CVE-2026-39329

ChurchCRM is an open-source church management system. Prior to 7.1.0, an SQL injection vulnerability was identified in /EventNames.php in ChurchCRM. Authenticated users with AddEvent privileges can inject SQL via the newEvtTypeCntLst parameter during event type creation. The vulnerable flow reach...

CVE-2025-70844

yaffa v2.0.0 is vulnerable to Cross Site Scripting XSS. An attacker can inject malicious JavaScript into the "Add Account Group" function on the account-group page, allowing execution of arbitrary script in the context of users who view the affected page...

CVE-2026-5668

A flaw has been found in Cyber-III Student-Management-System up to 1a938fa61e9f735078e9b291d2e6215b4942af3f. This affects an unknown part of the file /admin/Add%20notice/add%20notice.php. This manipulation of the argument $SERVER'PHPSELF' causes cross site scripting. It is possible to initiate th...

CVE-2026-27314 Apache Cassandra: Privilege escalation via ADD IDENTITY authorization bypass

Privilege escalation in Apache Cassandra 5.0 on an mTLS environment using MutualTlsAuthenticator allows a user with only CREATE permission to associate their own certificate identity with an arbitrary role, including a superuser role, and authenticate as that role via ADD IDENTITY. Users are...

CVE-2026-27314 Apache Cassandra: Privilege escalation via ADD IDENTITY authorization bypass

Privilege escalation in Apache Cassandra 5.0 on an mTLS environment using MutualTlsAuthenticator allows a user with only CREATE permission to associate their own certificate identity with an arbitrary role, including a superuser role, and authenticate as that role via ADD IDENTITY. Users are...

CVE-2026-27314

CVE-2026-27314 affects Apache Cassandra 5.0 in an mTLS environment using MutualTlsAuthenticator. A user with only CREATE permission can bind their certificate identity to an arbitrary role, including a superuser role, and authenticate as that role via ADD IDENTITY . The root cause is an authoriza...

CVE-2026-35464

pyLoad is a free and open-source download manager written in Python. The fix for CVE-2026-33509 added an ADMINONLYOPTIONS set to block non-admin users from modifying security-critical config options. The storagefolder option is not in this set and passes the existing path restriction because the...

CVE-2026-35464 pyLoad has an incomplete fix for CVE-2026-33509: unprotected storage_folder enables arbitrary file write to Flask session store and code execution

pyLoad is a free and open-source download manager written in Python. The fix for CVE-2026-33509 added an ADMINONLYOPTIONS set to block non-admin users from modifying security-critical config options. The storagefolder option is not in this set and passes the existing path restriction because the...

CVE-2026-5643

A vulnerability was identified in Cyber-III Student-Management-System up to 1a938fa61e9f735078e9b291d2e6215b4942af3f. This impacts an unknown function of the file /admin/Add%20notice/notice.php of the component Admin Add Endpoint. Such manipulation of the argument $SERVER'PHPSELF' leads to cross...

CVE-2026-5647

A vulnerability was detected in code-projects Online Shoe Store 1.0. This affects an unknown part of the file /admin/adminfeature.php of the component Add Product Page. The manipulation of the argument productname results in cross site scripting. The attack may be launched remotely. The exploit i...

EUVD-2025-209259

The Popup Box WordPress plugin before 5.5.0 does not properly validate nonces in the addoreditpopupbox function before saving popup data, allowing unauthenticated attackers to perform Cross-Site Request Forgery attacks. When an authenticated admin visits a malicious page, the attacker can create ...

PT-2026-30902

yaffa v2.0.0 is vulnerable to Cross Site Scripting XSS. An attacker can inject malicious JavaScript into the "Add Account Group" function on the account-group page, allowing execution of arbitrary script in the context of users who view the affected page...

CVE-2025-70844

CVE-2025-70844 affects yaffa v2.0.0, with XSS in the Add Account Group function on the account-group page. The vulnerability allows injection of arbitrary JavaScript and execution in the context of viewers of the affected page. Affected component: yaffa/Account Group page; root cause: improper in...

CVE-2025-70844

yaffa v2.0.0 is vulnerable to Cross Site Scripting XSS. An attacker can inject malicious JavaScript into the "Add Account Group" function on the account-group page, allowing execution of arbitrary script in the context of users who view the affected page...

Yet Another Free Financial Application 安全漏洞

Yet Another Free Financial Application is a self-hosted web application for personal financial management and planning developed by Kantorgge’s individual developers. Version 2.0.0 of Yet Another Free Financial Application contains a security vulnerability. This vulnerability stems from the “Add...

CVE-2026-35459

pyLoad is a free and open-source download manager written in Python. In 0.5.0b3.dev96 and earlier, pyLoad has a server-side request forgery SSRF vulnerability. The fix for CVE-2026-33992 added IP validation to BaseDownloader.download that checks the hostname of the initial download URL. However,...

CVE-2026-5668

A flaw has been found in Cyber-III Student-Management-System up to 1a938fa61e9f735078e9b291d2e6215b4942af3f. This affects an unknown part of the file /admin/Add%20notice/add%20notice.php. This manipulation of the argument $SERVER'PHPSELF' causes cross site scripting. It is possible to initiate th...

CVE-2026-5576

A flaw has been found in SourceCodester/jkev Record Management System 1.0. Affected by this issue is some unknown functionality of the file saveemp.php of the component Add Employee Page. This manipulation causes unrestricted upload. Remote exploitation of the attack is possible. The exploit has...

CVE-2026-5668 Cyber-III Student-Management-System add%20notice.php cross site scripting

A flaw has been found in Cyber-III Student-Management-System up to 1a938fa61e9f735078e9b291d2e6215b4942af3f. This affects an unknown part of the file /admin/Add%20notice/add%20notice.php. This manipulation of the argument $SERVER'PHPSELF' causes cross site scripting. It is possible to initiate th...

CVE-2026-5668

CVE-2026-5668 affects Cyber-III Student-Management-System (up to 1a938fa61e9f735078e9b291d2e6215b4942af3f). The flaw is in an unknown part of /admin/Add%20notice/add%20notice.php where manipulation of $_SERVER['PHP_SELF'] enables cross-site scripting. It can be triggered remotely; the exploit has...