Skip to main content

PHP

24724 CVEs product

Monthly

CVE-2026-12175 LOW POC Monitor

SQL injection in CodeAstro Student Attendance Management System 1.0 enables authenticated administrators to manipulate the `admissionNumber` parameter in `/attendance-php/Admin/createStudents.php`, allowing arbitrary SQL commands to be passed to the underlying database. Exploitation is constrained to actors who already hold high-privilege admin credentials (PR:H per the CVSS 4.0 vector), but impact spans database confidentiality, integrity, and availability. A public proof-of-concept exploit is available on GitHub; the vulnerability is not listed in CISA KEV, indicating no confirmed widespread exploitation at time of analysis.

PHP SQLi Student Attendance Management System
NVD VulDB GitHub
CVSS 4.0
2.0
EPSS
0.0%
CVE-2026-12183 CRITICAL Act Now

Remote unauthenticated authentication bypass in Nefteprodukttekhnika BUK TS-G Gas Station Automation System 2.9.1 through 2.10.2 on Linux allows any HTTP client to obtain administrator-level access by POSTing arbitrary credentials to /php/ajax-login.php, which unconditionally returns userid=1. Downstream privileged endpoints under /php/ajax-main.php and /modules/* fail to validate a server-side session, exposing full control over fuel dispensers, tank gauges, pricing, POS, bank terminals, and relays. No public exploit identified at time of analysis, but a public reference to a proof-of-concept repository (ciprobe/bukts_auth_bypass) suggests trivially reproducible exploitation against ICS/OT infrastructure.

Authentication Bypass PHP
NVD GitHub VulDB
CVSS 4.0
9.3
EPSS
0.2%
CVE-2026-9062 LOW POC PATCH Monitor

The Store Locator WordPress plugin before 1.6.9 does not validate a parameter before using it in a file path, allowing high-privileged users such as administrators to read arbitrary `.php` files from the server, including configuration files that contain database credentials and authentication keys.

PHP WordPress Store Locator Wordpress Path Traversal
NVD WPScan VulDB
CVSS 3.1
3.4
EPSS
0.0%
CVE-2026-12131 LOW POC Monitor

SQL injection in CodeAstro Human Resource Management System 1.0 enables authenticated remote attackers to manipulate the unsanitized `ID` parameter within the `Invoice` function of `application/controllers/Payroll.php`, allowing arbitrary database reads and writes against the underlying HR and payroll data store. A public proof-of-concept exploit is hosted on GitHub, confirming the vulnerability is actively weaponizable by any attacker holding a low-privilege account. No vendor patch has been identified; the CVE is not in CISA KEV, but the CVSS 4.0 vector carries E:P (exploit published), reflecting confirmed public exploit availability.

PHP SQLi Human Resource Management System
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-54360 HIGH PATCH This Week

Mass assignment in MISP's sharing group creation endpoint allows authenticated users with add-sharing-group permission to hijack arbitrary existing sharing groups by submitting the target group's primary key in the add() request. The CakePHP create()+save() pattern treats a supplied id as an update, bypassing the normal edit ACL on app/Controller/SharingGroupsController.php and exposing confidentiality and integrity of shared threat intelligence. No public exploit identified at time of analysis, though a fix commit is publicly visible on GitHub.

Authentication Bypass PHP
NVD GitHub VulDB
CVSS 4.0
8.4
EPSS
0.0%
CVE-2026-54362 MEDIUM PATCH This Month

Incorrect authorization in MISP's event template builder exposes organisation-private galaxy definitions to any authenticated user due to a PHP operator-precedence bug that silently voids the intended access-control filter. In multi-tenant MISP deployments, authenticated non-site-admin users can enumerate all enabled galaxies - including organisation-only custom galaxies belonging to other organisations - through the template builder galaxy list. No active exploitation is confirmed (not listed in CISA KEV), but the low exploitation barrier (any valid account, no special privileges) makes this a meaningful metadata-disclosure risk wherever multiple organisations share a MISP instance.

Authentication Bypass PHP Misp
NVD GitHub
CVSS 4.0
5.3
EPSS
0.0%
CVE-2026-54133 CRITICAL POC PATCH Act Now

Remote code execution in jmespath.php versions prior to 2.9.1 allows attackers controlling JMESPath expressions to inject arbitrary PHP into compiler-generated cache files, which are then loaded and executed by JmesPath\CompilerRuntime. The flaw stems from insufficient escaping of parsed function names when the compiler emits PHP source, enabling code execution whenever an application evaluates untrusted expressions through the compiler runtime. No public exploit identified at time of analysis, but the CVSS 9.8 rating reflects unauthenticated network-reachable RCE in any web app that pipes user input into the compiler.

PHP Information Disclosure Jmespath Php
NVD GitHub
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-53787 CRITICAL POC PATCH Act Now

Unauthenticated arbitrary file upload in Amasty Order Attributes for Magento 2 before 4.0.0 lets remote attackers drop arbitrary files into the store's media directory without authentication, session validation, or cart context. Where the media directory permits PHP execution, this escalates to unauthenticated remote code execution; otherwise it enables stored XSS via HTML/SVG, malware hosting, and path-traversal writes outside the intended directory. No public exploit identified at time of analysis, but the CVSS 4.0 base score of 9.3 and trivial preconditions make this a high-priority issue for any Magento 2 store running the extension.

Adobe RCE XSS File Upload Path Traversal +2
NVD VulDB GitHub
CVSS 4.0
9.3
EPSS
0.2%
CVE-2026-12066 MEDIUM POC This Month

Weak password recovery in PbootCMS up to 3.2.12 allows remote unauthenticated attackers to take over user accounts by manipulating the `checkcode`, `username`, `password`, and `email` parameters in the `retrieve` function of `apps/home/controller/MemberController.php`. The recovery mechanism fails to adequately validate or protect the verification token, enabling bypass of the intended authentication challenge during the password reset flow. A public proof-of-concept exploit explicitly titled 'Account-Takeover' is available on GitHub, elevating the realistic risk beyond the conservative base score of 6.9.

PHP Information Disclosure Pbootcms
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-45060 CRITICAL Act Now

Unauthenticated blind SQL injection in ClipBucket v5 prior to version 5.5.3 - #129 allows remote attackers to exfiltrate arbitrary database contents via the ids parameter of the actions/progress_video.php endpoint. The flaw carries a critical CVSS 9.8 score and no public exploit identified at time of analysis, but the trivial network-reachable attack surface on a public-facing video sharing platform makes opportunistic scanning likely. Vendor patch is available in 5.5.3 - #129 per the GHSA advisory.

PHP SQLi Information Disclosure Clipbucket V5
NVD GitHub VulDB
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-45418 HIGH This Week

Authenticated SQL injection in ClipBucket v5 prior to release 5.5.3 - #132 allows any user with video-upload privileges to exfiltrate database contents via the POST /actions/subtitle_edit.php endpoint. The vulnerable 'number' parameter handling enables boolean-based blind SQLi, and no public exploit is identified at time of analysis though the GitHub Security Advisory (GHSA-q233-m544-6jqr) documents the issue in detail.

PHP SQLi Information Disclosure Clipbucket V5
NVD GitHub
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-48062 PHP CRITICAL PATCH GHSA Act Now

Arbitrary file upload leading to remote code execution in CodeIgniter4 framework versions prior to 4.7.3 occurs because the `ext_in` validation rule inspects the MIME-derived guessed extension rather than the client-supplied filename extension. Applications that accept user uploads, rely on `ext_in` for extension allow-listing, persist files under their original client filename inside a web-accessible directory, and permit PHP execution in that directory can be coerced into writing and executing attacker-controlled PHP. No public exploit identified at time of analysis, though the patch commit and tests publicly demonstrate the bypass technique (a polyglot file named `shell.php` carrying GIF magic bytes).

File Upload PHP RCE
NVD GitHub
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-46697 HIGH PATCH This Week

Server-side request forgery in the Fediverse Embeds WordPress plugin before 1.5.8 lets any unauthenticated visitor coerce the WordPress host into issuing arbitrary outbound HTTP requests and returns the full response body to the caller, turning the site into a full-read open proxy. The flaw stems from the ftf/media-proxy REST route being registered with permission_callback => __return_true and a dead allowlist check whose result was never honored before wp_remote_get was invoked on a base64-decoded attacker-supplied URL. No public exploit identified at time of analysis, but the bug is trivial to weaponize against internal cloud metadata endpoints and intranet services from any reachable WordPress install.

PHP WordPress SSRF
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-46698 MEDIUM PATCH This Month

Server-Side Request Forgery in the Fediverse Embeds WordPress plugin (versions prior to 1.5.9) allows any unauthenticated visitor to cause the WordPress server to fetch an arbitrary URL by abusing a publicly exposed AJAX endpoint. The nonce mechanism guarding the endpoint (`ftf-fediverse-embeds-nonce`) is not an authentication boundary - the same nonce is embedded into every public page containing a fediverse embed, making it trivially obtainable by any site visitor. Once obtained, the nonce can be replayed to invoke `file_get_html($site_url)` with an attacker-controlled URL, potentially exposing internal services such as cloud provider metadata endpoints. No active exploitation has been confirmed (CVE is not in CISA KEV) and no public proof-of-concept has been identified at time of analysis.

PHP WordPress SSRF
NVD GitHub VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-8406 HIGH This Week

Authenticated information disclosure in openSIS Classic 9.3 lets any logged-in user with messaging-module access read other users' sent messages by tampering with the mail_id parameter sent to modules/messaging/SentMail.php. The flaw is a textbook insecure direct object reference (CWE-639) with no public exploit identified at time of analysis, though the upstream commit fixing it is published on GitHub, effectively documenting the vulnerable code path.

Authentication Bypass PHP
NVD GitHub VulDB
CVSS 4.0
7.1
EPSS
0.0%
CVE-2026-38581 CRITICAL Act Now

SQL Injection vulnerability in damasac thaipalliative_lte through version 3.0 allows remote attackers to execute arbitrary SQL commands via the idFormMain parameter to /substudy/ezform.php (line 14) and the id parameter (line 49). The parameters are concatenated directly into SQL queries without sanitization or parameterized statements.

PHP SQLi
NVD GitHub VulDB
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-53723 PHP MEDIUM PATCH GHSA This Month

XML injection in guzzlehttp/guzzle-services allows unauthenticated remote attackers to smuggle arbitrary XML elements into outgoing API requests by embedding the CDATA terminator `]]>` in attacker-controlled input. The PHP XMLWriter::writeCData() call used by the request serializer for values containing `<`, `>`, or `&` terminates the CDATA section prematurely when the payload contains `]]>`, causing the remainder to be interpreted as raw XML markup by the downstream service. Depending on downstream service behavior, this can enable privilege escalation, parameter boundary bypass, or operation semantic manipulation — the advisory's canonical example shows injection of a `<Role>admin</Role>` element that a receiving service may honor. No public exploit has been identified at time of analysis, and this vulnerability is not in the CISA KEV catalog.

PHP Authentication Bypass
NVD GitHub VulDB
CVSS 3.1
5.8
EPSS
0.0%
CVE-2026-10721 HIGH This Week

PHP Object Injection in Concrete CMS versions below 9.5.2 allows arbitrary PHP object instantiation through unsafe unserialize() calls in the Permission, Cache, and Search components. The flaw is triggered when a malicious serialized payload has already been written to the database, meaning the unauthenticated trigger depends on a prior write primitive existing in the deployment. No public exploit identified at time of analysis, and CVSS 4.0 base scores it 8.4 with high confidentiality, integrity, and availability impact.

PHP Deserialization
NVD VulDB
CVSS 4.0
8.4
EPSS
0.0%
CVE-2026-48030 PHP CRITICAL PATCH GHSA Act Now

Authenticated remote code execution in Pheditor 2.0.1-2.0.3 lets any logged-in user with the default terminal permission bypass the TERMINAL_COMMANDS whitelist by injecting shell metacharacters into the unsanitized 'dir' POST parameter of pheditor.php, achieving full command execution as the web server user. Publicly available exploit code exists in the GitHub Security Advisory PoC, and the upstream commit confirms the root cause is missing escapeshellarg() on $dir before concatenation into shell_exec().

PHP RCE CSRF Command Injection
NVD GitHub
CVSS 3.1
9.9
EPSS
0.2%
CVE-2026-25557 MEDIUM This Month

Reflected XSS in Evoluted PHP Directory Listing Script through version 4.0.5 allows unauthenticated remote attackers to execute arbitrary JavaScript in a victim's browser by delivering a crafted URL. The `dir` parameter in `index.php` is rendered unsanitized in two distinct HTML contexts: the page `<title>` element and breadcrumb `<a href>` attributes, each enabling distinct injection techniques — title context breakout and event handler injection respectively. No public exploit has been confirmed via CISA KEV, though a proof-of-concept gist is referenced in the NVD advisory data, indicating exploit code may be publicly accessible.

PHP XSS
NVD GitHub
CVSS 4.0
5.1
EPSS
0.0%
CVE-2026-34417 MEDIUM POC This Month

Reflected cross-site scripting in OSCAL-GUI allows unauthenticated remote attackers to execute arbitrary JavaScript in a victim's browser by injecting payloads through the unsanitized `project` parameter in `oscal-forms.php`. The parameter is URL-decoded and passed without sanitization into an error message via the `Messages()` function in `oscal-functions.php`, which is then reflected directly into the HTML response body when the supplied project ID does not match any existing record. A publicly available proof-of-concept exploit exists; the vulnerability is not confirmed in CISA KEV, and real-world impact is constrained by the CVSS UI:A requirement for victim interaction, making targeted phishing the primary delivery mechanism.

PHP XSS Oscal Gui
NVD GitHub
CVSS 4.0
5.1
EPSS
0.1%
CVE-2026-38615 CRITICAL Act Now

DedeCMS V5.7.118 is vulnerable to Command Execution in file_manage_control.php.

PHP Command Injection
NVD GitHub VulDB
CVSS 3.1
9.8
EPSS
0.0%
CVE-2017-20251 CRITICAL POC PATCH Monitor

WordPress Insert PHP plugin versions before 3.3.1 contain a PHP code injection vulnerability that allows unauthenticated attackers to execute arbitrary PHP code by injecting malicious shortcodes. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

RCE PHP WordPress Code Injection
NVD Exploit-DB
CVSS 4.0
9.3
EPSS
0.1%
CVE-2017-20250 HIGH POC This Week

Mac Photo Gallery 3.0 contains a path traversal vulnerability that allows unauthenticated attackers to download arbitrary files by manipulating the albid parameter. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Path Traversal PHP
NVD Exploit-DB
CVSS 4.0
8.7
EPSS
0.3%
CVE-2017-20248 HIGH POC This Week

Apptha Slider Gallery 1.0 contains a path traversal vulnerability that allows unauthenticated attackers to download arbitrary files by manipulating the imgname parameter. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Path Traversal PHP
NVD Exploit-DB
CVSS 4.0
8.7
EPSS
0.3%
CVE-2017-20246 HIGH POC Monitor

KittyCatfish 2.2 plugin for WordPress contains an SQL injection vulnerability that allows unauthenticated attackers to read database contents by exploiting an unescaped GET parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP WordPress SQLi
NVD Exploit-DB
CVSS 4.0
8.8
EPSS
0.1%
CVE-2017-20245 HIGH POC This Week

Wow Viral Signups 2.1 WordPress plugin contains an SQL injection vulnerability that allows unauthenticated attackers to extract database information by exploiting the unescaped 'idsignup' POST. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP WordPress SQLi
NVD Exploit-DB
CVSS 4.0
8.8
EPSS
0.1%
CVE-2017-20244 HIGH POC This Week

Wow Forms WordPress Plugin version 2.1 contains an SQL injection vulnerability that allows unauthenticated attackers to read arbitrary database information by exploiting an unescaped POST parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP WordPress SQLi
NVD Exploit-DB
CVSS 4.0
8.8
EPSS
0.1%
CVE-2016-20065 HIGH POC Monitor

Product Catalog 8 1.2 plugin for WordPress contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP WordPress SQLi
NVD Exploit-DB
CVSS 4.0
8.8
EPSS
0.1%
CVE-2016-20064 MEDIUM POC This Month

WP Vault 0.8.6.6 contains a local file inclusion vulnerability that allows unauthenticated attackers to read arbitrary files by exploiting an unescaped parameter in the include functionality. Rated medium severity (CVSS 6.9), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Hashicorp Path Traversal PHP LFI
NVD Exploit-DB
CVSS 4.0
6.9
EPSS
0.0%
CVE-2016-20062 HIGH POC This Week

Simply Poll 1.4.1 plugin for WordPress contains an SQL injection vulnerability that allows unauthenticated attackers to extract database information by injecting SQL code through the 'pollid' POST. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure PHP WordPress SQLi
NVD Exploit-DB
CVSS 4.0
8.8
EPSS
0.1%
CVE-2026-49740 PHP MEDIUM PATCH GHSA This Month

PHP Object Injection in TYPO3 CMS's cache frontend (VariableFrontend) and persistent key-value store (Registry) exposes TYPO3 installations to potential Remote Code Execution when an attacker controls write access to the underlying storage layer. The root cause is bare PHP `unserialize()` calls on storage-retrieved data without HMAC integrity validation or class allowlists, meaning attacker-controlled data in the `sys_registry` table or cache backend can trigger deserialization of crafted PHP objects through a gadget chain. No public exploit has been identified at time of analysis and no CISA KEV listing exists; however, the CVSS 4.0 Subsequent impact scores (SC:H/SI:H/SA:H) confirm that successful exploitation yields full system-level impact despite the local access prerequisite.

PHP Deserialization RCE
NVD GitHub VulDB
CVSS 4.0
6.3
EPSS
0.2%
CVE-2026-8365 HIGH This Week

Authenticated PHP Object Injection in the Blocksy WordPress theme (versions ≤ 2.1.35) allows contributor-level users to escalate to remote code execution by storing a malicious serialized object in post meta that is later deserialized during the V200 database migration. Wordfence-reported flaw chains weak input sanitization in blocksy_sanitize_post_meta_options() with an unconditional @unserialize() call in SearchReplacer::run_recursively(), triggering RaiiPattern::__destruct() to invoke arbitrary callables via call_user_func(). No public exploit identified at time of analysis, but the low-privilege requirement and high impact make this a meaningful priority for sites running upgraded Blocksy installations.

PHP Deserialization WordPress RCE
NVD VulDB
CVSS 3.1
8.8
EPSS
0.6%
CVE-2026-8895 MEDIUM This Month

Stored Cross-Site Scripting in the kk Blog Card WordPress plugin (all versions ≤ 1.3) allows authenticated contributors to inject persistent JavaScript payloads via unsanitized 'href' and 'type' attributes of the [blog-card] shortcode. The flaw, rooted in direct attribute concatenation without sanitization or escaping in kk-blog-card-shortcode.php, executes injected scripts in the browser of any visitor loading an affected page - including administrators. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV, but the changed scope (S:C) in the CVSS vector elevates potential impact beyond the plugin boundary.

PHP XSS WordPress
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-11603 MEDIUM This Month

Reflected Cross-Site Scripting in the Product Filter Widget for Elementor WordPress plugin (versions up to and including 1.0.6) enables unauthenticated attackers to inject and execute arbitrary JavaScript in a victim's browser session. The vulnerability stems from unsanitized output of the 'args[filterFormArray]' parameter in a publicly accessible AJAX endpoint registered via wp_ajax_nopriv_ with no nonce verification or capability check, meaning any unauthenticated request to admin-ajax.php can carry the payload. Exploitation is delivered via a CSRF-style auto-submitting form, requiring the attacker to social-engineer a victim into visiting an attacker-controlled page; no public exploit code or CISA KEV listing has been identified at time of analysis.

PHP XSS CSRF WordPress Elementor
NVD
CVSS 3.1
6.1
EPSS
0.1%
CVE-2026-8499 MEDIUM This Month

Unauthenticated settings manipulation in Helpfulcrowd Product Reviews plugin for WordPress (versions up to and including 1.2.9) allows any remote attacker to overwrite arbitrary plugin configuration values in the WordPress database. The vulnerability stems from a PHP type juggling flaw in the token validation function combined with an openly accessible REST endpoint registered with `__return_true` as its permission callback. By submitting a JSON boolean `true` as the token value, an attacker bypasses the loose-comparison check (`!=`) in `helpfulcrowd_validate_token()` and gains full write access to the `helpfulcrowd_options` database option with no sanitization or allowlist enforcement. No public exploit or CISA KEV listing is identified at time of analysis.

PHP Memory Corruption WordPress RCE
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-9662 HIGH This Week

Local File Inclusion in the Recover Exit For WooCommerce WordPress plugin (versions up to and including 1.0.3) allows remote unauthenticated attackers to include arbitrary local PHP files via the unsanitized `tpf` POST parameter passed to `include()` in the `recover_exit()` function. Successful exploitation can disclose sensitive files such as `wp-config.php` and, when combined with file upload primitives or log poisoning, escalate to remote code execution. No public exploit identified at time of analysis, though the vulnerable sink is documented in the plugin source on plugins.trac.wordpress.org.

Information Disclosure WordPress Path Traversal PHP RCE +2
NVD VulDB
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-8940 MEDIUM This Month

Cross-Site Request Forgery in WP Meta Sort Posts WordPress plugin (all versions ≤ 0.9) allows unauthenticated remote attackers to modify plugin settings by tricking a logged-in administrator into clicking a crafted link, due to missing nonce validation in msp-options.php. The CVSS vector (PR:N, UI:R) confirms the attacker requires no authentication but must social-engineer an administrator, with impact limited to changing the msp_loop_file and msp_nav_location settings. No active exploitation confirmed - this CVE is not listed in CISA KEV, no public exploit code has been identified, and EPSS data was not provided in available intelligence.

CSRF WordPress PHP
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-11619 LOW Monitor

Dolibarr ERP CRM's Legacy Filemanager component exposes its configuration endpoint without any authorization gate, allowing authenticated users holding only low-level privileges to interact with filemanager functionality reserved for website administrators. Affecting all releases through 23.0.2, the missing permission check in htdocs/core/filemanagerdol/connectors/php/config.inc.php means any valid account - regardless of role - can reach this endpoint. Publicly available exploit code exists (CVSS E:P); no CISA KEV listing is confirmed in the available data.

PHP Information Disclosure
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-39169 HIGH This Week

Unauthorized access in SEMCMS 5.0 allows remote attackers to reach the SEMCMS_copy.php endpoint without authentication, exposing sensitive functionality intended to be restricted. The CVSS 7.5 score reflects high confidentiality impact with no integrity or availability effect, and no public exploit identified at time of analysis beyond a referenced gist. The flaw stems from improper access control (CWE-284) in a PHP-based content management system.

PHP Authentication Bypass N A
NVD GitHub
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-39170 MEDIUM This Month

Cross-site request forgery in SemCms 5.0 allows a remote attacker to perform unauthorized actions against the admin user management endpoint at /admin/semcms_user.php by tricking an authenticated administrator into triggering a crafted POST request. The affected product is a PHP-based CMS and the vulnerability stems from a missing or bypassable CSRF token on a privileged administrative function. Publicly available exploit code exists per SSVC data, though the vulnerability has not been added to the CISA KEV catalog and is not confirmed as actively exploited in the wild.

CSRF PHP N A
NVD GitHub
CVSS 3.1
6.3
EPSS
0.0%
CVE-2026-47693 PHP MEDIUM PATCH GHSA This Month

CSV Injection in Poweradmin's log export functionality allows a high-privileged attacker to embed spreadsheet formulas in usernames that execute when an administrator exports activity logs and opens the resulting CSV in Excel, LibreOffice Calc, or Google Sheets. All four log export controllers pass username fields directly to PHP's fputcsv() without neutralizing formula trigger characters (=, +, -, @), enabling phishing via rendered hyperlinks and silent data exfiltration via =IMPORTXML() or similar functions targeting victim administrators. Publicly available exploit code exists per GHSA-3h6h-67x3-cv5x; the vulnerability is not listed in CISA KEV.

Google PHP Information Disclosure Microsoft Docker
NVD GitHub
CVSS 3.1
6.9
EPSS
0.0%
CVE-2026-45034 PHP CRITICAL PATCH GHSA Act Now

Phar deserialization in PhpSpreadsheet (PHPOffice) is reachable on PHP 7.x because the `File::prohibitWrappers` helper added to patch CVE-2026-34084 can be bypassed with a three-slash phar URI such as `phar:///path/file.phar/inner`, where `parse_url` returns false and the wrapper check is skipped. Remote attackers who can supply a file path to `IOFactory::load()` achieve full RCE on PHP 7.x branches (1.x up to 1.30.4) and a phar file-read primitive on PHP 8.x branches up to 5.7.0; publicly available exploit code exists with a working Docker reproducer, though EPSS is only 0.04% (12th percentile).

PHP Docker Deserialization
NVD GitHub
CVSS 4.0
9.2
EPSS
0.0%
CVE-2026-11585 LOW POC Monitor

SQL injection in CodeAstro Student Attendance Management System 1.0 exposes the backend database to manipulation by authenticated remote attackers via the `classId` parameter in `/attendance-php/Admin/createClassArms.php`. An attacker with low-privilege authenticated access to the admin panel can craft malicious SQL payloads to read, alter, or delete database records - impacting confidentiality, integrity, and availability (C:L/I:L/A:L per CVSS). A public proof-of-concept exploit exists (GitHub issue, VulDB reference), elevating practical risk beyond the moderate CVSS score of 6.3 alone. No CISA KEV listing has been identified at time of analysis.

PHP SQLi
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-11584 LOW POC Monitor

SQL injection in CodeAstro Student Attendance Management System 1.0 exposes the /attendance-php/Admin/createClass.php?action=edit endpoint to database manipulation via an unsanitized ID parameter. Authenticated remote attackers with low-privilege access can exploit this to read, modify, or partially disrupt database contents. A public exploit exists (reported via GitHub), though the CVSS 4.0 score of 2.1 reflects constrained real-world impact due to limited scope change and low-severity confidentiality/integrity/availability ratings - no public exploit identified in CISA KEV at time of analysis.

PHP SQLi
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-11583 LOW POC Monitor

SQL injection in CodeAstro Student Attendance Management System 1.0 allows low-privileged authenticated remote attackers to manipulate backend database queries via the unsanitized `className` parameter in `/attendance-php/Admin/createClass.php`. A publicly available proof-of-concept exploit (CVSS E:P) lowers the barrier to exploitation, though the CVSS 4.0 score of 2.1 (Low) reflects constrained impact scope - all confidentiality, integrity, and availability impacts are rated Low with no scope change. No confirmed active exploitation (not in CISA KEV) has been identified at time of analysis.

PHP SQLi
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-11582 MEDIUM POC This Month

SQL injection in CodeAstro Student Attendance Management System 1.0 allows remote unauthenticated attackers to manipulate the Username parameter at /attendance-php/index.php to inject arbitrary SQL. Publicly available exploit code exists per VulDB reference, raising the practical risk despite the moderate 7.3 CVSS score. No CISA KEV listing and no EPSS score were supplied, so exploitation appears opportunistic against this small-vendor PHP application rather than mass-targeted.

PHP SQLi
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-11559 LOW POC Monitor

SQL injection in CodeAstro Payroll System 1.0 exposes database records to manipulation via the ID parameter in /view_account.php, allowing a low-privileged authenticated remote attacker to read, alter, or partially disrupt payroll data. A public proof-of-concept exploit is available via GitHub, as reported by VulDB. Despite network accessibility and public PoC, the CVSS 4.0 score of 2.1 reflects constrained impact - limited to the vulnerable component with no lateral scope - and a mandatory low-privilege authentication prerequisite that tempers broad exploitation risk.

PHP SQLi
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-11558 LOW POC Monitor

SQL injection in CodeAstro Payroll System 1.0 exposes payroll data to manipulation by authenticated low-privilege users via unsanitized input in the salary calculation endpoint. The vulnerability affects the `rate` and `salary_rate` parameters of `/home_salary.php`, where attacker-controlled values are passed directly into SQL queries without sanitization. Publicly available exploit code exists per GitHub references, though the vulnerability is not listed in the CISA KEV catalog and carries a CVSS 4.0 base score of only 2.1, reflecting constrained real-world impact due to authentication requirements and limited CIA impact ratings.

PHP SQLi
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-52778 PHP CRITICAL POC PATCH GHSA Act Now

Remote code execution in YesWiki prior to 4.6.6 allows unauthenticated attackers to inject arbitrary PHP via the Bazar CalcField formula evaluator, which sanitizes input with a recursive regex before passing it to eval(). The same flawed regex is also vulnerable to ReDoS/stack overflow, enabling denial of service against the server. No public exploit identified at time of analysis, but the commit diff in 4.6.6 fully documents the vulnerable code path, lowering the bar for exploit development.

PHP Code Injection Denial Of Service RCE
NVD GitHub
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-11552 MEDIUM This Month

Hard-coded credential exposure in SourceCodester's Online Examination & Learning Management System 1.0 (also distributed as Syllabus-aligned Learning Management and Examination System 1.0) allows remote unauthenticated attackers to exploit a statically embedded password ('CICT_2026') in the import_users.php file without any authentication or user interaction. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms fully unauthenticated remote exploitation at low complexity, and the E:P exploit maturity modifier alongside the CVE description's explicit statement of public disclosure confirm that publicly available exploit code exists. Impact is constrained to low confidentiality exposure against the vulnerable component with no confirmed integrity or availability consequences.

PHP Authentication Bypass
NVD VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-11534 LOW POC Monitor

Cross-site scripting in imvks786/student_management_system allows a low-privileged remote attacker to inject malicious scripts via the name, address, or fname parameters in /add.php. The payload executes in a victim's browser when the affected page is viewed, enabling session hijacking, credential theft, or UI redress attacks against other users of the application. A public exploit is available via a GitHub issue report; the vendor has not responded to the coordinated disclosure.

PHP XSS
NVD VulDB GitHub
CVSS 4.0
2.0
EPSS
0.0%
CVE-2026-11533 LOW POC Monitor

Improper authorization in the imvks786 student_management_system PHP application allows authenticated low-privileged remote attackers to delete student records they are not authorized to remove via manipulation of the `del` parameter at the /see.php Student Deletion Endpoint. The vulnerability (CWE-285) stems from the application failing to verify that the requesting user holds sufficient privileges to perform the deletion action, effectively enabling horizontal or vertical privilege escalation within the data management scope. No public exploit identified at time of analysis via CISA KEV, though publicly available exploit code exists per the referenced GitHub issue disclosure.

PHP Authentication Bypass
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-11532 LOW POC Monitor

Improper access control in imvks786's Student Management System PHP application exposes the /add.php Student Record Handler endpoint to unauthorized manipulation by authenticated remote attackers. The vulnerability, classified under CWE-284, allows a low-privileged user to perform actions beyond their intended authorization scope - consistent with the 'Authentication Bypass' tag suggesting role-boundary violations rather than full pre-auth access. Public exploit code exists per the GitHub issue report, though the CVSS 4.0 score of 2.1 reflects limited impact scope (low confidentiality, integrity, and availability impact, no downstream system effect). The vendor has not responded to the coordinated disclosure.

PHP Authentication Bypass
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-11531 MEDIUM POC This Month

SQL injection at the Administrator Login Endpoint of imvks786's student_management_system (PHP) allows unauthenticated remote attackers to manipulate the a_usr and a_pwd parameters in admin/admin_login.php to inject arbitrary SQL. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms zero-barrier remote exploitation with no privileges or user interaction required. A public proof-of-concept exploit has been released via GitHub issue tracker; the project maintainer has not responded to disclosure, and no patch is available at time of analysis.

PHP SQLi
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-11520 LOW Monitor

Reflected cross-site scripting in SourceCodester Inventory System 1.0 allows remote authenticated attackers to inject arbitrary JavaScript into victim browsers via unsanitized parameters in header.php. The attack requires low-level authentication and victim interaction with a crafted URL, limiting scope to integrity impact only (no confidentiality or availability impact per CVSS). Publicly available exploit code exists (CVSS E:P), though no active exploitation has been confirmed via CISA KEV, and the overall CVSS score of 3.5 (Low) reflects the constrained attack conditions.

PHP XSS
NVD VulDB
CVSS 4.0
2.0
EPSS
0.0%
CVE-2026-11519 LOW Monitor

Improper authorization in SourceCodester Inventory System 1.0 allows authenticated remote attackers to manipulate the ROLE parameter in the account creation API endpoint, bypassing role-based access controls to create or modify accounts with elevated privileges beyond what is authorized. The affected component is /Product_Inventory/api/users_handler.php, a PHP endpoint that fails to enforce server-side authorization on the ROLE argument during account creation. A publicly available proof-of-concept exploit exists (CVSS temporal E:P), lowering the barrier for opportunistic abuse. No patch has been identified at time of analysis.

PHP Authentication Bypass
NVD VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-11518 LOW POC Monitor

Stored cross-site scripting in SourceCodester Inventory System 1.0 allows remote unauthenticated attackers to inject persistent malicious scripts via the fullname and username parameters in /users.php on the User Management Page. When an authenticated user - likely an administrator - visits the affected page, the injected script executes in their browser session, enabling session hijacking, credential theft, or unauthorized UI manipulation. Publicly available exploit code exists (GitHub PoC by Xmyronn); this is not listed in CISA KEV but the low-complexity, no-authentication submission path elevates practical risk above the CVSS 4.3 score suggests.

PHP XSS
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-11515 MEDIUM This Month

Unauthenticated password reset bypass in SourceCodester Barangay Resident Profiling and Information Management System 1.0 allows remote attackers to reset user accounts to a known hard-coded credential via the `passsword_reset.php` endpoint. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms no authentication or user interaction is required, and the E:P modifier confirms publicly available exploit code exists. Despite the VI:L integrity-only CVSS impact rating, the Authentication Bypass tag indicates the realistic consequence is full account takeover for any user whose password can be reset to the predictable hard-coded value 'password123'.

PHP Authentication Bypass
NVD VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-11514 LOW POC Monitor

SQL injection in itsourcecode Hospital Management System 1.0 exposes patient database records to authenticated remote attackers via the unsanitized `admissiontme` parameter in `/addpatient.php`. A publicly available proof-of-concept (published on GitHub) lowers the exploitation barrier, though the CVSS 4.0 score of 2.1 reflects constrained impact - limited to partial data read/write with no scope change to subsequent systems. No active exploitation has been confirmed (not in CISA KEV), but the healthcare context amplifies regulatory significance even for low-severity data exposure.

PHP SQLi
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-11513 LOW POC Monitor

SQL injection in itsourcecode Hospital Management System 1.0 allows remote low-privileged attackers to manipulate backend database queries via the 'Date' parameter in /adminaccount.php. The vulnerability is PHP-based (CWE-89) and publicly exploitable code exists via a GitHub submission linked through VulDB. Despite remote reachability, the CVSS 4.0 score of 2.1 reflects constrained real-world impact: low privileges are required, and the scope is fully contained with only low-level confidentiality, integrity, and availability consequences. No public patch has been identified at time of analysis.

PHP SQLi
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-11512 LOW POC Monitor

Cross-site scripting in itsourcecode Hospital Management System 1.0 allows remote unauthenticated attackers to inject arbitrary JavaScript via the unsanitized `patientid` parameter in `/billing.php`, executing in the context of a victim user's browser session upon interaction with a crafted URL. A publicly available proof-of-concept exploit exists, referenced in GitHub issue #13 of the ltranquility/vuln_submit repository, lowering the barrier for opportunistic exploitation. This CVE is not listed in the CISA KEV catalog; the CVSS 4.0 score of 2.1 reflects limited impact scope - low integrity effect only, no confidentiality or availability loss - constrained further by the passive user interaction requirement.

PHP XSS
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-11511 LOW Monitor

HTML injection in Bolt CMS 3.7.5 and earlier allows authenticated remote attackers to inject arbitrary HTML by manipulating the `style` argument within the HTML Attribute Handler component (`src/Storage/Field/Type/TextType.php`). The vulnerability requires low-privilege credentials and passive victim interaction for injected content to render, producing low-severity but persistent integrity exposure. Publicly available exploit code exists (CVSS E:P confirmed), and because the project repository has been archived as read-only by the maintainer, no vendor patch will ever be released - any remaining deployment faces permanent unpatched exposure.

PHP XSS
NVD VulDB
CVSS 4.0
2.0
EPSS
0.0%
CVE-2026-11510 LOW POC Monitor

SQL injection in CodeAstro Leave Management System 1.0 exposes the application's database to remote authenticated attackers via the `type_of_leave` parameter in `/admin/add_leave.php`. The vulnerability (CWE-89) allows manipulation of backend SQL queries, potentially enabling data extraction, modification, or destruction. A publicly available exploit exists per VulDB report and a referenced GitHub proof-of-concept, elevating practical risk despite the low CVSS 4.0 base score of 2.1.

PHP SQLi
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-11509 MEDIUM This Month

SQL injection in CodeAstro Leave Management System 1.0 allows authenticated remote attackers to manipulate database queries via the Name parameter in /admin/search_staff_for_updation.php. The vulnerability enables read, write, and denial-of-service impact against the underlying database with low complexity and no user interaction required. No public exploit code or active exploitation has been identified at time of analysis.

PHP SQLi
NVD VulDB
CVSS 4.0
5.3
EPSS
0.0%
CVE-2026-11508 LOW POC Monitor

SQL injection in CodeAstro Leave Management System 1.0 allows low-privileged authenticated remote attackers to manipulate database queries via the `Name` parameter in the admin endpoint `/admin/search_staff_to_assign_pc.php`. Per the CVSS 4.0 vector, impact is limited to low confidentiality, integrity, and availability on the vulnerable system (VC:L/VI:L/VA:L) with no scope change to subsequent systems. Publicly available exploit code exists via a GitHub issue, though no active exploitation is confirmed in CISA KEV, and no vendor-released patch has been identified at time of analysis.

PHP SQLi
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-11507 LOW POC Monitor

SQL injection in CodeAstro Leave Management System 1.0 exposes the /admin/delete_leave_type.php endpoint to arbitrary database query manipulation via the unsanitized leave_type parameter. The CVSS 4.0 vector (PR:L) confirms that a low-privileged authenticated user can remotely trigger the injection without user interaction or additional attack complexity. A publicly available exploit exists on GitHub (no public exploit identified in CISA KEV), and the CVSS 4.0 score of 2.1 reflects limited confidentiality, integrity, and availability impact confined to the vulnerable component with no lateral scope change.

PHP SQLi
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-11506 LOW POC Monitor

SQL injection in CodeAstro Leave Management System 1.0 allows remote authenticated attackers to manipulate database queries via the Name parameter in /admin/search_staff_for_deletion.php. The vulnerability is a classic CWE-89 unsanitized input flaw in a PHP-based web application, enabling read, write, and limited availability impact against the underlying database. Publicly available exploit code exists per VulDB disclosure; no KEV listing indicates opportunistic rather than targeted exploitation at this time.

PHP SQLi
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-11501 MEDIUM POC This Month

SQL injection in SourceCodester Hospitals Patient Records Management System 1.0 exposes sensitive patient data to remote, unauthenticated attackers via the `ID` parameter in the `/classes/Master.php?f=save_patient` endpoint. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms no authentication, attack prerequisites, or user interaction are required, making this trivially exploitable from the network. A publicly available exploit exists (CVSS E:P), elevating real-world risk beyond what the moderate base score of 5.5 suggests; no public exploit identified at time of analysis rises to KEV level, but the POC lowers the barrier for opportunistic attackers targeting healthcare data.

PHP SQLi
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-11495 LOW POC Monitor

SQL injection in CodeAstro Ingredients Stock Management System 1.0 exposes the `/Ingredients-Stock/add_stock.php` endpoint to authenticated remote attackers who can manipulate the `ID` parameter to execute arbitrary SQL commands against the backend database. The attack is network-accessible with low complexity, enabling unauthorized data exfiltration, record manipulation, and potential escalation within the database tier. Publicly available exploit code exists (E:P in CVSS temporal vector), materially lowering the barrier to exploitation; no CISA KEV listing has been identified at time of analysis.

PHP SQLi
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-11490 MEDIUM POC This Month

SQL injection in code-projects Online Music Site 1.0 allows remote unauthenticated attackers to manipulate the Category parameter in /Frontend/Search.php to execute arbitrary SQL commands against the backend database. Publicly available exploit code exists (disclosed via GitHub), increasing the practical risk despite the small footprint of this PHP application. No active exploitation has been confirmed in CISA KEV at the time of analysis.

PHP SQLi
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-11489 MEDIUM POC This Month

SQL injection in code-projects Online Music Site 1.0 allows remote attackers to manipulate the ID parameter in /Administrator/PHP/AdminDeleteAlbum.php to execute arbitrary database queries. Publicly available exploit code exists (published via GitHub and tracked by VulDB), and the flaw is reachable over the network without authentication per the CVSS vector. There is no public exploit identified as actively used in the wild (not CISA KEV), but the combination of trivial attack complexity and public PoC raises the practical exploitation risk for any exposed deployment.

PHP SQLi
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-11488 MEDIUM POC This Month

SQL injection in code-projects Simple Flight Ticket Booking System 1.0 allows remote unauthenticated attackers to manipulate database queries via the Username POST parameter in checkUser.php. Publicly available exploit code exists (disclosed via GitHub), increasing the likelihood of opportunistic attacks against exposed instances, though the issue is not listed in CISA KEV. The CVSS 3.1 base score of 7.3 reflects network-reachable, low-complexity exploitation with no privileges or user interaction required.

PHP SQLi
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-11486 MEDIUM POC This Month

SQL injection in SourceCodester Class and Exam Timetabling System 1.0 allows remote unauthenticated attackers to manipulate the 'sy' parameter in /archive1.php to inject arbitrary SQL queries against the backend database. Publicly available exploit code exists per VulDB submission 369106, raising the practical risk despite the moderate CVSS 7.3 score. No KEV listing and no public exploitation campaigns identified at time of analysis.

PHP SQLi
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-11485 MEDIUM POC This Month

SQL injection in SourceCodester Class and Exam Timetabling System 1.0 allows remote unauthenticated attackers to manipulate the 'sy' parameter of /archive2.php to execute arbitrary SQL queries against the backend database. Publicly available exploit code exists (disclosed via GitHub), though there is no confirmed active exploitation in CISA KEV. The CVSS 7.3 score reflects network-reachable, no-authentication exploitation with partial impact across confidentiality, integrity, and availability.

PHP SQLi
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-11484 MEDIUM POC This Month

SQL injection in SourceCodester Class and Exam Timetabling System 1.0 allows remote unauthenticated attackers to manipulate the 'sy' parameter in /archive3.php to execute arbitrary database queries. Publicly available exploit code exists, increasing immediate risk to any exposed deployment, though no CISA KEV listing or EPSS data has been provided to indicate widespread active exploitation. The flaw carries a CVSS 7.3 rating reflecting network reachability with no authentication or user interaction required.

SQLi PHP Class And Exam Timetabling System
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-11482 MEDIUM This Month

SQL injection in SourceCodester Class and Exam Timetabling System 1.0 allows unauthenticated remote attackers to manipulate database queries via the `sy` parameter in `/archive5.php`. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms no authentication or user interaction is required, and exploit code is publicly available (E:P), lowering the bar for opportunistic exploitation. Impact is assessed as low across confidentiality, integrity, and availability - consistent with a partial data-disclosure or limited-manipulation SQL injection rather than full database takeover.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-11480 LOW Monitor

Second-order SQL injection in BeikeShop's Admin Design Builder endpoint (versions up to 1.6.0.22) allows authenticated admin-panel users to manipulate the `settings.value` argument in `beike/Admin/Routes/admin.php` to inject arbitrary SQL. The root cause spans multiple PHP repository classes - `DesignService.php`, `BrandRepo.php`, and `ProductRepo.php` - where brand and product ID arrays were passed to database queries without integer casting or sanitization. A public proof-of-concept exploit exists; the CVSS 4.0 score of 2.1 reflects the administrative authentication prerequisite that meaningfully constrains real-world exposure.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-11483 MEDIUM POC This Month

SQL injection in SourceCodester Class and Exam Timetabling System 1.0 allows remote unauthenticated attackers to manipulate the 'sy' parameter of /archive4.php to inject arbitrary SQL queries. Publicly available exploit code exists, increasing the risk of opportunistic exploitation against exposed deployments, though no active exploitation has been confirmed via CISA KEV.

PHP SQLi
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2024-58348 CRITICAL POC Act Now

WordPress Background Image Cropper version 1.2 contains a remote code execution vulnerability that allows unauthenticated attackers to upload arbitrary files by accessing the ups.php endpoint. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

File Upload RCE WordPress PHP
NVD Exploit-DB VulDB
CVSS 4.0
9.3
EPSS
0.2%
CVE-2023-54352 CRITICAL POC Act Now

WordPress Seotheme contains a remote code execution vulnerability that allows unauthenticated attackers to execute arbitrary PHP code by uploading malicious files to the theme directory. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE PHP WordPress Authentication Bypass
NVD Exploit-DB VulDB
CVSS 4.0
9.3
EPSS
0.2%
CVE-2023-54351 MEDIUM POC This Month

WordPress Sonaar Music Plugin 4.7 contains a stored cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts through the comment functionality. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress PHP XSS
NVD Exploit-DB
CVSS 4.0
5.1
EPSS
0.1%
CVE-2023-54350 HIGH POC This Week

WordPress Augmented-Reality plugin contains a remote code execution vulnerability in the elFinder connector that allows unauthenticated attackers to upload and execute arbitrary PHP files. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE PHP WordPress Authentication Bypass
NVD Exploit-DB
CVSS 4.0
8.7
EPSS
0.1%
CVE-2022-50953 MEDIUM POC This Month

WordPress Plugin admin-word-count-column 2.2 contains a local file read vulnerability that allows unauthenticated attackers to read arbitrary files by exploiting null byte injection in the path. Rated medium severity (CVSS 6.9), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress PHP Path Traversal
NVD Exploit-DB
CVSS 4.0
6.9
EPSS
0.1%
CVE-2021-47984 MEDIUM POC This Month

WordPress Plugin WP24 Domain Check 1.6.2 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by submitting crafted input to the. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress PHP XSS
NVD Exploit-DB VulDB
CVSS 4.0
5.1
EPSS
0.0%
CVE-2021-47983 MEDIUM POC This Month

WordPress Plugin Stripe Payments 2.0.39 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts through the. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress PHP XSS
NVD Exploit-DB
CVSS 4.0
5.1
EPSS
0.0%
CVE-2026-11476 LOW POC Monitor

Privilege escalation in Kushan2k student-management-system allows authenticated remote attackers to grant themselves administrator rights by manipulating the `isadmin` parameter in the Profile Update Endpoint. The `edit-admin` function in `controllers/AdminController.php` performs no server-side authorization check on this parameter, enabling any low-privileged account holder to self-elevate to admin. A publicly available exploit exists per VulDB and a GitHub issue disclosure; the vendor has not yet responded, and no patch has been released under the rolling-release model.

PHP Authentication Bypass
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-11475 LOW POC Monitor

SQL injection in the `getStatus` function of `controllers/GradeController.php` within Kushan2k's student-management-system exposes the Certificate Verification Endpoint to database manipulation by low-privileged remote attackers via the `nic` parameter. A publicly available exploit (proof-of-concept via GitHub issue) lowers the practical bar for abuse despite the CVSS 4.0 base score of 2.1. No patch has been released, and the maintainer has not responded to responsible disclosure, leaving all deployments through commit f16a4ceaddd6729c4b306ed4641cda3176c1ef2a unprotected.

PHP SQLi
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-11474 MEDIUM POC This Month

Unrestricted file upload in Kushan2k's student-management-system exposes the registration endpoint to unauthenticated remote attackers who can upload arbitrary files - including PHP webshells - by manipulating the `stimg` argument in `service/RegisterService.php`. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms no authentication, no complexity, and no user interaction are required, making this trivially exploitable by any network-reachable attacker. Publicly available exploit code exists (E:P confirmed), and the vendor has not responded to responsible disclosure as of analysis time, leaving all installations unpatched.

PHP File Upload
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-11472 MEDIUM POC This Month

SQL injection in SourceCodester Class and Exam Timetabling System 1.0 exposes the login endpoint /index1.php to unauthenticated remote exploitation via an unsanitized Password parameter. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms no authentication or user interaction is required, and the E:P modifier indicates a publicly available proof-of-concept - confirmed via a GitHub issue disclosure. An attacker can manipulate the Password argument to inject arbitrary SQL, potentially bypassing authentication or exfiltrating database contents. No CISA KEV listing is present, and no vendor patch has been identified at time of analysis.

PHP SQLi
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
EPSS 0% CVSS 2.0
LOW POC Monitor

SQL injection in CodeAstro Student Attendance Management System 1.0 enables authenticated administrators to manipulate the `admissionNumber` parameter in `/attendance-php/Admin/createStudents.php`, allowing arbitrary SQL commands to be passed to the underlying database. Exploitation is constrained to actors who already hold high-privilege admin credentials (PR:H per the CVSS 4.0 vector), but impact spans database confidentiality, integrity, and availability. A public proof-of-concept exploit is available on GitHub; the vulnerability is not listed in CISA KEV, indicating no confirmed widespread exploitation at time of analysis.

PHP SQLi Student Attendance Management System
NVD VulDB GitHub
EPSS 0% CVSS 9.3
CRITICAL Act Now

Remote unauthenticated authentication bypass in Nefteprodukttekhnika BUK TS-G Gas Station Automation System 2.9.1 through 2.10.2 on Linux allows any HTTP client to obtain administrator-level access by POSTing arbitrary credentials to /php/ajax-login.php, which unconditionally returns userid=1. Downstream privileged endpoints under /php/ajax-main.php and /modules/* fail to validate a server-side session, exposing full control over fuel dispensers, tank gauges, pricing, POS, bank terminals, and relays. No public exploit identified at time of analysis, but a public reference to a proof-of-concept repository (ciprobe/bukts_auth_bypass) suggests trivially reproducible exploitation against ICS/OT infrastructure.

Authentication Bypass PHP
NVD GitHub VulDB
EPSS 0% CVSS 3.4
LOW POC PATCH Monitor

The Store Locator WordPress plugin before 1.6.9 does not validate a parameter before using it in a file path, allowing high-privileged users such as administrators to read arbitrary `.php` files from the server, including configuration files that contain database credentials and authentication keys.

PHP WordPress Store Locator Wordpress +1
NVD WPScan VulDB
EPSS 0% CVSS 2.1
LOW POC Monitor

SQL injection in CodeAstro Human Resource Management System 1.0 enables authenticated remote attackers to manipulate the unsanitized `ID` parameter within the `Invoice` function of `application/controllers/Payroll.php`, allowing arbitrary database reads and writes against the underlying HR and payroll data store. A public proof-of-concept exploit is hosted on GitHub, confirming the vulnerability is actively weaponizable by any attacker holding a low-privilege account. No vendor patch has been identified; the CVE is not in CISA KEV, but the CVSS 4.0 vector carries E:P (exploit published), reflecting confirmed public exploit availability.

PHP SQLi Human Resource Management System
NVD VulDB GitHub
EPSS 0% CVSS 8.4
HIGH PATCH This Week

Mass assignment in MISP's sharing group creation endpoint allows authenticated users with add-sharing-group permission to hijack arbitrary existing sharing groups by submitting the target group's primary key in the add() request. The CakePHP create()+save() pattern treats a supplied id as an update, bypassing the normal edit ACL on app/Controller/SharingGroupsController.php and exposing confidentiality and integrity of shared threat intelligence. No public exploit identified at time of analysis, though a fix commit is publicly visible on GitHub.

Authentication Bypass PHP
NVD GitHub VulDB
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Incorrect authorization in MISP's event template builder exposes organisation-private galaxy definitions to any authenticated user due to a PHP operator-precedence bug that silently voids the intended access-control filter. In multi-tenant MISP deployments, authenticated non-site-admin users can enumerate all enabled galaxies - including organisation-only custom galaxies belonging to other organisations - through the template builder galaxy list. No active exploitation is confirmed (not listed in CISA KEV), but the low exploitation barrier (any valid account, no special privileges) makes this a meaningful metadata-disclosure risk wherever multiple organisations share a MISP instance.

Authentication Bypass PHP Misp
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL POC PATCH Act Now

Remote code execution in jmespath.php versions prior to 2.9.1 allows attackers controlling JMESPath expressions to inject arbitrary PHP into compiler-generated cache files, which are then loaded and executed by JmesPath\CompilerRuntime. The flaw stems from insufficient escaping of parsed function names when the compiler emits PHP source, enabling code execution whenever an application evaluates untrusted expressions through the compiler runtime. No public exploit identified at time of analysis, but the CVSS 9.8 rating reflects unauthenticated network-reachable RCE in any web app that pipes user input into the compiler.

PHP Information Disclosure Jmespath Php
NVD GitHub
EPSS 0% CVSS 9.3
CRITICAL POC PATCH Act Now

Unauthenticated arbitrary file upload in Amasty Order Attributes for Magento 2 before 4.0.0 lets remote attackers drop arbitrary files into the store's media directory without authentication, session validation, or cart context. Where the media directory permits PHP execution, this escalates to unauthenticated remote code execution; otherwise it enables stored XSS via HTML/SVG, malware hosting, and path-traversal writes outside the intended directory. No public exploit identified at time of analysis, but the CVSS 4.0 base score of 9.3 and trivial preconditions make this a high-priority issue for any Magento 2 store running the extension.

Adobe RCE XSS +4
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

Weak password recovery in PbootCMS up to 3.2.12 allows remote unauthenticated attackers to take over user accounts by manipulating the `checkcode`, `username`, `password`, and `email` parameters in the `retrieve` function of `apps/home/controller/MemberController.php`. The recovery mechanism fails to adequately validate or protect the verification token, enabling bypass of the intended authentication challenge during the password reset flow. A public proof-of-concept exploit explicitly titled 'Account-Takeover' is available on GitHub, elevating the realistic risk beyond the conservative base score of 6.9.

PHP Information Disclosure Pbootcms
NVD VulDB GitHub
EPSS 0% CVSS 9.8
CRITICAL Act Now

Unauthenticated blind SQL injection in ClipBucket v5 prior to version 5.5.3 - #129 allows remote attackers to exfiltrate arbitrary database contents via the ids parameter of the actions/progress_video.php endpoint. The flaw carries a critical CVSS 9.8 score and no public exploit identified at time of analysis, but the trivial network-reachable attack surface on a public-facing video sharing platform makes opportunistic scanning likely. Vendor patch is available in 5.5.3 - #129 per the GHSA advisory.

PHP SQLi Information Disclosure +1
NVD GitHub VulDB
EPSS 0% CVSS 8.8
HIGH This Week

Authenticated SQL injection in ClipBucket v5 prior to release 5.5.3 - #132 allows any user with video-upload privileges to exfiltrate database contents via the POST /actions/subtitle_edit.php endpoint. The vulnerable 'number' parameter handling enables boolean-based blind SQLi, and no public exploit is identified at time of analysis though the GitHub Security Advisory (GHSA-q233-m544-6jqr) documents the issue in detail.

PHP SQLi Information Disclosure +1
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

Arbitrary file upload leading to remote code execution in CodeIgniter4 framework versions prior to 4.7.3 occurs because the `ext_in` validation rule inspects the MIME-derived guessed extension rather than the client-supplied filename extension. Applications that accept user uploads, rely on `ext_in` for extension allow-listing, persist files under their original client filename inside a web-accessible directory, and permit PHP execution in that directory can be coerced into writing and executing attacker-controlled PHP. No public exploit identified at time of analysis, though the patch commit and tests publicly demonstrate the bypass technique (a polyglot file named `shell.php` carrying GIF magic bytes).

File Upload PHP RCE
NVD GitHub
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Server-side request forgery in the Fediverse Embeds WordPress plugin before 1.5.8 lets any unauthenticated visitor coerce the WordPress host into issuing arbitrary outbound HTTP requests and returns the full response body to the caller, turning the site into a full-read open proxy. The flaw stems from the ftf/media-proxy REST route being registered with permission_callback => __return_true and a dead allowlist check whose result was never honored before wp_remote_get was invoked on a base64-decoded attacker-supplied URL. No public exploit identified at time of analysis, but the bug is trivial to weaponize against internal cloud metadata endpoints and intranet services from any reachable WordPress install.

PHP WordPress SSRF
NVD GitHub VulDB
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Server-Side Request Forgery in the Fediverse Embeds WordPress plugin (versions prior to 1.5.9) allows any unauthenticated visitor to cause the WordPress server to fetch an arbitrary URL by abusing a publicly exposed AJAX endpoint. The nonce mechanism guarding the endpoint (`ftf-fediverse-embeds-nonce`) is not an authentication boundary - the same nonce is embedded into every public page containing a fediverse embed, making it trivially obtainable by any site visitor. Once obtained, the nonce can be replayed to invoke `file_get_html($site_url)` with an attacker-controlled URL, potentially exposing internal services such as cloud provider metadata endpoints. No active exploitation has been confirmed (CVE is not in CISA KEV) and no public proof-of-concept has been identified at time of analysis.

PHP WordPress SSRF
NVD GitHub VulDB
EPSS 0% CVSS 7.1
HIGH This Week

Authenticated information disclosure in openSIS Classic 9.3 lets any logged-in user with messaging-module access read other users' sent messages by tampering with the mail_id parameter sent to modules/messaging/SentMail.php. The flaw is a textbook insecure direct object reference (CWE-639) with no public exploit identified at time of analysis, though the upstream commit fixing it is published on GitHub, effectively documenting the vulnerable code path.

Authentication Bypass PHP
NVD GitHub VulDB
EPSS 0% CVSS 9.8
CRITICAL Act Now

SQL Injection vulnerability in damasac thaipalliative_lte through version 3.0 allows remote attackers to execute arbitrary SQL commands via the idFormMain parameter to /substudy/ezform.php (line 14) and the id parameter (line 49). The parameters are concatenated directly into SQL queries without sanitization or parameterized statements.

PHP SQLi
NVD GitHub VulDB
EPSS 0% CVSS 5.8
MEDIUM PATCH This Month

XML injection in guzzlehttp/guzzle-services allows unauthenticated remote attackers to smuggle arbitrary XML elements into outgoing API requests by embedding the CDATA terminator `]]>` in attacker-controlled input. The PHP XMLWriter::writeCData() call used by the request serializer for values containing `<`, `>`, or `&` terminates the CDATA section prematurely when the payload contains `]]>`, causing the remainder to be interpreted as raw XML markup by the downstream service. Depending on downstream service behavior, this can enable privilege escalation, parameter boundary bypass, or operation semantic manipulation — the advisory's canonical example shows injection of a `<Role>admin</Role>` element that a receiving service may honor. No public exploit has been identified at time of analysis, and this vulnerability is not in the CISA KEV catalog.

PHP Authentication Bypass
NVD GitHub VulDB
EPSS 0% CVSS 8.4
HIGH This Week

PHP Object Injection in Concrete CMS versions below 9.5.2 allows arbitrary PHP object instantiation through unsafe unserialize() calls in the Permission, Cache, and Search components. The flaw is triggered when a malicious serialized payload has already been written to the database, meaning the unauthenticated trigger depends on a prior write primitive existing in the deployment. No public exploit identified at time of analysis, and CVSS 4.0 base scores it 8.4 with high confidentiality, integrity, and availability impact.

PHP Deserialization
NVD VulDB
EPSS 0% CVSS 9.9
CRITICAL PATCH Act Now

Authenticated remote code execution in Pheditor 2.0.1-2.0.3 lets any logged-in user with the default terminal permission bypass the TERMINAL_COMMANDS whitelist by injecting shell metacharacters into the unsanitized 'dir' POST parameter of pheditor.php, achieving full command execution as the web server user. Publicly available exploit code exists in the GitHub Security Advisory PoC, and the upstream commit confirms the root cause is missing escapeshellarg() on $dir before concatenation into shell_exec().

PHP RCE CSRF +1
NVD GitHub
EPSS 0% CVSS 5.1
MEDIUM This Month

Reflected XSS in Evoluted PHP Directory Listing Script through version 4.0.5 allows unauthenticated remote attackers to execute arbitrary JavaScript in a victim's browser by delivering a crafted URL. The `dir` parameter in `index.php` is rendered unsanitized in two distinct HTML contexts: the page `<title>` element and breadcrumb `<a href>` attributes, each enabling distinct injection techniques — title context breakout and event handler injection respectively. No public exploit has been confirmed via CISA KEV, though a proof-of-concept gist is referenced in the NVD advisory data, indicating exploit code may be publicly accessible.

PHP XSS
NVD GitHub
EPSS 0% CVSS 5.1
MEDIUM POC This Month

Reflected cross-site scripting in OSCAL-GUI allows unauthenticated remote attackers to execute arbitrary JavaScript in a victim's browser by injecting payloads through the unsanitized `project` parameter in `oscal-forms.php`. The parameter is URL-decoded and passed without sanitization into an error message via the `Messages()` function in `oscal-functions.php`, which is then reflected directly into the HTML response body when the supplied project ID does not match any existing record. A publicly available proof-of-concept exploit exists; the vulnerability is not confirmed in CISA KEV, and real-world impact is constrained by the CVSS UI:A requirement for victim interaction, making targeted phishing the primary delivery mechanism.

PHP XSS Oscal Gui
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL Act Now

DedeCMS V5.7.118 is vulnerable to Command Execution in file_manage_control.php.

PHP Command Injection
NVD GitHub VulDB
EPSS 0% CVSS 9.3
CRITICAL POC PATCH Monitor

WordPress Insert PHP plugin versions before 3.3.1 contain a PHP code injection vulnerability that allows unauthenticated attackers to execute arbitrary PHP code by injecting malicious shortcodes. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

RCE PHP WordPress +1
NVD Exploit-DB
EPSS 0% CVSS 8.7
HIGH POC This Week

Mac Photo Gallery 3.0 contains a path traversal vulnerability that allows unauthenticated attackers to download arbitrary files by manipulating the albid parameter. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Path Traversal PHP
NVD Exploit-DB
EPSS 0% CVSS 8.7
HIGH POC This Week

Apptha Slider Gallery 1.0 contains a path traversal vulnerability that allows unauthenticated attackers to download arbitrary files by manipulating the imgname parameter. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Path Traversal PHP
NVD Exploit-DB
EPSS 0% CVSS 8.8
HIGH POC Monitor

KittyCatfish 2.2 plugin for WordPress contains an SQL injection vulnerability that allows unauthenticated attackers to read database contents by exploiting an unescaped GET parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP WordPress SQLi
NVD Exploit-DB
EPSS 0% CVSS 8.8
HIGH POC This Week

Wow Viral Signups 2.1 WordPress plugin contains an SQL injection vulnerability that allows unauthenticated attackers to extract database information by exploiting the unescaped 'idsignup' POST. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP WordPress SQLi
NVD Exploit-DB
EPSS 0% CVSS 8.8
HIGH POC This Week

Wow Forms WordPress Plugin version 2.1 contains an SQL injection vulnerability that allows unauthenticated attackers to read arbitrary database information by exploiting an unescaped POST parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP WordPress SQLi
NVD Exploit-DB
EPSS 0% CVSS 8.8
HIGH POC Monitor

Product Catalog 8 1.2 plugin for WordPress contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP WordPress SQLi
NVD Exploit-DB
EPSS 0% CVSS 6.9
MEDIUM POC This Month

WP Vault 0.8.6.6 contains a local file inclusion vulnerability that allows unauthenticated attackers to read arbitrary files by exploiting an unescaped parameter in the include functionality. Rated medium severity (CVSS 6.9), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Hashicorp Path Traversal PHP +1
NVD Exploit-DB
EPSS 0% CVSS 8.8
HIGH POC This Week

Simply Poll 1.4.1 plugin for WordPress contains an SQL injection vulnerability that allows unauthenticated attackers to extract database information by injecting SQL code through the 'pollid' POST. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure PHP WordPress +1
NVD Exploit-DB
EPSS 0% CVSS 6.3
MEDIUM PATCH This Month

PHP Object Injection in TYPO3 CMS's cache frontend (VariableFrontend) and persistent key-value store (Registry) exposes TYPO3 installations to potential Remote Code Execution when an attacker controls write access to the underlying storage layer. The root cause is bare PHP `unserialize()` calls on storage-retrieved data without HMAC integrity validation or class allowlists, meaning attacker-controlled data in the `sys_registry` table or cache backend can trigger deserialization of crafted PHP objects through a gadget chain. No public exploit has been identified at time of analysis and no CISA KEV listing exists; however, the CVSS 4.0 Subsequent impact scores (SC:H/SI:H/SA:H) confirm that successful exploitation yields full system-level impact despite the local access prerequisite.

PHP Deserialization RCE
NVD GitHub VulDB
EPSS 1% CVSS 8.8
HIGH This Week

Authenticated PHP Object Injection in the Blocksy WordPress theme (versions ≤ 2.1.35) allows contributor-level users to escalate to remote code execution by storing a malicious serialized object in post meta that is later deserialized during the V200 database migration. Wordfence-reported flaw chains weak input sanitization in blocksy_sanitize_post_meta_options() with an unconditional @unserialize() call in SearchReplacer::run_recursively(), triggering RaiiPattern::__destruct() to invoke arbitrary callables via call_user_func(). No public exploit identified at time of analysis, but the low-privilege requirement and high impact make this a meaningful priority for sites running upgraded Blocksy installations.

PHP Deserialization WordPress +1
NVD VulDB
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in the kk Blog Card WordPress plugin (all versions ≤ 1.3) allows authenticated contributors to inject persistent JavaScript payloads via unsanitized 'href' and 'type' attributes of the [blog-card] shortcode. The flaw, rooted in direct attribute concatenation without sanitization or escaping in kk-blog-card-shortcode.php, executes injected scripts in the browser of any visitor loading an affected page - including administrators. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV, but the changed scope (S:C) in the CVSS vector elevates potential impact beyond the plugin boundary.

PHP XSS WordPress
NVD
EPSS 0% CVSS 6.1
MEDIUM This Month

Reflected Cross-Site Scripting in the Product Filter Widget for Elementor WordPress plugin (versions up to and including 1.0.6) enables unauthenticated attackers to inject and execute arbitrary JavaScript in a victim's browser session. The vulnerability stems from unsanitized output of the 'args[filterFormArray]' parameter in a publicly accessible AJAX endpoint registered via wp_ajax_nopriv_ with no nonce verification or capability check, meaning any unauthenticated request to admin-ajax.php can carry the payload. Exploitation is delivered via a CSRF-style auto-submitting form, requiring the attacker to social-engineer a victim into visiting an attacker-controlled page; no public exploit code or CISA KEV listing has been identified at time of analysis.

PHP XSS CSRF +2
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

Unauthenticated settings manipulation in Helpfulcrowd Product Reviews plugin for WordPress (versions up to and including 1.2.9) allows any remote attacker to overwrite arbitrary plugin configuration values in the WordPress database. The vulnerability stems from a PHP type juggling flaw in the token validation function combined with an openly accessible REST endpoint registered with `__return_true` as its permission callback. By submitting a JSON boolean `true` as the token value, an attacker bypasses the loose-comparison check (`!=`) in `helpfulcrowd_validate_token()` and gains full write access to the `helpfulcrowd_options` database option with no sanitization or allowlist enforcement. No public exploit or CISA KEV listing is identified at time of analysis.

PHP Memory Corruption WordPress +1
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Local File Inclusion in the Recover Exit For WooCommerce WordPress plugin (versions up to and including 1.0.3) allows remote unauthenticated attackers to include arbitrary local PHP files via the unsanitized `tpf` POST parameter passed to `include()` in the `recover_exit()` function. Successful exploitation can disclose sensitive files such as `wp-config.php` and, when combined with file upload primitives or log poisoning, escalate to remote code execution. No public exploit identified at time of analysis, though the vulnerable sink is documented in the plugin source on plugins.trac.wordpress.org.

Information Disclosure WordPress Path Traversal +4
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM This Month

Cross-Site Request Forgery in WP Meta Sort Posts WordPress plugin (all versions ≤ 0.9) allows unauthenticated remote attackers to modify plugin settings by tricking a logged-in administrator into clicking a crafted link, due to missing nonce validation in msp-options.php. The CVSS vector (PR:N, UI:R) confirms the attacker requires no authentication but must social-engineer an administrator, with impact limited to changing the msp_loop_file and msp_nav_location settings. No active exploitation confirmed - this CVE is not listed in CISA KEV, no public exploit code has been identified, and EPSS data was not provided in available intelligence.

CSRF WordPress PHP
NVD
EPSS 0% CVSS 2.1
LOW Monitor

Dolibarr ERP CRM's Legacy Filemanager component exposes its configuration endpoint without any authorization gate, allowing authenticated users holding only low-level privileges to interact with filemanager functionality reserved for website administrators. Affecting all releases through 23.0.2, the missing permission check in htdocs/core/filemanagerdol/connectors/php/config.inc.php means any valid account - regardless of role - can reach this endpoint. Publicly available exploit code exists (CVSS E:P); no CISA KEV listing is confirmed in the available data.

PHP Information Disclosure
NVD GitHub VulDB
EPSS 0% CVSS 7.5
HIGH This Week

Unauthorized access in SEMCMS 5.0 allows remote attackers to reach the SEMCMS_copy.php endpoint without authentication, exposing sensitive functionality intended to be restricted. The CVSS 7.5 score reflects high confidentiality impact with no integrity or availability effect, and no public exploit identified at time of analysis beyond a referenced gist. The flaw stems from improper access control (CWE-284) in a PHP-based content management system.

PHP Authentication Bypass N A
NVD GitHub
EPSS 0% CVSS 6.3
MEDIUM This Month

Cross-site request forgery in SemCms 5.0 allows a remote attacker to perform unauthorized actions against the admin user management endpoint at /admin/semcms_user.php by tricking an authenticated administrator into triggering a crafted POST request. The affected product is a PHP-based CMS and the vulnerability stems from a missing or bypassable CSRF token on a privileged administrative function. Publicly available exploit code exists per SSVC data, though the vulnerability has not been added to the CISA KEV catalog and is not confirmed as actively exploited in the wild.

CSRF PHP N A
NVD GitHub
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

CSV Injection in Poweradmin's log export functionality allows a high-privileged attacker to embed spreadsheet formulas in usernames that execute when an administrator exports activity logs and opens the resulting CSV in Excel, LibreOffice Calc, or Google Sheets. All four log export controllers pass username fields directly to PHP's fputcsv() without neutralizing formula trigger characters (=, +, -, @), enabling phishing via rendered hyperlinks and silent data exfiltration via =IMPORTXML() or similar functions targeting victim administrators. Publicly available exploit code exists per GHSA-3h6h-67x3-cv5x; the vulnerability is not listed in CISA KEV.

Google PHP Information Disclosure +2
NVD GitHub
EPSS 0% CVSS 9.2
CRITICAL PATCH Act Now

Phar deserialization in PhpSpreadsheet (PHPOffice) is reachable on PHP 7.x because the `File::prohibitWrappers` helper added to patch CVE-2026-34084 can be bypassed with a three-slash phar URI such as `phar:///path/file.phar/inner`, where `parse_url` returns false and the wrapper check is skipped. Remote attackers who can supply a file path to `IOFactory::load()` achieve full RCE on PHP 7.x branches (1.x up to 1.30.4) and a phar file-read primitive on PHP 8.x branches up to 5.7.0; publicly available exploit code exists with a working Docker reproducer, though EPSS is only 0.04% (12th percentile).

PHP Docker Deserialization
NVD GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

SQL injection in CodeAstro Student Attendance Management System 1.0 exposes the backend database to manipulation by authenticated remote attackers via the `classId` parameter in `/attendance-php/Admin/createClassArms.php`. An attacker with low-privilege authenticated access to the admin panel can craft malicious SQL payloads to read, alter, or delete database records - impacting confidentiality, integrity, and availability (C:L/I:L/A:L per CVSS). A public proof-of-concept exploit exists (GitHub issue, VulDB reference), elevating practical risk beyond the moderate CVSS score of 6.3 alone. No CISA KEV listing has been identified at time of analysis.

PHP SQLi
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

SQL injection in CodeAstro Student Attendance Management System 1.0 exposes the /attendance-php/Admin/createClass.php?action=edit endpoint to database manipulation via an unsanitized ID parameter. Authenticated remote attackers with low-privilege access can exploit this to read, modify, or partially disrupt database contents. A public exploit exists (reported via GitHub), though the CVSS 4.0 score of 2.1 reflects constrained real-world impact due to limited scope change and low-severity confidentiality/integrity/availability ratings - no public exploit identified in CISA KEV at time of analysis.

PHP SQLi
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

SQL injection in CodeAstro Student Attendance Management System 1.0 allows low-privileged authenticated remote attackers to manipulate backend database queries via the unsanitized `className` parameter in `/attendance-php/Admin/createClass.php`. A publicly available proof-of-concept exploit (CVSS E:P) lowers the barrier to exploitation, though the CVSS 4.0 score of 2.1 (Low) reflects constrained impact scope - all confidentiality, integrity, and availability impacts are rated Low with no scope change. No confirmed active exploitation (not in CISA KEV) has been identified at time of analysis.

PHP SQLi
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in CodeAstro Student Attendance Management System 1.0 allows remote unauthenticated attackers to manipulate the Username parameter at /attendance-php/index.php to inject arbitrary SQL. Publicly available exploit code exists per VulDB reference, raising the practical risk despite the moderate 7.3 CVSS score. No CISA KEV listing and no EPSS score were supplied, so exploitation appears opportunistic against this small-vendor PHP application rather than mass-targeted.

PHP SQLi
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

SQL injection in CodeAstro Payroll System 1.0 exposes database records to manipulation via the ID parameter in /view_account.php, allowing a low-privileged authenticated remote attacker to read, alter, or partially disrupt payroll data. A public proof-of-concept exploit is available via GitHub, as reported by VulDB. Despite network accessibility and public PoC, the CVSS 4.0 score of 2.1 reflects constrained impact - limited to the vulnerable component with no lateral scope - and a mandatory low-privilege authentication prerequisite that tempers broad exploitation risk.

PHP SQLi
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

SQL injection in CodeAstro Payroll System 1.0 exposes payroll data to manipulation by authenticated low-privilege users via unsanitized input in the salary calculation endpoint. The vulnerability affects the `rate` and `salary_rate` parameters of `/home_salary.php`, where attacker-controlled values are passed directly into SQL queries without sanitization. Publicly available exploit code exists per GitHub references, though the vulnerability is not listed in the CISA KEV catalog and carries a CVSS 4.0 base score of only 2.1, reflecting constrained real-world impact due to authentication requirements and limited CIA impact ratings.

PHP SQLi
NVD VulDB GitHub
EPSS 0% CVSS 9.8
CRITICAL POC PATCH Act Now

Remote code execution in YesWiki prior to 4.6.6 allows unauthenticated attackers to inject arbitrary PHP via the Bazar CalcField formula evaluator, which sanitizes input with a recursive regex before passing it to eval(). The same flawed regex is also vulnerable to ReDoS/stack overflow, enabling denial of service against the server. No public exploit identified at time of analysis, but the commit diff in 4.6.6 fully documents the vulnerable code path, lowering the bar for exploit development.

PHP Code Injection Denial Of Service +1
NVD GitHub
EPSS 0% CVSS 5.5
MEDIUM This Month

Hard-coded credential exposure in SourceCodester's Online Examination & Learning Management System 1.0 (also distributed as Syllabus-aligned Learning Management and Examination System 1.0) allows remote unauthenticated attackers to exploit a statically embedded password ('CICT_2026') in the import_users.php file without any authentication or user interaction. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms fully unauthenticated remote exploitation at low complexity, and the E:P exploit maturity modifier alongside the CVE description's explicit statement of public disclosure confirm that publicly available exploit code exists. Impact is constrained to low confidentiality exposure against the vulnerable component with no confirmed integrity or availability consequences.

PHP Authentication Bypass
NVD VulDB
EPSS 0% CVSS 2.0
LOW POC Monitor

Cross-site scripting in imvks786/student_management_system allows a low-privileged remote attacker to inject malicious scripts via the name, address, or fname parameters in /add.php. The payload executes in a victim's browser when the affected page is viewed, enabling session hijacking, credential theft, or UI redress attacks against other users of the application. A public exploit is available via a GitHub issue report; the vendor has not responded to the coordinated disclosure.

PHP XSS
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

Improper authorization in the imvks786 student_management_system PHP application allows authenticated low-privileged remote attackers to delete student records they are not authorized to remove via manipulation of the `del` parameter at the /see.php Student Deletion Endpoint. The vulnerability (CWE-285) stems from the application failing to verify that the requesting user holds sufficient privileges to perform the deletion action, effectively enabling horizontal or vertical privilege escalation within the data management scope. No public exploit identified at time of analysis via CISA KEV, though publicly available exploit code exists per the referenced GitHub issue disclosure.

PHP Authentication Bypass
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

Improper access control in imvks786's Student Management System PHP application exposes the /add.php Student Record Handler endpoint to unauthorized manipulation by authenticated remote attackers. The vulnerability, classified under CWE-284, allows a low-privileged user to perform actions beyond their intended authorization scope - consistent with the 'Authentication Bypass' tag suggesting role-boundary violations rather than full pre-auth access. Public exploit code exists per the GitHub issue report, though the CVSS 4.0 score of 2.1 reflects limited impact scope (low confidentiality, integrity, and availability impact, no downstream system effect). The vendor has not responded to the coordinated disclosure.

PHP Authentication Bypass
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection at the Administrator Login Endpoint of imvks786's student_management_system (PHP) allows unauthenticated remote attackers to manipulate the a_usr and a_pwd parameters in admin/admin_login.php to inject arbitrary SQL. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms zero-barrier remote exploitation with no privileges or user interaction required. A public proof-of-concept exploit has been released via GitHub issue tracker; the project maintainer has not responded to disclosure, and no patch is available at time of analysis.

PHP SQLi
NVD VulDB GitHub
EPSS 0% CVSS 2.0
LOW Monitor

Reflected cross-site scripting in SourceCodester Inventory System 1.0 allows remote authenticated attackers to inject arbitrary JavaScript into victim browsers via unsanitized parameters in header.php. The attack requires low-level authentication and victim interaction with a crafted URL, limiting scope to integrity impact only (no confidentiality or availability impact per CVSS). Publicly available exploit code exists (CVSS E:P), though no active exploitation has been confirmed via CISA KEV, and the overall CVSS score of 3.5 (Low) reflects the constrained attack conditions.

PHP XSS
NVD VulDB
EPSS 0% CVSS 2.1
LOW Monitor

Improper authorization in SourceCodester Inventory System 1.0 allows authenticated remote attackers to manipulate the ROLE parameter in the account creation API endpoint, bypassing role-based access controls to create or modify accounts with elevated privileges beyond what is authorized. The affected component is /Product_Inventory/api/users_handler.php, a PHP endpoint that fails to enforce server-side authorization on the ROLE argument during account creation. A publicly available proof-of-concept exploit exists (CVSS temporal E:P), lowering the barrier for opportunistic abuse. No patch has been identified at time of analysis.

PHP Authentication Bypass
NVD VulDB
EPSS 0% CVSS 2.1
LOW POC Monitor

Stored cross-site scripting in SourceCodester Inventory System 1.0 allows remote unauthenticated attackers to inject persistent malicious scripts via the fullname and username parameters in /users.php on the User Management Page. When an authenticated user - likely an administrator - visits the affected page, the injected script executes in their browser session, enabling session hijacking, credential theft, or unauthorized UI manipulation. Publicly available exploit code exists (GitHub PoC by Xmyronn); this is not listed in CISA KEV but the low-complexity, no-authentication submission path elevates practical risk above the CVSS 4.3 score suggests.

PHP XSS
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM This Month

Unauthenticated password reset bypass in SourceCodester Barangay Resident Profiling and Information Management System 1.0 allows remote attackers to reset user accounts to a known hard-coded credential via the `passsword_reset.php` endpoint. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms no authentication or user interaction is required, and the E:P modifier confirms publicly available exploit code exists. Despite the VI:L integrity-only CVSS impact rating, the Authentication Bypass tag indicates the realistic consequence is full account takeover for any user whose password can be reset to the predictable hard-coded value 'password123'.

PHP Authentication Bypass
NVD VulDB
EPSS 0% CVSS 2.1
LOW POC Monitor

SQL injection in itsourcecode Hospital Management System 1.0 exposes patient database records to authenticated remote attackers via the unsanitized `admissiontme` parameter in `/addpatient.php`. A publicly available proof-of-concept (published on GitHub) lowers the exploitation barrier, though the CVSS 4.0 score of 2.1 reflects constrained impact - limited to partial data read/write with no scope change to subsequent systems. No active exploitation has been confirmed (not in CISA KEV), but the healthcare context amplifies regulatory significance even for low-severity data exposure.

PHP SQLi
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

SQL injection in itsourcecode Hospital Management System 1.0 allows remote low-privileged attackers to manipulate backend database queries via the 'Date' parameter in /adminaccount.php. The vulnerability is PHP-based (CWE-89) and publicly exploitable code exists via a GitHub submission linked through VulDB. Despite remote reachability, the CVSS 4.0 score of 2.1 reflects constrained real-world impact: low privileges are required, and the scope is fully contained with only low-level confidentiality, integrity, and availability consequences. No public patch has been identified at time of analysis.

PHP SQLi
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

Cross-site scripting in itsourcecode Hospital Management System 1.0 allows remote unauthenticated attackers to inject arbitrary JavaScript via the unsanitized `patientid` parameter in `/billing.php`, executing in the context of a victim user's browser session upon interaction with a crafted URL. A publicly available proof-of-concept exploit exists, referenced in GitHub issue #13 of the ltranquility/vuln_submit repository, lowering the barrier for opportunistic exploitation. This CVE is not listed in the CISA KEV catalog; the CVSS 4.0 score of 2.1 reflects limited impact scope - low integrity effect only, no confidentiality or availability loss - constrained further by the passive user interaction requirement.

PHP XSS
NVD VulDB GitHub
EPSS 0% CVSS 2.0
LOW Monitor

HTML injection in Bolt CMS 3.7.5 and earlier allows authenticated remote attackers to inject arbitrary HTML by manipulating the `style` argument within the HTML Attribute Handler component (`src/Storage/Field/Type/TextType.php`). The vulnerability requires low-privilege credentials and passive victim interaction for injected content to render, producing low-severity but persistent integrity exposure. Publicly available exploit code exists (CVSS E:P confirmed), and because the project repository has been archived as read-only by the maintainer, no vendor patch will ever be released - any remaining deployment faces permanent unpatched exposure.

PHP XSS
NVD VulDB
EPSS 0% CVSS 2.1
LOW POC Monitor

SQL injection in CodeAstro Leave Management System 1.0 exposes the application's database to remote authenticated attackers via the `type_of_leave` parameter in `/admin/add_leave.php`. The vulnerability (CWE-89) allows manipulation of backend SQL queries, potentially enabling data extraction, modification, or destruction. A publicly available exploit exists per VulDB report and a referenced GitHub proof-of-concept, elevating practical risk despite the low CVSS 4.0 base score of 2.1.

PHP SQLi
NVD VulDB GitHub
EPSS 0% CVSS 5.3
MEDIUM This Month

SQL injection in CodeAstro Leave Management System 1.0 allows authenticated remote attackers to manipulate database queries via the Name parameter in /admin/search_staff_for_updation.php. The vulnerability enables read, write, and denial-of-service impact against the underlying database with low complexity and no user interaction required. No public exploit code or active exploitation has been identified at time of analysis.

PHP SQLi
NVD VulDB
EPSS 0% CVSS 2.1
LOW POC Monitor

SQL injection in CodeAstro Leave Management System 1.0 allows low-privileged authenticated remote attackers to manipulate database queries via the `Name` parameter in the admin endpoint `/admin/search_staff_to_assign_pc.php`. Per the CVSS 4.0 vector, impact is limited to low confidentiality, integrity, and availability on the vulnerable system (VC:L/VI:L/VA:L) with no scope change to subsequent systems. Publicly available exploit code exists via a GitHub issue, though no active exploitation is confirmed in CISA KEV, and no vendor-released patch has been identified at time of analysis.

PHP SQLi
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

SQL injection in CodeAstro Leave Management System 1.0 exposes the /admin/delete_leave_type.php endpoint to arbitrary database query manipulation via the unsanitized leave_type parameter. The CVSS 4.0 vector (PR:L) confirms that a low-privileged authenticated user can remotely trigger the injection without user interaction or additional attack complexity. A publicly available exploit exists on GitHub (no public exploit identified in CISA KEV), and the CVSS 4.0 score of 2.1 reflects limited confidentiality, integrity, and availability impact confined to the vulnerable component with no lateral scope change.

PHP SQLi
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

SQL injection in CodeAstro Leave Management System 1.0 allows remote authenticated attackers to manipulate database queries via the Name parameter in /admin/search_staff_for_deletion.php. The vulnerability is a classic CWE-89 unsanitized input flaw in a PHP-based web application, enabling read, write, and limited availability impact against the underlying database. Publicly available exploit code exists per VulDB disclosure; no KEV listing indicates opportunistic rather than targeted exploitation at this time.

PHP SQLi
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in SourceCodester Hospitals Patient Records Management System 1.0 exposes sensitive patient data to remote, unauthenticated attackers via the `ID` parameter in the `/classes/Master.php?f=save_patient` endpoint. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms no authentication, attack prerequisites, or user interaction are required, making this trivially exploitable from the network. A publicly available exploit exists (CVSS E:P), elevating real-world risk beyond what the moderate base score of 5.5 suggests; no public exploit identified at time of analysis rises to KEV level, but the POC lowers the barrier for opportunistic attackers targeting healthcare data.

PHP SQLi
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

SQL injection in CodeAstro Ingredients Stock Management System 1.0 exposes the `/Ingredients-Stock/add_stock.php` endpoint to authenticated remote attackers who can manipulate the `ID` parameter to execute arbitrary SQL commands against the backend database. The attack is network-accessible with low complexity, enabling unauthorized data exfiltration, record manipulation, and potential escalation within the database tier. Publicly available exploit code exists (E:P in CVSS temporal vector), materially lowering the barrier to exploitation; no CISA KEV listing has been identified at time of analysis.

PHP SQLi
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in code-projects Online Music Site 1.0 allows remote unauthenticated attackers to manipulate the Category parameter in /Frontend/Search.php to execute arbitrary SQL commands against the backend database. Publicly available exploit code exists (disclosed via GitHub), increasing the practical risk despite the small footprint of this PHP application. No active exploitation has been confirmed in CISA KEV at the time of analysis.

PHP SQLi
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in code-projects Online Music Site 1.0 allows remote attackers to manipulate the ID parameter in /Administrator/PHP/AdminDeleteAlbum.php to execute arbitrary database queries. Publicly available exploit code exists (published via GitHub and tracked by VulDB), and the flaw is reachable over the network without authentication per the CVSS vector. There is no public exploit identified as actively used in the wild (not CISA KEV), but the combination of trivial attack complexity and public PoC raises the practical exploitation risk for any exposed deployment.

PHP SQLi
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in code-projects Simple Flight Ticket Booking System 1.0 allows remote unauthenticated attackers to manipulate database queries via the Username POST parameter in checkUser.php. Publicly available exploit code exists (disclosed via GitHub), increasing the likelihood of opportunistic attacks against exposed instances, though the issue is not listed in CISA KEV. The CVSS 3.1 base score of 7.3 reflects network-reachable, low-complexity exploitation with no privileges or user interaction required.

PHP SQLi
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in SourceCodester Class and Exam Timetabling System 1.0 allows remote unauthenticated attackers to manipulate the 'sy' parameter in /archive1.php to inject arbitrary SQL queries against the backend database. Publicly available exploit code exists per VulDB submission 369106, raising the practical risk despite the moderate CVSS 7.3 score. No KEV listing and no public exploitation campaigns identified at time of analysis.

PHP SQLi
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in SourceCodester Class and Exam Timetabling System 1.0 allows remote unauthenticated attackers to manipulate the 'sy' parameter of /archive2.php to execute arbitrary SQL queries against the backend database. Publicly available exploit code exists (disclosed via GitHub), though there is no confirmed active exploitation in CISA KEV. The CVSS 7.3 score reflects network-reachable, no-authentication exploitation with partial impact across confidentiality, integrity, and availability.

PHP SQLi
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in SourceCodester Class and Exam Timetabling System 1.0 allows remote unauthenticated attackers to manipulate the 'sy' parameter in /archive3.php to execute arbitrary database queries. Publicly available exploit code exists, increasing immediate risk to any exposed deployment, though no CISA KEV listing or EPSS data has been provided to indicate widespread active exploitation. The flaw carries a CVSS 7.3 rating reflecting network reachability with no authentication or user interaction required.

SQLi PHP Class And Exam Timetabling System
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM This Month

SQL injection in SourceCodester Class and Exam Timetabling System 1.0 allows unauthenticated remote attackers to manipulate database queries via the `sy` parameter in `/archive5.php`. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms no authentication or user interaction is required, and exploit code is publicly available (E:P), lowering the bar for opportunistic exploitation. Impact is assessed as low across confidentiality, integrity, and availability - consistent with a partial data-disclosure or limited-manipulation SQL injection rather than full database takeover.

PHP SQLi
NVD GitHub VulDB
EPSS 0% CVSS 2.1
LOW Monitor

Second-order SQL injection in BeikeShop's Admin Design Builder endpoint (versions up to 1.6.0.22) allows authenticated admin-panel users to manipulate the `settings.value` argument in `beike/Admin/Routes/admin.php` to inject arbitrary SQL. The root cause spans multiple PHP repository classes - `DesignService.php`, `BrandRepo.php`, and `ProductRepo.php` - where brand and product ID arrays were passed to database queries without integer casting or sanitization. A public proof-of-concept exploit exists; the CVSS 4.0 score of 2.1 reflects the administrative authentication prerequisite that meaningfully constrains real-world exposure.

PHP SQLi
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in SourceCodester Class and Exam Timetabling System 1.0 allows remote unauthenticated attackers to manipulate the 'sy' parameter of /archive4.php to inject arbitrary SQL queries. Publicly available exploit code exists, increasing the risk of opportunistic exploitation against exposed deployments, though no active exploitation has been confirmed via CISA KEV.

PHP SQLi
NVD VulDB GitHub
EPSS 0% CVSS 9.3
CRITICAL POC Act Now

WordPress Background Image Cropper version 1.2 contains a remote code execution vulnerability that allows unauthenticated attackers to upload arbitrary files by accessing the ups.php endpoint. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

File Upload RCE WordPress +1
NVD Exploit-DB VulDB
EPSS 0% CVSS 9.3
CRITICAL POC Act Now

WordPress Seotheme contains a remote code execution vulnerability that allows unauthenticated attackers to execute arbitrary PHP code by uploading malicious files to the theme directory. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE PHP WordPress +1
NVD Exploit-DB VulDB
EPSS 0% CVSS 5.1
MEDIUM POC This Month

WordPress Sonaar Music Plugin 4.7 contains a stored cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts through the comment functionality. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress PHP XSS
NVD Exploit-DB
EPSS 0% CVSS 8.7
HIGH POC This Week

WordPress Augmented-Reality plugin contains a remote code execution vulnerability in the elFinder connector that allows unauthenticated attackers to upload and execute arbitrary PHP files. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE PHP WordPress +1
NVD Exploit-DB
EPSS 0% CVSS 6.9
MEDIUM POC This Month

WordPress Plugin admin-word-count-column 2.2 contains a local file read vulnerability that allows unauthenticated attackers to read arbitrary files by exploiting null byte injection in the path. Rated medium severity (CVSS 6.9), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress PHP Path Traversal
NVD Exploit-DB
EPSS 0% CVSS 5.1
MEDIUM POC This Month

WordPress Plugin WP24 Domain Check 1.6.2 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by submitting crafted input to the. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress PHP XSS
NVD Exploit-DB VulDB
EPSS 0% CVSS 5.1
MEDIUM POC This Month

WordPress Plugin Stripe Payments 2.0.39 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts through the. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress PHP XSS
NVD Exploit-DB
EPSS 0% CVSS 2.1
LOW POC Monitor

Privilege escalation in Kushan2k student-management-system allows authenticated remote attackers to grant themselves administrator rights by manipulating the `isadmin` parameter in the Profile Update Endpoint. The `edit-admin` function in `controllers/AdminController.php` performs no server-side authorization check on this parameter, enabling any low-privileged account holder to self-elevate to admin. A publicly available exploit exists per VulDB and a GitHub issue disclosure; the vendor has not yet responded, and no patch has been released under the rolling-release model.

PHP Authentication Bypass
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

SQL injection in the `getStatus` function of `controllers/GradeController.php` within Kushan2k's student-management-system exposes the Certificate Verification Endpoint to database manipulation by low-privileged remote attackers via the `nic` parameter. A publicly available exploit (proof-of-concept via GitHub issue) lowers the practical bar for abuse despite the CVSS 4.0 base score of 2.1. No patch has been released, and the maintainer has not responded to responsible disclosure, leaving all deployments through commit f16a4ceaddd6729c4b306ed4641cda3176c1ef2a unprotected.

PHP SQLi
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

Unrestricted file upload in Kushan2k's student-management-system exposes the registration endpoint to unauthenticated remote attackers who can upload arbitrary files - including PHP webshells - by manipulating the `stimg` argument in `service/RegisterService.php`. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms no authentication, no complexity, and no user interaction are required, making this trivially exploitable by any network-reachable attacker. Publicly available exploit code exists (E:P confirmed), and the vendor has not responded to responsible disclosure as of analysis time, leaving all installations unpatched.

PHP File Upload
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in SourceCodester Class and Exam Timetabling System 1.0 exposes the login endpoint /index1.php to unauthenticated remote exploitation via an unsanitized Password parameter. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms no authentication or user interaction is required, and the E:P modifier indicates a publicly available proof-of-concept - confirmed via a GitHub issue disclosure. An attacker can manipulate the Password argument to inject arbitrary SQL, potentially bypassing authentication or exfiltrating database contents. No CISA KEV listing is present, and no vendor patch has been identified at time of analysis.

PHP SQLi
NVD VulDB GitHub
Prev Page 9 of 275 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy