116 matches found
CVE-2026-35448
WWBN AVideo is an open source video platform. In versions 26.0 and prior, the BlockonomicsYPT plugin's check.php endpoint returns payment order data for any Bitcoin address without requiring authentication. The endpoint was designed as an AJAX polling helper for the authenticated invoice.php page...
CVE-2026-35472
WeGIA is a Web manager for charitable institutions. Prior to 3.6.9, an Open Redirect vulnerability was identified in the /WeGIA/controle/control.php endpoint of the WeGIA application, specifically through the nextPage parameter when combined with metodo=listarTodos and nomeClasse=EstoqueControle...
CVE-2025-41355
Reflected Cross-Site Scripting XSS vulnerability in Anon Proxy Server v0.104. This vulnerability allows an attacker to execute JavaScript code in the victim's browser by sending him/her a malicious URL. This vulnerability can be exploited to steal sensitive user data, such as session cookies, or ...
CVE-2025-41355 Reflected Cross-Site Scripting on Anon Proxy Server
Reflected Cross-Site Scripting XSS vulnerability in Anon Proxy Server v0.104. This vulnerability allows an attacker to execute JavaScript code in the victim's browser by sending him/her a malicious URL. This vulnerability can be exploited to steal sensitive user data, such as session cookies, or ...
CVE-2025-41355
CVE-2025-41355 describes a reflected XSS in Anon Proxy Server v0.104. The vulnerability affects the /anon.php endpoint, specifically the port and proxyPort parameters, allowing an attacker to craft a malicious URL that executes JavaScript in the victim’s browser. Consequences include potential le...
niknah Anon Proxy Server 跨站脚本漏洞
Niknah Anon Proxy Server is a proxy server software provided by the Niknah company, offering anonymous network access and traffic forwarding capabilities. Version 0.104 of Anon Proxy Server contains a cross-site scripting vulnerability. This vulnerability stems from the lack of effective filterin...
WWBN AVideo 安全漏洞
WWBN AVideo is a video platform building system developed by the WWBN team using PHP. Versions of WWBN AVideo prior to 26.0 contained security vulnerabilities. These vulnerabilities stemmed from logical errors in the test.php debugging endpoint of the StripeYPT plugin, which could lead to arbitra...
CVE-2026-4815
A SQL Injection vulnerability has been found in Support Board v3.7.7. This vulnerability allows an attacker to retrieve, create, update and delete database via 'calls0messageids' parameter in '/supportboard/include/ajax.php' endpoint...
Server-side Request Forgery (SSRF)
Overview wwbn/avideo is an Audio and Video Platform or simply "A Video Platform". Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the test.php endpoint. An attacker can access internal network resources, probe open or closed ports, and retrieve content fro...
PT-2026-25965
A vulnerability was detected in Portabilis i-Educar 2.11. This impacts an unknown function of the file /intranet/educar servidor curso lst.php of the component Endpoint. Performing a manipulation of the argument Name results in cross site scripting. The attack may be initiated remotely. The explo...
CVE-2019-25522
XooGallery Latest contains multiple SQL injection vulnerabilities that allow unauthenticated attackers to manipulate database queries by injecting SQL code through the photoid parameter. Attackers can send GET requests to photo.php with malicious photoid values to extract sensitive data, bypass...
CVE-2019-25471 FileThingie 2.5.7 Arbitrary File Upload via ft2.php
FileThingie 2.5.7 contains an arbitrary file upload vulnerability that allows attackers to upload malicious files by sending ZIP archives through the ft2.php endpoint. Attackers can upload ZIP files containing PHP shells, use the unzip functionality to extract them into accessible directories, an...
CVE-2019-25471
CVE-2019-25471 affects FileThingie 2.5.7. An arbitrary file upload vulnerability exists where ZIP archives sent to ft2.php can be unpacked to accessible directories, enabling upload and deployment of PHP shells and execution of arbitrary commands via extracted files. The underlying issue is an in...
CVE-2019-25450
Dolibarr ERP/CRM 10.0.1 contains multiple SQL injection vulnerabilities that allow authenticated attackers to manipulate database queries by injecting SQL code through POST parameters. Attackers can inject malicious SQL through parameters like actioncode, demandreasonid, and availabilityid in...
FLIR Systems AX8 Cameras OS Command Injection (CVE-2022-37061)
All FLIR AX8 thermal sensor cameras version up to and including 1.46.16 are vulnerable to Remote Command Injection. This can be exploited to inject and execute arbitrary shell commands as the root user through the id HTTP POST parameter in the res.php endpoint. A successful exploit could allow th...
PT-2026-8337
Name of the Vulnerable Software and Affected Versions tushar-2223 Hotel-Management-System versions up to bb1f3b3666124b888f1e4bcf51b6fba9fbb01d15 Description A security flaw exists in tushar-2223 Hotel-Management-System. The issue is related to SQL injection within the HTTP POST Request Handler...
CVE-2019-25342
Centova Cast 3.2.12 contains a denial of service vulnerability that allows attackers to overwhelm the system by repeatedly calling the database export API endpoint. Attackers can trigger 100% CPU load by sending multiple concurrent requests to the /api.php endpoint with crafted parameters...
CVE-2020-37083
CVE-2020-37083 affects PHP AddressBook 9.0.0.1, where a time-based blind SQL injection is possible through the id parameter in photo.php. The underlying issue is a vulnerable SQL query that allows remote attackers to inject statements and cause time delays to deduce information. The documents spe...
CVE-2020-37012
Tea LaTex 1.0 contains a remote code execution vulnerability that allows unauthenticated attackers to execute arbitrary shell commands through the /api.php endpoint. Attackers can craft a malicious LaTeX payload with shell commands that are executed when processed by the application's tex2png API...
EUVD-2020-30917
berliCRM 1.0.24 contains a SQL injection vulnerability in the 'srcrecord' parameter that allows remote attackers to manipulate database queries. Attackers can inject malicious SQL code through a crafted POST request to the index.php endpoint to potentially extract or modify database information...