EUVD-2025-38113
Improper Control of Filename for Include/Require Statement in PHP Program 'PHP Remote File Inclusion' vulnerability in Kyle Phillips Favorites favorites allows PHP Local File Inclusion. This issue affects Favorites: from n/a through = 2.3.6...
EUVD-2025-38118
Improper Control of Filename for Include/Require Statement in PHP Program 'PHP Remote File Inclusion' vulnerability in owenr88 Simple Contact Forms simple-contact-forms allows PHP Local File Inclusion. This issue affects Simple Contact Forms: from n/a through = 1.6.4...
CVE-2025-11008
The CE21 Suite plugin for WordPress (CE21 Suite) is documented as vulnerable to unauthenticated Sensitive Information Exposure via the log file in all versions up to 2.3.1 (CVE-2025-11008). Exploitation could allow an attacker to exfiltrate credentials and log in as other users who previously use...
PT-2025-44777
Name of the Vulnerable Software and Affected Versions: Car-Booking-System-PHP version 1.0. Description: Car-Booking-System-PHP version 1.0 is susceptible to Cross-Site Scripting (XSS) in the /carlux/booking.php file. The issue allows for the injection of malicious scripts through the vulnerable...
CVE-2025-11755 Delicious Recipes <= 1.9.0 - Authenticated (Contributor+) Arbitrary File Upload
The WP Delicious – Recipe Plugin for Food Bloggers formerly Delicious Recipes plugin for WordPress is vulnerable to arbitrary file uploads when importing recipes via CSV in all versions up to, and including, 1.9.0. This flaw allows an attacker with at least Contributor-level permissions to upload...
EUVD-2025-36349
A vulnerability was found in shawon100 RUET OJ up to 18fa45b0a669fa1098a0b8fc629cf6856369d9a5. This vulnerability affects unknown code of the file /process.php of the component POST Request Handler. The manipulation of the argument un results in sql injection. The attack can be launched remotely...
CVE-2025-12293
A vulnerability was identified in SourceCodester Point of Sales 1.0. This issue affects some unknown processing of the file /category.php. Such manipulation of the argument Category leads to sql injection. It is possible to launch the attack remotely. The exploit is publicly available and might b...
CVE-2025-12261
CodeAstro Gym Management System 1.0 is affected by a SQL injection in /admin/actions/remove-announcement.php caused by manipulation of the ID parameter. The vulnerability can be exploited remotely and the exploit has been made public. Affected product/component: CodeAstro Gym Management System 1....
ChurchCRM Deserialization Vulnerability
ChurchCRM is an open source CRM system for churches. ChurchCRM 5.18.0 and earlier versions contain a deserialization vulnerability, which stems from the file setup/routes/setup.php accepting, in the parameters DBPASSWORD/ROOTPATH/URL, user-submitted serialized...
CVE-2025-11736
A flaw has been found in itsourcecode Online Examination System 1.0. Affected by this issue is some unknown functionality of the file /index.php. This manipulation of the argument Username causes sql injection. It is possible to initiate the attack remotely. The exploit has been published and may...
itsourcecode Online Examination System SQL Injection Vulnerability
itsourcecode Online Examination System is an open source online examination system by itsourcecode. A SQL injection vulnerability exists in version 1.0 of itsourcecode Online Examination System, which stems from incorrect handling of the parameter Username in the file /index.php, which could...
CVE-2025-11654 yousaf530 Inferno Online Clothing Store log.php sql injection
A vulnerability was identified in yousaf530 Inferno Online Clothing Store up to 827dd42bfbe380e8de76fdc67958c24cf1246208. The affected element is an unknown function of the file /log.php. Such manipulation of the argument cemail/password leads to sql injection. It is possible to launch the attack...
Inferno Online Clothing Store SQL Injection Vulnerability
Inferno Online Clothing Store is an online shopping website by the individual developer Muhammad Yousaf Saddique. Inferno Online Clothing Store suffers from a SQL injection vulnerability that stems from incorrect handling of the parameters cemail/password in the file /log.php, which could lead...
PT-2025-41822
Name of the Vulnerable Software and Affected Versions: WeGIA versions prior to 3.5.0. Description: WeGIA is a Web Manager for Institutions focused on Portuguese-language users. A flaw exists that allows redirection to arbitrary external domains via the nextPage parameter in the 'control.php'...
CVE-2025-11610 SourceCodester Simple Inventory System brand.php sql injection
A security flaw has been discovered in SourceCodester Simple Inventory System 1.0. This issue affects some unknown processing of the file /brand.php. The manipulation of the argument editBrandName results in sql injection. The attack can be executed remotely. The exploit has been released to the...
GHSA-H6M2-R6H9-4C44 BBOT's insufficient sanitization issues in gitdumper.py can lead to RCE
Summary: bbot's gitdumper.py insufficiently sanitises a .git/config file, leading to Remote Code Execution (RCE). bbot's gitdumper.py can be made to consume a malicious .git/index file, leading to an arbitrary file write which can be used to achieve Remote Code Execution (RCE). Impact: A user who uses bbo...
CVE-2025-11530 code-projects Online Complaint Site state.php sql injection
A weakness has been identified in code-projects Online Complaint Site 1.0. Affected is an unknown function of the file /cms/admin/state.php. This manipulation of the argument state causes sql injection. The attack is possible to be carried out remotely. The exploit has been made available to the...
CVE-2025-11508
A security vulnerability has been detected in code-projects Voting System 1.0. This affects an unknown function of the file /admin/votersadd.php. Such manipulation of the argument photo leads to unrestricted upload. The attack can be launched remotely. The exploit has been disclosed publicly and...
CVE-2025-11505
A vulnerability was identified in PHPGurukul Beauty Parlour Management System 1.1. Impacted is an unknown function of the file /admin/new-appointment.php. The manipulation of the argument delid leads to sql injection. It is possible to initiate the attack remotely. The exploit is publicly availab...
CVE-2025-11444
TOTOLINK N600R is affected: the buffer overflow exists in the HTTP Request Handler’s setWiFiBasicConfig function, in /cgi-bin/cstecgi.cgi, triggered by manipulating the wepkey argument. This vulnerability allows remote exploitation and has publicly available PoCs. Affected firmware versions are p...