Incorrect Authorization

Overview admidio/admidio is a free open source user management system for websites of organizations and groups. Affected versions of this package are vulnerable to Incorrect Authorization due to an inverted authorization check in the twofactorauthentication.php process. An attacker can remove...

GHSA-RH3W-4CCX-PRF9 Admidio has Inverted 2FA Reset Authorization Check that Lets Group Leaders Strip Admin TOTP

Summary A logic error in Admidio's two-factor authentication reset inverts the authorization check. Non-admin users cannot remove their own TOTP configuration, but they can remove other users' TOTP, including administrators. A group leader with profile edit rights on an admin account can strip th...

GHSA-XQV4-XM7H-52CV Admidio's Missing Authorization on Inventory Module Destructive Endpoints Allows Any Authenticated User to Delete Items

Summary The Admidio inventory module enforces authorization for destructive operations delete, retire, reinstate only in the UI layer by conditionally rendering buttons. The backend POST handlers at modules/inventory.php for itemdelete, itemretire, itemreinstate, itempictureupload, itempicturesav...

OpenClaw: Owner-enforced commands could accept wildcard channel senders as command owners

Impact OpenClaw deployments before 2026.4.21 could treat a non-owner sender as authorized for owner-enforced slash commands when all of the following were true: - a channel plugin declared commands.enforceOwnerForCommands: true; - the channel accepted wildcard inbound senders with allowFrom: ""; ...

CVE-2026-7407

A security vulnerability has been detected in SourceCodester Pizzafy Ecommerce System 1.0. Affected by this vulnerability is the function savesettings of the file /pizzafy/admin/ajax.php?action=savesettings of the component Setting Handler. Such manipulation leads to sql injection. It is possible...

CVE-2026-7410 SourceCodester Pizzafy Ecommerce System ajax.php add_to_cart sql injection

A vulnerability has been found in SourceCodester Pizzafy Ecommerce System 1.0. This vulnerability affects unknown code of the file /admin/ajax.php?action=addtocart. The manipulation of the argument pid leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to...

CVE-2026-7409 SourceCodester Pizzafy Ecommerce System ajax.php save_user sql injection

A flaw has been found in SourceCodester Pizzafy Ecommerce System 1.0. This affects the function saveuser of the file /admin/ajax.php?action=saveuser. Executing a manipulation can lead to sql injection. The attack can be launched remotely. The exploit has been published and may be used...

CVE-2026-7409

A flaw has been found in SourceCodester Pizzafy Ecommerce System 1.0. This affects the function saveuser of the file /admin/ajax.php?action=saveuser. Executing a manipulation can lead to sql injection. The attack can be launched remotely. The exploit has been published and may be used...

EUVD-2026-26291

A flaw has been found in SourceCodester Pizzafy Ecommerce System 1.0. This affects the function saveuser of the file /admin/ajax.php?action=saveuser. Executing a manipulation can lead to sql injection. The attack can be launched remotely. The exploit has been published and may be used...

CVE-2026-7409 SourceCodester Pizzafy Ecommerce System ajax.php save_user sql injection

A flaw has been found in SourceCodester Pizzafy Ecommerce System 1.0. This affects the function saveuser of the file /admin/ajax.php?action=saveuser. Executing a manipulation can lead to sql injection. The attack can be launched remotely. The exploit has been published and may be used...

CVE-2026-7225

A weakness has been identified in SourceCodester Pizzafy Ecommerce System 1.0. This vulnerability affects the function deletemenu of the file /admin/ajax.php?action=deletemenu. Executing a manipulation of the argument ID can lead to sql injection. The attack may be launched remotely. The exploit...

CVE-2026-41460

SocialEngine versions 7.8.0 and prior contain a SQL injection vulnerability in the /activity/index/get-memberall endpoint where user-supplied input passed via the text parameter is not sanitized before being incorporated into a SQL query. An unauthenticated remote attacker can exploit this...

CVE-2026-7408

The CVE-2026-7408 affects SourceCodester Pizzafy Ecommerce System 1.0. The vulnerable component is the save_menu function in /admin/ajax.php?action=save_menu. Manipulation of input leads to SQL injection, exploitable remotely. Public exploit appears to exist. No remediation details are provided i...

CVE-2026-7408 SourceCodester Pizzafy Ecommerce System ajax.php save_menu sql injection

A vulnerability was detected in SourceCodester Pizzafy Ecommerce System 1.0. Affected by this issue is the function savemenu of the file /admin/ajax.php?action=savemenu. Performing a manipulation results in sql injection. The attack can be initiated remotely. The exploit is now public and may be...

CVE-2026-7408 SourceCodester Pizzafy Ecommerce System ajax.php save_menu sql injection

A vulnerability was detected in SourceCodester Pizzafy Ecommerce System 1.0. Affected by this issue is the function savemenu of the file /admin/ajax.php?action=savemenu. Performing a manipulation results in sql injection. The attack can be initiated remotely. The exploit is now public and may be...

CVE-2026-7408

A vulnerability was detected in SourceCodester Pizzafy Ecommerce System 1.0. Affected by this issue is the function savemenu of the file /admin/ajax.php?action=savemenu. Performing a manipulation results in sql injection. The attack can be initiated remotely. The exploit is now public and may be...

CVE-2026-7407 SourceCodester Pizzafy Ecommerce System Setting ajax.php save_settings sql injection

A security vulnerability has been detected in SourceCodester Pizzafy Ecommerce System 1.0. Affected by this vulnerability is the function savesettings of the file /pizzafy/admin/ajax.php?action=savesettings of the component Setting Handler. Such manipulation leads to sql injection. It is possible...

CVE-2026-7407 SourceCodester Pizzafy Ecommerce System Setting ajax.php save_settings sql injection

A security vulnerability has been detected in SourceCodester Pizzafy Ecommerce System 1.0. Affected by this vulnerability is the function savesettings of the file /pizzafy/admin/ajax.php?action=savesettings of the component Setting Handler. Such manipulation leads to sql injection. It is possible...

EUVD-2026-26289

A security vulnerability has been detected in SourceCodester Pizzafy Ecommerce System 1.0. Affected by this vulnerability is the function savesettings of the file /pizzafy/admin/ajax.php?action=savesettings of the component Setting Handler. Such manipulation leads to sql injection. It is possible...

CVE-2026-7407

A security vulnerability has been detected in SourceCodester Pizzafy Ecommerce System 1.0. Affected by this vulnerability is the function savesettings of the file /pizzafy/admin/ajax.php?action=savesettings of the component Setting Handler. Such manipulation leads to sql injection. It is possible...