Skip to main content

PHP

24730 CVEs product

Monthly

CVE-2025-15483 MEDIUM This Month

The Link Hopper plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘hop_name’ parameter in all versions up to, and including, 2.5 due to insufficient input sanitization and output escaping. [CVSS 4.4 MEDIUM]

WordPress XSS PHP
NVD
CVSS 3.1
4.4
EPSS
0.0%
CVE-2025-14873 MEDIUM This Month

The LatePoint - Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 5.2.5. [CVSS 4.3 MEDIUM]

WordPress CSRF PHP
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-2469 PHP MEDIUM PATCH This Month

Versions of the package directorytree/imapengine versions up to 1.22.3 contains a vulnerability that allows attackers to read or delete victim's emails, terminate the victim's session or execute any va (CVSS 7.6).

PHP Code Injection
NVD GitHub
CVSS 4.0
5.7
EPSS
0.0%
CVE-2025-14608 MEDIUM This Month

The WP Last Modified Info plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.9.5. This is due to the plugin not validating a user's access to a post before modifying its metadata in the 'bulk_save' AJAX action. This makes it possible for authenticated attackers, with Author-level access and above, to update the last modified metadata and lock the modification date of arbitrary posts, including those created by Administrators via the ...

WordPress PHP
NVD GitHub
CVSS 3.1
5.3
EPSS
0.0%
CVE-2025-14067 MEDIUM This Month

Easy Form Builder (WordPress plugin) versions up to 3.9.3. is affected by missing authorization (CVSS 5.3).

WordPress PHP
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2025-13973 MEDIUM This Month

The StickEasy Protected Contact Form plugin for WordPress is vulnerable to Sensitive Information Disclosure in all versions up to, and including, 1.0.2. The plugin stores spam detection logs at a predictable publicly accessible location (wp-content/uploads/stickeasy-protected-contact-form/spcf-log.txt). This makes it possible for unauthenticated attackers to download the log file and access sensitive information including visitor IP addresses, email addresses, and comment snippets from contac...

WordPress Information Disclosure PHP
NVD
CVSS 3.1
5.3
EPSS
0.1%
CVE-2025-13681 MEDIUM This Month

The BFG Tools - Extension Zipper plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.0.7. This is due to insufficient input validation on the user-supplied `first_file` parameter in the `zip()` function. [CVSS 4.9 MEDIUM]

WordPress PHP Path Traversal
NVD
CVSS 3.1
4.9
EPSS
0.1%
CVE-2025-69633 CRITICAL Act Now

SQL injection in Advanced Popup Creator PrestaShop module 1.1.26-1.2.6. Fixed in 1.2.7.

PHP SQLi
NVD
CVSS 3.1
9.8
EPSS
0.1%
CVE-2025-15157 HIGH This Week

The Starfish Review Generation & Marketing for WordPress plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the 'srm_restore_options_defaults' function in all versions up to, and including, 3.1.19. [CVSS 8.8 HIGH]

WordPress Privilege Escalation PHP
NVD
CVSS 3.1
8.8
EPSS
0.0%
CVE-2025-15520 MEDIUM This Month

The RegistrationMagic WordPress plugin before 6.0.7.2 checks nonces but not capabilities, allowing for the disclosure of some sensitive data to subscribers and above. [CVSS 4.3 MEDIUM]

WordPress PHP
NVD WPScan
CVSS 3.1
4.3
EPSS
0.0%
CVE-2019-25342 HIGH POC This Week

Centova Cast 3.2.12 contains a denial of service vulnerability that allows attackers to overwhelm the system by repeatedly calling the database export API endpoint. Attackers can trigger 100% CPU load by sending multiple concurrent requests to the /api.php endpoint with crafted parameters. [CVSS 7.5 HIGH]

PHP Denial Of Service
NVD Exploit-DB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2019-25337 CRITICAL POC Act Now

Username enumeration in OwnCloud 8.1.8 via share.php endpoint. PoC available.

PHP
NVD Exploit-DB
CVSS 3.1
9.8
EPSS
0.1%
CVE-2019-25325 HIGH POC This Week

Thrive Smart Home 1.1 contains an SQL injection vulnerability in the checklogin.php endpoint that allows unauthenticated attackers to bypass authentication by manipulating the 'user' POST parameter. [CVSS 8.2 HIGH]

PHP SQLi Authentication Bypass
NVD Exploit-DB
CVSS 3.1
8.2
EPSS
0.3%
CVE-2019-25320 MEDIUM POC This Month

E Learning Script 1.0 contains an authentication bypass vulnerability that allows attackers to access the dashboard without valid credentials by manipulating login parameters. [CVSS 6.5 MEDIUM]

PHP Authentication Bypass
NVD GitHub Exploit-DB
CVSS 3.1
6.5
EPSS
0.1%
CVE-2026-24895 Go CRITICAL POC PATCH Act Now

CGI path splitting vulnerability in FrankenPHP before 1.11.2 — Unicode characters bypass path validation during CGI processing. PoC and patch available.

PHP Golang Frankenphp Suse
NVD GitHub
CVSS 3.1
9.8
EPSS
0.1%
CVE-2025-69634 CRITICAL Act Now

CSRF leading to privilege escalation in Dolibarr ERP & CRM v.22.0.9. Attackers can escalate privileges via the notes field in permission management.

PHP
NVD GitHub
CVSS 3.1
9.0
EPSS
0.0%
CVE-2025-14892 CRITICAL Act Now

Privilege escalation in Prime Listing Manager WordPress plugin through 1.1 allows unauthenticated administrative access.

WordPress PHP
NVD WPScan
CVSS 3.1
9.8
EPSS
0.0%
CVE-2020-37186 CRITICAL POC Act Now

RCE in Chevereto 3.13.4 image hosting via code injection during database configuration. Allows injecting code during installation/setup. PoC available.

PHP RCE
NVD GitHub Exploit-DB
CVSS 3.1
9.8
EPSS
0.4%
CVE-2020-37173 HIGH POC This Week

Avideo versions up to 8.1 contains a vulnerability that allows attackers to enumerate user details through the playlistsFromUser (CVSS 7.5).

PHP Information Disclosure Avideo
NVD GitHub Exploit-DB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2020-37156 MEDIUM POC This Month

login.php contains a vulnerability that allows attackers to access the dashboard without valid credentials (CVSS 6.5).

PHP Authentication Bypass
NVD GitHub Exploit-DB
CVSS 3.1
6.5
EPSS
0.1%
CVE-2026-25869 MEDIUM This Month

MiniGal Nano 0.3.5 and earlier are vulnerable to a path traversal attack in the dir parameter that bypasses insufficient dot-dot sequence filtering, allowing unauthenticated remote attackers to access and enumerate image files from arbitrary filesystem locations readable by the web server. This results in confidential information disclosure from unintended directories. No patch is currently available.

PHP Path Traversal Information Disclosure Minigal Nano
NVD VulDB
CVSS 4.0
6.9
EPSS
0.1%
CVE-2026-25868 MEDIUM This Month

Reflected XSS in MiniGal Nano 0.3.5 and earlier allows unauthenticated remote attackers to inject malicious scripts through the dir parameter in index.php, enabling arbitrary JavaScript execution in victim browsers. The vulnerability stems from insufficient output encoding when constructing error messages with user-supplied input. No patch is currently available for affected installations.

PHP XSS Minigal Nano
NVD VulDB
CVSS 4.0
5.1
EPSS
0.0%
CVE-2019-25316 MEDIUM POC This Month

GOautodial 4.0 contains a persistent cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts through the event title parameter. [CVSS 6.4 MEDIUM]

PHP XSS
NVD Exploit-DB
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-0910 HIGH This Week

PHP object injection in wpForo Forum plugin versions up to 2.4.13 allows authenticated subscribers and above to deserialize untrusted data, potentially enabling arbitrary file deletion, data theft, or code execution if a POP chain exists in installed plugins or themes. The vulnerability requires an additional gadget chain to be exploitable, making its impact dependent on the broader plugin ecosystem of the target WordPress installation.

WordPress PHP Deserialization
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2025-15096 HIGH This Week

The 'Videospirecore Theme Plugin' plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.0.6. This is due to the plugin not properly validating a user's identity prior to updating their details like email. This makes it possible for authenticated attackers, with Subscriber-level access and above, to change arbitrary user's email addresses, including administrators, and leverage that to reset the user's password and gain access t...

WordPress Privilege Escalation PHP
NVD
CVSS 3.1
8.8
EPSS
0.0%
CVE-2025-15440 HIGH This Week

The iONE360 configurator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Contact Form Parameters in all versions up to, and including, 2.0.57 due to insufficient input sanitization and output escaping. [CVSS 7.2 HIGH]

WordPress XSS PHP
NVD
CVSS 3.1
7.2
EPSS
0.1%
CVE-2026-1357 CRITICAL POC Act Now

Unauthenticated arbitrary file upload in WPvivid Backup & Migration WordPress plugin. EPSS 0.44%.

WordPress PHP OpenSSL RCE Path Traversal
NVD
CVSS 3.1
9.8
EPSS
0.4%
CVE-2026-1235 MEDIUM This Month

WP eCommerce WordPre versions up to 3.15.1 is affected by deserialization of untrusted data (CVSS 6.5).

WordPress PHP Deserialization
NVD WPScan
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-15524 MEDIUM This Month

The Gallery by FooGallery plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the ajax_get_gallery_info() function in all versions up to, and including, 3.1.9. [CVSS 4.3 MEDIUM]

WordPress PHP
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-14541 HIGH This Week

Lucky Wheel Giveaway (WordPress plugin) versions up to 1.0.22 is affected by code injection (CVSS 7.2).

WordPress RCE PHP
NVD
CVSS 3.1
7.2
EPSS
0.3%
CVE-2025-13431 MEDIUM This Month

The SlimStat Analytics plugin for WordPress is vulnerable to time-based SQL Injection via the ‘args’ parameter in all versions up to, and including, 5.3.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. [CVSS 6.5 MEDIUM]

WordPress Industrial SQLi PHP
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-25728 HIGH POC PATCH This Week

Arbitrary PHP code execution in ClipBucket v5 prior to 5.5.3-#40 through a race condition in file upload validation, where files are moved to a web-accessible directory before security checks are performed. An authenticated attacker can exploit the time window between file placement and validation deletion to execute malicious PHP code on the server. Public exploit code exists for this vulnerability.

PHP Race Condition Clipbucket
NVD GitHub
CVSS 3.1
7.5
EPSS
0.0%
CVE-2025-14895 MEDIUM This Month

The PopupKit plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 2.2.0. This is due to the plugin not properly verifying that a user is authorized to access the /popup/logs REST API endpoint. [CVSS 5.4 MEDIUM]

WordPress Industrial PHP
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2025-15147 MEDIUM This Month

WooCommerce Memberships for Multivendor Marketplace versions up to 2.11.8 is affected by authorization bypass through user-controlled key (CVSS 4.3).

WordPress PHP
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-25923 CRITICAL Act Now

my little forum PHP forum software has an unrestricted file upload allowing authenticated users to upload dangerous file types.

PHP Deserialization File Upload My Little Forum
NVD GitHub VulDB
CVSS 3.1
9.1
EPSS
0.0%
CVE-2026-25892 PHP HIGH POC PATCH This Week

Adminer versions 5.4.1 and earlier suffer from a post-message validation bypass that allows remote attackers to trigger denial of service affecting all users. By sending a crafted POST request with array parameters to the version endpoint, an attacker can cause openssl_verify() to receive malformed input, resulting in a TypeError that crashes the application and returns HTTP 500 errors. Public exploit code exists for this vulnerability; administrators should upgrade to version 5.4.2 immediately.

PHP OpenSSL Adminer Suse
NVD GitHub
CVSS 3.1
7.5
EPSS
2.5%
CVE-2026-25498 PHP HIGH POC PATCH This Week

Craft is a platform for creating digital experiences. [CVSS 7.2 HIGH]

PHP RCE Craft Cms
NVD GitHub
CVSS 3.1
7.2
EPSS
0.2%
CVE-2026-2226 LOW POC Monitor

Unrestricted file upload in DouPHP versions up to 1.9 allows remote attackers with administrative privileges to bypass upload restrictions via manipulation of the sql_filename parameter in the ZIP File Handler component. Public exploit code exists for this vulnerability, and no patch is currently available.

PHP Authentication Bypass File Upload
NVD GitHub VulDB
CVSS 4.0
2.0
EPSS
0.0%
CVE-2026-2225 MEDIUM POC This Month

SQL injection in the News Portal Project 1.0 administrator login interface allows unauthenticated remote attackers to manipulate the email parameter and execute arbitrary database queries. Public exploit code exists for this vulnerability, and no patch is currently available. An attacker could exploit this to extract sensitive data, modify database contents, or potentially escalate privileges within the application.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-2224 LOW POC Monitor

A vulnerability was detected in code-projects Online Reviewer System 1.0. This affects an unknown part of the file /system/system/admins/manage/users/btn_functions.php. [CVSS 3.5 LOW]

PHP XSS
NVD GitHub VulDB
CVSS 4.0
2.0
EPSS
0.0%
CVE-2026-2223 MEDIUM POC This Month

SQL injection in code-projects Online Reviewer System 1.0 via the ID parameter in the assessment module allows unauthenticated remote attackers to execute arbitrary SQL queries and potentially access or modify sensitive data. Public exploit code exists for this vulnerability, and no patch is currently available.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-2222 LOW POC Monitor

A weakness has been identified in code-projects Online Reviewer System 1.0. Affected by this vulnerability is an unknown functionality of the file /system/system/admins/manage/users/btn_functions.php. [CVSS 2.4 LOW]

PHP XSS
NVD GitHub VulDB
CVSS 4.0
1.9
EPSS
0.0%
CVE-2026-2221 MEDIUM POC This Month

SQL injection in the login component of code-projects Online Reviewer System 1.0 allows unauthenticated remote attackers to manipulate the Username parameter and execute arbitrary database queries. Public exploit code exists for this vulnerability, which affects PHP-based installations of the Online Reviewer System. An attacker can exploit this to extract sensitive data, modify database contents, or potentially gain unauthorized system access.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-2220 MEDIUM POC This Month

SQL injection in code-projects Online Reviewer System 1.0 via the difficulty_id parameter in /system/system/admins/assessments/pretest/btn_functions.php allows unauthenticated remote attackers to manipulate database queries and potentially extract sensitive data or modify database contents. Public exploit code exists for this vulnerability, and no patch is currently available.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-2217 MEDIUM POC This Month

SQL injection in itsourcecode Event Management System 1.0 via the ID parameter in /admin/manage_user.php allows unauthenticated remote attackers to execute arbitrary SQL queries and potentially access or modify sensitive data. Public exploit code exists for this vulnerability, and no patch is currently available, putting all affected installations at immediate risk.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-2214 LOW POC Monitor

A weakness has been identified in code-projects for Plugin 1.0. This affects an unknown part of the file /Administrator/PHP/AdminAddAlbum.php. [CVSS 2.4 LOW]

PHP XSS
NVD GitHub VulDB
CVSS 4.0
1.9
EPSS
0.0%
CVE-2026-2213 LOW POC Monitor

Unrestricted file upload in Online Music Site 1.0's AdminAddAlbum.php allows authenticated administrators with high privileges to upload arbitrary files via the txtimage parameter. Public exploit code exists for this vulnerability, enabling remote attackers to potentially execute malicious code or compromise the application. The affected component impacts both the PHP runtime and the vulnerable web application, with no patch currently available.

PHP Authentication Bypass File Upload
NVD GitHub VulDB
CVSS 4.0
2.0
EPSS
0.0%
CVE-2026-2212 MEDIUM POC This Month

SQL injection in code-projects Online Music Site 1.0 allows unauthenticated remote attackers to manipulate the ID parameter in AdminEditCategory.php, enabling unauthorized database access and modification. Public exploit code exists for this vulnerability, and no patch is currently available, leaving affected installations at immediate risk.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-2211 MEDIUM POC This Month

Online Music Site versions up to 1.0 contains a vulnerability that allows attackers to sql injection (CVSS 7.3).

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-2199 MEDIUM POC This Month

SQL injection in code-projects Online Reviewer System 1.0 allows unauthenticated remote attackers to manipulate the ID parameter in the user deletion function, potentially leading to unauthorized database access and modification. Public exploit code exists for this vulnerability, and no patch is currently available, leaving affected installations vulnerable to active exploitation.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-2198 MEDIUM POC This Month

SQL injection in code-projects Online Reviewer System 1.0 via the difficulty_id parameter in /system/system/admins/assessments/pretest/loaddata.php allows remote attackers to execute arbitrary SQL queries without authentication. Public exploit code exists for this vulnerability, and no patch is currently available. Successful exploitation could result in unauthorized data access, modification, or deletion within the application database.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-2197 MEDIUM POC This Month

SQL injection in code-projects Online Reviewer System 1.0 allows remote attackers to manipulate the test_id parameter in the exam-delete.php file, enabling unauthorized database access and modification without authentication. The vulnerability has public exploit code available and currently lacks a patch, posing an immediate risk to unpatched installations. Affected organizations using this system should prioritize mitigation strategies while awaiting official remediation.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-2196 MEDIUM POC This Month

SQL injection in code-projects Online Reviewer System 1.0 allows unauthenticated remote attackers to manipulate the test_id parameter in the exam-update.php endpoint, enabling unauthorized database access and modification. Public exploit code exists for this vulnerability, and no patch is currently available.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-2195 MEDIUM POC This Month

SQL injection in code-projects Online Reviewer System 1.0 via the ID parameter in the questions-view.php file allows unauthenticated remote attackers to execute arbitrary SQL queries and potentially access or modify database contents. Public exploit code exists for this vulnerability, and no patch is currently available, leaving affected installations at active risk.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-2190 MEDIUM POC This Month

SQL injection in itsourcecode School Management System 1.0 via the ID parameter in /ramonsys/user/controller.php allows unauthenticated remote attackers to execute arbitrary SQL queries and potentially access or modify sensitive data. Public exploit code exists for this vulnerability, increasing the risk of active exploitation. No patch is currently available, requiring organizations to implement alternative mitigations or restrict access to vulnerable systems.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-2189 MEDIUM POC This Month

SQL injection in itsourcecode School Management System 1.0 allows unauthenticated remote attackers to manipulate the 'ay' parameter in /ramonsys/report/index.php, potentially enabling data exfiltration, modification, or service disruption. Public exploit code exists for this vulnerability and no patch is currently available, creating immediate risk for deployed instances.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-2184 HIGH POC This Week

OS command injection in Great Developers Certificate Generation System's CSV processing functionality allows unauthenticated remote attackers to execute arbitrary system commands through the photo parameter in /restructured/csv.php. Public exploit code exists for this vulnerability, and no patch is currently available, affecting systems using the abandoned project with a rolling release model.

PHP Command Injection Certificate
NVD GitHub VulDB
CVSS 3.1
7.3
EPSS
0.2%
CVE-2026-2183 MEDIUM POC This Month

Unrestricted file upload in Great Developers Certificate Generation System's CSV processing endpoint allows authenticated attackers to upload arbitrary files remotely. Public exploit code exists for this vulnerability, though no patch is available and the project is no longer actively maintained. The vulnerability affects PHP-based certificate generation functionality with medium severity (CVSS 6.3).

PHP Certificate
NVD GitHub VulDB
CVSS 3.1
6.3
EPSS
0.0%
CVE-2026-2179 LOW POC Monitor

SQL injection in PHPGurukul Hospital Management System 4.0's user management interface allows remote attackers with administrative privileges to manipulate the ID parameter and execute arbitrary database queries. Public exploit code exists for this vulnerability, though no patch is currently available. The attack requires high-level credentials but poses risks to data confidentiality, integrity, and availability within affected hospital deployments.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
2.0
EPSS
0.0%
CVE-2026-2173 HIGH This Week

SQL injection in code-projects Online Examination System 1.0 allows unauthenticated remote attackers to manipulate the username and password parameters in login.php, potentially enabling unauthorized access to sensitive data or system compromise. The vulnerability requires no user interaction and can be exploited over the network with low complexity. No patch is currently available for this issue.

PHP SQLi Online Examination System
NVD VulDB
CVSS 3.1
7.3
EPSS
0.0%
CVE-2026-2172 MEDIUM This Month

Online Application System For Admission versions up to 1.0 contains a vulnerability that allows attackers to sql injection (CVSS 7.3).

PHP SQLi
NVD VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-2171 MEDIUM This Month

SQL injection in the login function of code-projects Online Student Management System 1.0 allows unauthenticated attackers to manipulate username and password parameters in accounts.php, enabling unauthorized data access, modification, and potential service disruption. Public exploit code is available for this vulnerability, increasing exploitation risk. No patch is currently available.

PHP SQLi
NVD VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-2166 MEDIUM POC This Month

SQL injection in the Online Reviewer System 1.0 login function allows unauthenticated remote attackers to manipulate username and password parameters, potentially enabling unauthorized database access and data modification. With public exploit code available and no patch released, this vulnerability poses an immediate risk to deployed instances.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-2165 MEDIUM POC This Month

Detronetdip E-commerce 1.0.0 contains an authentication bypass vulnerability in the seller account creation endpoint that allows unauthenticated remote attackers to manipulate the email parameter and gain unauthorized access. The vulnerability affects PHP-based e-commerce installations and has public exploit code available, though no patch is currently available from the vendor.

PHP Authentication Bypass
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.2%
CVE-2026-2164 MEDIUM POC This Month

Unrestricted file upload in detronetdip E-commerce 1.0.0 via the /seller/assets/backend/profile/addadhar.php endpoint allows unauthenticated remote attackers to upload arbitrary files. Public exploit code exists for this vulnerability, and the vendor has not yet released a patch despite early notification.

PHP Authentication Bypass File Upload
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.1%
CVE-2026-2162 LOW POC Monitor

SQL injection in the News Portal Project 1.0 admin panel (/admin/aboutus.php) allows authenticated attackers with high privileges to manipulate the pagetitle parameter and execute arbitrary SQL queries, potentially compromising database integrity and confidentiality. Public exploit code exists for this vulnerability, and no patch is currently available. The attack requires network access and valid administrative credentials but no user interaction.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
2.0
EPSS
0.0%
CVE-2026-2161 MEDIUM POC This Month

SQL injection in itsourcecode Directory Management System 1.0 allows unauthenticated remote attackers to manipulate the email parameter in /admin/forget-password.php and execute arbitrary database queries. Public exploit code exists for this vulnerability and no patch is currently available. An attacker can leverage this to extract sensitive data or modify database contents with minimal complexity.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-2160 LOW POC Monitor

Simple Responsive Tourism Website versions up to 1.0 is affected by cross-site scripting (xss) (CVSS 4.3).

PHP XSS
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-2159 LOW POC Monitor

Simple Responsive Tourism Website versions up to 1.0 is affected by cross-site scripting (xss) (CVSS 4.3).

PHP XSS
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-2158 HIGH POC This Week

SQL injection in the Student Web Portal 1.0 /check_user.php endpoint allows unauthenticated remote attackers to manipulate the Username parameter and execute arbitrary database queries. The vulnerability enables attackers to read, modify, or delete sensitive data with public exploit code readily available. This affects PHP-based installations of the Student Web Portal with no patch currently available.

PHP SQLi Student Web Portal
NVD GitHub VulDB
CVSS 3.1
7.3
EPSS
0.0%
CVE-2026-2156 LOW POC Monitor

Online Student Management System versions up to 1.0 is affected by cross-site scripting (xss) (CVSS 2.4).

PHP XSS
NVD GitHub VulDB
CVSS 4.0
1.9
EPSS
0.0%
CVE-2026-2154 LOW POC Monitor

Patients Waiting Area Queue Management System versions up to 1.0 is affected by cross-site scripting (xss) (CVSS 4.3).

PHP XSS
NVD VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-2152 HIGH POC This Week

Unauthenticated remote attackers can execute arbitrary OS commands on D-Link DIR-615 4.10 routers through manipulated routing parameters in the web configuration interface, requiring only network access and no user interaction. Public exploit code is available for this vulnerability, and D-Link has not released a patch for the end-of-life device.

D-Link PHP Command Injection Dir 615 Firmware
NVD VulDB
CVSS 3.1
7.2
EPSS
1.9%
CVE-2026-2151 HIGH POC This Week

Remote code execution in D-Link DIR-615 firmware through os command injection via the dmz_ipaddr parameter in the DMZ Host Feature allows authenticated attackers to execute arbitrary commands with high privileges. Public exploit code exists for this vulnerability, which affects unsupported product versions with no available patch. The attack requires high-level authentication but can be launched over the network without user interaction.

D-Link PHP Command Injection Dir 615 Firmware
NVD VulDB
CVSS 3.1
7.2
EPSS
0.4%
CVE-2026-2150 LOW POC Monitor

Patients Waiting Area Queue Management System versions up to 1.0 is affected by cross-site scripting (xss) (CVSS 4.3).

PHP XSS
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-2149 LOW POC Monitor

Patients Waiting Area Queue Management System versions up to 1.0 is affected by cross-site scripting (xss) (CVSS 4.3).

PHP XSS
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-2136 MEDIUM POC This Month

Online Food Ordering System versions up to 1.0 contains a vulnerability that allows attackers to sql injection (CVSS 7.3).

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-2134 LOW POC Monitor

PHPGurukul Hospital Management System 4.0 contains a SQL injection vulnerability in the doctor management interface that allows authenticated remote attackers to manipulate the ID parameter and execute arbitrary database queries. Public exploit code exists for this vulnerability, and no patch is currently available. An attacker with administrative credentials could potentially extract or modify sensitive hospital data.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
2.0
EPSS
0.0%
CVE-2026-2133 MEDIUM POC This Month

Unrestricted file upload in Online Music Site 1.0's AdminUpdateCategory.php allows unauthenticated remote attackers to upload arbitrary files by manipulating the txtimage parameter. Public exploit code exists for this vulnerability, enabling potential remote code execution and system compromise. A security patch is not currently available, leaving affected installations vulnerable to active exploitation.

PHP Authentication Bypass File Upload
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-2132 MEDIUM POC This Month

SQL injection in Online Music Site 1.0's AdminUpdateCategory.php allows unauthenticated remote attackers to manipulate the txtcat parameter and execute arbitrary SQL queries. Public exploit code exists for this vulnerability, with no patch currently available. The attack requires no user interaction and can compromise the confidentiality, integrity, and availability of the underlying database.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2025-15100 HIGH This Week

The JAY Login & Register plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 2.6.03. This is due to the plugin allowing a user to update arbitrary user meta through the 'jay_panel_ajax_update_profile' function. [CVSS 8.8 HIGH]

WordPress Privilege Escalation PHP
NVD
CVSS 3.1
8.8
EPSS
0.0%
CVE-2025-15027 CRITICAL Act Now

Privilege escalation in JAY Login & Register WordPress plugin allows unauthenticated attackers to register as administrators. All versions up to 1.1.6 affected.

WordPress Privilege Escalation PHP
NVD
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-2122 LOW Monitor

SQL injection in Xiaopi Panel's WAF Firewall component (up to version 20260126) allows authenticated remote attackers to manipulate the ID parameter in /demo.php and execute arbitrary SQL queries. Public exploit code is available and the vendor has not provided a patch despite early notification. This vulnerability requires valid credentials to exploit but enables attackers to access or modify sensitive database information.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-2117 MEDIUM POC This Month

SQL injection in itsourcecode Society Management System 1.0 allows unauthenticated remote attackers to manipulate the activity_id parameter in /admin/edit_activity.php, enabling data exfiltration, modification, or denial of service. Public exploit code exists for this vulnerability, and no patch is currently available.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-2116 MEDIUM POC This Month

SQL injection in itsourcecode Society Management System 1.0's expense editing functionality allows unauthenticated remote attackers to manipulate the expenses_id parameter and execute arbitrary database queries. Public exploit code exists for this vulnerability, and no patch is currently available. The flaw enables attackers to access, modify, or delete sensitive financial data with minimal complexity.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-2115 MEDIUM POC This Month

SQL injection in itsourcecode Society Management System 1.0 allows unauthenticated remote attackers to manipulate the expenses_id parameter in /admin/delete_expenses.php, enabling unauthorized database access and modification. Public exploit code exists for this vulnerability, and no patch is currently available, leaving affected installations at immediate risk.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-2114 MEDIUM POC This Month

SQL injection in itsourcecode Society Management System 1.0 through the admin_id parameter in /admin/edit_admin.php allows unauthenticated remote attackers to manipulate the database. Public exploit code exists for this vulnerability, and no patch is currently available, putting all installations at immediate risk of data compromise.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-2113 MEDIUM POC This Month

Unsafe deserialization in yuan1994 tpadmin versions up to 1.3.12 allows remote attackers to execute arbitrary code via the WebUploader preview.php component without authentication. Public exploit code exists for this vulnerability, and affected installations running unsupported versions face immediate risk. The flaw enables complete system compromise with no patch available from the maintainer.

PHP Deserialization
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-2110 LOW POC Monitor

A security flaw has been discovered in Tasin1025 SwiftBuy up to 0f5011372e8d1d7edfd642d57d721c9fadc54ec7. Affected by this vulnerability is an unknown functionality of the file /login.php. Performing a manipulation results in improper restriction of excessive authentication attempts. Remote exploitation of the attack is possible. The attack's complexity is rated as high. The exploitation appears to be difficult. The exploit has been released to the public and may be used for attacks. This pro...

PHP Information Disclosure
NVD VulDB
CVSS 4.0
2.9
EPSS
0.1%
CVE-2026-2090 MEDIUM This Month

Online Class Record System versions up to 1.0 contains a vulnerability that allows attackers to sql injection (CVSS 7.3).

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
EPSS 0% CVSS 4.4
MEDIUM This Month

The Link Hopper plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘hop_name’ parameter in all versions up to, and including, 2.5 due to insufficient input sanitization and output escaping. [CVSS 4.4 MEDIUM]

WordPress XSS PHP
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

The LatePoint - Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 5.2.5. [CVSS 4.3 MEDIUM]

WordPress CSRF PHP
NVD
EPSS 0% CVSS 5.7
MEDIUM PATCH This Month

Versions of the package directorytree/imapengine versions up to 1.22.3 contains a vulnerability that allows attackers to read or delete victim's emails, terminate the victim's session or execute any va (CVSS 7.6).

PHP Code Injection
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM This Month

The WP Last Modified Info plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.9.5. This is due to the plugin not validating a user's access to a post before modifying its metadata in the 'bulk_save' AJAX action. This makes it possible for authenticated attackers, with Author-level access and above, to update the last modified metadata and lock the modification date of arbitrary posts, including those created by Administrators via the ...

WordPress PHP
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM This Month

Easy Form Builder (WordPress plugin) versions up to 3.9.3. is affected by missing authorization (CVSS 5.3).

WordPress PHP
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

The StickEasy Protected Contact Form plugin for WordPress is vulnerable to Sensitive Information Disclosure in all versions up to, and including, 1.0.2. The plugin stores spam detection logs at a predictable publicly accessible location (wp-content/uploads/stickeasy-protected-contact-form/spcf-log.txt). This makes it possible for unauthenticated attackers to download the log file and access sensitive information including visitor IP addresses, email addresses, and comment snippets from contac...

WordPress Information Disclosure PHP
NVD
EPSS 0% CVSS 4.9
MEDIUM This Month

The BFG Tools - Extension Zipper plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.0.7. This is due to insufficient input validation on the user-supplied `first_file` parameter in the `zip()` function. [CVSS 4.9 MEDIUM]

WordPress PHP Path Traversal
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

SQL injection in Advanced Popup Creator PrestaShop module 1.1.26-1.2.6. Fixed in 1.2.7.

PHP SQLi
NVD
EPSS 0% CVSS 8.8
HIGH This Week

The Starfish Review Generation & Marketing for WordPress plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the 'srm_restore_options_defaults' function in all versions up to, and including, 3.1.19. [CVSS 8.8 HIGH]

WordPress Privilege Escalation PHP
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

The RegistrationMagic WordPress plugin before 6.0.7.2 checks nonces but not capabilities, allowing for the disclosure of some sensitive data to subscribers and above. [CVSS 4.3 MEDIUM]

WordPress PHP
NVD WPScan
EPSS 0% CVSS 7.5
HIGH POC This Week

Centova Cast 3.2.12 contains a denial of service vulnerability that allows attackers to overwhelm the system by repeatedly calling the database export API endpoint. Attackers can trigger 100% CPU load by sending multiple concurrent requests to the /api.php endpoint with crafted parameters. [CVSS 7.5 HIGH]

PHP Denial Of Service
NVD Exploit-DB
EPSS 0% CVSS 9.8
CRITICAL POC Act Now

Username enumeration in OwnCloud 8.1.8 via share.php endpoint. PoC available.

PHP
NVD Exploit-DB
EPSS 0% CVSS 8.2
HIGH POC This Week

Thrive Smart Home 1.1 contains an SQL injection vulnerability in the checklogin.php endpoint that allows unauthenticated attackers to bypass authentication by manipulating the 'user' POST parameter. [CVSS 8.2 HIGH]

PHP SQLi Authentication Bypass
NVD Exploit-DB
EPSS 0% CVSS 6.5
MEDIUM POC This Month

E Learning Script 1.0 contains an authentication bypass vulnerability that allows attackers to access the dashboard without valid credentials by manipulating login parameters. [CVSS 6.5 MEDIUM]

PHP Authentication Bypass
NVD GitHub Exploit-DB
EPSS 0% CVSS 9.8
CRITICAL POC PATCH Act Now

CGI path splitting vulnerability in FrankenPHP before 1.11.2 — Unicode characters bypass path validation during CGI processing. PoC and patch available.

PHP Golang Frankenphp +1
NVD GitHub
EPSS 0% CVSS 9.0
CRITICAL Act Now

CSRF leading to privilege escalation in Dolibarr ERP & CRM v.22.0.9. Attackers can escalate privileges via the notes field in permission management.

PHP
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL Act Now

Privilege escalation in Prime Listing Manager WordPress plugin through 1.1 allows unauthenticated administrative access.

WordPress PHP
NVD WPScan
EPSS 0% CVSS 9.8
CRITICAL POC Act Now

RCE in Chevereto 3.13.4 image hosting via code injection during database configuration. Allows injecting code during installation/setup. PoC available.

PHP RCE
NVD GitHub Exploit-DB
EPSS 0% CVSS 7.5
HIGH POC This Week

Avideo versions up to 8.1 contains a vulnerability that allows attackers to enumerate user details through the playlistsFromUser (CVSS 7.5).

PHP Information Disclosure Avideo
NVD GitHub Exploit-DB
EPSS 0% CVSS 6.5
MEDIUM POC This Month

login.php contains a vulnerability that allows attackers to access the dashboard without valid credentials (CVSS 6.5).

PHP Authentication Bypass
NVD GitHub Exploit-DB
EPSS 0% CVSS 6.9
MEDIUM This Month

MiniGal Nano 0.3.5 and earlier are vulnerable to a path traversal attack in the dir parameter that bypasses insufficient dot-dot sequence filtering, allowing unauthenticated remote attackers to access and enumerate image files from arbitrary filesystem locations readable by the web server. This results in confidential information disclosure from unintended directories. No patch is currently available.

PHP Path Traversal Information Disclosure +1
NVD VulDB
EPSS 0% CVSS 5.1
MEDIUM This Month

Reflected XSS in MiniGal Nano 0.3.5 and earlier allows unauthenticated remote attackers to inject malicious scripts through the dir parameter in index.php, enabling arbitrary JavaScript execution in victim browsers. The vulnerability stems from insufficient output encoding when constructing error messages with user-supplied input. No patch is currently available for affected installations.

PHP XSS Minigal Nano
NVD VulDB
EPSS 0% CVSS 6.4
MEDIUM POC This Month

GOautodial 4.0 contains a persistent cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts through the event title parameter. [CVSS 6.4 MEDIUM]

PHP XSS
NVD Exploit-DB
EPSS 0% CVSS 8.8
HIGH This Week

PHP object injection in wpForo Forum plugin versions up to 2.4.13 allows authenticated subscribers and above to deserialize untrusted data, potentially enabling arbitrary file deletion, data theft, or code execution if a POP chain exists in installed plugins or themes. The vulnerability requires an additional gadget chain to be exploitable, making its impact dependent on the broader plugin ecosystem of the target WordPress installation.

WordPress PHP Deserialization
NVD
EPSS 0% CVSS 8.8
HIGH This Week

The 'Videospirecore Theme Plugin' plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.0.6. This is due to the plugin not properly validating a user's identity prior to updating their details like email. This makes it possible for authenticated attackers, with Subscriber-level access and above, to change arbitrary user's email addresses, including administrators, and leverage that to reset the user's password and gain access t...

WordPress Privilege Escalation PHP
NVD
EPSS 0% CVSS 7.2
HIGH This Week

The iONE360 configurator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Contact Form Parameters in all versions up to, and including, 2.0.57 due to insufficient input sanitization and output escaping. [CVSS 7.2 HIGH]

WordPress XSS PHP
NVD
EPSS 0% CVSS 9.8
CRITICAL POC Act Now

Unauthenticated arbitrary file upload in WPvivid Backup & Migration WordPress plugin. EPSS 0.44%.

WordPress PHP OpenSSL +2
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

WP eCommerce WordPre versions up to 3.15.1 is affected by deserialization of untrusted data (CVSS 6.5).

WordPress PHP Deserialization
NVD WPScan
EPSS 0% CVSS 4.3
MEDIUM This Month

The Gallery by FooGallery plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the ajax_get_gallery_info() function in all versions up to, and including, 3.1.9. [CVSS 4.3 MEDIUM]

WordPress PHP
NVD
EPSS 0% CVSS 7.2
HIGH This Week

Lucky Wheel Giveaway (WordPress plugin) versions up to 1.0.22 is affected by code injection (CVSS 7.2).

WordPress RCE PHP
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

The SlimStat Analytics plugin for WordPress is vulnerable to time-based SQL Injection via the ‘args’ parameter in all versions up to, and including, 5.3.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. [CVSS 6.5 MEDIUM]

WordPress Industrial SQLi +1
NVD
EPSS 0% CVSS 7.5
HIGH POC PATCH This Week

Arbitrary PHP code execution in ClipBucket v5 prior to 5.5.3-#40 through a race condition in file upload validation, where files are moved to a web-accessible directory before security checks are performed. An authenticated attacker can exploit the time window between file placement and validation deletion to execute malicious PHP code on the server. Public exploit code exists for this vulnerability.

PHP Race Condition Clipbucket
NVD GitHub
EPSS 0% CVSS 5.4
MEDIUM This Month

The PopupKit plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 2.2.0. This is due to the plugin not properly verifying that a user is authorized to access the /popup/logs REST API endpoint. [CVSS 5.4 MEDIUM]

WordPress Industrial PHP
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

WooCommerce Memberships for Multivendor Marketplace versions up to 2.11.8 is affected by authorization bypass through user-controlled key (CVSS 4.3).

WordPress PHP
NVD
EPSS 0% CVSS 9.1
CRITICAL Act Now

my little forum PHP forum software has an unrestricted file upload allowing authenticated users to upload dangerous file types.

PHP Deserialization File Upload +1
NVD GitHub VulDB
EPSS 2% CVSS 7.5
HIGH POC PATCH This Week

Adminer versions 5.4.1 and earlier suffer from a post-message validation bypass that allows remote attackers to trigger denial of service affecting all users. By sending a crafted POST request with array parameters to the version endpoint, an attacker can cause openssl_verify() to receive malformed input, resulting in a TypeError that crashes the application and returns HTTP 500 errors. Public exploit code exists for this vulnerability; administrators should upgrade to version 5.4.2 immediately.

PHP OpenSSL Adminer +1
NVD GitHub
EPSS 0% CVSS 7.2
HIGH POC PATCH This Week

Craft is a platform for creating digital experiences. [CVSS 7.2 HIGH]

PHP RCE Craft Cms
NVD GitHub
EPSS 0% CVSS 2.0
LOW POC Monitor

Unrestricted file upload in DouPHP versions up to 1.9 allows remote attackers with administrative privileges to bypass upload restrictions via manipulation of the sql_filename parameter in the ZIP File Handler component. Public exploit code exists for this vulnerability, and no patch is currently available.

PHP Authentication Bypass File Upload
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in the News Portal Project 1.0 administrator login interface allows unauthenticated remote attackers to manipulate the email parameter and execute arbitrary database queries. Public exploit code exists for this vulnerability, and no patch is currently available. An attacker could exploit this to extract sensitive data, modify database contents, or potentially escalate privileges within the application.

PHP SQLi
NVD GitHub VulDB
EPSS 0% CVSS 2.0
LOW POC Monitor

A vulnerability was detected in code-projects Online Reviewer System 1.0. This affects an unknown part of the file /system/system/admins/manage/users/btn_functions.php. [CVSS 3.5 LOW]

PHP XSS
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in code-projects Online Reviewer System 1.0 via the ID parameter in the assessment module allows unauthenticated remote attackers to execute arbitrary SQL queries and potentially access or modify sensitive data. Public exploit code exists for this vulnerability, and no patch is currently available.

PHP SQLi
NVD GitHub VulDB
EPSS 0% CVSS 1.9
LOW POC Monitor

A weakness has been identified in code-projects Online Reviewer System 1.0. Affected by this vulnerability is an unknown functionality of the file /system/system/admins/manage/users/btn_functions.php. [CVSS 2.4 LOW]

PHP XSS
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in the login component of code-projects Online Reviewer System 1.0 allows unauthenticated remote attackers to manipulate the Username parameter and execute arbitrary database queries. Public exploit code exists for this vulnerability, which affects PHP-based installations of the Online Reviewer System. An attacker can exploit this to extract sensitive data, modify database contents, or potentially gain unauthorized system access.

PHP SQLi
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in code-projects Online Reviewer System 1.0 via the difficulty_id parameter in /system/system/admins/assessments/pretest/btn_functions.php allows unauthenticated remote attackers to manipulate database queries and potentially extract sensitive data or modify database contents. Public exploit code exists for this vulnerability, and no patch is currently available.

PHP SQLi
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in itsourcecode Event Management System 1.0 via the ID parameter in /admin/manage_user.php allows unauthenticated remote attackers to execute arbitrary SQL queries and potentially access or modify sensitive data. Public exploit code exists for this vulnerability, and no patch is currently available, putting all affected installations at immediate risk.

PHP SQLi
NVD GitHub VulDB
EPSS 0% CVSS 1.9
LOW POC Monitor

A weakness has been identified in code-projects for Plugin 1.0. This affects an unknown part of the file /Administrator/PHP/AdminAddAlbum.php. [CVSS 2.4 LOW]

PHP XSS
NVD GitHub VulDB
EPSS 0% CVSS 2.0
LOW POC Monitor

Unrestricted file upload in Online Music Site 1.0's AdminAddAlbum.php allows authenticated administrators with high privileges to upload arbitrary files via the txtimage parameter. Public exploit code exists for this vulnerability, enabling remote attackers to potentially execute malicious code or compromise the application. The affected component impacts both the PHP runtime and the vulnerable web application, with no patch currently available.

PHP Authentication Bypass File Upload
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in code-projects Online Music Site 1.0 allows unauthenticated remote attackers to manipulate the ID parameter in AdminEditCategory.php, enabling unauthorized database access and modification. Public exploit code exists for this vulnerability, and no patch is currently available, leaving affected installations at immediate risk.

PHP SQLi
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM POC This Month

Online Music Site versions up to 1.0 contains a vulnerability that allows attackers to sql injection (CVSS 7.3).

PHP SQLi
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in code-projects Online Reviewer System 1.0 allows unauthenticated remote attackers to manipulate the ID parameter in the user deletion function, potentially leading to unauthorized database access and modification. Public exploit code exists for this vulnerability, and no patch is currently available, leaving affected installations vulnerable to active exploitation.

PHP SQLi
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in code-projects Online Reviewer System 1.0 via the difficulty_id parameter in /system/system/admins/assessments/pretest/loaddata.php allows remote attackers to execute arbitrary SQL queries without authentication. Public exploit code exists for this vulnerability, and no patch is currently available. Successful exploitation could result in unauthorized data access, modification, or deletion within the application database.

PHP SQLi
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in code-projects Online Reviewer System 1.0 allows remote attackers to manipulate the test_id parameter in the exam-delete.php file, enabling unauthorized database access and modification without authentication. The vulnerability has public exploit code available and currently lacks a patch, posing an immediate risk to unpatched installations. Affected organizations using this system should prioritize mitigation strategies while awaiting official remediation.

PHP SQLi
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in code-projects Online Reviewer System 1.0 allows unauthenticated remote attackers to manipulate the test_id parameter in the exam-update.php endpoint, enabling unauthorized database access and modification. Public exploit code exists for this vulnerability, and no patch is currently available.

PHP SQLi
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in code-projects Online Reviewer System 1.0 via the ID parameter in the questions-view.php file allows unauthenticated remote attackers to execute arbitrary SQL queries and potentially access or modify database contents. Public exploit code exists for this vulnerability, and no patch is currently available, leaving affected installations at active risk.

PHP SQLi
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in itsourcecode School Management System 1.0 via the ID parameter in /ramonsys/user/controller.php allows unauthenticated remote attackers to execute arbitrary SQL queries and potentially access or modify sensitive data. Public exploit code exists for this vulnerability, increasing the risk of active exploitation. No patch is currently available, requiring organizations to implement alternative mitigations or restrict access to vulnerable systems.

PHP SQLi
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in itsourcecode School Management System 1.0 allows unauthenticated remote attackers to manipulate the 'ay' parameter in /ramonsys/report/index.php, potentially enabling data exfiltration, modification, or service disruption. Public exploit code exists for this vulnerability and no patch is currently available, creating immediate risk for deployed instances.

PHP SQLi
NVD GitHub VulDB
EPSS 0% CVSS 7.3
HIGH POC This Week

OS command injection in Great Developers Certificate Generation System's CSV processing functionality allows unauthenticated remote attackers to execute arbitrary system commands through the photo parameter in /restructured/csv.php. Public exploit code exists for this vulnerability, and no patch is currently available, affecting systems using the abandoned project with a rolling release model.

PHP Command Injection Certificate
NVD GitHub VulDB
EPSS 0% CVSS 6.3
MEDIUM POC This Month

Unrestricted file upload in Great Developers Certificate Generation System's CSV processing endpoint allows authenticated attackers to upload arbitrary files remotely. Public exploit code exists for this vulnerability, though no patch is available and the project is no longer actively maintained. The vulnerability affects PHP-based certificate generation functionality with medium severity (CVSS 6.3).

PHP Certificate
NVD GitHub VulDB
EPSS 0% CVSS 2.0
LOW POC Monitor

SQL injection in PHPGurukul Hospital Management System 4.0's user management interface allows remote attackers with administrative privileges to manipulate the ID parameter and execute arbitrary database queries. Public exploit code exists for this vulnerability, though no patch is currently available. The attack requires high-level credentials but poses risks to data confidentiality, integrity, and availability within affected hospital deployments.

PHP SQLi
NVD GitHub VulDB
EPSS 0% CVSS 7.3
HIGH This Week

SQL injection in code-projects Online Examination System 1.0 allows unauthenticated remote attackers to manipulate the username and password parameters in login.php, potentially enabling unauthorized access to sensitive data or system compromise. The vulnerability requires no user interaction and can be exploited over the network with low complexity. No patch is currently available for this issue.

PHP SQLi Online Examination System
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM This Month

Online Application System For Admission versions up to 1.0 contains a vulnerability that allows attackers to sql injection (CVSS 7.3).

PHP SQLi
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM This Month

SQL injection in the login function of code-projects Online Student Management System 1.0 allows unauthenticated attackers to manipulate username and password parameters in accounts.php, enabling unauthorized data access, modification, and potential service disruption. Public exploit code is available for this vulnerability, increasing exploitation risk. No patch is currently available.

PHP SQLi
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in the Online Reviewer System 1.0 login function allows unauthenticated remote attackers to manipulate username and password parameters, potentially enabling unauthorized database access and data modification. With public exploit code available and no patch released, this vulnerability poses an immediate risk to deployed instances.

PHP SQLi
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM POC This Month

Detronetdip E-commerce 1.0.0 contains an authentication bypass vulnerability in the seller account creation endpoint that allows unauthenticated remote attackers to manipulate the email parameter and gain unauthorized access. The vulnerability affects PHP-based e-commerce installations and has public exploit code available, though no patch is currently available from the vendor.

PHP Authentication Bypass
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM POC This Month

Unrestricted file upload in detronetdip E-commerce 1.0.0 via the /seller/assets/backend/profile/addadhar.php endpoint allows unauthenticated remote attackers to upload arbitrary files. Public exploit code exists for this vulnerability, and the vendor has not yet released a patch despite early notification.

PHP Authentication Bypass File Upload
NVD GitHub VulDB
EPSS 0% CVSS 2.0
LOW POC Monitor

SQL injection in the News Portal Project 1.0 admin panel (/admin/aboutus.php) allows authenticated attackers with high privileges to manipulate the pagetitle parameter and execute arbitrary SQL queries, potentially compromising database integrity and confidentiality. Public exploit code exists for this vulnerability, and no patch is currently available. The attack requires network access and valid administrative credentials but no user interaction.

PHP SQLi
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in itsourcecode Directory Management System 1.0 allows unauthenticated remote attackers to manipulate the email parameter in /admin/forget-password.php and execute arbitrary database queries. Public exploit code exists for this vulnerability and no patch is currently available. An attacker can leverage this to extract sensitive data or modify database contents with minimal complexity.

PHP SQLi
NVD GitHub VulDB
EPSS 0% CVSS 2.1
LOW POC Monitor

Simple Responsive Tourism Website versions up to 1.0 is affected by cross-site scripting (xss) (CVSS 4.3).

PHP XSS
NVD GitHub VulDB
EPSS 0% CVSS 2.1
LOW POC Monitor

Simple Responsive Tourism Website versions up to 1.0 is affected by cross-site scripting (xss) (CVSS 4.3).

PHP XSS
NVD GitHub VulDB
EPSS 0% CVSS 7.3
HIGH POC This Week

SQL injection in the Student Web Portal 1.0 /check_user.php endpoint allows unauthenticated remote attackers to manipulate the Username parameter and execute arbitrary database queries. The vulnerability enables attackers to read, modify, or delete sensitive data with public exploit code readily available. This affects PHP-based installations of the Student Web Portal with no patch currently available.

PHP SQLi Student Web Portal
NVD GitHub VulDB
EPSS 0% CVSS 1.9
LOW POC Monitor

Online Student Management System versions up to 1.0 is affected by cross-site scripting (xss) (CVSS 2.4).

PHP XSS
NVD GitHub VulDB
EPSS 0% CVSS 2.1
LOW POC Monitor

Patients Waiting Area Queue Management System versions up to 1.0 is affected by cross-site scripting (xss) (CVSS 4.3).

PHP XSS
NVD VulDB
EPSS 2% CVSS 7.2
HIGH POC This Week

Unauthenticated remote attackers can execute arbitrary OS commands on D-Link DIR-615 4.10 routers through manipulated routing parameters in the web configuration interface, requiring only network access and no user interaction. Public exploit code is available for this vulnerability, and D-Link has not released a patch for the end-of-life device.

D-Link PHP Command Injection +1
NVD VulDB
EPSS 0% CVSS 7.2
HIGH POC This Week

Remote code execution in D-Link DIR-615 firmware through os command injection via the dmz_ipaddr parameter in the DMZ Host Feature allows authenticated attackers to execute arbitrary commands with high privileges. Public exploit code exists for this vulnerability, which affects unsupported product versions with no available patch. The attack requires high-level authentication but can be launched over the network without user interaction.

D-Link PHP Command Injection +1
NVD VulDB
EPSS 0% CVSS 2.1
LOW POC Monitor

Patients Waiting Area Queue Management System versions up to 1.0 is affected by cross-site scripting (xss) (CVSS 4.3).

PHP XSS
NVD GitHub VulDB
EPSS 0% CVSS 2.1
LOW POC Monitor

Patients Waiting Area Queue Management System versions up to 1.0 is affected by cross-site scripting (xss) (CVSS 4.3).

PHP XSS
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM POC This Month

Online Food Ordering System versions up to 1.0 contains a vulnerability that allows attackers to sql injection (CVSS 7.3).

PHP SQLi
NVD GitHub VulDB
EPSS 0% CVSS 2.0
LOW POC Monitor

PHPGurukul Hospital Management System 4.0 contains a SQL injection vulnerability in the doctor management interface that allows authenticated remote attackers to manipulate the ID parameter and execute arbitrary database queries. Public exploit code exists for this vulnerability, and no patch is currently available. An attacker with administrative credentials could potentially extract or modify sensitive hospital data.

PHP SQLi
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM POC This Month

Unrestricted file upload in Online Music Site 1.0's AdminUpdateCategory.php allows unauthenticated remote attackers to upload arbitrary files by manipulating the txtimage parameter. Public exploit code exists for this vulnerability, enabling potential remote code execution and system compromise. A security patch is not currently available, leaving affected installations vulnerable to active exploitation.

PHP Authentication Bypass File Upload
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in Online Music Site 1.0's AdminUpdateCategory.php allows unauthenticated remote attackers to manipulate the txtcat parameter and execute arbitrary SQL queries. Public exploit code exists for this vulnerability, with no patch currently available. The attack requires no user interaction and can compromise the confidentiality, integrity, and availability of the underlying database.

PHP SQLi
NVD GitHub VulDB
EPSS 0% CVSS 8.8
HIGH This Week

The JAY Login & Register plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 2.6.03. This is due to the plugin allowing a user to update arbitrary user meta through the 'jay_panel_ajax_update_profile' function. [CVSS 8.8 HIGH]

WordPress Privilege Escalation PHP
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

Privilege escalation in JAY Login & Register WordPress plugin allows unauthenticated attackers to register as administrators. All versions up to 1.1.6 affected.

WordPress Privilege Escalation PHP
NVD
EPSS 0% CVSS 2.1
LOW Monitor

SQL injection in Xiaopi Panel's WAF Firewall component (up to version 20260126) allows authenticated remote attackers to manipulate the ID parameter in /demo.php and execute arbitrary SQL queries. Public exploit code is available and the vendor has not provided a patch despite early notification. This vulnerability requires valid credentials to exploit but enables attackers to access or modify sensitive database information.

PHP SQLi
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in itsourcecode Society Management System 1.0 allows unauthenticated remote attackers to manipulate the activity_id parameter in /admin/edit_activity.php, enabling data exfiltration, modification, or denial of service. Public exploit code exists for this vulnerability, and no patch is currently available.

PHP SQLi
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in itsourcecode Society Management System 1.0's expense editing functionality allows unauthenticated remote attackers to manipulate the expenses_id parameter and execute arbitrary database queries. Public exploit code exists for this vulnerability, and no patch is currently available. The flaw enables attackers to access, modify, or delete sensitive financial data with minimal complexity.

PHP SQLi
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in itsourcecode Society Management System 1.0 allows unauthenticated remote attackers to manipulate the expenses_id parameter in /admin/delete_expenses.php, enabling unauthorized database access and modification. Public exploit code exists for this vulnerability, and no patch is currently available, leaving affected installations at immediate risk.

PHP SQLi
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in itsourcecode Society Management System 1.0 through the admin_id parameter in /admin/edit_admin.php allows unauthenticated remote attackers to manipulate the database. Public exploit code exists for this vulnerability, and no patch is currently available, putting all installations at immediate risk of data compromise.

PHP SQLi
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM POC This Month

Unsafe deserialization in yuan1994 tpadmin versions up to 1.3.12 allows remote attackers to execute arbitrary code via the WebUploader preview.php component without authentication. Public exploit code exists for this vulnerability, and affected installations running unsupported versions face immediate risk. The flaw enables complete system compromise with no patch available from the maintainer.

PHP Deserialization
NVD GitHub VulDB
EPSS 0% CVSS 2.9
LOW POC Monitor

A security flaw has been discovered in Tasin1025 SwiftBuy up to 0f5011372e8d1d7edfd642d57d721c9fadc54ec7. Affected by this vulnerability is an unknown functionality of the file /login.php. Performing a manipulation results in improper restriction of excessive authentication attempts. Remote exploitation of the attack is possible. The attack's complexity is rated as high. The exploitation appears to be difficult. The exploit has been released to the public and may be used for attacks. This pro...

PHP Information Disclosure
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM This Month

Online Class Record System versions up to 1.0 contains a vulnerability that allows attackers to sql injection (CVSS 7.3).

PHP SQLi
NVD GitHub VulDB
Prev Page 37 of 275 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy