PT-2026-31950

Summary The addRepeatIntervalToTime function uses an On loop that advances a date by the task's RepeatAfter duration until it exceeds the current time. By creating a repeating task with a 1-second interval and a due date far in the past, an attacker triggers billions of loop iterations, consuming...

PT-2026-31948

Summary The TOTP failed-attempt lockout mechanism is non-functional due to a database transaction handling bug. The account lock is written to the same database session that the login handler always rolls back on TOTP failure, so the lockout is triggered but never persisted. This allows unlimited...

CVE-2026-36233

The vulnerability CVE-2026-36233 affects the itsourcecode Online Student Enrollment System v1.0. A SQL injection exists in assignInstructorSubjects.php where the parameter subjcode can be injected and used directly in SQL queries without proper cleaning/validation. This could allow an attacker to...

S3CDM: A Secret-Sharing-Scheme-Based Cyberattack Detection Model and Its Simulation Implementation

We design and develop a secret-sharing-scheme-based cyberattack detection modelS3CDMthat can detect unauthorized or illegal activities especially insider attacks and protect sensitive information within complex network infrastructures of large organizations. The model splits a secret among a grou...

itsourcecode Construction Management System SQL注入漏洞

itsourcecode Construction Management System is an open-source construction management system developed by itsourcecode. Version 1.0 of the itsourcecode Construction Management System has a SQL injection vulnerability. This vulnerability arises from incorrect handling of the parameter equipname in...

PT-2026-31947

Summary The hasAccessToLabel function contains a SQL operator precedence bug that allows any authenticated user to read any label that has at least one task association, regardless of project access. Label titles, descriptions, colors, and creator information are exposed. Details The access contr...

WordPress Advanced CF7 DB plugin <= 2.0.9 - Missing Authorization to Authenticated (Subscriber+) Form Submissions Excel Export vulnerability

Missing Authorization to Authenticated Subscriber+ Form Submissions Excel Export vulnerability discovered by Kai Aizen in WordPress Plugin Advanced Contact form 7 DB versions = 2.0.9...

EUVD-2023-60550

WordPress adivaha Travel Plugin 2.3 contains a time-based blind SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the 'pid' GET parameter. Attackers can send requests to the /mobile-app/v3/ endpoint with crafted 'pid'...

CVE-2023-54359

The affected product is WordPress adivaha Travel Plugin 2.3. The vulnerability is a time-based blind SQL injection in the pid parameter, exploitable via the /mobile-app/v3/ endpoint, allowing unauthenticated attackers to manipulate queries and potentially extract sensitive data. The description n...

CVE-2026-39341

ChurchCRM is an open-source church management system. Prior to 7.1.0, the application is vulnerable to time-based SQL injection due to an improper input validation. Endpoint Reports/ConfirmReportEmail.php?familyId= is not correctly sanitising user input, specifically, the sanitised input is not...

EUVD-2026-20930

A weakness has been identified in code-projects Patient Record Management System 1.0. This affects an unknown part of the file /db/hcpms.sql of the component SQL Database Backup File Handler. Executing a manipulation can lead to information disclosure. The attack can be launched remotely. The...

org.apache.openmeetings:openmeetings-db (>=6.2.0 <=8.1.0) potentially affected by CVE-2026-33266 via org.apache.openmeetings:openmeetings-util (>=6.2.0 <=8.1.0)

org.apache.openmeetings:openmeetings-util MAVEN version =6.2.0, =6.2.0, =8.1.0 Source cves: CVE-2026-33266 Source advisory: SNYK:JAVA-ORGAPACHEOPENMEETINGS-16322846...

Use of Hard-coded Cryptographic Key

Overview Affected versions of this package are vulnerable to Use of Hard-coded Cryptographic Key in the remember-me cookie encryption key and salt. An attacker can obtain full user credentials by stealing a cookie from a logged-in user if the default encryption key has not been changed. Remediati...

Wordfence Intelligence Weekly WordPress Vulnerability Report (March 30, 2026 to April 5, 2026)

Last week, there were 56 vulnerabilities disclosed in 50 WordPress Plugins that have been added to the Wordfence Intelligence Vulnerability Database, and there were 38 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities in this report now to...

CVE-2026-5960

A weakness has been identified in code-projects Patient Record Management System 1.0. This affects an unknown part of the file /db/hcpms.sql of the component SQL Database Backup File Handler. Executing a manipulation can lead to information disclosure. The attack can be launched remotely. The...

CVE-2026-5960 code-projects Patient Record Management System SQL Database Backup File hcpms.sql information disclosure

A weakness has been identified in code-projects Patient Record Management System 1.0. This affects an unknown part of the file /db/hcpms.sql of the component SQL Database Backup File Handler. Executing a manipulation can lead to information disclosure. The attack can be launched remotely. The...

CVE-2026-5960 code-projects Patient Record Management System SQL Database Backup File hcpms.sql information disclosure

A weakness has been identified in code-projects Patient Record Management System 1.0. This affects an unknown part of the file /db/hcpms.sql of the component SQL Database Backup File Handler. Executing a manipulation can lead to information disclosure. The attack can be launched remotely. The...

CVE-2026-5960

CVE-2026-5960 concerns a weakness in code-projects’ Patient Record Management System 1.0, affecting the file /db/hcpms.sql within the SQL Database Backup File Handler. The issue can lead to information disclosure and is exploitable remotely. The exploit is publicly available and categorized with ...

CVE-2026-5960

A weakness has been identified in code-projects Patient Record Management System 1.0. This affects an unknown part of the file /db/hcpms.sql of the component SQL Database Backup File Handler. Executing a manipulation can lead to information disclosure. The attack can be launched remotely. The...

EUVD-2026-20886

Hydrosystem Control System is vulnerable to SQL Injection across most scripts and input parameters. Because no protections are in place, an authenticated attacker can inject arbitrary SQL commands, potentially gaining full control over the database.This issue was fixed in Hydrosystem Control Syst...