
20 matches found

RedhatCVE
added 2026/04/29 2:49 p.m. | 2 views

CVE-2026-7072

A vulnerability was detected in CodePanda Source canteenmanagementsystem 1.0. Affected by this issue is some unknown functionality of the file /api/login.php. The manipulation of the argument Username results in sql injection. The attack can be executed remotely. The exploit is now public and may...

7.5 CVSS | 7.3 AI score | 0.0004 EPSS
Exploits: 0 | References: 1

CVE
added 2026/04/13 4:0 p.m. | 8 views

CVE-2026-6189

CVE-2026-6189 affects SourceCodester Pharmacy Sales and Inventory System 1.0. The vulnerability resides in an unknown function in /ajax.php?action=login, where manipulating the Username argument enables a SQL injection. Attack is remote, with public exploits disclosed. Additional details (affecte...

7.5 CVSS | 6.9 AI score | 0.00043 EPSS
Exploits: 0 | References: 5

EUVD
added 2026/03/06 5:40 p.m. | 3 views

EUVD-2026-10055

Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to versions 7.10.8, 7.11.5, 7.12.5, 7.13.4, 8.0.2, 8.1.1, and 8.2.0, a NoSQL injection vulnerability exists in Rocket.Chat's account service used in the ddp-streamer micro service that allows unauthenticated...

6.9 CVSS | 5.7 AI score | 0.00055 EPSS
Exploits: 0 | References: 1

Cvelist
added 2026/03/06 5:40 p.m. | 29 views

CVE-2026-30833 Rocket.Chat: NoSQL injection in the EE ddp-streamer-service

Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to versions 7.10.8, 7.11.5, 7.12.5, 7.13.4, 8.0.2, 8.1.1, and 8.2.0, a NoSQL injection vulnerability exists in Rocket.Chat's account service used in the ddp-streamer micro service that allows unauthenticated...

6.9 CVSS | 0.00055 EPSS
Exploits: 0 | References: 1

Vulnrichment
added 2026/02/16 9:47 a.m. | 3 views

CVE-2026-0999 Authentication bypass via userID login when email and username login are disabled

Mattermost versions 11.1.x = 11.1.2, 10.11.x = 10.11.9, 11.2.x = 11.2.1 fail to properly validate login method restrictions which allows an authenticated user to bypass SSO-only login requirements via userID-based authentication. Mattermost Advisory ID: MMSA-2025-00548...

5.4 CVSS | 5.5 AI score | 0.00052 EPSS
Exploits: 0 | References: 1

RedhatCVE
added 2026/01/07 9:42 a.m. | 3 views

CVE-1999-0180

in.rshd allows users to login with a NULL username and execute commands...

7.5 CVSS | 7.1 AI score | 0.00639 EPSS
Exploits: 0 | References: 1

OSV
added 2025/09/09 2:15 a.m. | 3 views

CVE-2025-10118

A security vulnerability has been detected in itsourcecode E-Logbook with Health Monitoring System for COVID-19 1.0. The affected element is an unknown function of the file /login.php. The manipulation of the argument Username leads to sql injection. The attack is possible to be carried out...

9.8 CVSS | 5.7 AI score | 0.0009 EPSS
Exploits: 1 | References: 5

OSV
added 2025/05/31 5:15 a.m. | 1 views

CVE-2025-5369

A vulnerability classified as critical has been found in SourceCodester PHP Display Username After Login 1.0. Affected is an unknown function of the file /login.php. The manipulation of the argument Username leads to sql injection. It is possible to launch the attack remotely. The exploit has bee...

9.8 CVSS | 5.8 AI score | 0.00204 EPSS
Exploits: 1 | References: 5

OSV
added 2025/02/19 5:47 p.m. | 9 views

GHSA-M5MF-3963-4X26 Authelia applies regulation separately to Username-based logins to Email-based logins

Summary If users are allowed to sign in via both username and email the regulation system treats these as separate login events. This leads to the regulation limitations being effectively doubled assuming an attacker using brute-force to find a user password. It's important to note that due to th...

2.3 CVSS | 6.8 AI score | 0.00123 EPSS
Exploits: 0 | References: 4

Github Security Blog
added 2025/02/19 5:47 p.m. | 12 views

Authelia applies regulation separately to Username-based logins to Email-based logins

Summary If users are allowed to sign in via both username and email the regulation system treats these as separate login events. This leads to the regulation limitations being effectively doubled assuming an attacker using brute-force to find a user password. It's important to note that due to th...

2.3 CVSS | 7.2 AI score | 0.00123 EPSS
Exploits: 0 | References: 4 | Affected Software: 1

Cvelist
added 2025/02/19 5:19 p.m. | 20 views

CVE-2025-24806 Regulation applies separately to Username-based logins to Email-based logins in authelia

Authelia is an open-source authentication and authorization server providing two-factor authentication and single sign-on (SSO) for applications via a web portal. If users are allowed to sign in via both username and email the regulation system treats these as separate login events. This leads to t...

2.3 CVSS | 0.00123 EPSS
Exploits: 0 | References: 2

Cvelist
added 2024/06/18 9:0 p.m. | 14 views

CVE-2024-6129 spa-cartcms Username login observable behavioral discrepancy

A vulnerability, which was classified as problematic, was found in spa-cartcms 1.9.0.6. Affected is an unknown function of the file /login of the component Username Handler. The manipulation of the argument email leads to observable behavioral discrepancy. It is possible to launch the attack...

6.3 CVSS | 0.00241 EPSS
Exploits: 1 | References: 4

OSV
added 2024/01/15 2:15 a.m. | 3 views

CVE-2024-0529

A vulnerability has been found in CXBSoft Post-Office up to 1.0 and classified as critical. Affected by this vulnerability is an unknown functionality of the file /apps/loginauth.php of the component HTTP POST Request Handler. The manipulation of the argument usernamelogin leads to sql injection...

9.8 CVSS | 5.6 AI score
Exploits: 0 | References: 3

CNNVD
added 2024/01/15 12:0 a.m. | 1 views

CXBSoft Post-Office SQL Injection Vulnerability

CXBSoft Post-Office is a post office system from CXBSoft. A SQL injection vulnerability exists in CXBSoft Post-Office 1.0 and earlier versions, which originates from a SQL injection vulnerability in the parameter usernamelogin in the file /apps/loginauth.php...

9.8 CVSS | 7.9 AI score | 0.00053 EPSS
Exploits: 0 | References: 4

OSV
added 2020/05/07 2:15 p.m. | 2 views

CVE-2019-18866

Unauthenticated SQL injection via the username in the login mechanism in Blaauw Remote Kiln Control through v3.00r4 allows a user to extract arbitrary data from the rkc database...

7.5 CVSS | 5.9 AI score | 0.00397 EPSS
Exploits: 1 | References: 1

OSV
added 2019/08/23 5:15 p.m. | 2 views

CVE-2019-15529

An issue was discovered on D-Link DIR-823G devices with firmware V1.0.2B05. There is a command injection in HNAP1 exploitable with Authentication via shell metacharacters in the Username field to Login...

8.8 CVSS | 5.8 AI score
Exploits: 0 | References: 1

seebug.org
added 2014/07/09 12:0 a.m. | 20 views

ecshop 2.7.3 /flow.php login bypass vulnerability

Affected file: flow.php, starting at line 188: elseif $REQUEST'step' == 'login' includeonce'languages/'. $CFG'lang'. '/user.php'; / user login and registration / if $SERVER'REQUESTMETHOD' == 'GET' ..... else includeonce'includes/libpassport.php'; if !empty$POST'act' && $POST'act' == 'signin' $captcha = intval$CFG'captcha'; if $captcha &...

7.1 AI score
Exploits: 0

Packet Storm
added 2007/07/07 12:0 a.m. | 37 views

olms-xss.txt

BACKGROUND ========== "Oliver is the web-based Library Management System for Schools. Softlink has built on the understanding of thousands of school clients, over many years, and has designed a new system for school libraries and learning resource centres in the 21st century" -- from...

7.4 AI score
Exploits: 0

securityvulns
added 2007/07/04 12:0 a.m. | 84 views

Cross Site Scripting in Oliver Library Management System

BACKGROUND ========== "Oliver is the web-based Library Management System for Schools. Softlink has built on the understanding of thousands of school clients, over many years, and has designed a new system for school libraries and learning resource centres in the 21st century" -- from...

7.2 AI score
Exploits: 0

NVD
added 2006/07/13 1:5 a.m. | 16 views

CVE-2006-3567

Cross-site scripting (XSS) vulnerability in the web administration interface logging feature in Juniper Networks Redline DX 5.1.x, and possibly earlier versions, allows remote attackers to inject arbitrary web script or HTML via the username login field...

4.3 CVSS | 5.8 AI score | 0.00558 EPSS
Exploits: 0 | References: 8