41 matches found
CVE-2026-49205
phpMyFAQ is an open source FAQ web application. Versions prior to 4.1.4 have Missing Authorization in the API CategoryController. CVE-2026-24421 addressed this in the BackupController by adding: `$this->userHasPermission(PermissionType::BACKUP)`. The same fix was not applied to 4 other write endpoints...
CVE-2026-7126
CVE-2026-7126 affects SourceCodester Pharmacy Sales and Inventory System 1.0. The vulnerability is in /ajax.php?action=save_category, where manipulating the argument ID leads to a SQL injection. The issue can be exploited remotely, and a public exploit has been published. CVSS metrics indicate hi...
PT-2026-35420
A security flaw has been discovered in SourceCodester Pharmacy Sales and Inventory System 1.0. This affects an unknown part of the file /ajax.php?action=save_category. The manipulation of the argument ID results in SQL injection. The attack may be launched remotely. The exploit has been released ...
CVE-2026-5181
A vulnerability has been found in SourceCodester Simple Doctors Appointment System up to 1.0. This issue affects some unknown processing of the file /doctorsappointment/admin/ajax.php?action=savecategory. Such manipulation of the argument img leads to unrestricted upload. The attack may be...
CVE-2026-34364
WWBN AVideo is an open source video platform. In versions up to and including 26.0, the categories.json.php endpoint, which serves the category listing API, fails to enforce user group-based access controls on categories. In the default request path (no ?user= parameter), user group filtering is...
CVE-2018-25207
Online Quiz Maker 1.0 contains SQL injection vulnerabilities in the catid and usern parameters that allow authenticated attackers to execute arbitrary SQL commands. Attackers can submit malicious POST requests to quiz-system.php or add-category.php with crafted SQL payloads in POST parameters to...
CVE-2025-70792
Cross Site Scripting vulnerability in the "/admin/category/create" endpoint of Microweber 2.0.19. An attacker can manipulate the "relid" parameter in a crafted URL and lure a user with admin privileges into visiting it, achieving JavaScript code execution in the victim's browser. The issue was...
Cross-site Scripting (XSS)
Overview microweber/microweber is a new generation CMS with drag and drop. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the relid parameter in the /admin/category/create endpoint. An attacker can execute arbitrary JavaScript code in the context of an...
CVE-2025-51743
An issue was discovered in jishenghua JSHERP 2.3.1. The /materialCategory/addMaterialCategory endpoint is vulnerable to fastjson deserialization attacks...
jshERP security vulnerability
jshERP (Huaxia ERP) is a domestic ERP system written by the individual Chinese developer Ji Sheng Hua. A security vulnerability exists in jshERP version 2.3.1, originating from the materialCategory/addMaterialCategory endpoint being vulnerable to Fastjson deserialization attack...
PT-2025-48082
An issue was discovered in jishenghua JSH ERP 2.3.1. The /materialCategory/addMaterialCategory endpoint is vulnerable to fastjson deserialization attacks...
CVE-2025-51743
Affected product: jishenghua JSH_ERP 2.3.1. The vulnerability is in the /materialCategory/addMaterialCategory endpoint and is caused by a fastjson deserialization flaw. CVSS rates the impact CRITICAL (9.8): network attack vector, no authentication and no user interaction required. No exploita...
EUVD-2025-29656
Malicious code in bioql PyPI...
CVE-2025-10790 SourceCodester Simple Forum Discussion System ajax.php sql injection
A security flaw has been discovered in SourceCodester Simple Forum Discussion System 1.0. This affects an unknown function of the file /ajax.php?action=savecategory. The manipulation of the argument Description results in SQL injection. The attack can be executed remotely. The exploit has been...
CVE-2025-10563
A vulnerability has been found in Campcodes Grocery Sales and Inventory System 1.0. This impacts an unknown function of the file /ajax.php?action=savecategory. Such manipulation of the argument ID leads to SQL injection. The attack can be executed remotely. The exploit has been disclosed to the...
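The savecategory entries above (CVE-2026-7126, CVE-2025-10790, CVE-2025-10563) describe one recurring pattern: a category ID or description taken from the POST body is concatenated into a SQL string inside an ajax.php action handler, and the write is reachable without an authorization check, which is also the gap the phpMyFAQ entry (CVE-2026-49205) describes for its API CategoryController. The following is an added PHP example, not code from any of the listed products, showing that vulnerable pattern beside a hardened handler. The table name `categories`, the field names, the `$session['permissions']` layout and the permission name `category:write` are assumptions made for the illustration.

```php
<?php
// Added illustration, not code from any product listed on this page.
// A minimal "save category" AJAX handler: first the vulnerable pattern the
// advisories describe, then a hardened version. Table, column, session and
// permission names are assumptions.

// --- Vulnerable pattern: values are interpolated into the SQL text and no
// permission check guards the write. ---
function save_category_vulnerable(mysqli $db, array $post): bool
{
    $id   = $post['id'] ?? '';
    $name = $post['name'] ?? '';
    $desc = $post['description'] ?? '';
    if ($id === '') {
        // a description containing a single quote breaks out of the literal
        $sql = "INSERT INTO categories (name, description) VALUES ('$name', '$desc')";
    } else {
        // an unquoted numeric id such as  1 OR 1=1  rewrites every row
        $sql = "UPDATE categories SET name = '$name', description = '$desc' WHERE id = $id";
    }
    return $db->query($sql) === true;
}

// --- Hardened pattern: authorize, validate types, then bind parameters. ---
function save_category_hardened(mysqli $db, array $post, array $session): bool
{
    // 1. Authorization. Every write endpoint needs its own explicit check,
    //    the way the phpMyFAQ BackupController fix added one; the session
    //    layout and permission name here are assumptions.
    if (empty($session['permissions']['category:write'])) {
        http_response_code(403);
        return false;
    }

    // 2. Type validation before the data reaches SQL. A present-but-invalid
    //    id is rejected rather than silently turned into an insert.
    $rawId = $post['id'] ?? '';
    $id = null;
    if ($rawId !== '') {
        $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
        if ($id === false) {
            http_response_code(422);
            return false;
        }
    }
    $name = trim((string) ($post['name'] ?? ''));
    $desc = trim((string) ($post['description'] ?? ''));
    if ($name === '' || mb_strlen($name) > 100) {
        http_response_code(422);
        return false;
    }

    // 3. Prepared statements: user data travels as bound parameters, never
    //    as part of the statement text, so quotes and OR 1=1 are inert.
    if ($id === null) {
        $stmt = $db->prepare('INSERT INTO categories (name, description) VALUES (?, ?)');
        $stmt->bind_param('ss', $name, $desc);
    } else {
        $stmt = $db->prepare('UPDATE categories SET name = ?, description = ? WHERE id = ?');
        $stmt->bind_param('ssi', $name, $desc, $id);
    }
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// Dispatcher shape typical of an ajax.php front controller (assumed layout):
// if (($_GET['action'] ?? '') === 'save_category') {
//     $db = new mysqli('localhost', 'app', 'secret', 'shop');   // assumed credentials
//     echo save_category_hardened($db, $_POST, $_SESSION) ? '1' : '0';
// }
```

The check order matters: the permission test runs before any parsing so unauthenticated requests never touch the database, and the integer validation rejects a tampered `id` instead of routing it to the insert branch, which would otherwise let an unauthorized caller create rows. Prepared statements remove the injection; they do not replace the authorization check, which is a separate missing control in the entries above.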