CVE-2026-28674 xiaoheiFS Vulnerable to RCE via Arbitrary Payment Plugin Upload (Automatic Execution)

xiaoheiFS is a self-hosted financial and operational system for cloud service businesses. In versions up to and including 0.3.15, the AdminPaymentPluginUpload endpoint lets admins upload any file to plugins/payment/. It only checks a hardcoded password qweasd123456 and ignores file content. A...

CodeAstro Gym Management System SQL注入漏洞

CodeAstro Gym Management System is a gym management system from CodeAstro. A SQL injection vulnerability exists in CodeAstro Gym Management System version 1.0, which stems from an incorrect manipulation of the parameter plan in the file /admin/user-payment.php, which could lead to an SQL injectio...

CVE-2025-8981

A vulnerability was found in itsourcecode Online Tour and Travel Management System 1.0. This affects an unknown part of the file /admin/operations/payment.php. The manipulation of the argument paymenttype leads to sql injection. It is possible to initiate the attack remotely. The exploit has been...

PT-2025-33412 · Itsourcecode · Itsourcecode Online Tour/Travel Management System

Name of the Vulnerable Software and Affected Versions: itsourcecode Online Tour and Travel Management System version 1.0 Description: A SQL injection issue exists in itsourcecode Online Tour and Travel Management System version 1.0. The manipulation of the payment type argument in the...

Online Restaurant Management System 安全漏洞

Online Restaurant Management System is a Code-projects open source online restaurant management system. A security vulnerability exists in Online Restaurant Management System version 1.0, which originates from improper handling of the parameter ID in the /admin/paymentsave.php file, which may lea...

CVE-2019-9598

An issue was discovered in Cscms 4.1.0. There is an admin.php/pay CSRF vulnerability that can change the payment account to redirect funds...