18 matches found
CVE-2026-32813
Admidio has a second-order SQL injection via its list configuration feature. Authenticated users can store arbitrary values in the list configuration (notably in lsc_special_field, lsc_sort, and lsc_filter) which are later interpolated unsafely into SQL during list rendering, enabling data exfilt...
Incorrect Behavior Order: Validate Before Canonicalize
Overview: Affected versions of this package are vulnerable to Incorrect Behavior Order: Validate Before Canonicalize via the splitPos function. An attacker can cause unintended script execution by crafting a request path containing specific multi-byte Unicode characters, which manipulates the...
WordPress RegistrationMagic plugin <= 6.0.7.1 - Privilege Escalation via admin_order vulnerability
Privilege Escalation via admin_order vulnerability discovered by Os in WordPress Plugin RegistrationMagic versions <= 6.0.7.1...
CVE-2025-14085
A vulnerability has been found in youlaitech youlai-mall 1.0.0/2.0.0. This impacts an unknown function of the file /app-api/v1/orders/. The manipulation of the argument orderId leads to improper control of dynamically-identified variables. Remote exploitation of the attack is possible. The exploi...
EUVD-2025-199641
Insecure Direct Object Reference (IDOR) in the Track order function in PHPGURUKUL Online Shopping Portal 2.1 allows information disclosure via the oid parameter...
WordPress plugin OneClick Chat to Order Information Disclosure Vulnerability
WordPress is a blogging platform developed in PHP that lets a user set up a personal blog site on a PHP and MySQL based server. WordPress plugin is an application plugin. An information disclosure vulnerability exists in the WordPress plugin OneClick Chat to Order,...
CampCodes Supplier Management System SQL Injection Vulnerability
CampCodes Supplier Management System is a supplier management system from CampCodes, Inc. A SQL injection vulnerability exists in Campcodes Supplier Management System version 1.0, which stems from improper handling of the ID parameter in the file /manufacturer/confirmorder.php, which could...
EUVD-2012-6210
Malware in sbrugna...
EUVD-2025-15407
Malicious code in bioql PyPI...
CVE-2025-8808 xujeff tianti 天梯 com.jeff.tianti.controller save exportOrder csv injection
A vulnerability was found in xujeff tianti 天梯 up to 2.3. It has been rated as problematic. This issue affects the function exportOrder of the file /tianti-module-admin/user/ajax/save of the component com.jeff.tianti.controller. The manipulation leads to csv injection. The attack may be initiated...
CVE-2025-31445
CVE-2025-31445 is a reflected XSS in the WordPress plugin Pages Order that arises from improper neutralization of input during web page generation. The vulnerability affects versions up to and including 1.1.3 and is categorized under “Cross-Site Scripting” with a reflect...
cy-fast Injection Vulnerability
cy-fast is a SpringBoot based rapid development framework by the individual developer chenyi. An injection vulnerability exists in cy-fast version 1.0, which is caused by SQL injection in the parameter order...
GHSA-9358-CPVX-C2QP Magento LTS's guest order "protect code" can be brute-forced too easily
Impact Guest orders may be viewed without authentication using a "guest-view" cookie which contains the order's "protectcode". This code is 6 hexadecimal characters which is arguably not enough to prevent a brute-force attack. Exposing each order would require a separate brute force attack. Patch...
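Why six hexadecimal characters is too short, and why the per-order nature of the attack does not save it, as an added example that is not Magento LTS's code. The store, the lockout threshold and the guess rate are assumed for illustration; the one thing taken from the advisory is the 6-character hex code. The hardened path shows the two changes that matter: a code long enough that enumeration is hopeless, and a per-order failure counter so that even a short code cannot be enumerated.

```python
import hmac
import itertools
import secrets

HEX = "0123456789abcdef"


def keyspace(length, alphabet=HEX):
    """Number of distinct codes of the given length over the alphabet."""
    return len(alphabet) ** length


def seconds_to_exhaust(length, guesses_per_second, alphabet=HEX):
    """Worst-case wall-clock time to try every code at the given guess rate."""
    return keyspace(length, alphabet) / guesses_per_second


class GuestOrderStore:
    """Constructed stand-in for guest orders gated by a per-order protect code."""

    MAX_FAILURES = 10  # assumed lockout threshold for the hardened path

    def __init__(self):
        self.orders = {}    # order_id -> (protect_code, details)
        self.failures = {}  # order_id -> consecutive failed checks

    def add_order(self, order_id, details, protect_code=None, hex_len=32):
        # Default code: 32 hex chars = 128 bits. An explicit code may be
        # passed so the weak 6-char scheme can be demonstrated deterministically.
        if protect_code is None:
            protect_code = secrets.token_hex(hex_len // 2)
        self.orders[order_id] = (protect_code, details)
        self.failures[order_id] = 0
        return protect_code

    def view_weak(self, order_id, code):
        """Vulnerable pattern: plain comparison, unlimited attempts."""
        stored, details = self.orders[order_id]
        return details if stored == code else None

    def view_hardened(self, order_id, code):
        """Constant-time compare plus per-order lockout after MAX_FAILURES."""
        stored, details = self.orders[order_id]
        if self.failures[order_id] >= self.MAX_FAILURES:
            return None  # locked; a real deployment would also rate-limit by client
        if hmac.compare_digest(stored, code):
            self.failures[order_id] = 0
            return details
        self.failures[order_id] += 1
        return None


def brute_force(check, length, budget, alphabet=HEX):
    """Enumerate codes in lexical order until check() accepts or the budget runs out.
    Returns (code, attempts) on success and (None, attempts) otherwise."""
    attempts = 0
    for chars in itertools.product(alphabet, repeat=length):
        attempts += 1
        code = "".join(chars)
        if check(code):
            return code, attempts
        if attempts >= budget:
            break
    return None, attempts


if __name__ == "__main__":
    print("6 hex chars:", keyspace(6), "codes;",
          "%.1f hours at 1000 guesses/s" % (seconds_to_exhaust(6, 1000) / 3600))
    store = GuestOrderStore()
    store.add_order("100000042", "order 42", protect_code="0000ff")  # constructed weak code
    print("weak:", brute_force(lambda c: store.view_weak("100000042", c) is not None, 6, 100_000))
    store.add_order("100000043", "order 43", protect_code="0000ff")
    print("hardened:", brute_force(lambda c: store.view_hardened("100000043", c) is not None, 6, 1000))
```

At 16.7 million codes, a single order falls in under five hours at 1000 guesses per second, and an attacker targeting one specific order (the advisory's "separate brute force attack" per order) needs no more than that. With the lockout in place the correct code is rejected even when it is eventually guessed, and a 32-character code moves the keyspace to 2^128, where rate alone is no longer the defence.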
Online Computer and Laptop Store SQL Injection Vulnerability
Online Computer and Laptop Store is an online computer and laptop store. An SQL injection vulnerability exists in Online Computer and Laptop Store v1.0, which originates in the deleteorder function in /classes/master.php?f=deleteorder, where the id parameter of deleteorder lacks validation for...
Intuitive Custom Post Order < 3.1.4 - Arbitrary Menu Order Update via CSRF
The plugin lacks CSRF protection in its update-menu-order ajax action, allowing an attacker to trick any user to change the menu order via a CSRF attack...
The full intention of an order is not signed
Impact: Orders might be replayed or executed where not intended. Proof of Concept: The signed order specifies only the matching policy, but not the BlurExchange or ExecutionDelegate. This means that the user might have intended an order specifically for this...
CVE-2021-37478
In NavigateCMS version 2.9.4 and below, the block function is vulnerable to SQL injection via the block-order parameter, which results in arbitrary SQL query execution in the backend database...
Firefox Tag Order Vulnerability
nsHTMLContentSink.cpp in Mozilla Firefox and Thunderbird 1.x before 1.5 and 1.0.x before 1.0.8, Mozilla Suite before 1.7.13, and SeaMonkey before 1.0 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via unknown vectors involving a "particular sequence...