24 matches found
PT-2026-35752
A weakness has been identified in o2oa up to 10.0. This affects the function FileAction of the file FileAction.java of the component URL Fetching. Executing a manipulation of the argument fileUrl can lead to server-side request forgery. It is possible to launch the attack remotely. The exploit ha...
Broken Access Control Through Unauthorized Execution of Arbitrary Action Classes Across Resources
Summary: A critical Broken Access Control vulnerability was identified in the ActionsController of the Avo framework v3.x. Due to insecure action lookup logic, an authenticated user can execute any Action class descended from Avo::BaseAction on any resource, even if the action is not registered fo...
CVE-2025-14040
The Automotive Car Dealership Business WordPress Theme for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Call to Action' custom fields in all versions up to, and including, 13.4. This is due to insufficient input sanitization and output escaping on user-supplied attributes in th...
CVE-2026-1105
A vulnerability was identified in EasyCMS up to 1.6. This vulnerability affects unknown code of the file /UserAction.class.php. Such manipulation of the argument order leads to sql injection. The attack can be executed remotely. The exploit is publicly available and might be used. The vendor was...
CVE-2026-1105
CVE-2026-1105 affects EasyCMS up to 1.6, with a flaw in the /UserAction.class.php file that allows manipulation of the _order argument, resulting in SQL injection. Documents from NVD/Red Hat indicate remote, publicly exploitable behavior and claim high impact (possible data disclosure/integrity/a...
Yccms Security Vulnerability
Yccms is a lightweight PHP-based CMS builder by the Yccms team. A security vulnerability exists in Yccms version 3.4, which stems from improper neutralization of article title field input by the add and getPost functions in the ArticleAction.class.php file, which could lead to a stored cross-site...
CVE-2025-4541
A vulnerability classified as critical has been found in LmxCMS 1.41. Affected is the function manageZt of the file c\admin\ZtAction.class.php of the component POST Request Handler. The manipulation of the argument sortid leads to sql injection. It is possible to launch the attack remotely. The...
lmxcms Security Vulnerability
lmxcms dream cms is a website builder from China Dream Cms lmxcms company. A security vulnerability exists in lmxcms version 1.41, which originates from SQL injection due to incorrect operation of the parameter sortid in the file c\admin\ZtAction.class.php...
CVE-2025-1831
A vulnerability classified as critical has been found in zj1983 zz up to 2024-8. Affected is the function GetDBUser of the file src/main/java/com/futvan/z/system/zorg/ZorgAction.java. The manipulation of the argument userid leads to sql injection. It is possible to launch the attack remotely. The...
CVE-2021-35437
SQL injection vulnerability in LMXCMS v.1.4 allows attacker to execute arbitrary code via the TagsAction.class...
LMXCMS SQL Injection Vulnerability
lmxcms dream cms is a website building system of China dream cms lmxcms company. A SQL injection vulnerability exists in LMXCMS v1.4, which stems from the application's lack of validation of externally entered SQL statements. An attacker can exploit this vulnerability to execute arbitrary code vi...
CVE-2022-48094
lmxcms v1.41 was discovered to contain an arbitrary file read vulnerability via TemplateAction.class.php...
CVE-2022-32299
YoudianCMS v9.5.0 was discovered to contain a SQL injection vulnerability via the id parameter at /App/Lib/Action/Admin/SiteAction.class.php...
CVE-2022-32301
YoudianCMS v9.5.0 was discovered to contain a SQL injection vulnerability via the IdList parameter at /App/Lib/Action/Home/ApiAction.class.php...
YouDianCMS SQL Injection Vulnerability
YouDianCMS is a website CMS. A SQL injection vulnerability exists in YouDianCMS v9.5.0, which originates from the lack of validation of the IdList parameter at /App/Lib/Action/Home/ApiAction.class.php against external SQL input. This vulnerability can be exploited to execute illegal SQL commands ...
YouDianCMS SQL Injection Vulnerability
YouDianCMS is a website CMS. A SQL injection vulnerability exists in YoudianCMS v9.5.0, which originates from the lack of validation of the MailSendID parameter at /App/Lib/Action/Admin/MailAction.class.php against external SQL input. This vulnerability can be exploited by attackers to execute...
CVE-2022-23358
EasyCMS v1.6 allows for SQL injection via ArticlemAction.class.php. In the background, search terms provided by the user were not sanitized and were used directly to construct a SQL statement...
CVE-2020-17564
Path Traversal in FeiFeiCMS v4.0 allows remote attackers to delete arbitrary files by sending a crafted HTTP request to the "Admin/DataAction.class.php" component...
CVE-2018-17048
admin/Lib/Action/FpluginAction.class.php in FDCMS aka Fangfa Content Manage System 4.2 allows SQL Injection...
SQL Injection Vulnerability in Gxlcms News System AdsAction.class.php
Gxlcms News System is a news cms content management system developed in php+mysql. A SQL injection vulnerability exists in Gxlcms News System AdsAction.class.php. An attacker can exploit the vulnerability to obtain sensitive database information...