EUVD-2026-38178

Craft CMS contains a missing authorization vulnerability in the assets/preview-thumb endpoint. A Control Panel user without permission to view a target private asset can call the endpoint with an attacker-controlled assetId and receive preview HTML containing a signed fallback transform preview...

ehicle Service Management System 1.0 - Cross-Site Scripting

Vehicle Service Management System 1.0 contains a stored cross-site scripting vulnerability via the Category List section in login panel. id: CVE-2021-46071 info: name: ehicle Service Management System 1.0 - Cross-Site Scripting author: TenBird severity: medium description: | Vehicle Service...

Hospital Management System 1.0 - SQL Injection

Hospital Management System 1.0 contains a SQL injection vulnerability via the editid parameter in /HMS/doctor.php. An attacker can possibly obtain sensitive information from a database, modify data, and execute unauthorized administrative operations in the context of the affected site. id:...

Hospital Management System 1.0 - SQL Injection

Hospital Management System 1.0 contains a SQL injection vulnerability via the editid parameter in /HMS/admin.php. An attacker can possibly obtain sensitive information from a database, modify data, and execute unauthorized administrative operations in the context of the affected site. id:...

Backdrop CMS version 1.23.0 - Cross Site Scripting (Stored)

Backdrop CMS version 1.23.0 was discovered to contain a stored cross-site scripting XSS vulnerability via the Page content. id: CVE-2022-42095 info: name: Backdrop CMS version 1.23.0 - Cross Site Scripting Stored author: theamanrawat severity: medium description: | Backdrop CMS version 1.23.0 was...

Car Rental Management System 1.0 - SQL Injection

Car Rental Management System 1.0 contains an SQL injection vulnerability via /admin/manageuser.php?id=. An attacker can possibly obtain sensitive information from a database, modify data, and execute unauthorized administrative operations in the context of the affected site. id: CVE-2022-32028...

Garage Management System 1.0 - SQL Injection

Garage Management System 1.0 contains a SQL injection vulnerability in /login.php via manipulation of the argument username with input [email protected]' AND SELECT 6427 FROM SELECTSLEEP5LwLu AND 'hsvT'='hsvT. An attacker can possibly obtain sensitive information from a database, modify data, and/or execut...

Masa CMS - Authentication Bypass

Masa CMS 7.2, 7.3, and 7.4-beta are susceptible to authentication bypass in the Remember Me function. An attacker can bypass authentication via a crafted web request and thereby obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the...

Hospital Management System 1.0 - Cross-Site Scripting

Hospital Management System 1.0 contains a cross-site scripting vulnerability via the searchdata parameter in doctor/search.php and patient-search.php. id: CVE-2021-39411 info: name: Hospital Management System 1.0 - Cross-Site Scripting author: arafatansari severity: high description: | Hospital...

Academy Learning Management System <5.9.1 - Cross-Site Scripting

Academy Learning Management System before 5.9.1 contains a cross-site scripting vulnerability via the Search parameter. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based...

School Dormitory Management System 1.0 - Authenticated Cross-Site Scripting

School Dormitory Management System 1.0 contains an authenticated cross-site scripting vulnerability in admin/inc/navigation.php:126. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-base...

School Dormitory Management System 1.0 - Authenticated Cross-Site Scripting

School Dormitory Management System 1.0 contains an authenticated cross-site scripting vulnerability via admin/inc/navigation.php:125. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-bas...

College Management System 1.0 - SQL Injection

College Management System 1.0 contains a SQL injection vulnerability via the course code parameter. id: CVE-2022-28079 info: name: College Management System 1.0 - SQL Injection author: ritikchaddha severity: high description: | College Management System 1.0 contains a SQL injection vulnerability...

H3C ER8300G2-X - Password Disclosure

H3C ER8300G2-X is vulnerable to Incorrect Access Control. The password for the router's management system can be accessed via the management system page login interface. id: CVE-2024-32238 info: name: H3C ER8300G2-X - Password Disclosure author: s4e-io,adeljck severity: critical description: | H3...

Slims9 Bulian 9.4.2 - SQL Injection

Slims9 Bulian 9.4.2 is affected by SQL injection in lib/comment.inc.php. User data can be obtained. id: CVE-2021-45793 info: name: Slims9 Bulian 9.4.2 - SQL Injection author: nblirwn severity: high description: | Slims9 Bulian 9.4.2 is affected by SQL injection in lib/comment.inc.php. User data c...

Masteriyo LMS <= 1.7.3 - Insecure Direct Object Reference

Authentication Bypass Using an Alternate Path or Channel vulnerability in Masteriyo Masteriyo - LMS. Unauth access to course progress.This issue affects Masteriyo - LMS: from n/a through 1.7.3. id: CVE-2024-33939 info: name: Masteriyo LMS = 1.7.3 - Insecure Direct Object Reference author:...

Purchase Order Management v1.0 - SQL Injection

A vulnerability classified as critical has been found in SourceCodester Purchase Order Management System 1.0. Affected is an unknown function of the file /admin/suppliers/viewdetails.php of the component GET Parameter Handler. The manipulation of the argument id leads to sql injection. It is...

LMS by Masteriyo < 1.6.8 - Information Exposure

The plugin does not properly safeguards sensitive user information, like other user's email addresses, making it possible for any students to leak them via some of the plugin's REST API endpoints. id: CVE-2023-3345 info: name: LMS by Masteriyo 1.6.8 - Information Exposure author: DhiyaneshDK...

Sourcecodester Car Rental Management System 1.0 - Stored Cross-Site Scripting

Sourcecodester Car Rental Management System 1.0 is vulnerable to cross-site scripting via the vehicalorcview parameter. id: CVE-2021-46005 info: name: Sourcecodester Car Rental Management System 1.0 - Stored Cross-Site Scripting author: cckuailong severity: medium description: Sourcecodester Car...

WordPress KiviCare <2.3.9 - SQL Injection

WordPress KiviCare plugin before 2.3.9 contains a SQL injection vulnerability. The plugin does not sanitize and escape some parameters before using them in SQL statements via the ajaxpost AJAX action with the getdoctordetails route. An attacker can possibly obtain sensitive information, modify...