ChurchCRM 安全漏洞

ChurchCRM is an open-source CRM system developed for churches. Versions of ChurchCRM prior to 7.1.0 contained security vulnerabilities. These vulnerabilities stemmed from the ENtyid parameter in the EditEventTypes.php file not being cleaned properly, which could lead to SQL injection attacks...

PT-2026-30964

ChurchCRM is an open-source church management system. Prior to 7.1.0, The application is vulnerable to time-based SQL injection due to an improper input validation. Endpoint Reports/ConfirmReportEmail.php?familyId= is not correctly sanitising user input, specifically, the sanitised input is not...

PT-2026-30801

Cleartext Storage of Sensitive Information vulnerability in Mitsubishi Electric GENESIS64 versions 10.97.3 and prior, Mitsubishi Electric ICONICS Suite versions 10.97.3 and prior, Mitsubishi Electric MobileHMI versions 10.97.3 and prior, Mitsubishi Electric Hyper Historian versions 10.97.3 and...

PT-2026-30943

ChurchCRM is an open-source church management system. Prior to 7.1.0, a SQL injection vulnerability exists in ChurchCRM's SettingsIndividual.php where user-controlled array keys from the type POST parameter are used directly in SQL queries without sanitization. This allows any authenticated user ...

Time-Domain Voice Identity Morphing (TD-VIM): A Signal-Level Approach to Morphing Attacks on Speaker Verification Systems

In biometric systems, it is a common practice to associate each sample or template with a specific individual. Nevertheless, recent studies have demonstrated the feasibility of generating "morphed" biometric samples capable of matching multiple identities. These morph attacks have been recognized...

MA-IDS: Multi-Agent RAG Framework for IoT Network Intrusion Detection with an Experience Library

Network Intrusion Detection Systems NIDS face important limitations. Signature-based methods are effective for known attack patterns, but they struggle to detect zero-day attacks and often miss modified variants of previously known attacks, while many machine learning approaches offer limited...

CVE-2024-36058

CVE-2024-36058 (Koha) is a time-based SQL injection affecting the Send Basket feature. Vulnerable in Koha Library before 23.05.10, the issue stems from unsanitized POST parameter bib_list in /cgi-bin/koha/opac-sendbasket.pl, enabling a library user to read arbitrary data from the database. Multip...

drizzle-orm SQL注入漏洞

Drizzle-ORM is a lightweight, multi-database-supported TypeScript ORM project developed by the Drizzle Team. Versions of drizzle-orm prior to 0.45.2 and 1.0.0-beta.20 contain a SQL injection vulnerability. This vulnerability arises from the improper escaping of SQL identifiers in the escapeName...

Windmill SQL注入漏洞

Windmill is a low-code development platform open-source by Windmill Labs, Inc. Versions of Windmill from 1.276.0 to 1.603.2 have a SQL injection vulnerability. This vulnerability stems from the owner parameter in the folder ownership management function, which allows for SQL injection attacks. It...

SUSE CVE-2026-33906

Ella Core is a 5G core designed for private networks. Prior to version 1.7.0, the NetworkManager role was granted backup and restore permission. The restore endpoint accepted any valid SQLite file without verifying its contents. A NetworkManager could replace the production database with a tamper...

CVE-2026-35441

Directus is a real-time API and App dashboard for managing SQL database content. Prior to 11.17.0, Directus' GraphQL endpoints /graphql and /graphql/system did not deduplicate resolver invocations within a single request. An authenticated user could exploit GraphQL aliasing to repeat an expensive...

EUVD-2026-19406

Index out-of-range when encountering a branch page with zero elements in go.etcd.io/bbolt...

CVE-2026-35395 WeGIA has a SQL Injection in DespachoDAO.php via id_memorando parameter

WeGIA is a Web manager for charitable institutions. Prior to 3.6.9, WeGIA Web gerenciador para instituições assistenciais contains a SQL injection vulnerability in dao/memorando/DespachoDAO.php. The idmemorando parameter is extracted from $REQUEST without validation and directly interpolated into...

CVE-2026-5681

A flaw has been found in itsourcecode sanitize or validate this input 1.0. This impacts an unknown function of the file /borrowedequip.php of the component Parameter Handler. This manipulation of the argument empid causes sql injection. The attack is possible to be carried out remotely. The explo...

CVE-2026-33817

Rejected reason: CVE confirmed to be a false positive...

CVE-2026-35181

WWBN AVideo is an open source video platform. In versions 26.0 and prior, the player skin configuration endpoint at admin/playerUpdate.json.php does not validate CSRF tokens. The plugins table is explicitly excluded from the ORM's domain-based security check via ignoreTableSecurityCheck, removing...

EUVD-2026-19315

A security vulnerability has been detected in code-projects Online FIR System 1.0. Affected by this vulnerability is an unknown functionality of the file /Login/checklogin.php of the component Login. The manipulation of the argument email/password leads to sql injection. The attack is possible to...

EUVD-2026-19364

A vulnerability was detected in code-projects Online FIR System 1.0. Affected by this issue is some unknown functionality of the file /complaints.sql of the component SQL Database Backup File Handler. The manipulation results in insecure storage of sensitive information. The attack may be perform...

CVE-2026-35174

Chyrp Lite is an ultra-lightweight blogging engine. Prior to 2026.01, a path traversal vulnerability exists in the administration console that allows an administrator or a user with Change Settings permission to change the uploads path to any folder. This vulnerability allows the user to download...

CVE-2026-33817

Removed by vendor...