53 matches found

CVE
added 3 days ago, 10 views

CVE-2026-32250

CVE-2026-32250 affects NamelessMC (Minecraft server website software). The issue is a Reflected XSS in the id parameter of the endpoint “/index.php?route=/queries/user/”. User input is echoed into the HTML response without proper sanitization/output encoding, enabling an attacker to inject JavaSc...

CVSS: 4.3, AI score: 6, EPSS: 0.00029
Exploits: 0, References: 1

ATTACKERKB
added 3 days ago, 5 views

CVE-2026-32250

NamelessMC is website software for Minecraft servers. A Reflected Cross-Site Scripting (XSS) vulnerability was discovered in version 2.2.4 in the id parameter of the endpoint /index.php?route=/queries/user/. The application reflects user-supplied input from the id parameter into the HTML response...

CVSS: 4.3, AI score: 6, EPSS: 0.00029
Exploits: 0, References: 2

Cvelist
added 2026/04/05 8:45 p.m., 18 views

CVE-2019-25664 SuiteCRM 7.10.7 SQL Injection via record Parameter

SuiteCRM 7.10.7 contains a time-based SQL injection vulnerability in the record parameter of the Users module DetailView action that allows authenticated attackers to manipulate database queries. Attackers can append SQL code to the record parameter in GET requests to the index.php endpoint to...

CVSS: 7.1, EPSS: 0.00058
Exploits: 1, References: 4

Vulnrichment
added 2026/03/20 11:21 p.m., 1 view

CVE-2026-33428 Discourse Allows Unauthorized Access to Deleted Posts Index via Group Membership

Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, a non-staff user with elevated group membership could access deleted posts belonging to any user due to an overly broad authorization check on the deleted posts index endpoint. Versions...

CVSS: 7.1, AI score: 5.8, EPSS: 0.00021
Exploits: 0, References: 1

NVD
added 2026/03/12 4:16 p.m., 0 views

CVE-2019-25488

Jettweb Hazir Rent A Car Scripti V4 contains multiple SQL injection vulnerabilities in the admin panel that allow unauthenticated attackers to manipulate database queries through GET parameters. Attackers can inject SQL code into the 'tur', 'id', and 'ozellikdil' parameters of the admin/index.php...

CVSS: 9.8, EPSS: 0.00125
Exploits: 1, References: 2

Cvelist
added 2026/03/12 3:37 p.m., 22 views

CVE-2019-25536 Netartmedia PHP Real Estate Agency 4.0 SQL Injection via features parameter

Netartmedia PHP Real Estate Agency 4.0 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the features parameter. Attackers can send POST requests to index.php with crafted SQL payloads in the features...

CVSS: 8.8, EPSS: 0.00093
Exploits: 1, References: 2

RedhatCVE
added 2026/03/05 7:51 a.m., 2 views

CVE-2026-28771

A Reflected Cross-Site Scripting (XSS) vulnerability exists in the /index.cgi endpoint of International Datacasting Corporation IDC SFX Series SuperFlex Satellite Receiver Web Management Interface version 101. The application fails to adequately sanitize user-supplied input provided via the cat...

CVSS: 6.1, AI score: 6.2, EPSS: 0.00066
Exploits: 1, References: 1

NVD
added 2026/03/04 8:16 a.m., 2 views

CVE-2026-28772

A Reflected Cross-Site Scripting (XSS) vulnerability in the /IDCLogging/index.cgi endpoint of International Datacasting Corporation IDC SFX Series SuperFlex SatelliteReceiver Web Management Interface version 101 allows a remote attacker to execute arbitrary web scripts or HTML. The vulnerability is...

CVSS: 6.1, EPSS: 0.00066
Exploits: 1, References: 1

Cvelist
added 2026/03/04 7:12 a.m., 28 views

CVE-2026-28772 Reflected XSS in IDC_Logging Index endpoint

A Reflected Cross-Site Scripting (XSS) vulnerability in the /IDCLogging/index.cgi endpoint of International Datacasting Corporation IDC SFX Series SuperFlex SatelliteReceiver Web Management Interface version 101 allows a remote attacker to execute arbitrary web scripts or HTML. The vulnerability is...

CVSS: 5.1, EPSS: 0.00066
Exploits: 1, References: 1

Vulnrichment
added 2026/03/04 7:11 a.m., 2 views

CVE-2026-28771 Reflected XSS In /index.cgi Endpoint On IDC Satellite Receiver Web Management Interface Version 101

A Reflected Cross-Site Scripting (XSS) vulnerability exists in the /index.cgi endpoint of International Datacasting Corporation IDC SFX Series SuperFlex Satellite Receiver Web Management Interface version 101. The application fails to adequately sanitize user-supplied input provided via the cat...

CVSS: 5.1, AI score: 6.2, EPSS: 0.00066
Exploits: 1, References: 1

CVE
added 2026/03/04 7:11 a.m., 7 views

CVE-2026-28771

CVE-2026-28771 describes a reflected XSS in IDC SFX Series SuperFlex Satellite Receiver Web Management Interface (version 101) via the cat parameter on /index.cgi. Input is not adequately sanitized and reflected in the HTTP response, enabling arbitrary HTML/JavaScript execution in the victim’s br...

CVSS: 6.1, AI score: 6.2, EPSS: 0.00066
Exploits: 1, References: 1, Affected Software: 1

Positive Technologies
added 2026/03/04 12:00 a.m., 1 view

PT-2026-22874

Name of the Vulnerable Software and Affected Versions: International Datacasting Corporation IDC SFX Series SuperFlex SatelliteReceiver Web Management Interface version 101. Description: A Reflected Cross-Site Scripting (XSS) issue exists in the /IDC Logging/index.cgi API endpoint. The issue occurs...

CVSS: 5.1, AI score: 6.2, EPSS: 0.00066
Exploits: 1, References: 7

Packet Storm
added 2026/02/02 12:00 a.m., 107 views

📄 Pragyan CMS 3.0 Blind SQL Injection

A critical blind SQL injection vulnerability exists in Pragyan CMS version 3.0 and earlier, affecting the main index endpoint. The vulnerability allows unauthenticated remote attackers to execute arbitrary SQL commands and potentially compromise the entire database. This issue is older research...

AI score: 6.2
Exploits: 0

OSV
added 2025/12/17 11:15 p.m., 1 view

CVE-2023-53926

PHPJabbers Simple CMS 5.0 contains a SQL injection vulnerability in the 'column' parameter that allows remote attackers to manipulate database queries. Attackers can inject crafted SQL payloads through the 'column' parameter in the index.php endpoint to potentially extract or modify database...

CVSS: 8.7, AI score: 5.9, EPSS: 0.00321
Exploits: 1, References: 3

CVE
added 2025/12/17 10:44 p.m., 6 views

CVE-2023-53923

UliCMS 2023.1 is affected by a privilege‑escalation vulnerability in the UserController endpoint. An unauthenticated attacker can issue a crafted POST to /dist/admin/index.php to create a new admin account with full system access. Documents identify the vulnerable component and impact (unrestrict...

CVSS: 9.8, AI score: 6.8, EPSS: 0.00233
Exploits: 1, References: 3, Affected Software: 1

Packet Storm
added 2025/12/15 12:00 a.m., 131 views

📄 FoxCMS 1.0 Code Injection

FoxCMS version 1.0 proof of concept remote code injection exploit. Title: FoxCMS v1.0 php code injection | Author: indoushka | Tested on: windows...

CVSS: 9.8, AI score: 8.1, EPSS: 0.86208
Exploits: 11

RedhatCVE
added 2025/12/10 5:17 p.m., 3 views

CVE-2025-63739

An issue was discovered in function phpinisaveAction in file webmain/system/cogini/coginiAction.php in Xinhu Rainrock RockOA 2.7.0 allowing attackers to authenticated users to modify PHP configuration files via the a parameter to the index.php endpoint...

CVSS: 4.3, AI score: 6.8, EPSS: 0.00038
Exploits: 1, References: 1

EUVD
added 2025/12/09 6:30 p.m., 2 views

EUVD-2025-202292

An issue was discovered in function phpinisaveAction in file webmain/system/cogini/coginiAction.php in Xinhu Rainrock RockOA 2.7.0 allowing attackers to authenticated users to modify PHP configuration files via the a parameter to the index.php endpoint...

AI score: 6.3, EPSS: 0.00038
Exploits: 1, References: 2

EUVD
added 2025/12/02 9:31 p.m., 1 view

EUVD-2025-200326

PHPGurukul Billing System 1.0 is vulnerable to SQL Injection in the admin/index.php endpoint. Specifically, the username parameter accepts unvalidated user input, which is then concatenated directly into a backend SQL query...

CVSS: 6.5, AI score: 7.4, EPSS: 0.00025
Exploits: 0, References: 3

Cvelist
added 2025/12/02 12:00 a.m., 3 views

CVE-2025-65380

PHPGurukul Billing System 1.0 is vulnerable to SQL Injection in the admin/index.php endpoint. Specifically, the username parameter accepts unvalidated user input, which is then concatenated directly into a backend SQL query...

EPSS: 0.00025
Exploits: 0, References: 2