PT-2026-33235

Name of the Vulnerable Software and Affected Versions @vendure/core versions prior to 2.3.4 @vendure/core versions 3.0.0 through 3.5.6 @vendure/core versions 3.6.0 through 3.6.1 Description An unauthenticated SQL injection exists in the Shop API and an authenticated SQL injection exists in the...

Linux Distros Unpatched Vulnerability : CVE-2019-25710

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Dolibarr ERP-CRM 8.0.4 contains an SQL injection vulnerability in the rowid parameter of the admin dict.php endpoint that allows attackers to execute arbitrary...

PT-2026-32634

CVE-2026-37593 SourceCodester Online Employees Work From Home Attendance System v1.0 is vulnerable to SQL Injection in the file /wfh attendance/admin/view att.php. https://t.co/c4uhTDec9s...

Webkul Krayin CRM 安全漏洞

Webkul Krayin CRM is a free and open-source CRM solution for small and medium-sized businesses from the Indian company Webkul. Version 2.2.x of Webkul Krayin CRM contains a security vulnerability. This vulnerability stems from the admin/tinymce/upload endpoint, where an authenticated arbitrary fi...

SourceCodester Online Employees Work From Home Attendance System 安全漏洞

SourceCodester Online Employees Work From Home Attendance System is an open-source online employee remote work attendance system developed by SourceCodester. Version 1.0 of the SourceCodester Online Employees Work From Home Attendance System contains a security vulnerability. This vulnerability...

CVE-2026-38533

CVE-2026-38533 : In Snipe-IT v8.4.0, an improper authorization flaw in the /api/v1/users/{id} endpoint lets authenticated users with the users.edit permission modify sensitive authentication and account-state fields of other non-admin users via a crafted PUT request. Public details show the impac...

CVE-2026-38526

Webkul Krayin CRM v2.2.x is affected by an authenticated arbitrary file upload vulnerability at the /admin/tinymce/upload endpoint, allowing upload of a crafted PHP file to execute code on the server. The issue, described across CVE/NVD/CVEList entries, requires authentication and yields likely r...

CVE-2026-37589

SourceCodester Storage Unit Rental Management System v1.0 is vulnerable to SQL Injection in /storage/admin/maintenance/manage_storage_unit.php. The CVE entry (CVE-2026-37589) is corroborated by multiple sources (NVD, ENISA EUVD, CVE List, AttackersKB, CVE enrichment) indicating a SQL injection fl...

PT-2026-32640

CVE-2026-37600 SourceCodester Patient Appointment Scheduler System v1.0 is vulnerable to SQL Injection in the file /scheduler/admin/appointments/view details.php. https://t.co/uQ5V37C8xd...

CVE-2025-65136

In manikandan580 School-management-system 1.0, a reflected XSS vulnerability exists in /studentms/admin/contact-us.php via the pagedes POST parameter...

PT-2026-32598

Name of the Vulnerable Software and Affected Versions WholeSale Products Dynamic Pricing Management WooCommerce plugin for WordPress versions up to 1.2 Description Stored Cross-Site Scripting occurs via admin settings due to insufficient input sanitization and output escaping. Authenticated...

PT-2026-32633

CVE-2026-37592 Sourcecodester Storage Unit Rental Management System v1.0 is vulnerable to SQL in the file /storage/admin/maintenance/manage pricing.php. https://t.co/MgRy57pmLM...

CVE-2025-65132

The CVE-2025-65132 entry corresponds to a reflected Cross-Site Scripting (XSS) vulnerability in alandsilva26/hotel-management-php 1.0. The affected component is the admin-facing edit_room.php, where an attacker can inject and execute arbitrary JavaScript through the room_id GET parameter. This is...

CVE-2025-65136

Summary: CVE-2025-65136 affects the Manikandan580 School-management-system 1.0. The vulnerability is a reflected XSS in the admin-facing page /studentms/admin/contact-us.php, exploitable via the pagedes POST parameter. The accompanying data from multiple sources (NVD, EUVD-ENISA, CVE lists, and v...

CVE-2026-32272

Craft Commerce is an ecommerce platform for Craft CMS. In versions 5.0.0 through 5.5.4, an SQL injection vulnerability exists where the ProductQuery::hasVariant and VariantQuery::hasProduct properties bypass the input sanitization blocklist added to ElementIndexesController in a prior security fi...

CVE-2026-32272

Craft Commerce (Craft CMS) 5.0.0–5.5.4 contains an SQL injection in ProductQuery::hasVariant and VariantQuery::hasProduct that bypass the input sanitization blocklist in ElementIndexesController, re-introduced by using Craft::configure() on a subquery without sanitization. An authenticated contro...

CVE-2026-33657

EspoCRM is an open source customer relationship management application. Versions 9.3.3 and below have a stored HTML injection vulnerability that allows any authenticated user with standard non-administrative privileges to inject arbitrary HTML into system-generated email notifications by crafting...

CVE-2026-4124

The Ziggeo plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 3.1.1. The wpajaxziggeoajax handler only verifies a nonce checkajaxreferer but performs no capability checks via currentusercan. Furthermore, the nonce 'ziggeoajaxnonce' is exposed to all...

CVE-2026-40043

Pachno 1.0.6 contains an authentication bypass vulnerability in the runSwitchUser action that allows authenticated low-privilege users to escalate privileges by manipulating the originalusername cookie. Attackers can set the client-controlled originalusername cookie to any value and request a...

Exploit for Improper Access Control in Fortinet Forticlientems

CVE-2026-35616 - FortiClient EMS Pre-Authentication API Bypass...