PT-2026-39464

soundcloud-rpc is a SoundCloud Client with Discord Rich Presence, Dark Mode, Last.fm and AdBlock support. Prior to 0.1.8, a track title containing an HTML payload executed locally in the Electron app. This means attacker-controlled SoundCloud track metadata can lead to local command execution on...

CodeAstro Online Catering Ordering System 注入漏洞

The CodeAstro Online Catering Ordering System is an online catering ordering system developed by CodeAstro Corporation. Version 1.0 of the CodeAstro Online Catering Ordering System has a SQL injection vulnerability. This vulnerability stems from the handling of parameter IDs in the...

CVE-2026-42576

CVE-2026-42576 affects chainguard/apko. Before v1.2.7, DiscoverKeys in pkg/apk/apk/implementation.go unconditionally type-asserts JWKS keys as *rsa.PublicKey without key-type checks. If a repository JWKS endpoint returns a non-RSA key (e.g., EC), an unchecked type assertion panics, crashing apko ...

CVE-2026-42569 phpvms: /importer authorization bypass causing full database wipe

phpVMS is a PHP application to run and simulate an airline. Prior to version 7.0.6, a critical vulnerability in phpVMS allowed unauthenticated access to a legacy import feature. This issue has been patched in version 7.0.6...

CVE-2026-42569

phpVMS 7.x prior to 7.0.6 contains a critical, unauthenticated access flaw in the legacy importer feature that allows manipulation or deletion of data via the importer path. The weakness affects phpVMS 7.x up to 7.0.5 and was fixed in 7.0.6 (with later advisory notes referencing 7.0.7 for mitigat...

CVE-2026-42569 phpvms: /importer authorization bypass causing full database wipe

phpVMS is a PHP application to run and simulate an airline. Prior to version 7.0.6, a critical vulnerability in phpVMS allowed unauthenticated access to a legacy import feature. This issue has been patched in version 7.0.6...

CoreExploit-Final

CoreExploit 🔐 Ethical Penetration Testing Learning Platfor...

SQL Injection

LiteLLM is vulnerable to SQL Injection. The vulnerability is due to unsafe inclusion of caller-supplied API key values directly into database queries during proxy API key checks, which allows an attacker to read or modify database contents through crafted Authorization headers...

Authorization Bypass

com.arcadedb, arcadedb-server is vulnerable to Authorization Bypass. The vulnerability is due to improper initialization of access controls and missing security configuration during database creation, which allows an attacker to bypass database and record-level authorization restrictions...

SUSE CVE-2026-42501

A malicious module proxy can exploit a flaw in the go command's validation of module checksums to bypass checksum database validation. This vulnerability affects any user using an untrusted module proxy GOMODPROXY or checksum database GOSUMDB. A malicious module proxy can serve altered versions o...

EUVD-2026-28880

Gibbon versions before v30.0.01 are affected by an authenticated SQL Injection vulnerability by abusing the Tracking/graphing https://github.com/GibbonEdu/core/blob/c431e25fdc874adece5d2dc7e408e9aa2d1abadb/modules/Tracking/graphing.phpL145 feature. Successful exploitation requires Teacher or high...

CVE-2026-8207

Gibbon versions before v30.0.01 are affected by an authenticated SQL Injection vulnerability by abusing the Tracking/graphing https://github.com/GibbonEdu/core/blob/c431e25fdc874adece5d2dc7e408e9aa2d1abadb/modules/Tracking/graphing.phpL145 feature. Successful exploitation requires Teacher or high...

CVE-2026-8207

Gibbon up to version 30.0.01 is affected by an authenticated SQL injection via the Tracking/graphing feature in Tracking/graphing.php (line 145). Exploitation requires Teacher or higher privileges and can lead to unintended read/write access to the database. A fix is available in Gibbon v30.0.01;...

CVE-2026-8207

Gibbon versions before v30.0.01 are affected by an authenticated SQL Injection vulnerability by abusing the Tracking/graphing https://github.com/GibbonEdu/core/blob/c431e25fdc874adece5d2dc7e408e9aa2d1abadb/modules/Tracking/graphing.phpL145 feature. Successful exploitation requires Teacher or high...

CVE-2026-36458

ChestnutCMS v1.5.10 has a SQL injection vulnerability. The content parameter of the cmscontent tag can be manipulated in the admin backend and injected into a SQL query when the template is rendered...

CVE-2026-8126

A flaw has been found in SourceCodester Comment System 1.0. This issue affects some unknown processing of the file postcomment.php. This manipulation of the argument Name causes sql injection. Remote exploitation of the attack is possible. The exploit has been published and may be used...

Unity Linux 20.1060e / 20.1070e Security Update: clamav (UTSA-2026-017365)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-017365 advisory. A vulnerability in the regex module used by the signature database load module of Clam AntiVirus ClamAV versions 0.104.0 through 0.104.2 and LTS version 0.103.5 and...

Gibbon SQL注入漏洞

Gibbon is a school platform developed by the Gibbon team that addresses practical issues encountered by educators every day. Versions of Gibbon prior to v30.0.01 contained an SQL injection vulnerability. This vulnerability stemmed from the misuse of the Tracking/graphing feature, allowing...

Unity Linux 20.1050e / 20.1060e / 20.1070e Security Update: python-django (UTSA-2026-016791)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-016791 advisory. An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. Raster lookups on RasterField only implemented on PostGIS allows remote...

CVE-2026-42287

Emlog is an open source website building system. Prior to version 2.6.11, direct SQL injection in article creation and update functions allows attackers to execute arbitrary SQL commands, potentially leading to complete database compromise, data theft, or system destruction. This issue has been...