
92657 matches found

OSV
added 2026/05/04 10:45 a.m. | 2 views

SUSE-SU-2026:21542-1 Security update for php-composer2

This update for php-composer2 fixes the following issues: - CVE-2025-67746: ANSI control characters injection in terminal output of various Composer commands via attacker-controlled remote sources (bsc#1255768). - CVE-2026-40176: arbitrary command injection via malicious Perforce repository definiti...

CVSS 8.8 | AI score 6.2 | EPSS 0.0005
Exploits: 3 | References: 7
ATTACKERKB
added 2026/05/04 8:0 a.m. | 2 views

CVE-2026-7746

A vulnerability was identified in SourceCodester Web-based Pharmacy Product Management System 1.0. Affected is an unknown function of the file /productexpiry/edit-admin.php. Such manipulation of the argument ID leads to sql injection. It is possible to launch the attack remotely. The exploit is...

CVSS 6.5 | AI score 6.5 | EPSS 0.00036
Exploits: 0 | References: 5 | Affected Software: 1
CVE
added 2026/05/04 8:0 a.m. | 6 views

CVE-2026-7746

SourceCodester Web-based Pharmacy Product Management System 1.0 is affected by an SQL injection in /product_expiry/edit-admin.php via the ID parameter. Root cause: unsafely constructed SQL due to improper handling of the argument, enabling remote exploitation. Exploit is publicly available accord...

CVSS 6.5 | AI score 6.5 | EPSS 0.00036
Exploits: 0 | References: 5
ATTACKERKB
added 2026/05/04 5:42 a.m. | 3 views

CVE-2026-29199

phpBB before 3.3.16 is vulnerable to Host Header Injection that can lead to password reset link poisoning. When force_server_vars is disabled, the server's hostname may be extracted from the HTTP Host header, which is used to generate the password reset link URL. An attacker who can manipulate the Hos...

AI score 5.8 | EPSS 0.00033
Exploits: 0 | References: 2 | Affected Software: 1
NVD
added 2026/05/04 1:16 a.m. | 4 views

CVE-2026-7716

A vulnerability was found in code-projects Gym Management System In PHP and Windows NT 1.0. This vulnerability affects unknown code of the file /index.php. Performing a manipulation of the argument day results in sql injection. The attack can be initiated remotely. The exploit has been made publi...

CVSS 6.5 | EPSS 0.00036
Exploits: 0 | References: 5
ATTACKERKB
added 2026/05/04 12:45 a.m. | 1 views

CVE-2026-7716

A vulnerability was found in code-projects Gym Management System In PHP and Windows NT 1.0. This vulnerability affects unknown code of the file /index.php. Performing a manipulation of the argument day results in sql injection. The attack can be initiated remotely. The exploit has been made publi...

CVSS 6.5 | AI score 6.5 | EPSS 0.00036
Exploits: 0 | References: 5 | Affected Software: 2
CVE
added 2026/05/04 12:45 a.m. | 4 views

CVE-2026-7716

CVE-2026-7716 describes an SQL injection in the Gym Management System (code-projects) for PHP on Windows NT 1.0, via manipulation of the day parameter in /index.php. The exact vulnerable component and file are /index.php; the root cause is improper handling of user input leading to SQL injection....

CVSS 6.5 | AI score 6.5 | EPSS 0.00036
Exploits: 0 | References: 5
EUVD
added 2026/05/04 12:45 a.m. | 1 views

EUVD-2026-26867

A vulnerability was found in code-projects Gym Management System In PHP and Windows NT 1.0. This vulnerability affects unknown code of the file /index.php. Performing a manipulation of the argument day results in sql injection. The attack can be initiated remotely. The exploit has been made publi...

CVSS 6.5 | AI score 6.5 | EPSS 0.00036
Exploits: 0 | References: 5
CVE
added 2026/05/04 12:0 a.m. | 3 views

CVE-2026-31205

CVE-2026-31205 describes a stored cross‑site scripting vulnerability in Pluck CMS prior to 4.7.21dev. The issue allows a remote attacker to escalate privileges via the editpage.php flow and the sanitizePageContent function. The description does not specify affected versions beyond the 4.7.21dev l...

CVSS 5.7 | AI score 5.8 | EPSS 0.00047
Exploits: 0 | References: 4
VulnCheck KEV
added 2026/05/04 12:0 a.m. | 19 views

VulnCheck KEV: CVE-2026-3296

The Everest Forms plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.4.3 via deserialization of untrusted input from form entry metadata. This is due to the html-admin-page-entries-view.php file calling PHP's native unserialize on stored entry meta...

CVSS 9.8 | AI score 5.8 | EPSS 0.00037
In wild | Exploits: 1 | References: 2
Positive Technologies
added 2026/05/04 12:0 a.m. | 3 views

PT-2026-37204

Name of the Vulnerable Software and Affected Versions: AzuraCast versions prior to 0.23.6. Description: An issue exists in the Flow.js media upload endpoint 'POST /api/station/station id/files/upload' where the currentDirectory request parameter is not sanitized for path traversal sequences. When...

CVSS 8.8 | AI score 6.5 | EPSS 0.00433
Exploits: 1 | References: 9
Positive Technologies
added 2026/05/04 12:0 a.m. | 5 views

PT-2026-36744

Name of the Vulnerable Software and Affected Versions: Gym Management System In PHP and Windows NT 1.0 (affected versions not specified). Description: A remote SQL injection can be triggered through the manipulation of the day argument in the '/index.php' endpoint. SQL injection is a type of flaw that...

CVSS 6.5 | AI score 6.6 | EPSS 0.00036
Exploits: 0 | References: 7
CNNVD
added 2026/05/04 12:0 a.m. | 3 views

SourceCodester Web-based Pharmacy Product Management System injection vulnerability

SourceCodester Web-based Pharmacy Product Management System is an open-source pharmacy product management system developed by SourceCodester. Version 1.0 of the SourceCodester Web-based Pharmacy Product Management System has a SQL injection vulnerability. This vulnerability arises from unknown...

CVSS 6.5 | AI score 6.7 | EPSS 0.00036
Exploits: 0 | References: 1
AstraLinux
added 2026/05/03 11:59 p.m. | 6 views

Astra Linux - vulnerability in php7.3

In PHP versions 7.3.x below 7.3.26, 7.4.x below 7.4.14, and 8.0.0, when validating URLs using functions like filter_var($url, FILTER_VALIDATE_URL), PHP will accept a URL with an invalid password as a valid URL. This may cause functions that rely on the validity of URLs to misinterpret the URL and...

CVSS 5.3 | AI score 6.8 | EPSS 0.07003
Exploits: 1 | References: 2
AstraLinux
added 2026/05/03 11:59 p.m. | 9 views

Astra Linux - vulnerability in php7.3

In PHP 8.0.X before 8.0.28, 8.1.X before 8.1.16, and 8.2.X before 8.2.3, an excessive number of parts in HTTP form uploads can lead to high resource consumption and an excessive number of log entries. This can cause a denial of service on the affected server by exhausting CPU resources or disk...

CVSS 7.5 | AI score 6.8 | EPSS 0.00341
Exploits: 0 | References: 2
AstraLinux
added 2026/05/03 11:59 p.m. | 1 views

Astra Linux - vulnerability in php8.1, php7.3

In PHP versions 8.1.* through 8.1.32, 8.2.* through 8.2.28, 8.3.* through 8.3.19, and 8.4.* through 8.4.5, when requesting an HTTP resource using the DOM or SimpleXML extensions, the wrong content-type header is used to determine the charset when the requested resource performs a redirect. This may...

CVSS 6.3 | AI score 6.8 | EPSS 0.00092
Exploits: 1 | References: 2
AstraLinux
added 2026/05/03 11:59 p.m. | 9 views

Astra Linux - vulnerability in php7.3

In PHP versions 8.0.* before 8.0.30, 8.1.* before 8.1.22, and 8.2.* before 8.2.8, when loading PHAR files, insufficient length checking may lead to a stack buffer overflow, potentially causing memory corruption or Remote Code Execution (RCE)...

CVSS 9.8 | AI score 7.2 | EPSS 0.29385
Exploits: 3 | References: 2
AstraLinux
added 2026/05/03 11:59 p.m. | 4 views

Astra Linux - vulnerability in php7.3, php8.1

In PHP versions 8.1.* before 8.1.30, and 8.2.* before 8.2.24, as well as 8.3.* before 8.3.12, erroneous parsing of multipart form data contained in an HTTP POST request could result in legitimate data not being processed. This could allow malicious attackers to control a portion of the submitted dat...

CVSS 5.3 | AI score 6.8 | EPSS 0.01849
Exploits: 1 | References: 2
AstraLinux
added 2026/05/03 11:59 p.m. | 1 views

Astra Linux - vulnerability in php8.1, php7.3

In PHP versions 8.1.* before 8.1.28, 8.2.* before 8.2.18, and 8.3.* before 8.3.5, if a password stored using password_hash() starts with a null byte (\x00), testing a blank string as the password via password_verify() will incorrectly return true...

CVSS 6.5 | AI score 6.3 | EPSS 0.01069
Exploits: 1 | References: 2
AstraLinux
added 2026/05/03 11:59 p.m. | 3 views

Astra Linux - vulnerability in php8.1, php7.3

In PHP versions 8.1.* before 8.1.33, 8.2.* before 8.2.29, 8.3.* before 8.3.23, and 8.4.* before 8.4.10, when parsing XML data in SOAP extensions, overly large 2Gb XML namespace prefixes may lead to null pointer dereferencing. This can result in crashes and affect the availability of the target server...

CVSS 5.9 | AI score 7.3 | EPSS 0.00772
Exploits: 1 | References: 2