PT-2026-7418

Name of the Vulnerable Software and Affected Versions EverShop versions prior to 2.1.1 Description EverShop is a TypeScript-first eCommerce platform susceptible to a second-order SQL injection. During category update and deletion event handling, the application incorporates values from the url...

GHSA-FXP3-G6GW-4R4V Craft CMS: GraphQL Asset Mutation Privilege Escalation

There is a Privilege Escalation vulnerability in Craft CMS’s GraphQL API that allows an authenticated user with write access to one asset volume to escalate their privileges and modify/transfer assets belonging to any other volume, including restricted or private volumes to which they should not...

Server-side Request Forgery (SSRF)

Overview craftcms/cms is a content management system. Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the saveAsset mutation in GraphQL when alternative IP notations are used in the URL parameter. An attacker can access internal cloud metadata services by...

CVE-2026-25497 Craft has a GraphQL Asset Mutation Privilege Escalation

Craft is a platform for creating digital experiences. In Craft versions from 4.0.0-RC1 to before 4.17.0-beta.1 and 5.9.0-beta.1, there is a Privilege Escalation vulnerability in Craft CMS’s GraphQL API that allows an authenticated user with write access to one asset volume to escalate their...

CVE-2026-25493 Craft has a SSRF in GraphQL Asset Mutation via HTTP Redirect

Craft is a platform for creating digital experiences. In Craft versions 4.0.0-RC1 through 4.16.17 and 5.0.0-RC1 through 5.8.21, the saveAsset GraphQL mutation validates the initial URL hostname and resolved IP against a blocklist, but Guzzle follows HTTP redirects by default. An attacker can bypa...

CVE-2026-25493 Craft has a SSRF in GraphQL Asset Mutation via HTTP Redirect

Craft is a platform for creating digital experiences. In Craft versions 4.0.0-RC1 through 4.16.17 and 5.0.0-RC1 through 5.8.21, the saveAsset GraphQL mutation validates the initial URL hostname and resolved IP against a blocklist, but Guzzle follows HTTP redirects by default. An attacker can bypa...

CVE-2026-25492

Craft CMS is a content management system. In Craft versions 3.5.0 through 4.16.17 and 5.0.0-RC1 through 5.8.21, the saveimagesAsset GraphQL mutation can be abused to fetch internal URLs by providing a domain name that resolves to an internal IP address, bypassing hostname validation. When a...

CVE-2026-2225

CVE-2026-2225 affects itsourcecode News Portal Project 1.0. The vulnerability resides in the Administrator Login component, specifically the file /admin/index.php, where manipulating the email argument enables a SQL injection. The issue can be exploited remotely, and the exploit has been publishe...

CVE-2026-2236 HGiga｜C&Cm@il - SQL Injection

C&Cm@il developed by HGiga has a SQL Injection vulnerability, allowing unauthenticated remote attackers to inject arbitrary SQL commands to read database contents...

CVE-2026-2220 code-projects Online Reviewer System btn_functions.php sql injection

A vulnerability was identified in code-projects Online Reviewer System 1.0. This impacts an unknown function of the file /system/system/admins/assessments/pretest/btnfunctions.php. Such manipulation of the argument difficultyid leads to sql injection. The attack can be executed remotely. The...

CVE-2026-2211

CVE-2026-2211 (code-projects Online Music Site 1.0) : The vulnerability is in the unknown function of the file /Administrator/PHP/AdminDeleteCategory.php. A manipulation of the argument ID can trigger a SQL injection , with the attack executable remotely. Public disclosure of the exploit is noted...

CVE-2026-2117

A vulnerability was found in itsourcecode Society Management System 1.0. The affected element is an unknown function of the file /admin/editactivity.php. Performing a manipulation of the argument activityid results in sql injection. The attack can be initiated remotely. The exploit has been made...

CVE-2026-2199

A security flaw has been discovered in code-projects Online Reviewer System 1.0. The impacted element is an unknown function of the file /reviewer/system/system/admins/manage/users/user-delete.php. Performing a manipulation of the argument ID results in sql injection. The attack can be initiated...

CVE-2026-2195

A vulnerability has been found in code-projects Online Reviewer System 1.0. This vulnerability affects unknown code of the file /system/system/admins/assessments/pretest/questions-view.php. The manipulation of the argument ID leads to sql injection. The attack is possible to be carried out...

CVE-2026-2196

A vulnerability was found in code-projects Online Reviewer System 1.0. This issue affects some unknown processing of the file /system/system/admins/assessments/pretest/exam-update.php. The manipulation of the argument testid results in sql injection. The attack may be performed from remote. The...

PT-2026-7203

Name of the Vulnerable Software and Affected Versions SAP CRM and SAP S/4HANA affected versions not specified Description An authenticated attacker in SAP CRM and SAP S/4HANA Scripting Editor can exploit a flaw in a generic function module call and execute unauthorized critical functionalities...

PT-2026-7058

A vulnerability was identified in code-projects Online Music Site 1.0. Affected by this vulnerability is an unknown functionality of the file /Administrator/PHP/AdminEditCategory.php. The manipulation of the argument ID leads to sql injection. The attack is possible to be carried out remotely. Th...

PT-2026-7088

A flaw has been found in itsourcecode News Portal Project 1.0. This vulnerability affects unknown code of the file /admin/index.php of the component Administrator Login. This manipulation of the argument email causes sql injection. The attack can be initiated remotely. The exploit has been...

PT-2026-7078

C&Cm@il developed by HGiga has a SQL Injection vulnerability, allowing authenticated remote attackers to inject arbitrary SQL commands to read database contents...

Code-Projects Online Reviewer System SQL注入漏洞

The Code-Projects Online Reviewer System is an online review system developed by Code-Projects as open source. Version 1.0 of the Code-Projects Online Reviewer System has a SQL injection vulnerability. This vulnerability arises from incorrect handling of parameters with the ID in...