Skip to main content

PHP

24709 CVEs product

Monthly

CVE-2026-13559 MEDIUM This Month

SQL injection in code-projects Real State Services 1.0 exposes the `ID` parameter of `/single-list_sale.php?action=add` to remote, unauthenticated query manipulation, enabling attackers to read or modify database contents. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms no authentication or special conditions are required to reach the endpoint, and the E:P modifier confirms publicly available exploit code referenced via a GitHub CVE disclosure. No patch has been issued; this is not currently listed in CISA KEV, indicating no confirmed mass exploitation at time of analysis.

SQLi PHP
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.4%
CVE-2026-13566 MEDIUM POC This Month

Unauthenticated SQL injection in SourceCodester Class and Exam Timetabling System 1.0 exposes backend database contents via the `course_year_section` parameter in `/preview3.php`. The CVSS 4.0 vector confirms network-accessible, no-authentication, no-interaction exploitation (AV:N/AC:L/PR:N/UI:N), and exploit code is publicly available (E:P on GitHub). No active exploitation is confirmed in CISA KEV, but the public POC lowers the bar for opportunistic attacks against any publicly exposed instance.

SQLi PHP Class And Exam Timetabling System
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.3%
CVE-2026-13565 MEDIUM POC This Month

SQL injection in SourceCodester Class and Exam Timetabling System 1.0 exposes database contents through the unsanitized ID parameter in /edit_class1.php, exploitable by unauthenticated remote attackers. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms no prerequisites are required and the attack is fully remote with no user interaction. A public proof-of-concept has been disclosed on GitHub, lowering the exploitation barrier; the product is not currently listed in the CISA KEV catalog.

SQLi PHP Class And Exam Timetabling System
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.3%
CVE-2026-13557 LOW Monitor

Cross-site scripting in itsourcecode Online Hotel Management System 1.0 allows remote attackers to inject arbitrary JavaScript via the unsanitized `Name` parameter in POST requests to `/admin/mod_room/controller.php?action=add`. The CVSS 4.0 base score of 2.1 reflects constrained real-world impact: only vulnerable-system integrity is affected (VI:L), user interaction is required (UI:P), and no confidentiality or availability impact is assessed. A publicly available exploit exists (E:P per CVSS 4.0 supplemental vector), but no active exploitation has been confirmed via CISA KEV, consistent with the niche deployment footprint of this free PHP educational project.

XSS PHP
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.4%
CVE-2026-13556 LOW Monitor

Cross-site scripting in itsourcecode Online Hotel Management System 1.0 allows remote attackers to inject malicious JavaScript via the Name argument in a POST request to /admin/mod_users/controller.php?action=edit. The vulnerability requires a victim to interact with the crafted content (CVSS 4.0 UI:P), limiting its reach but not eliminating risk against administrative users. A publicly disclosed proof-of-concept exploit exists per VulDB submission 843586, though no public exploit identified at time of analysis in CISA KEV.

XSS PHP
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.4%
CVE-2026-13555 MEDIUM This Month

SQL injection in itsourcecode Online Hotel Management System 1.0 exposes the admin user-management endpoint to remote database manipulation via the unsanitized Name parameter in /admin/mod_users/controller.php?action=add. The CVSS 4.0 vector assigns no privilege requirement (PR:N) and low complexity (AC:L), though the admin-panel path raises a discrepancy worth verifying - the endpoint may be accessible without authentication if the application does not enforce session controls on admin routes. A public proof-of-concept exploit exists (E:P in the CVSS 4.0 supplemental data), elevating immediate risk despite the absence of a CISA KEV listing.

SQLi PHP
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.4%
CVE-2026-13554 LOW Monitor

Cross-site scripting in itsourcecode Online Hotel Management System 1.0 enables remote attackers to inject arbitrary JavaScript via the Name parameter in the amenities management POST handler at /admin/mod_amenities/controller.php?action=add. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:P) confirms no authentication or special attack conditions are required to submit the payload, but passive user interaction - an admin browsing the amenities panel - is needed to trigger execution. A proof-of-concept exploit has been publicly disclosed via GitHub (VulDB submission 843584), though no active exploitation has been confirmed by CISA KEV.

XSS PHP
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.4%
CVE-2026-13553 MEDIUM This Month

Unrestricted file upload in itsourcecode Online Hotel Management System 1.0 allows remote attackers to upload arbitrary files - including PHP webshells - via the `image` parameter of `/admin/mod_amenities/controller.php?action=add`. The CVSS 4.0 vector assigns PR:N (no privileges required), corroborated by the 'Authentication Bypass' tag, indicating the admin-facing endpoint is reachable without credentials. A published proof-of-concept exploit exists; no patch has been identified at time of analysis.

Authentication Bypass File Upload PHP
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.5%
CVE-2026-13552 MEDIUM This Month

SQL injection in itsourcecode Online Hotel Management System 1.0 exposes the admin amenities controller to remote database manipulation via the unsanitized amen_id parameter at /admin/mod_amenities/controller.php?action=edit. A publicly available proof-of-concept exploit has been confirmed (CVSS 4.0 E:P modifier; VulDB submission 843569; GitHub issue Hh-176/CVE#3), enabling unauthenticated or low-privileged remote attackers to read, modify, or corrupt hotel management database records. No vendor patch has been identified at time of analysis.

SQLi PHP
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.4%
CVE-2026-13551 MEDIUM POC This Month

SQL injection in itsourcecode Baptism Information Management System 1.0 exposes database contents to remote unauthenticated attackers via the ID parameter in /editBaptism.php. A publicly available proof-of-concept exploit exists on GitHub, enabling data exfiltration or modification without any credentials or user interaction. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N/E:P) confirms low-complexity remote exploitation with no special conditions required, and no vendor-released patch has been identified.

SQLi PHP Baptism Information Management System
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.3%
CVE-2026-13550 MEDIUM POC This Month

SQL injection in itsourcecode Baptism Information Management System 1.0 exposes the `/delbaptism.php` endpoint to remote database manipulation via an unsanitized `ID` parameter. The CVSS 4.0 vector (AV:N/AC:L/PR:N/UI:N) confirms this requires no authentication or user interaction against any network-accessible instance. A public proof-of-concept exploit exists on GitHub, making this immediately weaponizable against any exposed deployment, though the application is not listed in CISA KEV and its niche footprint substantially limits aggregate exposure.

SQLi PHP Baptism Information Management System
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.3%
CVE-2026-13549 LOW POC Monitor

Authorization bypass in CodeAstro Complaint Management System 1.0 exposes the deletereport endpoint to unauthenticated arbitrary deletion of complaint reports and associated files. The deletereport function in application/controllers/Report.php accepts a caller-supplied report identifier without verifying ownership or authorization, enabling any remote user to delete any report by manipulating that identifier. A public proof-of-concept exploit is available on GitHub; no CISA KEV listing exists at time of analysis, indicating no confirmed widespread active exploitation.

Authentication Bypass PHP Complaint Management System
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.3%
CVE-2026-13548 LOW POC Monitor

SQL injection in itsourcecode Hospital Management System 1.0 exposes the `/doctortimings.php` endpoint to database manipulation via the unsanitized `editid` parameter, allowing a remote low-privilege authenticated attacker to read, modify, or partially disrupt backend database contents. The CVSS 4.0 vector (PR:L) confirms that some form of application authentication is required, limiting opportunistic mass exploitation, but a publicly available proof-of-concept exploit on GitHub materially lowers the barrier for targeted attacks. No patch has been released; the vulnerability is not listed in the CISA KEV catalog, but the sensitivity of healthcare data in scope makes it a meaningful risk for any production deployment.

SQLi PHP Hospital Management System
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.2%
CVE-2026-13542 LOW POC Monitor

SQL injection in itsourcecode Hospital Management System 1.0 exposes the `/doctorprofile.php` endpoint to remote exploitation via the `doctorname` parameter, allowing an authenticated attacker to execute arbitrary SQL commands against the backend database. Affected systems risk unauthorized access to, modification of, or partial disruption of sensitive medical and staff records stored within the application. A public proof-of-concept exploit has been disclosed on GitHub (CVSS 4.0 E:P), significantly lowering the technical barrier for exploitation despite the moderate base score; no CISA KEV listing is present at time of analysis.

SQLi PHP Hospital Management System
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.2%
CVE-2026-13541 LOW POC Monitor

SQL injection in itsourcecode Hospital Management System 1.0 exposes the backend database to authenticated remote attackers through the `newpassword` parameter of `/doctorchangepassword.php`. An attacker holding low-privilege credentials - such as a doctor account - can craft malicious SQL payloads to read, modify, or potentially delete database records. A public exploit exists per the CVSS 4.0 E:P modifier and a referenced GitHub issue; no active exploitation has been confirmed by CISA KEV.

SQLi PHP Hospital Management System
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.2%
CVE-2026-13535 LOW POC Monitor

SQL injection in CodeAstro Human Resource Management System 1.0 allows low-privileged remote attackers to manipulate database queries via the ID argument passed to the GetFileInfo function within the View Endpoint. The vulnerability resides in hrsystem/application/models/Employee_model.php and can result in unauthorized read and write access to the underlying database. A public exploit has been published on GitHub, elevating practical risk despite the authentication requirement and moderate CVSS 4.0 score of 5.3.

SQLi PHP Human Resource Management System
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.2%
CVE-2026-13532 LOW POC Monitor

SQL injection in itsourcecode Hospital Management System 1.0 exposes the `/departmentDoctor.php` endpoint to database manipulation via the unsanitized `deptid` parameter, allowing a remote low-privileged attacker to read, modify, or corrupt backend database records. The CVSS 4.0 vector (PR:L) confirms that a valid application account is required, limiting opportunistic exploitation. A public proof-of-concept exploit is available on GitHub (linked from VulDB), and no vendor patch has been identified at time of analysis, making compensating controls the only available remediation path.

SQLi PHP Hospital Management System
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.2%
CVE-2026-13531 LOW POC Monitor

SQL injection in itsourcecode Hospital Management System 1.0 exposes the /department.php endpoint to database manipulation via the unsanitized `editid` parameter, allowing a remote low-privileged authenticated attacker to read, modify, or delete hospital database contents. The CVSS 4.0 vector (PR:L) confirms a valid user account is required, constraining but not eliminating risk for internet-exposed instances. A public exploit has been released on GitHub, materially increasing the likelihood of opportunistic abuse against deployed instances.

SQLi PHP Hospital Management System
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.2%
CVE-2026-13530 LOW POC Monitor

SQL injection in itsourcecode Hospital Management System 1.0 exposes the Appointment Handler endpoint `/appointmentdetail.php` to remote database manipulation via the unsanitized `editid` parameter. The CVSS 4.0 vector (PR:L, E:P) confirms low-privilege authentication is required and a public proof-of-concept exploit is available on GitHub, materially lowering the bar for exploitation. While not listed in CISA KEV, the combination of network reachability, trivial exploitation complexity, and live PoC code makes this a concrete risk for any organization running this codebase in production.

SQLi PHP Hospital Management System
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.2%
CVE-2026-13529 LOW POC Monitor

SQL injection in YzmCMS up to version 7.5 allows network-based attackers to manipulate database queries by supplying crafted input to the siteurl argument within the installation endpoint /application/install/index.php. No authentication is required per the CVSS 4.0 vector (PR:N), though the attack is rated high complexity (AC:H), meaning exploitation is non-trivial despite a publicly available proof-of-concept on GitHub. The vendor did not respond to coordinated disclosure, leaving no official patch available; CVSS 4.0 scores this 6.3 with partial impact across confidentiality, integrity, and availability - no confirmed active exploitation (not in CISA KEV).

SQLi PHP Yzmcms
NVD VulDB GitHub
CVSS 4.0
2.9
EPSS
0.2%
CVE-2026-13527 MEDIUM POC This Month

SQL injection in SourceCodester Class and Exam Timetabling System 1.0 exposes the `/preview4.php` endpoint to unauthenticated remote attackers via the `course_year_section` parameter. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms zero-prerequisite network exploitation against default deployments, with low-level impact across confidentiality, integrity, and availability of the backend database. No public exploit identified at time of analysis is incorrect here - a public proof-of-concept has been disclosed on GitHub (E:P maturity confirmed), meaningfully lowering the barrier for opportunistic and automated attacks against academic institutions running this software.

SQLi PHP Class And Exam Timetabling System
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.3%
CVE-2026-13526 MEDIUM POC This Month

SQL injection in SourceCodester Class and Exam Timetabling System 1.0 exposes the `/edit_class.php` endpoint to unauthenticated remote database manipulation via the unsanitized `ID` parameter. Per the CVSS 4.0 vector (PR:N, UI:N, AC:L), no authentication or user interaction is required to initiate the attack, and a public proof-of-concept exploit is available on GitHub. No vendor patch has been identified at time of analysis, leaving deployments with no vendor-sanctioned remediation path.

SQLi PHP Class And Exam Timetabling System
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.3%
CVE-2026-13525 LOW POC Monitor

SQL injection in CodeAstro Human Resource Management System 1.0 allows a low-privileged authenticated remote attacker to manipulate the `emid` parameter in the Update_Earn_Leave endpoint, triggering time-based blind SQL injection against the underlying database. The vulnerability resides in the `emselectByCode` function within `application/models/Employee_model.php`, where unsanitized input is passed directly into SQL query construction. A public proof-of-concept exploit is available on GitHub; no active exploitation has been confirmed by CISA KEV at time of analysis.

SQLi PHP Human Resource Management System
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.2%
CVE-2026-13521 MEDIUM POC This Month

SQL injection in SourceCodester Class and Exam Timetabling System 1.0 allows unauthenticated remote attackers to manipulate database queries via the `course_year_section` parameter in /preview5.php. The input is passed directly into SQL queries without sanitization (CWE-89), enabling data extraction, modification, or availability disruption. A public proof-of-concept exploit is available on GitHub, and no patch has been identified at time of analysis.

SQLi PHP Class And Exam Timetabling System
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.3%
CVE-2026-13520 LOW POC Monitor

SQL injection in itsourcecode Hospital Management System 1.0 exposes the `/appointmentapproval.php` Appointment Handler endpoint to database manipulation via the `editid` parameter, allowing low-privileged remote attackers to read, modify, or delete backend data. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:N) confirms network-exploitability with minimal attack complexity once credentials are obtained, and a public proof-of-concept has been disclosed on GitHub, substantially lowering the attacker skill threshold. No active exploitation is confirmed by CISA KEV, but the medical context of the affected system - which likely stores sensitive patient and appointment records - amplifies the potential impact of even a limited SQL injection.

SQLi PHP Hospital Management System
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.2%
CVE-2026-37637 CRITICAL Act Now

Remote code execution in Alexantr filemanager v1.0 lets remote attackers run arbitrary code through the filemanager.php component, mapped to CWE-94 (code injection). The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N) indicates a network-reachable flaw requiring no authentication or user interaction, and publicly available exploit code exists (GitHub POC by SLO-CYBER-SEC). SSVC rates exploitation as proof-of-concept with total technical impact and automatable=yes, but it is not on CISA KEV and no EPSS score was provided.

Code Injection PHP RCE N A
NVD GitHub
CVSS 3.1
9.1
EPSS
0.5%
CVE-2026-13504 LOW POC Monitor

Cross-site scripting in code-projects Project Management System 1.0 allows a remote authenticated attacker to inject malicious scripts via the /mail.php Mail Compose Page, targeting other users who interact with the crafted mail content. The CVSS 4.0 vector (PR:L/UI:P) confirms exploitation requires a low-privileged authenticated session and passive victim interaction, limiting scope but not eliminating risk in shared environments. A public proof-of-concept exploit has been disclosed on GitHub; no KEV listing and no vendor patch have been identified at time of analysis.

XSS PHP Project Management System
NVD VulDB GitHub
CVSS 4.0
2.0
EPSS
0.2%
CVE-2026-13499 LOW POC Monitor

Cross-site scripting in yashpokharna2555/restaurent-management-system allows remote unauthenticated attackers to inject arbitrary client-side script via the Username argument in login_register.php's Registration Handler. The payload executes in the browser of any user who subsequently views the tainted data - most likely an administrator reviewing registered accounts. A public exploit exists per VulDB and GitHub issue #4; no public exploit identified as confirmed actively exploited (CISA KEV). The CVSS 4.0 base score of 2.1 reflects the limited scope and required victim interaction, but the availability of a POC elevates practical risk for any deployment.

XSS PHP Restaurent Management System
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.3%
CVE-2026-13498 MEDIUM POC This Month

SQL injection in yashpokharna2555's restaurent-management-system exposes the /forgotpassword.php endpoint to unauthenticated remote exploitation via the POST email parameter, allowing attackers to execute arbitrary SQL against the backend database. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms no authentication or preconditions are required, and a public exploit is referenced in GitHub issue #3. The project has no versioning scheme and the maintainer has not responded to the disclosure, meaning no patch is available and all deployed instances remain vulnerable.

SQLi PHP Restaurent Management System
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.3%
CVE-2026-13497 LOW POC Monitor

SQL injection in itsourcecode Hospital Management System 1.0 exposes the appointment management endpoint to remote database manipulation via the unsanitized `editid` parameter in `/appointment.php`. Authenticated low-privileged users can craft malicious SQL payloads to read, modify, or corrupt appointment and patient records in the underlying database. A publicly available proof-of-concept exploit exists (GitHub issue linked in references); no CISA KEV listing at time of analysis.

SQLi PHP Hospital Management System
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.2%
CVE-2026-13496 LOW POC Monitor

SQL injection in itsourcecode Hospital Management System 1.0 exposes the `/ajaxmedicine.php` endpoint to database manipulation via the unsanitized `medicineid` parameter, exploitable by any low-privilege authenticated user over the network. A public proof-of-concept has been published on GitHub, materially lowering the barrier to exploitation. No active exploitation has been confirmed by CISA KEV, but the combination of public exploit code, a medical data context, and low attack complexity makes this a credible risk for any organization running this software.

SQLi PHP Hospital Management System
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.2%
CVE-2026-13495 LOW POC Monitor

SQL injection in itsourcecode Hospital Management System 1.0 exposes authenticated administrators to database manipulation via the `loginid` parameter in `/adminprofile.php`. The CVSS 4.0 vector (PR:H) confirms exploitation is constrained to authenticated high-privilege sessions, limiting mass exploitation risk despite network accessibility. A public proof-of-concept exploit has been disclosed on GitHub, lowering the technical barrier for targeted abuse by insiders or credential-compromised actors.

SQLi PHP Hospital Management System
NVD VulDB GitHub
CVSS 4.0
2.0
EPSS
0.2%
CVE-2026-13490 MEDIUM This Month

Authorization bypass in GLPI 11.0.5 through 11.0.7 exposes restricted documents to unauthorized network-based access via a manipulable docid parameter in the document download handler. The vulnerability resides in the Document::canViewFile authorization check within front/document.send.php, where an attacker can tamper with the docid argument to circumvent document-level access controls and retrieve files they are not permitted to view. No public exploit has been identified at time of analysis, and EPSS data was not provided; however, the remote network vector with no required privileges raises concern for exposed GLPI deployments.

Authentication Bypass PHP Glpi
NVD VulDB
CVSS 4.0
6.3
EPSS
0.3%
CVE-2026-13488 MEDIUM POC This Month

SQL injection in SourceCodester Class and Exam Timetabling System 1.0 exposes the `/preview7.php` endpoint to unauthenticated remote exploitation via unsanitized input in the `course_year_section` parameter. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms zero-friction remote exploitation with no authentication or user interaction required. No public exploit identified at time of analysis is incorrect here - a publicly available exploit exists (GitHub issue referenced in references), elevating urgency despite the absence of a CISA KEV listing.

SQLi PHP Class And Exam Timetabling System
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.3%
CVE-2026-13487 MEDIUM POC This Month

SQL injection in SourceCodester Class and Exam Timetabling System 1.0 exposes any publicly reachable deployment to unauthenticated database manipulation via the unsanitized `sy` parameter in /archive.php. The CVSS 4.0 vector (AV:N/AC:L/PR:N/UI:N) confirms remote exploitation with no prerequisites, yielding low-to-moderate impact across confidentiality, integrity, and availability of the underlying database. A publicly available proof-of-concept exploit exists on GitHub (referenced via VulDB submission 838189), lowering attacker skill requirements, though no CISA KEV listing indicates mass exploitation has not been confirmed at time of analysis.

SQLi PHP Class And Exam Timetabling System
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.3%
CVE-2026-13486 MEDIUM POC This Month

SQL injection in SourceCodester Class and Exam Timetabling System 1.0 allows unauthenticated remote attackers to manipulate the `course_year_section` parameter on the `/preview6.php` endpoint, enabling unauthorized read and write access to the underlying database. The CVSS 4.0 vector (AV:N/AC:L/PR:N/UI:N) confirms exploitation requires no authentication and no special conditions, and a public proof-of-concept has been disclosed on GitHub. While not listed in CISA KEV, the trivially low attack complexity combined with POC availability raises the realistic exploitation risk above what the 5.5 medium score alone implies.

SQLi PHP Class And Exam Timetabling System
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.4%
CVE-2026-13485 MEDIUM POC This Month

SQL injection in SourceCodester Class and Exam Timetabling System 1.0 exposes the `/preview.php` endpoint to remote unauthenticated exploitation via the unsanitized `course_year_section` parameter, allowing arbitrary SQL query execution against the backend database. A public proof-of-concept exploit has been published on GitHub, materially lowering the barrier to exploitation. Impact is rated low-to-partial across confidentiality, integrity, and availability, bounded by the database account's privileges, and no vendor patch has been identified at time of analysis.

SQLi PHP Class And Exam Timetabling System
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.4%
CVE-2026-8095 HIGH This Week

Authenticated arbitrary file deletion in the Frontend File Manager Plugin (nmedia-user-file-uploader) for WordPress versions through 23.6 lets Subscriber-level users delete any file on the server, including wp-config.php, which can cascade into full site takeover. The flaw stems from a case-sensitivity gap in input sanitization within the wpfm_file_meta_update AJAX handler that allows attacker-controlled paths to reach unlink() unchecked. Reported by Wordfence with a CVSS of 8.1; no public exploit identified at time of analysis and the issue is not on CISA KEV.

WordPress Information Disclosure PHP
NVD VulDB
CVSS 3.1
8.1
EPSS
0.4%
CVE-2026-57518 HIGH POC This Week

Privilege escalation to remote code execution in Pagekit CMS 1.0.18 lets an authenticated user holding the 'user: manage users' permission grant themselves arbitrary custom roles via an unprotected UserApiController::saveAction(), then assign a role carrying 'system: manage packages' to upload a malicious PHP package through the admin installer and run arbitrary code. Publicly available exploit code exists (gist by sermikr0, reported by VulnCheck), and the chain converts a limited management permission into full server compromise. No public evidence of active exploitation has been confirmed (not in CISA KEV).

Authentication Bypass RCE Privilege Escalation PHP Pagekit
NVD GitHub
CVSS 4.0
8.7
EPSS
0.5%
CVE-2026-57647 HIGH This Week

Local File Inclusion in the Panorama Viewer - 360 Degree Image + Video Viewer WordPress plugin (versions 1.6.1 and earlier) allows authenticated users with Contributor-level access to coerce the application into including arbitrary local files on the server. Cataloged under CWE-98 and reported by Patchstack, the flaw can expose sensitive files (e.g., wp-config.php credentials) and, depending on server conditions, escalate toward code execution. No public exploit identified at time of analysis and it is not listed in CISA KEV; the CVSS 3.1 base score is 7.5 with high attack complexity.

LFI Information Disclosure PHP
NVD
CVSS 3.1
7.5
EPSS
0.3%
CVE-2026-56057 CRITICAL Act Now

PHP Object Injection in the Uncanny Automator Pro WordPress plugin (versions <= 7.3.0.6) allows authenticated users holding only the low-privileged Subscriber role to inject crafted serialized PHP objects into an unsafe deserialization sink (CWE-502). Depending on the gadget chains present in the plugin or co-installed software, this can escalate to remote code execution, arbitrary file operations, or database tampering. No public exploit has been identified at time of analysis, and it is not listed in CISA KEV; the input-supplied CVSS of 9.8 likely overstates privileges since the title explicitly scopes the flaw to the Subscriber role.

Deserialization PHP
NVD
CVSS 3.1
9.8
EPSS
0.4%
CVE-2026-56055 HIGH This Week

Authenticated PHP object injection in the RealHomes WordPress theme (versions 4.5.3 and earlier) lets a low-privileged Subscriber-level account inject crafted serialized objects into an unsafe deserialization sink (CWE-502). Because WordPress applications and plugins commonly contain POP gadget chains, this can escalate to arbitrary file operations, SQL injection, or remote code execution, which is reflected in the high CVSS 8.8 (C:H/I:H/A:H). Reported by Patchstack; no public exploit identified at time of analysis and it is not listed in CISA KEV.

Deserialization PHP
NVD VulDB
CVSS 3.1
8.8
EPSS
0.4%
CVE-2026-56032 CRITICAL Act Now

PHP Object Injection in the BuddyBoss Platform WordPress plugin (versions 3.0.4 and earlier) allows attackers with low-privilege Subscriber access to inject crafted serialized objects that are deserialized unsafely, potentially leading to remote code execution, data tampering, or denial of service depending on available gadget chains. The flaw was reported by Patchstack and carries a CVSS base score of 9.8; however, the 'Subscriber' qualifier implies authenticated access is required, which conflicts with the PR:N in the published vector. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV.

Deserialization PHP
NVD
CVSS 3.1
9.8
EPSS
0.5%
CVE-2026-56031 HIGH This Week

PHP Object Injection in the Uncanny Automator WordPress plugin (versions 7.3.1.2 and earlier) lets unauthenticated remote attackers submit crafted serialized PHP objects that the application deserializes, potentially leading to full WordPress site compromise. The flaw is rooted in unsafe deserialization of untrusted data (CWE-502) and carries high confidentiality, integrity, and availability impact (CVSS 8.1). No public exploit identified at time of analysis and it is not in CISA KEV; the high attack complexity reflects the need for a usable POP gadget chain in the target environment.

Deserialization PHP
NVD
CVSS 3.1
8.1
EPSS
0.3%
CVE-2025-68064 HIGH PATCH This Week

Local File Inclusion in the Goya Core WordPress plugin (versions before 1.0.9.4) lets authenticated Contributor-level users coerce the application into including arbitrary local files, exposing sensitive server-side content such as configuration files and PHP source. Reported by Patchstack and classified CWE-98, the flaw carries a CVSS 3.1 base score of 7.5 (AV:N/AC:H/PR:L), and no public exploit identified at time of analysis. Exploitation requires a valid low-privilege account and the high attack complexity reflects non-trivial preconditions.

LFI Information Disclosure PHP
NVD
CVSS 3.1
7.5
EPSS
0.3%
CVE-2025-68063 HIGH This Week

Local File Inclusion in the Splash - Sport Club WordPress theme (versions 4.4.3 and earlier) lets an authenticated Contributor-level user supply a controlled filename to a PHP include/require sink, exposing local server files and potentially escalating to code execution. The flaw was reported by Patchstack and carries a CVSS 7.5; no public exploit identified at time of analysis, and it is not listed in CISA KEV. Exploitation requires an existing low-privilege account and overcomes elevated attack complexity, narrowing realistic abuse to multi-author sites.

WordPress LFI Information Disclosure PHP
NVD
CVSS 3.1
7.5
EPSS
0.3%
CVE-2026-57940 LOW Monitor

Server-Side Request Forgery in HTMLy 3.1.1 allows authenticated administrators to coerce the server into issuing arbitrary outbound HTTP or local filesystem requests via the RSS feed import feature. The vulnerable `get_feed()` function at `system/admin/admin.php` lines 1549-1551 passes the admin-supplied URL directly to PHP's `file_get_contents()` with no scheme filtering or allowlist validation, enabling access to cloud metadata endpoints (e.g., 169.254.169.254), internal network services, or local files via `file://` wrappers. No public exploit or CISA KEV listing exists at time of analysis; the CVSS 4.0 score of 2.1 reflects the high privilege prerequisite and limited confidentiality impact.

SSRF PHP Htmly
NVD GitHub
CVSS 4.0
2.1
EPSS
0.2%
CVE-2026-50745 MEDIUM This Month

Reflected cross-site scripting in Revive Adserver's stats-video.php script allows remote attackers to inject arbitrary JavaScript into victim browsers by delivering a crafted URL. The Smarty template engine's custom `url` helper function emits attacker-controlled values without HTML encoding or sanitization, and the URL construction pattern for this endpoint exposes user input directly in rendered output. No active exploitation has been confirmed (not in CISA KEV), but the vulnerability is reachable without authentication and requires only victim interaction with a malicious link.

XSS PHP Adserver
NVD
CVSS 3.1
6.1
EPSS
0.1%
CVE-2026-50740 MEDIUM This Month

Reflected XSS in Revive Adserver 6.0.7 and earlier allows a low-privileged user to inject unsanitized JavaScript via the `refresh` parameter in the zone-include.php iFrame invocation script. The CVSS scope change (S:C) indicates that attacker-controlled script executes in the victim's browser security context, enabling session hijacking, credential theft, or malicious redirects against targeted users who click a crafted URL. No active exploitation confirmed (not in CISA KEV) and no public exploit code identified at time of analysis, though the low attack complexity makes this straightforward for any attacker with XSS capability.

XSS PHP Adserver
NVD
CVSS 3.1
5.4
EPSS
0.1%
CVE-2026-50742 MEDIUM This Month

Stored cross-site scripting in Revive Adserver 6.0.7 allows an authenticated low-privilege attacker to inject persistent XSS payloads via entity names that render unescaped within the maintenance-acl-check.php and maintenance-banners-check.php tools. When an administrator later runs these maintenance utilities and inconsistencies are detected, the malicious payload executes in the admin's browser context, potentially enabling session hijacking or unauthorized administrative actions. No public exploit or active exploitation (CISA KEV) has been identified at time of analysis; the AC:H vector reflects that payload execution is partially outside attacker control, contingent on admin use of the specific maintenance tools.

XSS PHP Adserver
NVD
CVSS 3.1
5.4
EPSS
0.1%
CVE-2026-50739 MEDIUM This Month

Ownership validation bypass in Revive Adserver 6.0.7 and earlier allows a low-privileged authenticated user to link their own trackers to campaigns belonging to other managers on the same instance via the `tracker-campaigns.php` script. This is a bypass of the fix introduced for CVE-2026-34913, which applied ownership checks only to the forward linking operation but omitted the reverse direction. The impact is confined to integrity - specifically, creation of inconsistent cross-manager ownership relationships - with no confidentiality or availability consequences. No public exploit identified at time of analysis.

Authentication Bypass PHP Adserver
NVD
CVSS 3.0
4.3
EPSS
0.2%
CVE-2026-45233 HIGH POC This Week

Arbitrary file relocation in HTMLy CMS through version 3.1.1 allows low-privileged authenticated users to move any web-server-writable file by injecting directory traversal sequences into the oldfile parameter of the admin autosave endpoint. Reported by VulnCheck with publicly available exploit code, the flaw stems from passing unsanitized input directly to file_exists() and rename() in admin.php. It is not listed in CISA KEV, so there is no public exploit identified as actively exploited at time of analysis despite the available POC.

Path Traversal PHP Htmly
NVD GitHub
CVSS 4.0
7.2
EPSS
0.6%
CVE-2026-48945 MEDIUM This Month

Unrestricted file upload in K2 Extension for Joomla (versions 1.0 through 2.26) permits attackers to embed PHP scripts inside zip or tar archives uploaded via the article gallery feature, which are then extracted as-is into the publicly accessible `/media/k2/galleries/<id>/` directory and remain directly executable via HTTP. The extension applies renaming sanitization only to recognized image types, leaving PHP, shell, and other dangerous file types completely unfiltered post-extraction - a textbook CWE-434 flaw. No public exploit has been identified at time of analysis, but the reported CVSS base vector (AV:N/AC:L/PR:N/UI:N) and the nature of the flaw indicate trivial exploitability; notably, the reported CVSS impact metrics (C:L/I:N/A:N) appear to significantly understate the actual consequence of achieving arbitrary PHP code execution on the server.

PHP File Upload K2 Extension For Joomla
NVD
CVSS 3.1
5.3
EPSS
0.2%
CVE-2026-48946 MEDIUM This Month

Unrestricted PHP file upload in K2 extension for Joomla (versions 1.0–2.26) enables any authenticated K2 Author to achieve remote code execution by uploading a PHP webshell via the frontend article-attachment upload endpoint and executing it through Apache mod_php. Because the upload handler performs no extension filtering, a `.php` file is written to `/media/k2/attachments/` and served by Apache's standard `\.php$` handler, executing arbitrary code as the web server process user. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV, though the attack path is elementary once Author-level access is obtained.

PHP Apache File Upload K2 Extension For Joomla
NVD
CVSS 3.1
6.3
EPSS
0.2%
CVE-2026-48944 MEDIUM This Month

Path traversal in the K2 extension for Joomla (versions 1.0-2.26) allows authenticated Authors to copy arbitrary web-readable files - including Joomla's database credential file `configuration.php` and OS files such as `/etc/passwd` - into a publicly accessible directory for retrieval. The article-save handler's `attachment[N][existing]` POST parameter is concatenated with `JPATH_SITE/` and passed directly to `JFile::copy()` without stripping `../` sequences or enforcing a source-path allow-list, making traversal trivial. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV, but the confidentiality impact is severe on multi-author Joomla sites where Author accounts may be widely distributed.

Path Traversal PHP K2 Extension For Joomla
NVD
CVSS 3.1
6.5
EPSS
0.3%
CVE-2026-56053 HIGH This Week

PHP Object Injection in the EventPrime event-calendar-management WordPress plugin (versions 4.3.4.1 and earlier) allows an authenticated attacker holding only a low-privilege Subscriber account to inject crafted serialized objects into an unsafe deserialization sink. Depending on the PHP gadget chains present in WordPress core, the plugin, or other installed plugins, this can escalate to data tampering, information disclosure, or remote code execution. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV; it was reported by Patchstack.

Deserialization PHP Eventprime
NVD
CVSS 3.1
8.8
EPSS
0.4%
CVE-2026-54845 HIGH This Week

Unauthenticated local file inclusion in the WordPress 'Meta Data and Taxonomy Filter' (MDTF) plugin by pluginus.net affects all versions up to and including 1.3.8, allowing remote attackers without credentials to coerce the PHP application into including arbitrary local files. Per its CVSS:3.1 vector (AV:N/PR:N), exploitation is network-reachable and unauthenticated, though the high attack complexity (AC:H) implies non-trivial preconditions. This is classified as information disclosure but rated 8.1 with full C/I/A impact; there is no public exploit identified at time of analysis and it is not on the CISA KEV list.

LFI Information Disclosure PHP Mdtf
NVD
CVSS 3.1
8.1
EPSS
0.3%
CVE-2026-37149 HIGH This Week

SQL injection in the open-source Grocery Store Management System (PHP/MySQL, v1.0 by anirudhkannanvp) lets attackers read arbitrary database contents by injecting a crafted SQL payload through the unsanitized 'scost' parameter of /grocery/search_products.php. The flaw (CWE-89) carries a CVSS of 7.7 and exposes credentials, customer records, and other sensitive data; publicly available exploit code exists in a dedicated GitHub repository, though it is not listed in CISA KEV and its EPSS exploitation probability is low (0.24%, 16th percentile).

SQLi PHP N A
NVD GitHub
CVSS 3.1
7.7
EPSS
0.2%
CVE-2026-9773 HIGH This Week

Remote authenticated command injection in Unraid's web management server allows attackers to execute arbitrary OS commands as the www-data user by abusing unsanitized input in ToggleState.php. Any user with low-privilege authenticated web access can chain this CWE-78 flaw into full code execution on the underlying NAS host. Discovered and reported through ZDI (ZDI-CAN-30134 / ZDI-26-386); no public exploit identified at time of analysis and no CISA KEV listing.

Command Injection RCE PHP Unraid
NVD
CVSS 3.0
8.8
EPSS
1.1%
CVE-2026-9772 HIGH This Week

Authenticated remote code execution in Unraid stems from OS command injection in the web server's FileUpload.php, where a user-supplied string is passed to a system call without validation, letting any logged-in attacker run arbitrary commands as the www-data user. Tracked as ZDI-CAN-30116 and disclosed via the Zero Day Initiative, it carries a CVSS 8.8 rating; no public exploit identified at time of analysis, and it is not listed in CISA KEV.

Command Injection RCE PHP Unraid
NVD
CVSS 3.0
8.8
EPSS
1.1%
CVE-2026-47110 HIGH PATCH This Week

Persistent denial of service in the Tiptap for PHP library before 2.1.1 lets authenticated users crash the server-side rendering pipeline by submitting Tiptap JSON whose attrs.href is an array rather than a string. The malformed value reaches preg_match() inside Link::isAllowedUri() and triggers an unhandled TypeError; because the bad record is stored, every later attempt to render that content fails for all viewers until the database row is manually fixed. No public exploit has been identified at time of analysis, and the issue is not listed in CISA KEV; EPSS data was not provided.

Denial Of Service PHP Tiptap Php
NVD GitHub
CVSS 4.0
7.1
EPSS
0.3%
CVE-2026-12242 HIGH This Week

Authenticated PHP code injection in the AdRotate Banner Manager WordPress plugin (versions ≤5.17.7) allows Contributor-level users to execute arbitrary PHP on the server by abusing the 'banner' attribute of the [adrotate] shortcode. Exploitation requires W3 Total Cache or Borlabs Cache support to be enabled in AdRotate settings, where unsanitized input is concatenated into a PHP string wrapped in mfunc/fragment cache markers. Reported by Wordfence; no public exploit identified at time of analysis and the issue is not listed in CISA KEV.

Code Injection WordPress PHP RCE Adrotate Banner Manager
NVD
CVSS 3.1
8.8
EPSS
0.5%
CVE-2026-10749 HIGH POC PATCH This Week

PHP Object Injection in the Post Duplicator WordPress plugin before 3.0.15 lets authenticated users with Contributor-level access or higher inject arbitrary serialized PHP objects by abusing the plugin's post-duplication routine, which copies attacker-controlled custom meta-data without the WordPress meta API's double-serialization safeguard. Successful exploitation can lead to property-oriented programming attacks and, with a suitable gadget chain present, full compromise of the site. Publicly available exploit code exists (WPScan), though the flaw is not listed in CISA KEV and carries a low EPSS score (0.15%, 5th percentile).

WordPress Code Injection PHP Post Duplicator
NVD WPScan VulDB
CVSS 3.1
7.2
EPSS
0.1%
CVE-2026-9612 MEDIUM This Month

Unauthenticated mass PII harvesting is possible on any WordPress site running the WhatsOrder - Instant Checkout for WooCommerce plugin (all versions through 1.0.1) because the plugin writes customer invoice HTML files to a publicly accessible directory with no access restrictions. The `yapacdev_generate_order_pdf` function deposits invoices under `wp-content/uploads/whatsorder_invoices/` without generating an `.htaccess` deny rule or `index.php` guard, and because WooCommerce uses predictable sequential order IDs, any remote attacker can enumerate and download every customer invoice with no authentication. Exposed data includes full name, email, phone number, billing address, itemized order contents with pricing, applied coupon codes, shipping method, and order total. No public exploit code has been identified at time of analysis and this vulnerability is not listed in the CISA KEV catalog.

Information Disclosure PHP WordPress Whatsorder Instant Checkout For Woocommerce
NVD
CVSS 3.1
5.3
EPSS
0.3%
CVE-2026-12417 CRITICAL POC Act Now

Unauthenticated account takeover in the SignUp & SignIn WordPress plugin (versions ≤ 1.0.0) allows remote attackers to reset any user's password - including administrators - via the unauthenticated `pravel_change_password` AJAX action. No public exploit identified at time of analysis, but the trivially-bypassable empty-string comparison and AV:N/AC:L/PR:N/UI:N vector make exploitation essentially one HTTP request. The plugin's small footprint likely keeps EPSS low, but any site running it is fully exposed.

Authentication Bypass PHP Privilege Escalation WordPress Signup Signin
NVD VulDB GitHub
CVSS 3.1
9.8
EPSS
0.5%
CVE-2026-9643 HIGH This Week

Unauthenticated stored cross-site scripting in the WP Meta SEO WordPress plugin (versions ≤ 4.5.18 by Joomunited) lets remote attackers persist arbitrary JavaScript into the `wp_wpms_links.link_url` database column by sending HTTP requests with a malicious URI to any 404 path. The payload executes in the browser of any administrator who opens the plugin's '404 & Redirects' admin page, enabling session hijacking or admin-on-behalf actions. No public exploit identified at time of analysis; no KEV listing.

PHP XSS WordPress Wp Meta Seo
NVD
CVSS 3.1
7.2
EPSS
0.2%
CVE-2026-8705 HIGH This Week

Unauthenticated SQL injection in the ClearSale Total WordPress plugin (all versions through 3.4.2) allows remote attackers to extract sensitive database contents via the pagseguro[metodo] POST parameter of the clearsale_total_push AJAX action. The flaw is reachable without authentication because the nopriv AJAX handler ships with a commented-out die() in the nonce-failure branch, and on PHP < 8.0 loose type juggling bypasses the switch/case integer guard. No public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV.

SQLi PHP WordPress Clearsale Total
NVD
CVSS 3.1
7.5
EPSS
0.5%
CVE-2026-8628 MEDIUM This Month

Reflected Cross-Site Scripting in the EntreDroppers WordPress plugin (all versions through 1.1.2) allows unauthenticated attackers to inject arbitrary JavaScript into victim browsers by embedding script payloads in the URL path-info segment, which PHP reflects unsanitized through the PHP_SELF server variable into the form action attribute at EntreDroppers.php line 223. Successful exploitation requires tricking an authenticated WordPress administrator into clicking a crafted link pointing to the /wp-admin/ context, making this a social-engineering-dependent attack. No public exploit code or active exploitation has been identified at time of analysis; no patch has been confirmed from available data.

PHP XSS WordPress Entredroppers
NVD VulDB
CVSS 3.1
6.1
EPSS
0.2%
CVE-2026-55542 PHP LOW PATCH GHSA Monitor

Signature image retrieval in Snipe-IT's S3-backed deployments bypasses authorization, allowing any authenticated user to obtain a 5-minute pre-signed S3 URL for acceptance signature images they are not permitted to view. The flaw exists in ActionlogController.php where the S3 code path returns a signed URL before the authorize() call is reached - a call that is correctly enforced only in the local-file code path. Affected are all Snipe-IT deployments on versions <= 8.5.0 configured to use S3 storage; no public exploit code exists and this CVE is not listed in CISA KEV.

PHP Authentication Bypass
NVD GitHub VulDB
CVSS 4.0
1.3
EPSS
0.4%
CVE-2026-49976 PHP MEDIUM PATCH GHSA This Month

Account takeover in Snipe-IT (versions prior to 8.6.0) is achievable by any user holding the `import` permission via a logic flaw in the CSV user-import update path. The `UserImporter.php` code correctly unsets auth fields from the Eloquent model object, but `sanitizeItemForUpdating()` rebuilds its update payload from the raw CSV row (`$this->item`) - not from the model - rendering the unset calls entirely ineffective. An authenticated user with only `import` rights can overwrite any non-admin, non-superuser account's email address and then trigger a password reset to complete a full account takeover. No active exploitation has been confirmed (not listed in CISA KEV) and no public exploit code has been identified at time of analysis, though the vendor-published advisory includes precise source code and a working reproduction path.

PHP Authentication Bypass
NVD GitHub
CVSS 3.1
6.5
CVE-2026-49870 PHP MEDIUM PATCH GHSA This Month

Unrestricted TOTP brute-forcing on Snipe-IT versions prior to 8.6.0 allows an attacker holding valid password credentials to bypass two-factor authentication by submitting unlimited guesses against the `POST /two-factor` endpoint, which enforces no rate limit, lockout, or attempt counter. With the `google2fa` window configured at 1, three of one million possible codes are valid at any instant, making statistical exhaustion feasible via scripted requests. Successful exploitation yields full session-level account takeover; in optional-2FA deployments the attacker can additionally call `POST /account/profile` to permanently disable 2FA with no re-verification, and admin-privileged attackers can clear other users' 2FA secrets via `POST /api/v1/users/two_factor_reset`. No public exploit has been identified at time of analysis.

PHP Denial Of Service
NVD GitHub
CVSS 3.1
5.9
CVE-2026-55173 PHP HIGH PATCH GHSA This Week

{, } and stripped doubled && but left the single & background operator intact at the same execAsync() sh -c sink. Publicly available exploit code exists (a PHP PoC harness is included in the advisory), but the vulnerability is not in CISA KEV at time of analysis.

Command Injection PHP
NVD GitHub
CVSS 3.1
8.1
CVE-2026-34913 MEDIUM This Month

Improper access control in Revive Adserver 6.0.6 and earlier allows an authenticated low-privileged user to link their own trackers to advertising campaigns owned by other managers on the same instance via campaign-trackers.php. The flaw enables unauthorized manipulation of campaign-tracker ownership relationships, corrupting attribution data and potentially introducing unauthorized tracking into other managers' campaigns. No active exploitation has been confirmed (not in CISA KEV) and no public exploit code has been identified at time of analysis.

PHP Authentication Bypass Adserver
NVD
CVSS 3.0
4.3
EPSS
0.2%
CVE-2026-44956 NONE Awaiting Data

Stored XSS in Revive Adserver allows a low-privileged user to inject malicious JavaScript through their Full Name field, which propagates via system-generated emails into the userlog table and executes in an administrator's browser when viewing userlog-details.php. The attack crosses privilege boundaries - a standard user account becomes a vector for admin-context script execution, enabling session hijacking or unauthorized privileged actions. No public exploit has been identified at time of analysis; a fix adding proper output escaping has been confirmed via HackerOne report #3669623.

XSS PHP Adserver
NVD VulDB
EPSS
0.3%
CVE-2026-34916 HIGH This Week

Authenticated PHP code injection in Revive Adserver 6.0.6 and earlier allows a low-privileged user to embed arbitrary PHP into the compiledlimitations database field via the logical parameter of delivery limitations, with execution occurring later during banner delivery. The flaw is exploitable over the network with low complexity and yields full confidentiality, integrity, and availability impact (CVSS 8.8), though no public exploit identified at time of analysis.

PHP RCE Code Injection Revive Adserver
NVD
CVSS 3.0
8.8
EPSS
0.4%
CVE-2026-34914 HIGH This Week

Blind SQL injection in Revive Adserver 6.0.6 and earlier allows authenticated low-privileged users to inject arbitrary SQL through the clientid parameter of zone-include.php due to missing input sanitisation. The flaw, rated CVSS 8.3 with PR:L, enables attackers with any valid account to exfiltrate or tamper with ad-server data; no public exploit identified at time of analysis, though a HackerOne report describing the issue is publicly referenced.

SQLi PHP Adserver
NVD
CVSS 3.0
8.3
EPSS
0.3%
CVE-2026-44958 MEDIUM This Month

Privilege escalation within Revive Adserver 6.0.6 and earlier allows authenticated advertiser-level users to activate or deactivate banner ads regardless of whether those permissions were explicitly granted. The banner-edit.php script evaluated banner status changes based solely on banner edit permissions, treating status modification as implicitly authorized whenever edit access existed. No public exploit code has been identified at time of analysis, and this is not listed in the CISA KEV catalog, but the low attack complexity and network accessibility make it straightforward for any credentialed advertiser to abuse.

PHP Authentication Bypass Adserver
NVD
CVSS 3.0
5.4
EPSS
0.3%
CVE-2026-34912 MEDIUM This Month

Revive Adserver 6.0.6 and earlier fails to enforce ownership validation when linking banners or campaigns to ad zones via the zone-include.php script or the platform API, allowing any authenticated low-privileged user to associate their zones with advertising assets owned by other managers on the same installation. This breaks the intended multi-tenant ownership isolation, producing inconsistent cross-account zone-to-banner and zone-to-campaign relationships that disrupt legitimate advertiser operations. No public exploit has been identified and there is no CISA KEV listing; however, the low attack complexity and network accessibility via both the web interface and API make exploitation straightforward for any authenticated platform user.

PHP Authentication Bypass Adserver
NVD
CVSS 3.0
4.3
EPSS
0.2%
CVE-2026-44959 HIGH This Week

Authenticated PHP code injection in Revive Adserver 6.0.6 and earlier allows a low-privileged user to smuggle an unexpected parameter into the delivery limitations save flow, planting attacker-controlled PHP into the compiledlimitations field that is then evaluated when banners are served. With CVSS 8.8 and a CWE-94 root cause, successful exploitation yields full code execution under the web/ad-delivery process, though there is no public exploit identified at time of analysis and the vulnerability is not in CISA KEV.

PHP RCE Code Injection Adserver
NVD
CVSS 3.0
8.8
EPSS
0.4%
CVE-2026-34915 MEDIUM This Month

Blind SQL injection in Revive Adserver 6.0.6 and earlier allows a low-privileged authenticated user to exfiltrate database contents via the unsanitized clientid parameter in zone-include.php. The vulnerability is compounded by a concurrent input validation failure that also enables cross-site scripting, reflected in the CWE-79 assignment and CVSS scope-change vector - suggesting the zone-include.php endpoint contains at least two distinct injection classes. No public exploit has been identified at time of analysis, and a fix is available in versions beyond 6.0.6 per the vendor advisory on HackerOne.

SQLi XSS PHP Adserver
NVD
CVSS 3.0
6.1
EPSS
0.2%
CVE-2026-11772 MEDIUM Monitor

Reflected XSS in DRIMO CMS search functionality allows remote unauthenticated attackers to execute arbitrary JavaScript in a victim's browser by tricking them into clicking a specially crafted URL containing a malicious payload in the `q` parameter. All versions are affected via the CPE wildcard (cpe:2.3:a:drimo:drimo_cms:*), and the product has been declared End of Life - no security patch will be issued. The sole vendor-acknowledged mitigation, confirmed by CERT-PL, is deletion of the `info.php` file; no public exploit code or KEV listing has been identified at time of analysis.

XSS PHP Drimo Cms
NVD VulDB
CVSS 4.0
5.1
EPSS
0.4%
CVE-2026-55599 PHP MEDIUM POC PATCH This Month

Server-side request forgery in phpseclib's X.509 validation allows unauthenticated network attackers to force the validating server to open arbitrary outbound connections to attacker-controlled hosts, including internal loopback addresses (127.0.0.1) and cloud metadata endpoints (169.254.169.254). The flaw exists because X509::validateSignature() unconditionally fetches URLs embedded in the Authority Information Access extension of untrusted certificates with no blocklist or destination filtering - and this behavior is enabled by default across all three maintained release branches. No CISA KEV listing exists at time of analysis, and no weaponized public exploit was referenced, though the GitHub advisory provides exact file and line references making the trigger path immediately reproducible.

SSRF PHP Phpseclib
NVD GitHub VulDB
CVSS 3.1
5.8
EPSS
0.1%
CVE-2026-33731 PHP MEDIUM PATCH GHSA This Month

Wallet balance inflation in AVideo's Authorize.Net payment plugin (versions <= 28.0) allows a low-privileged attacker to credit arbitrary amounts to any user account by forging webhook requests. Three code flaws chain together: a logical OR in the signature check lets a real transaction ID bypass HMAC validation entirely, attacker-controlled payload fields take precedence over authoritative API-fetched amounts and user IDs, and the payment approval status is never verified before crediting the wallet. A detailed proof-of-concept with working curl commands is publicly documented in GitHub Advisory GHSA-95jh-7r58-xmxw. No confirmed active exploitation (CISA KEV) at time of analysis, but the PoC lowers the bar to exploitation significantly.

RCE PHP
NVD GitHub
CVSS 3.1
6.5
CVE-2026-33684 PHP MEDIUM POC PATCH GHSA This Month

Unauthenticated privilege escalation in AVideo (composer/wwbn/avideo) versions below 29.0 allows any user who can solve a CAPTCHA to self-grant upload, streaming, meeting-creation, and email-verified status during account registration. The root cause is that `set_api_signUp` in `plugin/API/API.php` applies admin-controlled permission parameters (`emailVerified`, `canUpload`, `canStream`, `canCreateMeet`) unconditionally across both its authenticated (APISecret) and anonymous (CAPTCHA) code paths, bypassing the `isAPISecretValid()` guard that correctly protects equivalent admin operations elsewhere in the codebase. A working proof-of-concept curl sequence is publicly documented in the GitHub security advisory GHSA-8j8m-p79x-g4jm; no active exploitation has been confirmed by CISA KEV at time of analysis.

PHP Authentication Bypass
NVD GitHub
CVSS 3.1
5.3
CVE-2026-56446 HIGH PATCH This Week

Remote code execution in MISP allows authenticated site administrators to abuse the JsonLogTool NDJSON error log configuration to write attacker-controlled content to a PHP file under the webroot, yielding code execution as the web server user. No public exploit identified at time of analysis, but a vendor patch is available via the MISP GitHub repository.

RCE PHP Code Injection Misp
NVD GitHub VulDB
CVSS 4.0
8.7
EPSS
0.3%
CVE-2026-56425 CRITICAL PATCH Act Now

Multiple OAuth 2.0 flow weaknesses in the MISP AAD (Azure Active Directory) authentication plugin allow session hijacking, session fixation, CSRF/replay against the OAuth callback, plaintext credential exposure over non-HTTPS redirect URIs, and log injection. The plugin reused the PHP session_id() as the OAuth state parameter, never rotated the session ID after login, did not enforce HTTPS on the redirect URI, and logged attacker-controlled GET parameters verbatim. No public exploit identified at time of analysis, but an upstream fix is available in MISP commit 146bc40.

Session Fixation PHP CSRF Microsoft Misp
NVD GitHub VulDB
CVSS 4.0
9.3
EPSS
0.3%
CVE-2026-56382 PHP HIGH POC PATCH This Week

Authenticated remote code execution in Craft CMS versions 5.5.0 through 5.9.13 allows admin users to execute arbitrary PHP by injecting Yii2 event handlers via the fieldLayoutConfig POST parameter to FieldsController::actionRenderCardPreview(). The flaw stems from missing Component::cleanseConfig() sanitization, enabling disclosure of environment variables including database credentials and CRAFT_SECURITY_KEY. No public exploit identified at time of analysis, though VulnCheck has published a detailed advisory describing the attack technique.

Code Injection RCE PHP Cms
NVD GitHub VulDB
CVSS 4.0
8.6
EPSS
0.5%
CVE-2026-12789 LOW Monitor

SQL injection in ILIAS Learning Management System 11.0 allows a remote, high-privileged attacker to manipulate database queries via the Learning Progress Tracking component. The `troup_table_nav` argument passed to `ilTrQuery::executeQueries` in `components/ILIAS/Tracking/classes/class.ilTrQuery.php` is incorporated into SQL statements without adequate sanitization, enabling low-impact reads and writes against the underlying database. Publicly available exploit code exists (CVSS 4.0 E:P), and the vendor did not respond to pre-disclosure contact, meaning no official patch has been issued.

SQLi PHP Learning Management System
NVD VulDB
CVSS 4.0
2.0
EPSS
0.2%
CVE-2026-12776 LOW POC Monitor

SQL injection in Montodel House-Rental-Management exposes database contents and integrity to authenticated remote attackers via the unsanitized ID parameter at /index.php?page=houses. All tracked commits up to 90010017b81265eb1ef3810268909f7719a33863 are affected, with no patched release available as the vendor did not respond to coordinated disclosure. Publicly available exploit code exists (E:P in the CVSS 4.0 vector), lowering the bar for exploitation; however, the required authenticated context and limited per-query impact keep the overall risk score low at CVSS 4.0 2.1.

SQLi PHP House Rental Management
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.2%
CVE-2026-12775 MEDIUM POC This Month

SQL injection in Montodel House-Rental-Management's /login.php endpoint allows unauthenticated remote attackers to manipulate the Username parameter and interact with the underlying database without credentials. A public proof-of-concept exploit is available on GitHub, and the vendor was unresponsive to pre-disclosure contact, leaving no patch path. Any internet-exposed deployment of this PHP application should be treated as immediately at risk given the zero-barrier exploitation prerequisites and available exploit code.

SQLi PHP House Rental Management
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.3%
EPSS 0% CVSS 5.5
MEDIUM This Month

SQL injection in code-projects Real State Services 1.0 exposes the `ID` parameter of `/single-list_sale.php?action=add` to remote, unauthenticated query manipulation, enabling attackers to read or modify database contents. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms no authentication or special conditions are required to reach the endpoint, and the E:P modifier confirms publicly available exploit code referenced via a GitHub CVE disclosure. No patch has been issued; this is not currently listed in CISA KEV, indicating no confirmed mass exploitation at time of analysis.

SQLi PHP
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM POC This Month

Unauthenticated SQL injection in SourceCodester Class and Exam Timetabling System 1.0 exposes backend database contents via the `course_year_section` parameter in `/preview3.php`. The CVSS 4.0 vector confirms network-accessible, no-authentication, no-interaction exploitation (AV:N/AC:L/PR:N/UI:N), and exploit code is publicly available (E:P on GitHub). No active exploitation is confirmed in CISA KEV, but the public POC lowers the bar for opportunistic attacks against any publicly exposed instance.

SQLi PHP Class And Exam Timetabling System
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in SourceCodester Class and Exam Timetabling System 1.0 exposes database contents through the unsanitized ID parameter in /edit_class1.php, exploitable by unauthenticated remote attackers. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms no prerequisites are required and the attack is fully remote with no user interaction. A public proof-of-concept has been disclosed on GitHub, lowering the exploitation barrier; the product is not currently listed in the CISA KEV catalog.

SQLi PHP Class And Exam Timetabling System
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW Monitor

Cross-site scripting in itsourcecode Online Hotel Management System 1.0 allows remote attackers to inject arbitrary JavaScript via the unsanitized `Name` parameter in POST requests to `/admin/mod_room/controller.php?action=add`. The CVSS 4.0 base score of 2.1 reflects constrained real-world impact: only vulnerable-system integrity is affected (VI:L), user interaction is required (UI:P), and no confidentiality or availability impact is assessed. A publicly available exploit exists (E:P per CVSS 4.0 supplemental vector), but no active exploitation has been confirmed via CISA KEV, consistent with the niche deployment footprint of this free PHP educational project.

XSS PHP
NVD GitHub VulDB
EPSS 0% CVSS 2.1
LOW Monitor

Cross-site scripting in itsourcecode Online Hotel Management System 1.0 allows remote attackers to inject malicious JavaScript via the Name argument in a POST request to /admin/mod_users/controller.php?action=edit. The vulnerability requires a victim to interact with the crafted content (CVSS 4.0 UI:P), limiting its reach but not eliminating risk against administrative users. A publicly disclosed proof-of-concept exploit exists per VulDB submission 843586, though no public exploit identified at time of analysis in CISA KEV.

XSS PHP
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM This Month

SQL injection in itsourcecode Online Hotel Management System 1.0 exposes the admin user-management endpoint to remote database manipulation via the unsanitized Name parameter in /admin/mod_users/controller.php?action=add. The CVSS 4.0 vector assigns no privilege requirement (PR:N) and low complexity (AC:L), though the admin-panel path raises a discrepancy worth verifying - the endpoint may be accessible without authentication if the application does not enforce session controls on admin routes. A public proof-of-concept exploit exists (E:P in the CVSS 4.0 supplemental data), elevating immediate risk despite the absence of a CISA KEV listing.

SQLi PHP
NVD GitHub VulDB
EPSS 0% CVSS 2.1
LOW Monitor

Cross-site scripting in itsourcecode Online Hotel Management System 1.0 enables remote attackers to inject arbitrary JavaScript via the Name parameter in the amenities management POST handler at /admin/mod_amenities/controller.php?action=add. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:P) confirms no authentication or special attack conditions are required to submit the payload, but passive user interaction - an admin browsing the amenities panel - is needed to trigger execution. A proof-of-concept exploit has been publicly disclosed via GitHub (VulDB submission 843584), though no active exploitation has been confirmed by CISA KEV.

XSS PHP
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM This Month

Unrestricted file upload in itsourcecode Online Hotel Management System 1.0 allows remote attackers to upload arbitrary files - including PHP webshells - via the `image` parameter of `/admin/mod_amenities/controller.php?action=add`. The CVSS 4.0 vector assigns PR:N (no privileges required), corroborated by the 'Authentication Bypass' tag, indicating the admin-facing endpoint is reachable without credentials. A published proof-of-concept exploit exists; no patch has been identified at time of analysis.

Authentication Bypass File Upload PHP
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM This Month

SQL injection in itsourcecode Online Hotel Management System 1.0 exposes the admin amenities controller to remote database manipulation via the unsanitized amen_id parameter at /admin/mod_amenities/controller.php?action=edit. A publicly available proof-of-concept exploit has been confirmed (CVSS 4.0 E:P modifier; VulDB submission 843569; GitHub issue Hh-176/CVE#3), enabling unauthenticated or low-privileged remote attackers to read, modify, or corrupt hotel management database records. No vendor patch has been identified at time of analysis.

SQLi PHP
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in itsourcecode Baptism Information Management System 1.0 exposes database contents to remote unauthenticated attackers via the ID parameter in /editBaptism.php. A publicly available proof-of-concept exploit exists on GitHub, enabling data exfiltration or modification without any credentials or user interaction. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N/E:P) confirms low-complexity remote exploitation with no special conditions required, and no vendor-released patch has been identified.

SQLi PHP Baptism Information Management System
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in itsourcecode Baptism Information Management System 1.0 exposes the `/delbaptism.php` endpoint to remote database manipulation via an unsanitized `ID` parameter. The CVSS 4.0 vector (AV:N/AC:L/PR:N/UI:N) confirms this requires no authentication or user interaction against any network-accessible instance. A public proof-of-concept exploit exists on GitHub, making this immediately weaponizable against any exposed deployment, though the application is not listed in CISA KEV and its niche footprint substantially limits aggregate exposure.

SQLi PHP Baptism Information Management System
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

Authorization bypass in CodeAstro Complaint Management System 1.0 exposes the deletereport endpoint to unauthenticated arbitrary deletion of complaint reports and associated files. The deletereport function in application/controllers/Report.php accepts a caller-supplied report identifier without verifying ownership or authorization, enabling any remote user to delete any report by manipulating that identifier. A public proof-of-concept exploit is available on GitHub; no CISA KEV listing exists at time of analysis, indicating no confirmed widespread active exploitation.

Authentication Bypass PHP Complaint Management System
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

SQL injection in itsourcecode Hospital Management System 1.0 exposes the `/doctortimings.php` endpoint to database manipulation via the unsanitized `editid` parameter, allowing a remote low-privilege authenticated attacker to read, modify, or partially disrupt backend database contents. The CVSS 4.0 vector (PR:L) confirms that some form of application authentication is required, limiting opportunistic mass exploitation, but a publicly available proof-of-concept exploit on GitHub materially lowers the barrier for targeted attacks. No patch has been released; the vulnerability is not listed in the CISA KEV catalog, but the sensitivity of healthcare data in scope makes it a meaningful risk for any production deployment.

SQLi PHP Hospital Management System
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

SQL injection in itsourcecode Hospital Management System 1.0 exposes the `/doctorprofile.php` endpoint to remote exploitation via the `doctorname` parameter, allowing an authenticated attacker to execute arbitrary SQL commands against the backend database. Affected systems risk unauthorized access to, modification of, or partial disruption of sensitive medical and staff records stored within the application. A public proof-of-concept exploit has been disclosed on GitHub (CVSS 4.0 E:P), significantly lowering the technical barrier for exploitation despite the moderate base score; no CISA KEV listing is present at time of analysis.

SQLi PHP Hospital Management System
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

SQL injection in itsourcecode Hospital Management System 1.0 exposes the backend database to authenticated remote attackers through the `newpassword` parameter of `/doctorchangepassword.php`. An attacker holding low-privilege credentials - such as a doctor account - can craft malicious SQL payloads to read, modify, or potentially delete database records. A public exploit exists per the CVSS 4.0 E:P modifier and a referenced GitHub issue; no active exploitation has been confirmed by CISA KEV.

SQLi PHP Hospital Management System
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

SQL injection in CodeAstro Human Resource Management System 1.0 allows low-privileged remote attackers to manipulate database queries via the ID argument passed to the GetFileInfo function within the View Endpoint. The vulnerability resides in hrsystem/application/models/Employee_model.php and can result in unauthorized read and write access to the underlying database. A public exploit has been published on GitHub, elevating practical risk despite the authentication requirement and moderate CVSS 4.0 score of 5.3.

SQLi PHP Human Resource Management System
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

SQL injection in itsourcecode Hospital Management System 1.0 exposes the `/departmentDoctor.php` endpoint to database manipulation via the unsanitized `deptid` parameter, allowing a remote low-privileged attacker to read, modify, or corrupt backend database records. The CVSS 4.0 vector (PR:L) confirms that a valid application account is required, limiting opportunistic exploitation. A public proof-of-concept exploit is available on GitHub (linked from VulDB), and no vendor patch has been identified at time of analysis, making compensating controls the only available remediation path.

SQLi PHP Hospital Management System
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

SQL injection in itsourcecode Hospital Management System 1.0 exposes the /department.php endpoint to database manipulation via the unsanitized `editid` parameter, allowing a remote low-privileged authenticated attacker to read, modify, or delete hospital database contents. The CVSS 4.0 vector (PR:L) confirms a valid user account is required, constraining but not eliminating risk for internet-exposed instances. A public exploit has been released on GitHub, materially increasing the likelihood of opportunistic abuse against deployed instances.

SQLi PHP Hospital Management System
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

SQL injection in itsourcecode Hospital Management System 1.0 exposes the Appointment Handler endpoint `/appointmentdetail.php` to remote database manipulation via the unsanitized `editid` parameter. The CVSS 4.0 vector (PR:L, E:P) confirms low-privilege authentication is required and a public proof-of-concept exploit is available on GitHub, materially lowering the bar for exploitation. While not listed in CISA KEV, the combination of network reachability, trivial exploitation complexity, and live PoC code makes this a concrete risk for any organization running this codebase in production.

SQLi PHP Hospital Management System
NVD VulDB GitHub
EPSS 0% CVSS 2.9
LOW POC Monitor

SQL injection in YzmCMS up to version 7.5 allows network-based attackers to manipulate database queries by supplying crafted input to the siteurl argument within the installation endpoint /application/install/index.php. No authentication is required per the CVSS 4.0 vector (PR:N), though the attack is rated high complexity (AC:H), meaning exploitation is non-trivial despite a publicly available proof-of-concept on GitHub. The vendor did not respond to coordinated disclosure, leaving no official patch available; CVSS 4.0 scores this 6.3 with partial impact across confidentiality, integrity, and availability - no confirmed active exploitation (not in CISA KEV).

SQLi PHP Yzmcms
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in SourceCodester Class and Exam Timetabling System 1.0 exposes the `/preview4.php` endpoint to unauthenticated remote attackers via the `course_year_section` parameter. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms zero-prerequisite network exploitation against default deployments, with low-level impact across confidentiality, integrity, and availability of the backend database. No public exploit identified at time of analysis is incorrect here - a public proof-of-concept has been disclosed on GitHub (E:P maturity confirmed), meaningfully lowering the barrier for opportunistic and automated attacks against academic institutions running this software.

SQLi PHP Class And Exam Timetabling System
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in SourceCodester Class and Exam Timetabling System 1.0 exposes the `/edit_class.php` endpoint to unauthenticated remote database manipulation via the unsanitized `ID` parameter. Per the CVSS 4.0 vector (PR:N, UI:N, AC:L), no authentication or user interaction is required to initiate the attack, and a public proof-of-concept exploit is available on GitHub. No vendor patch has been identified at time of analysis, leaving deployments with no vendor-sanctioned remediation path.

SQLi PHP Class And Exam Timetabling System
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

SQL injection in CodeAstro Human Resource Management System 1.0 allows a low-privileged authenticated remote attacker to manipulate the `emid` parameter in the Update_Earn_Leave endpoint, triggering time-based blind SQL injection against the underlying database. The vulnerability resides in the `emselectByCode` function within `application/models/Employee_model.php`, where unsanitized input is passed directly into SQL query construction. A public proof-of-concept exploit is available on GitHub; no active exploitation has been confirmed by CISA KEV at time of analysis.

SQLi PHP Human Resource Management System
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in SourceCodester Class and Exam Timetabling System 1.0 allows unauthenticated remote attackers to manipulate database queries via the `course_year_section` parameter in /preview5.php. The input is passed directly into SQL queries without sanitization (CWE-89), enabling data extraction, modification, or availability disruption. A public proof-of-concept exploit is available on GitHub, and no patch has been identified at time of analysis.

SQLi PHP Class And Exam Timetabling System
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

SQL injection in itsourcecode Hospital Management System 1.0 exposes the `/appointmentapproval.php` Appointment Handler endpoint to database manipulation via the `editid` parameter, allowing low-privileged remote attackers to read, modify, or delete backend data. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:N) confirms network-exploitability with minimal attack complexity once credentials are obtained, and a public proof-of-concept has been disclosed on GitHub, substantially lowering the attacker skill threshold. No active exploitation is confirmed by CISA KEV, but the medical context of the affected system - which likely stores sensitive patient and appointment records - amplifies the potential impact of even a limited SQL injection.

SQLi PHP Hospital Management System
NVD VulDB GitHub
EPSS 0% CVSS 9.1
CRITICAL Act Now

Remote code execution in Alexantr filemanager v1.0 lets remote attackers run arbitrary code through the filemanager.php component, mapped to CWE-94 (code injection). The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N) indicates a network-reachable flaw requiring no authentication or user interaction, and publicly available exploit code exists (GitHub POC by SLO-CYBER-SEC). SSVC rates exploitation as proof-of-concept with total technical impact and automatable=yes, but it is not on CISA KEV and no EPSS score was provided.

Code Injection PHP RCE +1
NVD GitHub
EPSS 0% CVSS 2.0
LOW POC Monitor

Cross-site scripting in code-projects Project Management System 1.0 allows a remote authenticated attacker to inject malicious scripts via the /mail.php Mail Compose Page, targeting other users who interact with the crafted mail content. The CVSS 4.0 vector (PR:L/UI:P) confirms exploitation requires a low-privileged authenticated session and passive victim interaction, limiting scope but not eliminating risk in shared environments. A public proof-of-concept exploit has been disclosed on GitHub; no KEV listing and no vendor patch have been identified at time of analysis.

XSS PHP Project Management System
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

Cross-site scripting in yashpokharna2555/restaurent-management-system allows remote unauthenticated attackers to inject arbitrary client-side script via the Username argument in login_register.php's Registration Handler. The payload executes in the browser of any user who subsequently views the tainted data - most likely an administrator reviewing registered accounts. A public exploit exists per VulDB and GitHub issue #4; no public exploit identified as confirmed actively exploited (CISA KEV). The CVSS 4.0 base score of 2.1 reflects the limited scope and required victim interaction, but the availability of a POC elevates practical risk for any deployment.

XSS PHP Restaurent Management System
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in yashpokharna2555's restaurent-management-system exposes the /forgotpassword.php endpoint to unauthenticated remote exploitation via the POST email parameter, allowing attackers to execute arbitrary SQL against the backend database. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms no authentication or preconditions are required, and a public exploit is referenced in GitHub issue #3. The project has no versioning scheme and the maintainer has not responded to the disclosure, meaning no patch is available and all deployed instances remain vulnerable.

SQLi PHP Restaurent Management System
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

SQL injection in itsourcecode Hospital Management System 1.0 exposes the appointment management endpoint to remote database manipulation via the unsanitized `editid` parameter in `/appointment.php`. Authenticated low-privileged users can craft malicious SQL payloads to read, modify, or corrupt appointment and patient records in the underlying database. A publicly available proof-of-concept exploit exists (GitHub issue linked in references); no CISA KEV listing at time of analysis.

SQLi PHP Hospital Management System
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

SQL injection in itsourcecode Hospital Management System 1.0 exposes the `/ajaxmedicine.php` endpoint to database manipulation via the unsanitized `medicineid` parameter, exploitable by any low-privilege authenticated user over the network. A public proof-of-concept has been published on GitHub, materially lowering the barrier to exploitation. No active exploitation has been confirmed by CISA KEV, but the combination of public exploit code, a medical data context, and low attack complexity makes this a credible risk for any organization running this software.

SQLi PHP Hospital Management System
NVD VulDB GitHub
EPSS 0% CVSS 2.0
LOW POC Monitor

SQL injection in itsourcecode Hospital Management System 1.0 exposes authenticated administrators to database manipulation via the `loginid` parameter in `/adminprofile.php`. The CVSS 4.0 vector (PR:H) confirms exploitation is constrained to authenticated high-privilege sessions, limiting mass exploitation risk despite network accessibility. A public proof-of-concept exploit has been disclosed on GitHub, lowering the technical barrier for targeted abuse by insiders or credential-compromised actors.

SQLi PHP Hospital Management System
NVD VulDB GitHub
EPSS 0% CVSS 6.3
MEDIUM This Month

Authorization bypass in GLPI 11.0.5 through 11.0.7 exposes restricted documents to unauthorized network-based access via a manipulable docid parameter in the document download handler. The vulnerability resides in the Document::canViewFile authorization check within front/document.send.php, where an attacker can tamper with the docid argument to circumvent document-level access controls and retrieve files they are not permitted to view. No public exploit has been identified at time of analysis, and EPSS data was not provided; however, the remote network vector with no required privileges raises concern for exposed GLPI deployments.

Authentication Bypass PHP Glpi
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in SourceCodester Class and Exam Timetabling System 1.0 exposes the `/preview7.php` endpoint to unauthenticated remote exploitation via unsanitized input in the `course_year_section` parameter. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms zero-friction remote exploitation with no authentication or user interaction required. No public exploit identified at time of analysis is incorrect here - a publicly available exploit exists (GitHub issue referenced in references), elevating urgency despite the absence of a CISA KEV listing.

SQLi PHP Class And Exam Timetabling System
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in SourceCodester Class and Exam Timetabling System 1.0 exposes any publicly reachable deployment to unauthenticated database manipulation via the unsanitized `sy` parameter in /archive.php. The CVSS 4.0 vector (AV:N/AC:L/PR:N/UI:N) confirms remote exploitation with no prerequisites, yielding low-to-moderate impact across confidentiality, integrity, and availability of the underlying database. A publicly available proof-of-concept exploit exists on GitHub (referenced via VulDB submission 838189), lowering attacker skill requirements, though no CISA KEV listing indicates mass exploitation has not been confirmed at time of analysis.

SQLi PHP Class And Exam Timetabling System
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in SourceCodester Class and Exam Timetabling System 1.0 allows unauthenticated remote attackers to manipulate the `course_year_section` parameter on the `/preview6.php` endpoint, enabling unauthorized read and write access to the underlying database. The CVSS 4.0 vector (AV:N/AC:L/PR:N/UI:N) confirms exploitation requires no authentication and no special conditions, and a public proof-of-concept has been disclosed on GitHub. While not listed in CISA KEV, the trivially low attack complexity combined with POC availability raises the realistic exploitation risk above what the 5.5 medium score alone implies.

SQLi PHP Class And Exam Timetabling System
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in SourceCodester Class and Exam Timetabling System 1.0 exposes the `/preview.php` endpoint to remote unauthenticated exploitation via the unsanitized `course_year_section` parameter, allowing arbitrary SQL query execution against the backend database. A public proof-of-concept exploit has been published on GitHub, materially lowering the barrier to exploitation. Impact is rated low-to-partial across confidentiality, integrity, and availability, bounded by the database account's privileges, and no vendor patch has been identified at time of analysis.

SQLi PHP Class And Exam Timetabling System
NVD VulDB GitHub
EPSS 0% CVSS 8.1
HIGH This Week

Authenticated arbitrary file deletion in the Frontend File Manager Plugin (nmedia-user-file-uploader) for WordPress versions through 23.6 lets Subscriber-level users delete any file on the server, including wp-config.php, which can cascade into full site takeover. The flaw stems from a case-sensitivity gap in input sanitization within the wpfm_file_meta_update AJAX handler that allows attacker-controlled paths to reach unlink() unchecked. Reported by Wordfence with a CVSS of 8.1; no public exploit identified at time of analysis and the issue is not on CISA KEV.

WordPress Information Disclosure PHP
NVD VulDB
EPSS 0% CVSS 8.7
HIGH POC This Week

Privilege escalation to remote code execution in Pagekit CMS 1.0.18 lets an authenticated user holding the 'user: manage users' permission grant themselves arbitrary custom roles via an unprotected UserApiController::saveAction(), then assign a role carrying 'system: manage packages' to upload a malicious PHP package through the admin installer and run arbitrary code. Publicly available exploit code exists (gist by sermikr0, reported by VulnCheck), and the chain converts a limited management permission into full server compromise. No public evidence of active exploitation has been confirmed (not in CISA KEV).

Authentication Bypass RCE Privilege Escalation +2
NVD GitHub
EPSS 0% CVSS 7.5
HIGH This Week

Local File Inclusion in the Panorama Viewer - 360 Degree Image + Video Viewer WordPress plugin (versions 1.6.1 and earlier) allows authenticated users with Contributor-level access to coerce the application into including arbitrary local files on the server. Cataloged under CWE-98 and reported by Patchstack, the flaw can expose sensitive files (e.g., wp-config.php credentials) and, depending on server conditions, escalate toward code execution. No public exploit identified at time of analysis and it is not listed in CISA KEV; the CVSS 3.1 base score is 7.5 with high attack complexity.

LFI Information Disclosure PHP
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

PHP Object Injection in the Uncanny Automator Pro WordPress plugin (versions <= 7.3.0.6) allows authenticated users holding only the low-privileged Subscriber role to inject crafted serialized PHP objects into an unsafe deserialization sink (CWE-502). Depending on the gadget chains present in the plugin or co-installed software, this can escalate to remote code execution, arbitrary file operations, or database tampering. No public exploit has been identified at time of analysis, and it is not listed in CISA KEV; the input-supplied CVSS of 9.8 likely overstates privileges since the title explicitly scopes the flaw to the Subscriber role.

Deserialization PHP
NVD
EPSS 0% CVSS 8.8
HIGH This Week

Authenticated PHP object injection in the RealHomes WordPress theme (versions 4.5.3 and earlier) lets a low-privileged Subscriber-level account inject crafted serialized objects into an unsafe deserialization sink (CWE-502). Because WordPress applications and plugins commonly contain POP gadget chains, this can escalate to arbitrary file operations, SQL injection, or remote code execution, which is reflected in the high CVSS 8.8 (C:H/I:H/A:H). Reported by Patchstack; no public exploit identified at time of analysis and it is not listed in CISA KEV.

Deserialization PHP
NVD VulDB
EPSS 1% CVSS 9.8
CRITICAL Act Now

PHP Object Injection in the BuddyBoss Platform WordPress plugin (versions 3.0.4 and earlier) allows attackers with low-privilege Subscriber access to inject crafted serialized objects that are deserialized unsafely, potentially leading to remote code execution, data tampering, or denial of service depending on available gadget chains. The flaw was reported by Patchstack and carries a CVSS base score of 9.8; however, the 'Subscriber' qualifier implies authenticated access is required, which conflicts with the PR:N in the published vector. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV.

Deserialization PHP
NVD
EPSS 0% CVSS 8.1
HIGH This Week

PHP Object Injection in the Uncanny Automator WordPress plugin (versions 7.3.1.2 and earlier) lets unauthenticated remote attackers submit crafted serialized PHP objects that the application deserializes, potentially leading to full WordPress site compromise. The flaw is rooted in unsafe deserialization of untrusted data (CWE-502) and carries high confidentiality, integrity, and availability impact (CVSS 8.1). No public exploit identified at time of analysis and it is not in CISA KEV; the high attack complexity reflects the need for a usable POP gadget chain in the target environment.

Deserialization PHP
NVD
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Local File Inclusion in the Goya Core WordPress plugin (versions before 1.0.9.4) lets authenticated Contributor-level users coerce the application into including arbitrary local files, exposing sensitive server-side content such as configuration files and PHP source. Reported by Patchstack and classified CWE-98, the flaw carries a CVSS 3.1 base score of 7.5 (AV:N/AC:H/PR:L), and no public exploit identified at time of analysis. Exploitation requires a valid low-privilege account and the high attack complexity reflects non-trivial preconditions.

LFI Information Disclosure PHP
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Local File Inclusion in the Splash - Sport Club WordPress theme (versions 4.4.3 and earlier) lets an authenticated Contributor-level user supply a controlled filename to a PHP include/require sink, exposing local server files and potentially escalating to code execution. The flaw was reported by Patchstack and carries a CVSS 7.5; no public exploit identified at time of analysis, and it is not listed in CISA KEV. Exploitation requires an existing low-privilege account and overcomes elevated attack complexity, narrowing realistic abuse to multi-author sites.

WordPress LFI Information Disclosure +1
NVD
EPSS 0% CVSS 2.1
LOW Monitor

Server-Side Request Forgery in HTMLy 3.1.1 allows authenticated administrators to coerce the server into issuing arbitrary outbound HTTP or local filesystem requests via the RSS feed import feature. The vulnerable `get_feed()` function at `system/admin/admin.php` lines 1549-1551 passes the admin-supplied URL directly to PHP's `file_get_contents()` with no scheme filtering or allowlist validation, enabling access to cloud metadata endpoints (e.g., 169.254.169.254), internal network services, or local files via `file://` wrappers. No public exploit or CISA KEV listing exists at time of analysis; the CVSS 4.0 score of 2.1 reflects the high privilege prerequisite and limited confidentiality impact.

SSRF PHP Htmly
NVD GitHub
EPSS 0% CVSS 6.1
MEDIUM This Month

Reflected cross-site scripting in Revive Adserver's stats-video.php script allows remote attackers to inject arbitrary JavaScript into victim browsers by delivering a crafted URL. The Smarty template engine's custom `url` helper function emits attacker-controlled values without HTML encoding or sanitization, and the URL construction pattern for this endpoint exposes user input directly in rendered output. No active exploitation has been confirmed (not in CISA KEV), but the vulnerability is reachable without authentication and requires only victim interaction with a malicious link.

XSS PHP Adserver
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

Reflected XSS in Revive Adserver 6.0.7 and earlier allows a low-privileged user to inject unsanitized JavaScript via the `refresh` parameter in the zone-include.php iFrame invocation script. The CVSS scope change (S:C) indicates that attacker-controlled script executes in the victim's browser security context, enabling session hijacking, credential theft, or malicious redirects against targeted users who click a crafted URL. No active exploitation confirmed (not in CISA KEV) and no public exploit code identified at time of analysis, though the low attack complexity makes this straightforward for any attacker with XSS capability.

XSS PHP Adserver
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

Stored cross-site scripting in Revive Adserver 6.0.7 allows an authenticated low-privilege attacker to inject persistent XSS payloads via entity names that render unescaped within the maintenance-acl-check.php and maintenance-banners-check.php tools. When an administrator later runs these maintenance utilities and inconsistencies are detected, the malicious payload executes in the admin's browser context, potentially enabling session hijacking or unauthorized administrative actions. No public exploit or active exploitation (CISA KEV) has been identified at time of analysis; the AC:H vector reflects that payload execution is partially outside attacker control, contingent on admin use of the specific maintenance tools.

XSS PHP Adserver
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Ownership validation bypass in Revive Adserver 6.0.7 and earlier allows a low-privileged authenticated user to link their own trackers to campaigns belonging to other managers on the same instance via the `tracker-campaigns.php` script. This is a bypass of the fix introduced for CVE-2026-34913, which applied ownership checks only to the forward linking operation but omitted the reverse direction. The impact is confined to integrity - specifically, creation of inconsistent cross-manager ownership relationships - with no confidentiality or availability consequences. No public exploit identified at time of analysis.

Authentication Bypass PHP Adserver
NVD
EPSS 1% CVSS 7.2
HIGH POC This Week

Arbitrary file relocation in HTMLy CMS through version 3.1.1 allows low-privileged authenticated users to move any web-server-writable file by injecting directory traversal sequences into the oldfile parameter of the admin autosave endpoint. Reported by VulnCheck with publicly available exploit code, the flaw stems from passing unsanitized input directly to file_exists() and rename() in admin.php. It is not listed in CISA KEV, so there is no public exploit identified as actively exploited at time of analysis despite the available POC.

Path Traversal PHP Htmly
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM This Month

Unrestricted file upload in K2 Extension for Joomla (versions 1.0 through 2.26) permits attackers to embed PHP scripts inside zip or tar archives uploaded via the article gallery feature, which are then extracted as-is into the publicly accessible `/media/k2/galleries/<id>/` directory and remain directly executable via HTTP. The extension applies renaming sanitization only to recognized image types, leaving PHP, shell, and other dangerous file types completely unfiltered post-extraction - a textbook CWE-434 flaw. No public exploit has been identified at time of analysis, but the reported CVSS base vector (AV:N/AC:L/PR:N/UI:N) and the nature of the flaw indicate trivial exploitability; notably, the reported CVSS impact metrics (C:L/I:N/A:N) appear to significantly understate the actual consequence of achieving arbitrary PHP code execution on the server.

PHP File Upload K2 Extension For Joomla
NVD
EPSS 0% CVSS 6.3
MEDIUM This Month

Unrestricted PHP file upload in K2 extension for Joomla (versions 1.0–2.26) enables any authenticated K2 Author to achieve remote code execution by uploading a PHP webshell via the frontend article-attachment upload endpoint and executing it through Apache mod_php. Because the upload handler performs no extension filtering, a `.php` file is written to `/media/k2/attachments/` and served by Apache's standard `\.php$` handler, executing arbitrary code as the web server process user. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV, though the attack path is elementary once Author-level access is obtained.

PHP Apache File Upload +1
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Path traversal in the K2 extension for Joomla (versions 1.0-2.26) allows authenticated Authors to copy arbitrary web-readable files - including Joomla's database credential file `configuration.php` and OS files such as `/etc/passwd` - into a publicly accessible directory for retrieval. The article-save handler's `attachment[N][existing]` POST parameter is concatenated with `JPATH_SITE/` and passed directly to `JFile::copy()` without stripping `../` sequences or enforcing a source-path allow-list, making traversal trivial. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV, but the confidentiality impact is severe on multi-author Joomla sites where Author accounts may be widely distributed.

Path Traversal PHP K2 Extension For Joomla
NVD
EPSS 0% CVSS 8.8
HIGH This Week

PHP Object Injection in the EventPrime event-calendar-management WordPress plugin (versions 4.3.4.1 and earlier) allows an authenticated attacker holding only a low-privilege Subscriber account to inject crafted serialized objects into an unsafe deserialization sink. Depending on the PHP gadget chains present in WordPress core, the plugin, or other installed plugins, this can escalate to data tampering, information disclosure, or remote code execution. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV; it was reported by Patchstack.

Deserialization PHP Eventprime
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Unauthenticated local file inclusion in the WordPress 'Meta Data and Taxonomy Filter' (MDTF) plugin by pluginus.net affects all versions up to and including 1.3.8, allowing remote attackers without credentials to coerce the PHP application into including arbitrary local files. Per its CVSS:3.1 vector (AV:N/PR:N), exploitation is network-reachable and unauthenticated, though the high attack complexity (AC:H) implies non-trivial preconditions. This is classified as information disclosure but rated 8.1 with full C/I/A impact; there is no public exploit identified at time of analysis and it is not on the CISA KEV list.

LFI Information Disclosure PHP +1
NVD
EPSS 0% CVSS 7.7
HIGH This Week

SQL injection in the open-source Grocery Store Management System (PHP/MySQL, v1.0 by anirudhkannanvp) lets attackers read arbitrary database contents by injecting a crafted SQL payload through the unsanitized 'scost' parameter of /grocery/search_products.php. The flaw (CWE-89) carries a CVSS of 7.7 and exposes credentials, customer records, and other sensitive data; publicly available exploit code exists in a dedicated GitHub repository, though it is not listed in CISA KEV and its EPSS exploitation probability is low (0.24%, 16th percentile).

SQLi PHP N A
NVD GitHub
EPSS 1% CVSS 8.8
HIGH This Week

Remote authenticated command injection in Unraid's web management server allows attackers to execute arbitrary OS commands as the www-data user by abusing unsanitized input in ToggleState.php. Any user with low-privilege authenticated web access can chain this CWE-78 flaw into full code execution on the underlying NAS host. Discovered and reported through ZDI (ZDI-CAN-30134 / ZDI-26-386); no public exploit identified at time of analysis and no CISA KEV listing.

Command Injection RCE PHP +1
NVD
EPSS 1% CVSS 8.8
HIGH This Week

Authenticated remote code execution in Unraid stems from OS command injection in the web server's FileUpload.php, where a user-supplied string is passed to a system call without validation, letting any logged-in attacker run arbitrary commands as the www-data user. Tracked as ZDI-CAN-30116 and disclosed via the Zero Day Initiative, it carries a CVSS 8.8 rating; no public exploit identified at time of analysis, and it is not listed in CISA KEV.

Command Injection RCE PHP +1
NVD
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Persistent denial of service in the Tiptap for PHP library before 2.1.1 lets authenticated users crash the server-side rendering pipeline by submitting Tiptap JSON whose attrs.href is an array rather than a string. The malformed value reaches preg_match() inside Link::isAllowedUri() and triggers an unhandled TypeError; because the bad record is stored, every later attempt to render that content fails for all viewers until the database row is manually fixed. No public exploit has been identified at time of analysis, and the issue is not listed in CISA KEV; EPSS data was not provided.

Denial Of Service PHP Tiptap Php
NVD GitHub
EPSS 0% CVSS 8.8
HIGH This Week

Authenticated PHP code injection in the AdRotate Banner Manager WordPress plugin (versions ≤5.17.7) allows Contributor-level users to execute arbitrary PHP on the server by abusing the 'banner' attribute of the [adrotate] shortcode. Exploitation requires W3 Total Cache or Borlabs Cache support to be enabled in AdRotate settings, where unsanitized input is concatenated into a PHP string wrapped in mfunc/fragment cache markers. Reported by Wordfence; no public exploit identified at time of analysis and the issue is not listed in CISA KEV.

Code Injection WordPress PHP +2
NVD
EPSS 0% CVSS 7.2
HIGH POC PATCH This Week

PHP Object Injection in the Post Duplicator WordPress plugin before 3.0.15 lets authenticated users with Contributor-level access or higher inject arbitrary serialized PHP objects by abusing the plugin's post-duplication routine, which copies attacker-controlled custom meta-data without the WordPress meta API's double-serialization safeguard. Successful exploitation can lead to property-oriented programming attacks and, with a suitable gadget chain present, full compromise of the site. Publicly available exploit code exists (WPScan), though the flaw is not listed in CISA KEV and carries a low EPSS score (0.15%, 5th percentile).

WordPress Code Injection PHP +1
NVD WPScan VulDB
EPSS 0% CVSS 5.3
MEDIUM This Month

Unauthenticated mass PII harvesting is possible on any WordPress site running the WhatsOrder - Instant Checkout for WooCommerce plugin (all versions through 1.0.1) because the plugin writes customer invoice HTML files to a publicly accessible directory with no access restrictions. The `yapacdev_generate_order_pdf` function deposits invoices under `wp-content/uploads/whatsorder_invoices/` without generating an `.htaccess` deny rule or `index.php` guard, and because WooCommerce uses predictable sequential order IDs, any remote attacker can enumerate and download every customer invoice with no authentication. Exposed data includes full name, email, phone number, billing address, itemized order contents with pricing, applied coupon codes, shipping method, and order total. No public exploit code has been identified at time of analysis and this vulnerability is not listed in the CISA KEV catalog.

Information Disclosure PHP WordPress +1
NVD
EPSS 0% CVSS 9.8
CRITICAL POC Act Now

Unauthenticated account takeover in the SignUp & SignIn WordPress plugin (versions ≤ 1.0.0) allows remote attackers to reset any user's password - including administrators - via the unauthenticated `pravel_change_password` AJAX action. No public exploit identified at time of analysis, but the trivially-bypassable empty-string comparison and AV:N/AC:L/PR:N/UI:N vector make exploitation essentially one HTTP request. The plugin's small footprint likely keeps EPSS low, but any site running it is fully exposed.

Authentication Bypass PHP Privilege Escalation +2
NVD VulDB GitHub
EPSS 0% CVSS 7.2
HIGH This Week

Unauthenticated stored cross-site scripting in the WP Meta SEO WordPress plugin (versions ≤ 4.5.18 by Joomunited) lets remote attackers persist arbitrary JavaScript into the `wp_wpms_links.link_url` database column by sending HTTP requests with a malicious URI to any 404 path. The payload executes in the browser of any administrator who opens the plugin's '404 & Redirects' admin page, enabling session hijacking or admin-on-behalf actions. No public exploit identified at time of analysis; no KEV listing.

PHP XSS WordPress +1
NVD
EPSS 1% CVSS 7.5
HIGH This Week

Unauthenticated SQL injection in the ClearSale Total WordPress plugin (all versions through 3.4.2) allows remote attackers to extract sensitive database contents via the pagseguro[metodo] POST parameter of the clearsale_total_push AJAX action. The flaw is reachable without authentication because the nopriv AJAX handler ships with a commented-out die() in the nonce-failure branch, and on PHP < 8.0 loose type juggling bypasses the switch/case integer guard. No public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV.

SQLi PHP WordPress +1
NVD
EPSS 0% CVSS 6.1
MEDIUM This Month

Reflected Cross-Site Scripting in the EntreDroppers WordPress plugin (all versions through 1.1.2) allows unauthenticated attackers to inject arbitrary JavaScript into victim browsers by embedding script payloads in the URL path-info segment, which PHP reflects unsanitized through the PHP_SELF server variable into the form action attribute at EntreDroppers.php line 223. Successful exploitation requires tricking an authenticated WordPress administrator into clicking a crafted link pointing to the /wp-admin/ context, making this a social-engineering-dependent attack. No public exploit code or active exploitation has been identified at time of analysis; no patch has been confirmed from available data.

PHP XSS WordPress +1
NVD VulDB
EPSS 0% CVSS 1.3
LOW PATCH Monitor

Signature image retrieval in Snipe-IT's S3-backed deployments bypasses authorization, allowing any authenticated user to obtain a 5-minute pre-signed S3 URL for acceptance signature images they are not permitted to view. The flaw exists in ActionlogController.php where the S3 code path returns a signed URL before the authorize() call is reached - a call that is correctly enforced only in the local-file code path. Affected are all Snipe-IT deployments on versions <= 8.5.0 configured to use S3 storage; no public exploit code exists and this CVE is not listed in CISA KEV.

PHP Authentication Bypass
NVD GitHub VulDB
CVSS 6.5
MEDIUM PATCH This Month

Account takeover in Snipe-IT (versions prior to 8.6.0) is achievable by any user holding the `import` permission via a logic flaw in the CSV user-import update path. The `UserImporter.php` code correctly unsets auth fields from the Eloquent model object, but `sanitizeItemForUpdating()` rebuilds its update payload from the raw CSV row (`$this->item`) - not from the model - rendering the unset calls entirely ineffective. An authenticated user with only `import` rights can overwrite any non-admin, non-superuser account's email address and then trigger a password reset to complete a full account takeover. No active exploitation has been confirmed (not listed in CISA KEV) and no public exploit code has been identified at time of analysis, though the vendor-published advisory includes precise source code and a working reproduction path.

PHP Authentication Bypass
NVD GitHub
CVSS 5.9
MEDIUM PATCH This Month

Unrestricted TOTP brute-forcing on Snipe-IT versions prior to 8.6.0 allows an attacker holding valid password credentials to bypass two-factor authentication by submitting unlimited guesses against the `POST /two-factor` endpoint, which enforces no rate limit, lockout, or attempt counter. With the `google2fa` window configured at 1, three of one million possible codes are valid at any instant, making statistical exhaustion feasible via scripted requests. Successful exploitation yields full session-level account takeover; in optional-2FA deployments the attacker can additionally call `POST /account/profile` to permanently disable 2FA with no re-verification, and admin-privileged attackers can clear other users' 2FA secrets via `POST /api/v1/users/two_factor_reset`. No public exploit has been identified at time of analysis.

PHP Denial Of Service
NVD GitHub
CVSS 8.1
HIGH PATCH This Week

{, } and stripped doubled && but left the single & background operator intact at the same execAsync() sh -c sink. Publicly available exploit code exists (a PHP PoC harness is included in the advisory), but the vulnerability is not in CISA KEV at time of analysis.

Command Injection PHP
NVD GitHub
EPSS 0% CVSS 4.3
MEDIUM This Month

Improper access control in Revive Adserver 6.0.6 and earlier allows an authenticated low-privileged user to link their own trackers to advertising campaigns owned by other managers on the same instance via campaign-trackers.php. The flaw enables unauthorized manipulation of campaign-tracker ownership relationships, corrupting attribution data and potentially introducing unauthorized tracking into other managers' campaigns. No active exploitation has been confirmed (not in CISA KEV) and no public exploit code has been identified at time of analysis.

PHP Authentication Bypass Adserver
NVD
EPSS 0%
NONE Awaiting Data

Stored XSS in Revive Adserver allows a low-privileged user to inject malicious JavaScript through their Full Name field, which propagates via system-generated emails into the userlog table and executes in an administrator's browser when viewing userlog-details.php. The attack crosses privilege boundaries - a standard user account becomes a vector for admin-context script execution, enabling session hijacking or unauthorized privileged actions. No public exploit has been identified at time of analysis; a fix adding proper output escaping has been confirmed via HackerOne report #3669623.

XSS PHP Adserver
NVD VulDB
EPSS 0% CVSS 8.8
HIGH This Week

Authenticated PHP code injection in Revive Adserver 6.0.6 and earlier allows a low-privileged user to embed arbitrary PHP into the compiledlimitations database field via the logical parameter of delivery limitations, with execution occurring later during banner delivery. The flaw is exploitable over the network with low complexity and yields full confidentiality, integrity, and availability impact (CVSS 8.8), though no public exploit identified at time of analysis.

PHP RCE Code Injection +1
NVD
EPSS 0% CVSS 8.3
HIGH This Week

Blind SQL injection in Revive Adserver 6.0.6 and earlier allows authenticated low-privileged users to inject arbitrary SQL through the clientid parameter of zone-include.php due to missing input sanitisation. The flaw, rated CVSS 8.3 with PR:L, enables attackers with any valid account to exfiltrate or tamper with ad-server data; no public exploit identified at time of analysis, though a HackerOne report describing the issue is publicly referenced.

SQLi PHP Adserver
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

Privilege escalation within Revive Adserver 6.0.6 and earlier allows authenticated advertiser-level users to activate or deactivate banner ads regardless of whether those permissions were explicitly granted. The banner-edit.php script evaluated banner status changes based solely on banner edit permissions, treating status modification as implicitly authorized whenever edit access existed. No public exploit code has been identified at time of analysis, and this is not listed in the CISA KEV catalog, but the low attack complexity and network accessibility make it straightforward for any credentialed advertiser to abuse.

PHP Authentication Bypass Adserver
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Revive Adserver 6.0.6 and earlier fails to enforce ownership validation when linking banners or campaigns to ad zones via the zone-include.php script or the platform API, allowing any authenticated low-privileged user to associate their zones with advertising assets owned by other managers on the same installation. This breaks the intended multi-tenant ownership isolation, producing inconsistent cross-account zone-to-banner and zone-to-campaign relationships that disrupt legitimate advertiser operations. No public exploit has been identified and there is no CISA KEV listing; however, the low attack complexity and network accessibility via both the web interface and API make exploitation straightforward for any authenticated platform user.

PHP Authentication Bypass Adserver
NVD
EPSS 0% CVSS 8.8
HIGH This Week

Authenticated PHP code injection in Revive Adserver 6.0.6 and earlier allows a low-privileged user to smuggle an unexpected parameter into the delivery limitations save flow, planting attacker-controlled PHP into the compiledlimitations field that is then evaluated when banners are served. With CVSS 8.8 and a CWE-94 root cause, successful exploitation yields full code execution under the web/ad-delivery process, though there is no public exploit identified at time of analysis and the vulnerability is not in CISA KEV.

PHP RCE Code Injection +1
NVD
EPSS 0% CVSS 6.1
MEDIUM This Month

Blind SQL injection in Revive Adserver 6.0.6 and earlier allows a low-privileged authenticated user to exfiltrate database contents via the unsanitized clientid parameter in zone-include.php. The vulnerability is compounded by a concurrent input validation failure that also enables cross-site scripting, reflected in the CWE-79 assignment and CVSS scope-change vector - suggesting the zone-include.php endpoint contains at least two distinct injection classes. No public exploit has been identified at time of analysis, and a fix is available in versions beyond 6.0.6 per the vendor advisory on HackerOne.

SQLi XSS PHP +1
NVD
EPSS 0% CVSS 5.1
MEDIUM Monitor

Reflected XSS in DRIMO CMS search functionality allows remote unauthenticated attackers to execute arbitrary JavaScript in a victim's browser by tricking them into clicking a specially crafted URL containing a malicious payload in the `q` parameter. All versions are affected via the CPE wildcard (cpe:2.3:a:drimo:drimo_cms:*), and the product has been declared End of Life - no security patch will be issued. The sole vendor-acknowledged mitigation, confirmed by CERT-PL, is deletion of the `info.php` file; no public exploit code or KEV listing has been identified at time of analysis.

XSS PHP Drimo Cms
NVD VulDB
EPSS 0% CVSS 5.8
MEDIUM POC PATCH This Month

Server-side request forgery in phpseclib's X.509 validation allows unauthenticated network attackers to force the validating server to open arbitrary outbound connections to attacker-controlled hosts, including internal loopback addresses (127.0.0.1) and cloud metadata endpoints (169.254.169.254). The flaw exists because X509::validateSignature() unconditionally fetches URLs embedded in the Authority Information Access extension of untrusted certificates with no blocklist or destination filtering - and this behavior is enabled by default across all three maintained release branches. No CISA KEV listing exists at time of analysis, and no weaponized public exploit was referenced, though the GitHub advisory provides exact file and line references making the trigger path immediately reproducible.

SSRF PHP Phpseclib
NVD GitHub VulDB
CVSS 6.5
MEDIUM PATCH This Month

Wallet balance inflation in AVideo's Authorize.Net payment plugin (versions <= 28.0) allows a low-privileged attacker to credit arbitrary amounts to any user account by forging webhook requests. Three code flaws chain together: a logical OR in the signature check lets a real transaction ID bypass HMAC validation entirely, attacker-controlled payload fields take precedence over authoritative API-fetched amounts and user IDs, and the payment approval status is never verified before crediting the wallet. A detailed proof-of-concept with working curl commands is publicly documented in GitHub Advisory GHSA-95jh-7r58-xmxw. No confirmed active exploitation (CISA KEV) at time of analysis, but the PoC lowers the bar to exploitation significantly.

RCE PHP
NVD GitHub
CVSS 5.3
MEDIUM POC PATCH This Month

Unauthenticated privilege escalation in AVideo (composer/wwbn/avideo) versions below 29.0 allows any user who can solve a CAPTCHA to self-grant upload, streaming, meeting-creation, and email-verified status during account registration. The root cause is that `set_api_signUp` in `plugin/API/API.php` applies admin-controlled permission parameters (`emailVerified`, `canUpload`, `canStream`, `canCreateMeet`) unconditionally across both its authenticated (APISecret) and anonymous (CAPTCHA) code paths, bypassing the `isAPISecretValid()` guard that correctly protects equivalent admin operations elsewhere in the codebase. A working proof-of-concept curl sequence is publicly documented in the GitHub security advisory GHSA-8j8m-p79x-g4jm; no active exploitation has been confirmed by CISA KEV at time of analysis.

PHP Authentication Bypass
NVD GitHub
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Remote code execution in MISP allows authenticated site administrators to abuse the JsonLogTool NDJSON error log configuration to write attacker-controlled content to a PHP file under the webroot, yielding code execution as the web server user. No public exploit identified at time of analysis, but a vendor patch is available via the MISP GitHub repository.

RCE PHP Code Injection +1
NVD GitHub VulDB
EPSS 0% CVSS 9.3
CRITICAL PATCH Act Now

Multiple OAuth 2.0 flow weaknesses in the MISP AAD (Azure Active Directory) authentication plugin allow session hijacking, session fixation, CSRF/replay against the OAuth callback, plaintext credential exposure over non-HTTPS redirect URIs, and log injection. The plugin reused the PHP session_id() as the OAuth state parameter, never rotated the session ID after login, did not enforce HTTPS on the redirect URI, and logged attacker-controlled GET parameters verbatim. No public exploit identified at time of analysis, but an upstream fix is available in MISP commit 146bc40.

Session Fixation PHP CSRF +2
NVD GitHub VulDB
EPSS 0% CVSS 8.6
HIGH POC PATCH This Week

Authenticated remote code execution in Craft CMS versions 5.5.0 through 5.9.13 allows admin users to execute arbitrary PHP by injecting Yii2 event handlers via the fieldLayoutConfig POST parameter to FieldsController::actionRenderCardPreview(). The flaw stems from missing Component::cleanseConfig() sanitization, enabling disclosure of environment variables including database credentials and CRAFT_SECURITY_KEY. No public exploit identified at time of analysis, though VulnCheck has published a detailed advisory describing the attack technique.

Code Injection RCE PHP +1
NVD GitHub VulDB
EPSS 0% CVSS 2.0
LOW Monitor

SQL injection in ILIAS Learning Management System 11.0 allows a remote, high-privileged attacker to manipulate database queries via the Learning Progress Tracking component. The `troup_table_nav` argument passed to `ilTrQuery::executeQueries` in `components/ILIAS/Tracking/classes/class.ilTrQuery.php` is incorporated into SQL statements without adequate sanitization, enabling low-impact reads and writes against the underlying database. Publicly available exploit code exists (CVSS 4.0 E:P), and the vendor did not respond to pre-disclosure contact, meaning no official patch has been issued.

SQLi PHP Learning Management System
NVD VulDB
EPSS 0% CVSS 2.1
LOW POC Monitor

SQL injection in Montodel House-Rental-Management exposes database contents and integrity to authenticated remote attackers via the unsanitized ID parameter at /index.php?page=houses. All tracked commits up to 90010017b81265eb1ef3810268909f7719a33863 are affected, with no patched release available as the vendor did not respond to coordinated disclosure. Publicly available exploit code exists (E:P in the CVSS 4.0 vector), lowering the bar for exploitation; however, the required authenticated context and limited per-query impact keep the overall risk score low at CVSS 4.0 2.1.

SQLi PHP House Rental Management
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in Montodel House-Rental-Management's /login.php endpoint allows unauthenticated remote attackers to manipulate the Username parameter and interact with the underlying database without credentials. A public proof-of-concept exploit is available on GitHub, and the vendor was unresponsive to pre-disclosure contact, leaving no patch path. Any internet-exposed deployment of this PHP application should be treated as immediately at risk given the zero-barrier exploitation prerequisites and available exploit code.

SQLi PHP House Rental Management
NVD VulDB GitHub
Prev Page 5 of 275 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy