CVE-2020-25900

Affected software: HelloTalk (up to version 3.4.1). Vulnerability summary: The app stores full‑precision GPS coordinates even when a user intends to share only a country or city, and these coordinates are placed into a client‑side database that is stored on other users’ devices. The client databa...

PT-2026-47052

Name of the Vulnerable Software and Affected Versions OpenXDMoD versions prior to 10.0.3 Description An SQL injection allows an unauthenticated remote attacker to execute arbitrary SQL statements. This can result in the complete compromise of the underlying database. The issue requires no...

CVE-2020-25900

HelloTalk through 3.4.1 stores full-precision GPS coordinates even when the user had intended to share only a country or city. Furthermore, these coordinates are placed into a database on the client of other users. The client side was changed in 2019 to encrypt that database...

PT-2026-47035

Name of the Vulnerable Software and Affected Versions AWS Advanced Go Wrapper for Amazon Aurora PostgreSQL versions prior to 2026-05-26 Description An untrusted search path issue exists in the GlobalDatabasePlugin. This allows a remote authenticated low-privilege actor to escalate privileges to...

WordPress Contest Gallery 28.1.4 - Unauthenticated Blind SQL Injection

Exploit Title: WordPress Contest Gallery 28.1.4 - Unauthenticated Blind SQL Injection Google Dork: N/A Date: 2026-06-02 Exploit Author: cardosource Vendor Homepage: https://contest-gallery.com/ Software Link: https://wordpress.org/plugins/contest-gallery/ Version: getrow without proper...

PT-2026-46960

A vulnerability was detected in tittuvarghese CollegeManagementSystem 3e476335cfbfb9a049e09f474c7ec885f69a9df3/a38852979f7e27ae67b610dce5979500ef8ebe01. This affects an unknown function of the file dashboard page/forms/fetch.php. Performing a manipulation of the argument department code results i...

CVE-2026-11246

Insufficient validation of untrusted input in IndexedDB in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to bypass same origin policy via a crafted HTML page. Chromium security severity: Low...

CVE-2026-10874 projectworlds Online Art Gallery Shop Project adminHome.php sql injection

A vulnerability was identified in projectworlds Online Art Gallery Shop Project 1.0. The affected element is an unknown function of the file /admin/adminHome.php. The manipulation of the argument socialinsta leads to sql injection. The attack may be initiated remotely. The exploit is publicly...

CVE-2026-42540

IRIS is a web collaborative platform that helps incident responders share technical details during investigations. Versions prior to 2.4.28 allow a user to alter values in the database via manipulated API requests. Version 2.4.28 contains a patch...

CVE-2026-42540

IRIS is a web collaborative platform that helps incident responders share technical details during investigations. Versions prior to 2.4.28 allow a user to alter values in the database via manipulated API requests. Version 2.4.28 contains a patch...

EUVD-2026-34328

IRIS is a web collaborative platform that helps incident responders share technical details during investigations. Versions prior to 2.4.28 allow a user to alter values in the database via manipulated API requests. Version 2.4.28 contains a patch...

CVE-2026-42540

IRIS web collaborative platform suffers a Mass Assignment vulnerability (CVE-2026-42540). Versions prior to 2.4.28 allow an attacker to alter values in the database through manipulated API requests. A fix is available in version 2.4.28. The CVSS 3.1 score is 4.3 (Medium) with Network attack vecto...

CVE-2026-36499

A missing upper-bound check in the udpifsetthreads function of Open vSwitch v3.6.90 allows an attacker with OVSDB write access to request an excessive number of handler or revalidation threads. This can cause a denial of service DoS via resource exhaustion...

GHSA-WC3V-3457-C8CM OpenMeter: SQL injection through meter creation

Summary An authenticated tenant can inject arbitrary SQL through the valueProperty or groupBy fields of POST /api/v1/meters. The injection passes the application's JSONPath validation check and executes against the shared ClickHouse database, which contains event data for all tenants with no...

CVE-2026-10880 Unauthenticated SQL Injection in Osnexus Quantastor

OSNexus QuantaStor SDS Manager is vulnerable to SQL injection in the login endpoint. The username field is not properly sanitized before being incorporated into a SQL query, allowing an unauthenticated remote attacker to bypass authentication and log in as an administrator without supplying a val...

Wordfence Intelligence Weekly WordPress Vulnerability Report (May 25, 2026 to May 31, 2026)

Last week, there were 277 vulnerabilities disclosed in 184 WordPress Plugins and 70 WordPress Themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 94 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilitie...

CVE-2026-10808

A vulnerability was identified in itsourcecode Fees Management System 1.0. This affects an unknown function of the file /managestudent.php. The manipulation of the argument ID leads to sql injection. Remote exploitation of the attack is possible. The exploit is publicly available and might be use...

CVE-2019-25730

Listing Hub CMS 1.0 contains a SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the id parameter. Attackers can send GET requests to pages.php with crafted id values using error-based SQL injection techniques to...

CVE-2019-25726

All in One Video Downloader 1.2 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the id parameter. Attackers can send requests to the admin interface with UNION-based SQL injection payloads in the id...

EUVD-2019-20168

PHP EI-Tube Script 3 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the search parameter. Attackers can send GET requests to the search endpoint with crafted SQL payloads in the query parameter to...