficient input validation in the `update_wp_memory_constants()` method to break out of PHP string context and execute arbitrary commands that execute on every page request. No patch is currently available for this high-severity vulnerability.

WordPress PHP Code Injection +1
NVD
EPSS 0% CVSS 7.5
HIGH This Week

PHP object injection in the JS Archive List WordPress plugin (versions up to 6.1.7) allows authenticated contributors and above to deserialize untrusted data through the shortcode 'included' parameter. While no direct exploitation path exists in the plugin itself, attackers could leverage gadget chains from other installed plugins or themes to achieve arbitrary file deletion, information disclosure, or remote code execution. A patch is not currently available.

WordPress PHP Deserialization +1
NVD
EPSS 0% CVSS 6.1
MEDIUM POC This Month

Reflected cross-site scripting in GroupOffice installer versions prior to 6.8.155, 25.0.88, and 26.0.10 allows unauthenticated attackers to inject arbitrary scripts through the license parameter in install/license.php. Public exploit code exists for this vulnerability, enabling attackers to execute malicious JavaScript in users' browsers with moderate impact to confidentiality and integrity. The vulnerability requires user interaction and affects the web-accessible installation endpoint.

PHP XSS Group Office
NVD GitHub
EPSS 0% CVSS 9.9
CRITICAL Act Now

Missing authorization in Vito server management before 3.20.3. CVSS 9.9.

PHP Authentication Bypass Vito
NVD GitHub VulDB
EPSS 0% CVSS 5.3
MEDIUM POC This Month

OOP CMS BLOG 1.0 contains a cross-site request forgery vulnerability that allows unauthenticated attackers to create administrative user accounts by crafting malicious POST requests. [CVSS 5.3 MEDIUM]

PHP CSRF Php Oop Cms Blog
NVD Exploit-DB
EPSS 0% CVSS 8.2
HIGH POC This Week

OOP CMS BLOG 1.0 contains SQL injection vulnerabilities that allow unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through multiple parameters. [CVSS 8.2 HIGH]

PHP SQLi Php Oop Cms Blog
NVD Exploit-DB
EPSS 0% CVSS 8.8
HIGH POC This Week

PlayJoom 0.10.1 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the catid parameter. [CVSS 8.2 HIGH]

PHP SQLi
NVD Exploit-DB
EPSS 0% CVSS 8.8
HIGH POC This Week

ServerZilla 1.0 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the email parameter. [CVSS 8.2 HIGH]

PHP SQLi
NVD Exploit-DB
EPSS 0% CVSS 8.8
HIGH POC This Week

Nominas 0.27 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the username parameter. [CVSS 8.2 HIGH]

PHP SQLi Path Traversal
NVD Exploit-DB
EPSS 0% CVSS 8.8
HIGH POC This Week

GPS Tracking System 2.12 contains an SQL injection vulnerability that allows unauthenticated attackers to bypass authentication by injecting SQL code through the username parameter. [CVSS 8.2 HIGH]

PHP SQLi Authentication Bypass
NVD Exploit-DB
EPSS 0% CVSS 7.1
HIGH POC This Week

Facturation System 1.0 contains an SQL injection vulnerability that allows authenticated attackers to execute arbitrary SQL queries by injecting malicious code through the 'mod_id' parameter. [CVSS 7.1 HIGH]

PHP SQLi
NVD Exploit-DB
EPSS 0% CVSS 5.3
MEDIUM POC This Month

Easyndexer 1.0 contains a cross-site request forgery vulnerability that allows unauthenticated attackers to create administrative accounts by submitting forged POST requests. [CVSS 5.3 MEDIUM]

PHP CSRF
NVD Exploit-DB VulDB
EPSS 0% CVSS 8.8
HIGH POC This Week

Data Center Audit 2.6.2 contains an SQL injection vulnerability in the username parameter of dca_login.php that allows unauthenticated attackers to execute arbitrary SQL queries. [CVSS 8.2 HIGH]

PHP SQLi
NVD Exploit-DB
EPSS 0% CVSS 8.8
HIGH POC This Week

Webiness Inventory 2.3 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the order parameter. [CVSS 8.2 HIGH]

PHP SQLi
NVD Exploit-DB
EPSS 0% CVSS 6.9
MEDIUM POC This Month

Surreal ToDo 0.6.1.2 contains a local file inclusion vulnerability that allows unauthenticated attackers to read arbitrary files by manipulating the content parameter. [CVSS 6.2 MEDIUM]

PHP Path Traversal
NVD Exploit-DB
EPSS 0% CVSS 8.8
HIGH POC This Week

Silurus Classifieds Script 2.0 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the ID parameter. [CVSS 8.2 HIGH]

PHP SQLi
NVD Exploit-DB
EPSS 0% CVSS 7.5
HIGH POC This Week

Easyndexer 1.0 contains an arbitrary file download vulnerability that allows unauthenticated attackers to download sensitive files by manipulating the file parameter. [CVSS 7.5 HIGH]

PHP
NVD Exploit-DB VulDB
EPSS 0% CVSS 6.9
MEDIUM POC This Month

Data Center Audit 2.6.2 contains a cross-site request forgery vulnerability that allows attackers to reset administrator passwords without authentication by submitting crafted POST requests. [CVSS 5.3 MEDIUM]

PHP CSRF
NVD Exploit-DB
EPSS 0% CVSS 8.8
HIGH POC This Week

Alienor Web Libre 2.0 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the identifiant parameter. [CVSS 8.2 HIGH]

PHP SQLi
NVD Exploit-DB
EPSS 0% CVSS 6.9
MEDIUM POC This Month

ABC ERP 0.6.4 contains a cross-site request forgery vulnerability that allows attackers to modify administrator credentials by submitting forged requests to _configurar_perfil.php. [CVSS 5.3 MEDIUM]

PHP CSRF
NVD Exploit-DB
EPSS 0% CVSS 8.8
HIGH POC This Week

Rmedia SMS 1.0 contains an SQL injection vulnerability that allows unauthenticated attackers to extract database information by injecting SQL code through the gid parameter. [CVSS 8.2 HIGH]

PHP SQLi
NVD Exploit-DB
EPSS 0% CVSS 8.8
HIGH POC This Week

Pedidos 1.0 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the 'q' parameter. [CVSS 8.2 HIGH]

PHP SQLi
NVD Exploit-DB
EPSS 0% CVSS 8.8
HIGH POC This Week

DoceboLMS 1.2 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the id, idC, and idU parameters. [CVSS 8.2 HIGH]

PHP SQLi CSRF
NVD Exploit-DB
EPSS 0% CVSS 8.8
HIGH POC This Week

Net-Billetterie 2.9 contains an SQL injection vulnerability in the login parameter of login.inc.php that allows unauthenticated attackers to execute arbitrary SQL queries. [CVSS 8.2 HIGH]

PHP SQLi
NVD Exploit-DB
EPSS 0% CVSS 8.8
HIGH POC This Week

Meneame English Pligg 5.8 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the search parameter. [CVSS 8.2 HIGH]

PHP SQLi
NVD Exploit-DB
EPSS 0% CVSS 7.1
HIGH POC This Week

Galaxy Forces MMORPG 0.5.8 contains an SQL injection vulnerability that allows authenticated attackers to execute arbitrary SQL queries by injecting malicious code through the 'type' parameter. [CVSS 7.1 HIGH]

PHP SQLi
NVD Exploit-DB
EPSS 0% CVSS 8.8
HIGH POC This Week

BitZoom 1.0 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the rollno and username parameters in forgot.php and login.php. [CVSS 8.2 HIGH]

PHP SQLi
NVD Exploit-DB
EPSS 0% CVSS 7.1
HIGH POC This Week

2-Plan Team 1.0.4 contains an arbitrary file upload vulnerability that allows authenticated attackers to upload executable PHP files by sending multipart form data to managefile.php. [CVSS 6.5 MEDIUM]

PHP RCE File Upload
NVD Exploit-DB
EPSS 0% CVSS 8.8
HIGH POC This Week

Warranty Tracking System 11.06.3 contains an SQL injection vulnerability that allows attackers to execute arbitrary SQL queries by injecting malicious code through the txtCustomerCode, txtCustomerName, and txtPhone POST parameters in SearchCustomer.php. [CVSS 8.2 HIGH]

PHP SQLi
NVD Exploit-DB
EPSS 0% CVSS 7.5
HIGH This Week

Remote unauthenticated attackers can read arbitrary files from Talishar (Flesh and Blood fan-made game) servers via path traversal in the ParseGamestate.php script's gameName parameter. The vulnerability affects all versions prior to commit 6be3871 and allows direct access to sensitive server files without authentication (CVSS 7.5, AV:N/PR:N). While EPSS exploitation probability is relatively low (0.47%, 64th percentile), the unauthenticated remote attack vector and confirmed patch availability make this a priority for exposed deployments. No active exploitation or public POC identified at time of analysis.

PHP Path Traversal
NVD GitHub
EPSS 0% CVSS 8.1
HIGH This Week

Memcached session storage exposure in AVideo prior to version 24.0 allows unauthenticated remote attackers to read, modify, or delete user sessions by accessing the publicly exposed memcached service on port 11211. An attacker with network access to this port can hijack admin accounts, impersonate users, or destroy all active sessions without any authentication. This affects the official Docker deployment configuration for PHP, Docker, and AVideo products.

PHP Docker Authentication Bypass +1
NVD GitHub VulDB
EPSS 0% CVSS 8.8
HIGH This Week

Unauthenticated administrators in WWBN AVideo versions before 24.0 can achieve remote code execution by uploading malicious ZIP files through the plugin upload functionality, which extracts files without proper validation into web-accessible directories. This allows attackers to execute arbitrary PHP code on the server with high impact to confidentiality, integrity, and availability. No patch is currently available for affected PHP installations using vulnerable AVideo versions.

PHP RCE File Upload +1
NVD GitHub VulDB
EPSS 0% CVSS 9.8
CRITICAL POC Act Now

Unauthenticated SQL injection in AVideo before 24.0.

PHP SQLi Avideo
NVD GitHub VulDB
EPSS 0% CVSS 2.1
LOW Monitor

SQL injection in DefaultFunction Jeson CRM 1.0.0 allows authenticated attackers to manipulate the ID parameter in /modules/customers/edit.php and execute arbitrary SQL queries, potentially compromising data confidentiality and integrity. Public exploit code exists for this vulnerability, and no patch is currently available despite the identified fix commit hash.

PHP SQLi
NVD GitHub VulDB
EPSS 0% CVSS 2.1
LOW Monitor

Reflected cross-site scripting in HSC Cybersecurity Mailinspector through version 5.3.2-3 allows remote attackers to inject malicious scripts via the error_description parameter in the URL handler component. Public exploit code exists for this vulnerability, which could enable attackers to steal session cookies or perform actions on behalf of authenticated users. Users should upgrade to version 5.4.0 or apply the available hotfix immediately.

PHP XSS
NVD VulDB
EPSS 0% CVSS 9.8
CRITICAL Act Now

PHP Object Injection in Database for CF7/WPforms/Elementor forms WordPress plugin.

WordPress PHP Deserialization +1
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Local file inclusion in axiomthemes Little Birdies plugin version 1.3.16 and earlier enables unauthenticated remote attackers to read arbitrary files from the server through improper input validation on file inclusion parameters. An attacker can exploit this vulnerability to access sensitive configuration files, source code, or other data without authentication. No patch is currently available for this vulnerability.

PHP LFI Information Disclosure
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Local file inclusion in ThemeREX Verse PHP theme versions 1.7.0 and earlier allows unauthenticated attackers to read arbitrary files on the server through improper input validation on file inclusion functions. The vulnerability requires specific conditions for exploitation but carries high impact potential including confidentiality and integrity compromise. No patch is currently available.

PHP LFI Information Disclosure
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Local file inclusion in AncoraThemes Midi through version 1.14 enables unauthenticated remote attackers to read arbitrary files on affected systems. The vulnerability stems from improper validation of file paths in PHP include/require statements, allowing attackers to traverse directories and access sensitive data. Currently no patch is available for this vulnerability.

PHP LFI Information Disclosure
NVD
EPSS 0% CVSS 8.1
HIGH This Week

AncoraThemes Notarius through version 1.9 contains a local file inclusion vulnerability in its PHP file handling that allows unauthenticated remote attackers to read arbitrary files from the affected server. The vulnerability stems from improper validation of filenames in include/require statements, enabling attackers to traverse the filesystem and access sensitive data. No patch is currently available for this high-severity flaw.

PHP LFI Information Disclosure
NVD
EPSS 0% CVSS 8.1
HIGH This Week

AncoraThemes Veil through version 1.9 contains a local file inclusion vulnerability in PHP that allows unauthenticated attackers to read arbitrary files on the affected server. The vulnerability stems from improper input validation on file include/require statements, enabling attackers to manipulate filename parameters to access sensitive system files. While no patch is currently available, the exploit requires specific conditions (high complexity) to successfully leverage.

PHP LFI Information Disclosure
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Local and remote file inclusion in AncoraThemes Anderson through version 1.4.2 enables attackers to read arbitrary files or execute malicious code on affected systems. The vulnerability stems from improper validation of file paths in PHP include/require statements, allowing unauthenticated attackers to manipulate input parameters over the network. No patch is currently available for this high-severity issue affecting PHP-based installations.

PHP LFI Information Disclosure
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Local file inclusion in ThemeREX Dr.Patterson plugin versions up to 1.3.2 enables unauthenticated attackers to read arbitrary files from the server through improper input validation on file inclusion parameters. The vulnerability allows information disclosure and potential code execution depending on server configuration and accessible files. No patch is currently available for this vulnerability.

PHP LFI Information Disclosure
NVD
Prev Page 30 of 275 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy