54704 matches found

RedhatCVE
added 2026/02/19 1:28 a.m., 6 views

CVE-2025-70063

The 'Medical History' module in PHPGurukul Hospital Management System v4.0 contains an Insecure Direct Object Reference (IDOR) vulnerability. The application fails to verify that the requested 'viewid' parameter belongs to the currently authenticated patient. This allows a user to access the...

CVSS 6.5, AI score 5.5, EPSS 0.00336
Exploits: 1, References: 1
RedhatCVE
added 2026/02/19 1:28 a.m., 6 views

CVE-2025-70062

PHPGurukul Hospital Management System v4.0 contains a Cross-Site Request Forgery (CSRF) vulnerability in the 'Add Doctor' module. The application fails to enforce CSRF token validation on the add-doctor.php endpoint. This allows remote attackers to create arbitrary Doctor accounts privileged users ...

CVSS 6.5, AI score 5.9, EPSS 0.00173
Exploits: 1, References: 1
SUSE CVE
added 2026/02/19 12:28 a.m., 1 view

SUSE CVE-2025-71235

In the Linux kernel, the following vulnerability has been resolved: scsi: qla2xxx: Delay module unload while fabric scan in progress. System crash seen during load/unload test in a loop. [105954.384919] RBP: ffff914589838dc0 R08: 0000000000000000 R09: 0000000000000086 [105954.384920] R10:...

CVSS 4.4, AI score 5.6, EPSS 0.00118
Exploits: 0, References: 19
CNNVD
added 2026/02/19 12:00 a.m., 7 views

jsPDF security vulnerability

jsPDF is a JavaScript-based PDF document generation library developed by Parallax. Versions of jsPDF prior to 4.2.0 contained security vulnerabilities. These vulnerabilities stemmed from improper handling of user input by the Acroform module, which could lead to the injection of arbitrary PDF...

CVSS 8.1, AI score 5.9, EPSS 0.00343
Exploits: 1, References: 3
Positive Technologies
added 2026/02/19 12:00 a.m., 5 views

PT-2026-20852

Name of the Vulnerable Software and Affected Versions: jsPDF versions prior to 4.2.0. Description: jsPDF is a JavaScript library used to generate PDF documents. Prior to version 4.2.0, the Acroform module allows users to inject arbitrary PDF objects, such as JavaScript actions, through user-controll...

CVSS 8.1, AI score 5.8, EPSS 0.00343
Exploits: 1, References: 13
NVD
added 2026/02/18 10:16 p.m., 6 views

CVE-2026-27181

MajorDoMo (aka Major Domestic Module) allows unauthenticated arbitrary module uninstallation through the market module. The market module's admin method reads gr('mode') from $_REQUEST and assigns it to $this->mode at the start of execution, making all mode-gated code paths reachable without...

CVSS 8.7, EPSS 0.00708
Exploits: 1, References: 3
NVD
added 2026/02/18 10:16 p.m., 7 views

CVE-2026-27180

MajorDoMo (aka Major Domestic Module) is vulnerable to unauthenticated remote code execution through supply chain compromise via update URL poisoning. The saverestore module exposes its admin method through the /objects/?module=saverestore endpoint without authentication because it uses gr('mode')...

CVSS 9.8, EPSS 0.01086
Exploits: 4, References: 3
NVD
added 2026/02/18 10:16 p.m., 8 views

CVE-2026-27179

MajorDoMo (aka Major Domestic Module) contains an unauthenticated SQL injection vulnerability in the commands module. The commands_search.inc.php file directly interpolates the $_GET['parent'] parameter into multiple SQL queries without sanitization or parameterized queries. The commands module is...

CVSS 9.8, EPSS 0.00468
Exploits: 2, References: 3
CVE
added 2026/02/18 9:10 p.m., 11 views

CVE-2026-27181

MajorDoMo is affected by an unauthenticated module-uninstall vulnerability via the market endpoint. The market/admin flow reads gr('mode') from $_REQUEST and sets $this->mode before authentication, making all mode-gated paths reachable through /objects/?module=market. The uninstall handler cal...

CVSS 8.7, AI score 5.8, EPSS 0.00708
Exploits: 1, References: 3, Affected Software: 1
Cvelist
added 2026/02/18 9:10 p.m., 27 views

CVE-2026-27181 MajorDoMo Unauthenticated Module Uninstall via Market Endpoint

MajorDoMo (aka Major Domestic Module) allows unauthenticated arbitrary module uninstallation through the market module. The market module's admin method reads gr('mode') from $_REQUEST and assigns it to $this->mode at the start of execution, making all mode-gated code paths reachable without...

CVSS 8.7, EPSS 0.00708
Exploits: 1, References: 3
CVE
added 2026/02/18 9:10 p.m., 21 views

CVE-2026-27180

CVE-2026-27180 — MajorDoMo supply chain RCE: Affected MajorDoMo allows unauthenticated remote code execution via a poisoned update URL. The saverestore admin endpoint at /objects/?module=saverestore is exposed because gr('mode') reads from $_REQUEST instead of the framework’s mode, enabling an a...

CVSS 9.8, AI score 6.8, EPSS 0.01086
Exploits: 4, References: 3, Affected Software: 1
Vulnrichment
added 2026/02/18 9:10 p.m., 3 views

CVE-2026-27181 MajorDoMo Unauthenticated Module Uninstall via Market Endpoint

MajorDoMo (aka Major Domestic Module) allows unauthenticated arbitrary module uninstallation through the market module. The market module's admin method reads gr('mode') from $_REQUEST and assigns it to $this->mode at the start of execution, making all mode-gated code paths reachable without...

CVSS 8.7, AI score 5.8, EPSS 0.00708
Exploits: 1, References: 3
Cvelist
added 2026/02/18 9:10 p.m., 24 views

CVE-2026-27179 MajorDoMo Unauthenticated SQL Injection in Commands Module

MajorDoMo (aka Major Domestic Module) contains an unauthenticated SQL injection vulnerability in the commands module. The commands_search.inc.php file directly interpolates the $_GET['parent'] parameter into multiple SQL queries without sanitization or parameterized queries. The commands module is...

CVSS 8.8, EPSS 0.00468
Exploits: 2, References: 3
Vulnrichment
added 2026/02/18 9:10 p.m., 4 views

CVE-2026-27179 MajorDoMo Unauthenticated SQL Injection in Commands Module

MajorDoMo (aka Major Domestic Module) contains an unauthenticated SQL injection vulnerability in the commands module. The commands_search.inc.php file directly interpolates the $_GET['parent'] parameter into multiple SQL queries without sanitization or parameterized queries. The commands module is...

CVSS 8.8, AI score 6.1, EPSS 0.00468
Exploits: 2, References: 3
CVE
added 2026/02/18 9:10 p.m., 17 views

CVE-2026-27179

CVE-2026-27179 affects MajorDoMo’s commands module, where commands_search.inc.php interpolates $_GET['parent'] into SQL without sanitization or parameterization. The /objects/?module=commands endpoint is loadable without authentication, enabling arbitrary module calls via their usual() method. Th...

CVSS 9.8, AI score 6.1, EPSS 0.00468
Exploits: 2, References: 3, Affected Software: 1
Vulnrichment
added 2026/02/18 7:52 p.m., 5 views

CVE-2026-23491 InvoicePlane has Unauthenticated Path Traversal in Guest Controller

InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A path traversal vulnerability exists in the get_file method of the Guest module's Get controller in InvoicePlane up to and including version 1.6.3. The vulnerability allows unauthenticated attacker...

CVSS 9.3, AI score 5.7, EPSS 0.0105
Exploits: 2, References: 2
CVE
added 2026/02/18 7:52 p.m., 16 views

CVE-2026-23491

InvoicePlane up to version 1.6.3 is affected by a path traversal vulnerability in the Guest.Get controller’s get_file method, allowing unauthenticated attackers to read arbitrary server files (including configuration with database credentials). Root cause: improper input handling of the filename ...

CVSS 9.3, AI score 5.6, EPSS 0.0105
Exploits: 2, References: 2, Affected Software: 1
OSV
added 2026/02/18 7:21 p.m., 3 views

CVE-2025-70062

PHPGurukul Hospital Management System v4.0 contains a Cross-Site Request Forgery (CSRF) vulnerability in the 'Add Doctor' module. The application fails to enforce CSRF token validation on the add-doctor.php endpoint. This allows remote attackers to create arbitrary Doctor accounts privileged users ...

CVSS 6.5, AI score 6, EPSS 0.00173
Exploits: 1, References: 2
NVD
added 2026/02/18 7:21 p.m., 9 views

CVE-2025-70063

The 'Medical History' module in PHPGurukul Hospital Management System v4.0 contains an Insecure Direct Object Reference (IDOR) vulnerability. The application fails to verify that the requested 'viewid' parameter belongs to the currently authenticated patient. This allows a user to access the...

CVSS 6.5, EPSS 0.00336
Exploits: 1, References: 2
NVD
added 2026/02/18 7:21 p.m., 6 views

CVE-2025-70062

PHPGurukul Hospital Management System v4.0 contains a Cross-Site Request Forgery (CSRF) vulnerability in the 'Add Doctor' module. The application fails to enforce CSRF token validation on the add-doctor.php endpoint. This allows remote attackers to create arbitrary Doctor accounts privileged users ...

CVSS 6.5, EPSS 0.00173
Exploits: 1, References: 2