311 matches found
CVE-2026-34233
CVE-2026-34233 affects CtrlPanel, an open-source billing app. In versions ≤1.1.1, multiple admin controllers expose DataTable endpoints that can be reached via GET and lack any authorization checks. Despite routes living under the /admin/ prefix, the route group middleware does not enforce admin-...
CVE-2026-42847
ClipBucket v5 is an open source video sharing platform. Prior to 5.5.3 - 122, there is a critical SQL Injection SQLi vulnerability in ClipBucket, exploitable through the type parameter on the authenticated admin endpoint adminarea/actionlogs.php. The endpoint adminarea/actionlogs.php reads...
CVE-2026-42847
ClipBucket v5 is an open source video sharing platform. Prior to 5.5.3 - 122, there is a critical SQL Injection SQLi vulnerability in ClipBucket, exploitable through the type parameter on the authenticated admin endpoint adminarea/actionlogs.php. The endpoint adminarea/actionlogs.php reads...
CVE-2026-42847 ClipBucket: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
ClipBucket v5 is an open source video sharing platform. Prior to 5.5.3 - 122, there is a critical SQL Injection SQLi vulnerability in ClipBucket, exploitable through the type parameter on the authenticated admin endpoint adminarea/actionlogs.php. The endpoint adminarea/actionlogs.php reads...
CVE-2026-42847 ClipBucket: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
ClipBucket v5 is an open source video sharing platform. Prior to 5.5.3 - 122, there is a critical SQL Injection SQLi vulnerability in ClipBucket, exploitable through the type parameter on the authenticated admin endpoint adminarea/actionlogs.php. The endpoint adminarea/actionlogs.php reads...
CVE-2026-42847
CVE-2026-42847 affects ClipBucket v5 prior to 5.5.3 - #122. The vulnerability is a SQL injection in the authenticated admin endpoint admin_area/action_logs.php, where the GET parameter $_GET['type'] is read, stored, and concatenated into a SQL WHERE condition on action_type in fetch_action_logs()...
ClipBucket SQL注入漏洞
ClipBucket is an open-source PHP script developed by MacWarrior. It is available for free download and used to host video websites. Versions of ClipBucket prior to 5.5.3 – version 122 – contained a SQL injection vulnerability. This vulnerability occurred due to the lack of parameterization of the...
CVE-2026-4090 Inquiry cart <= 3.4.2 - Cross-Site Request Forgery via Settings Form
The Inquiry Cart plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.4.2. This is due to missing nonce verification in the rdicsettingspage function when processing settings form submissions. This makes it possible for unauthenticated attackers...
CVE-2026-4090
Technical details beyond the CVE entry are not provided in the connected documents. Monitor for updates on affected plugin versions and remediation status.
PT-2026-34284
The Inquiry Cart plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.4.2. This is due to missing nonce verification in the rd ic settings page function when processing settings form submissions. This makes it possible for unauthenticated...
BIT-JOOMLA-2026-21629 Joomla! Core - [20260301] - ACL hardening in com_ajax
The ajax component was excluded from the default logged-in-user check in the administrative area. This behavior was potentially unexpected by 3rd party developers...
CVE-2026-5814 PHPGurukul Online Course Registration check_availability.php sql injection
A security vulnerability has been detected in PHPGurukul Online Course Registration 3.1. This issue affects some unknown processing of the file /admin/checkavailability.php. The manipulation of the argument regno leads to sql injection. The attack can be initiated remotely. The exploit has been...
CVE-2026-21629
The ajax component was excluded from the default logged-in-user check in the administrative area. This behavior was potentially unexpected by 3rd party developers...
EUVD-2026-17853
The ajax component was excluded from the default logged-in-user check in the administrative area. This behavior was potentially unexpected by 3rd party developers...
CVE-2026-21629
The ajax component was excluded from the default logged-in-user check in the administrative area. This behavior was potentially unexpected by 3rd party developers...
CVE-2026-21629 Joomla! Core - [20260301] - ACL hardening in com_ajax
The ajax component was excluded from the default logged-in-user check in the administrative area. This behavior was potentially unexpected by 3rd party developers...
CVE-2026-21629
The ajax component was excluded from the default logged-in-user check in the administrative area. This behavior was potentially unexpected by 3rd party developers...
CVE-2026-21629 Joomla! Core - [20260301] - ACL hardening in com_ajax
The ajax component was excluded from the default logged-in-user check in the administrative area. This behavior was potentially unexpected by 3rd party developers...
itsourcecode Online Doctor Appointment System SQL注入漏洞
itsourcecode Online Doctor Appointment System is an open-source online doctor appointment system developed by itsourcecode. Version 1.0 of the system has a SQL injection vulnerability, which stems from incorrect handling of the patientid parameter in the file admin/patientaction.php. This...
CVE-2025-70064
CVE-2025-70064 affects PHPGurukul Hospital Management System v4.0. A low-privileged user (Patient) can directly reach the Administrator Dashboard and sub-modules by navigating to the /admin/ directory after authentication, enabling privilege escalation to view confidential logs and modify system ...