293 matches found

Nuclei
added 9 hours ago | 69 views

Piwigo 13.7.0 - SQL Injection

Piwigo is open source photo gallery software. Prior to version 13.8.0, there is a SQL Injection vulnerability in the login of the administrator screen. The SQL statement that acquires the HTTP Header User-Agent is vulnerable at the endpoint that records user information when logging in to the...

CVSS 9.8 | AI score 7.7 | EPSS 0.97405
Exploits: 21 | References: 5

EUVD
added 2026/06/17 6:35 p.m. | 9 views

EUVD-2026-37553

RadiX AX6600 WiFi 6 Tri-Band Gaming Router contains an OS command injection vulnerability, which may lead to arbitrary command execution with the root privilege by a user who logs in to the web console as an administrator...

CVSS 8.6 | AI score 7.6 | EPSS 0.01786
Exploits: 0 | References: 3

CVE
added 2026/06/17 4:56 a.m. | 10 views

CVE-2026-53876

The RadiX AX6600 WiFi 6 Tri-Band Gaming Router is affected by an OS command injection vulnerability that may lead to arbitrary command execution with root privileges when an administrator logs in to the web console. The issue is described as an OS command injection; the exact root cause details a...

CVSS 8.6 | AI score 7.6 | EPSS 0.01786
Exploits: 0 | References: 2

Positive Technologies
added 2026/06/15 12:00 a.m. | 11 views

PT-2026-49205

WordPress CP Polls 1.0.8 contains a cross-site request forgery vulnerability that allows attackers to perform unauthorized actions on behalf of authenticated users. Attackers can craft malicious HTML pages that execute unwanted poll operations when administrators visit the page while logged in...

CVSS 5.3 | AI score 5.2 | EPSS 0.00116
Exploits: 0 | References: 3

RedhatCVE
added 2026/06/09 8:59 p.m. | 8 views

CVE-2026-11531

A security flaw has been discovered in imvks786 student_management_system up to 9599b560ad3c3b83e75d328b76bedcd489ef1f46. This impacts an unknown function of the file admin/admin_login.php of the component Administrator Login Endpoint. Performing a manipulation of the argument a_usr/a_pwd results in s...

CVSS 7.5 | AI score 6.9 | EPSS 0.00328
Exploits: 0 | References: 1

CVE
added 2026/06/08 4:00 p.m. | 15 views

CVE-2026-11531

The CVE concerns the imvks786 student_management_system (up to commit 9599b560ad3c3b83e75d328b76bedcd489ef1f46) where the admin_login.php endpoint (Administrator Login) is affected. The vulnerability arises from manipulating the arguments a_usr and a_pwd, enabling SQL injection through improperly...

CVSS 7.5 | AI score 5.3 | EPSS 0.00328
Exploits: 0 | References: 6

EUVD
added 2026/06/08 4:00 p.m. | 7 views

EUVD-2026-35125

A security flaw has been discovered in imvks786 student_management_system up to 9599b560ad3c3b83e75d328b76bedcd489ef1f46. This impacts an unknown function of the file admin/admin_login.php of the component Administrator Login Endpoint. Performing a manipulation of the argument a_usr/a_pwd results in s...

CVSS 7.5 | AI score 5.3 | EPSS 0.00328
Exploits: 0 | References: 6

Vulnrichment
added 2026/06/08 4:00 p.m. | 7 views

CVE-2026-11531 imvks786 student_management_system Administrator Login Endpoint admin_login.php sql injection

A security flaw has been discovered in imvks786 student_management_system up to 9599b560ad3c3b83e75d328b76bedcd489ef1f46. This impacts an unknown function of the file admin/admin_login.php of the component Administrator Login Endpoint. Performing a manipulation of the argument a_usr/a_pwd results in s...

CVSS 7.5 | AI score 5.3 | EPSS 0.00328
Exploits: 0 | References: 6

CNNVD
added 2026/06/08 12:00 a.m. | 9 views

student_management_system injection vulnerability

student_management_system is a student information management tool personally developed by Vivek Singh. There is an injection vulnerability in student_management_system. This vulnerability stems from improper handling of parameters a_usr/a_pwd by an unknown function in the Administrator Login Endpoint...

CVSS 7.5 | AI score 7.5 | EPSS 0.00328
Exploits: 0 | References: 2

CVE
added 2026/06/04 5:19 p.m. | 17 views

CVE-2026-10880

OSNexus QuantaStor SDS Manager is affected by an unauthenticated SQL injection in the login endpoint. The username is not properly sanitized before being used in a SQL query, enabling a remote attacker (no authentication) to bypass login and gain administrator access. CVSS 3.1 base score 9.8 (Net...

CVSS 9.8 | AI score 5.9 | EPSS 0.00436
Exploits: 0 | References: 1

Positive Technologies
added 2026/06/04 12:00 a.m. | 12 views

PT-2026-46296

Name of the Vulnerable Software and Affected Versions: OSNexus QuantaStor versions prior to 6.6.2. Description: An unauthenticated remote attacker can perform a blind SQL injection via the login endpoint. The username field is not properly sanitized before being incorporated into a SQL query, which...

CVSS 9.8 | AI score 5.7 | EPSS 0.00436
Exploits: 0 | References: 5

Japan Vulnerability Notes
added 2026/05/25 6:35 a.m. | 11 views

NEC Aterm series vulnerable to OS command injection (NV26-003)

Overview: NEC Aterm series products provided by NEC Corporation contain the following vulnerability: OS command injection (CWE-78) - CVE-2026-8652. So Kato of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security...

CVSS 8.5 | AI score 5.8 | EPSS 0.00722
Exploits: 0 | References: 4

EUVD
added 2026/05/12 5:32 p.m. | 9 views

EUVD-2026-29725

Cleanuparr is a tool for automating the cleanup of unwanted or blocked files in Sonarr, Radarr, and supported download clients like qBittorrent. Prior to 2.9.10, TrustedNetworkAuthenticationHandler.ResolveClientIp parses the leftmost entry of the X-Forwarded-For header as the client IP. That entr...

CVSS 9.8 | AI score 5.8 | EPSS 0.00222
Exploits: 0 | References: 1

EUVD
added 2026/03/31 8:51 a.m. | 4 views

EUVD-2026-17345

Blind Cross-Site Scripting (XSS) in Teampass, versions prior to 3.1.5.16, within the password manager login functionality in the 'contraseña' parameter of the login form 'redacted/index.php'. During failed authentication attempts, the application does not properly clean or encode the information...

CVSS 9.3 | AI score 6 | EPSS 0.00153
Exploits: 0 | References: 1

ATTACKERKB
added 2026/03/19 11:08 p.m. | 5 views

CVE-2026-33288

SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Prior to versions 7.15.1 and 8.9.3, a SQL Injection vulnerability exists in the SuiteCRM authentication mechanisms when directory support is enabled. The application fails to properly sanitize...

CVSS 8.8 | AI score 6.1 | EPSS 0.0044
Exploits: 0 | References: 3 | Affected Software: 1

NVD
added 2026/03/18 4:16 p.m. | 4 views

CVE-2025-55040

The import form CSRF vulnerability in MuraCMS through 10.1.10 allows attackers to upload and install malicious form definitions through a CSRF attack. The vulnerable cForm.importform function lacks CSRF token validation, enabling malicious websites to forge file upload requests that install...

CVSS 8.8 | EPSS 0.00163
Exploits: 0 | References: 2

CVE
added 2026/03/18 12:00 a.m. | 10 views

CVE-2025-55046

CVE-2025-55046 is documented across multiple sources as a CSRF vulnerability in MuraCMS up to version 10.1.10, where the function cTrash.empty lacks CSRF token validation. An authenticated administrator visiting a crafted page can involuntarily submit a forged request that permanently deletes all...

CVSS 8.1 | AI score 5.8 | EPSS 0.00124
Exploits: 0 | References: 2 | Affected Software: 1

CVE
added 2026/03/10 5:26 a.m. | 20 views

CVE-2026-0953

CVE-2026-0953 affects the Tutor LMS Pro WordPress plugin (versions through 3.9.5). The issue is an authentication bypass in the Social Login addon: the plugin fails to verify that the email in the authentication request matches the email from the validated OAuth token, allowing unauthenticated at...

CVSS 9.8 | AI score 5.8 | EPSS 0.00655
In wild | Exploits: 0 | References: 2

Cvelist
added 2026/02/19 1:02 a.m. | 32 views

CVE-2026-2690 itsourcecode Event Management System Admin Login ajax.php sql injection

A flaw has been found in itsourcecode Event Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /admin/ajax.php?action=login of the component Admin Login. This manipulation of the argument Username causes sql injection. It is possible to initiate the atta...

CVSS 7.5 | EPSS 0.00466
Exploits: 1 | References: 5

RedhatCVE
added 2026/02/10 1:23 p.m. | 7 views

CVE-2026-2225

A flaw has been found in itsourcecode News Portal Project 1.0. This vulnerability affects unknown code of the file /admin/index.php of the component Administrator Login. This manipulation of the argument email causes sql injection. The attack can be initiated remotely. The exploit has been...

CVSS 9.8 | AI score 5.4 | EPSS 0.00416
Exploits: 1 | References: 1