CVE-2026-22666

Dolibarr ERP/CRM versions prior to 23.0.2 contain an authenticated remote code execution vulnerability in the dolevalstandard function that fails to apply forbidden string checks in whitelist mode and does not detect PHP dynamic callable syntax. Attackers with administrator privileges can inject...

CVE-2021-4473

CVE-2021-4473 affects the Tianxin Internet Behavior Management System. A command-injection flaw exists in the Reporter component endpoint, allowing unauthenticated attackers to supply an objClass parameter containing shell metacharacters and output redirection to execute arbitrary commands. This ...

CVE-2021-4473

Tianxin Internet Behavior Management System contains a command injection vulnerability in the Reporter component endpoint that allows unauthenticated attackers to execute arbitrary commands by supplying a crafted objClass parameter containing shell metacharacters and output redirection. Attackers...

CVE-2026-5635

A security flaw has been discovered in PHPGurukul Online Shopping Portal Project 2.1. Affected by this issue is some unknown functionality of the file /categorywise-products.php of the component Parameter Handler. The manipulation of the argument cid results in sql injection. The attack can be...

CVE-2026-5637

A security vulnerability has been detected in projectworlds Car Rental System 1.0. This vulnerability affects unknown code of the file /messageadmin.php of the component Parameter Handler. Such manipulation of the argument Message leads to sql injection. The attack may be launched remotely. The...

CVE-2026-5642

A vulnerability was determined in Cyber-III Student-Management-System up to 1a938fa61e9f735078e9b291d2e6215b4942af3f. This affects an unknown function of the file /viva/update.php of the component HTTP POST Request Handler. This manipulation of the argument Name causes improper authorization. It ...

Year in Review: Vulnerabilities old and new and something React2

Speed and age shouldn't be allowed to pair up, but that is the theme of the Talos 2025 Year in Review vulnerability findings. Figure 1. React/React2Shell 2025 at the top, with PHPUnit 2017 and Log4j 2021 following up. The year was characterized by an unending beat-down on infrastructure that reli...

PT-2026-30817

Name of the Vulnerable Software and Affected Versions Tianxin Internet Behavior Management System versions prior to NACFirmware 4.0.0.7 20210716.180815 topsec 0 basic.bin Description The Tianxin Internet Behavior Management System contains a command injection vulnerability in the Reporter compone...

itsourcecode Construction Management System SQL注入漏洞

itsourcecode Construction Management System is an open-source construction management system developed by itsourcecode. Version 1.0 of the itsourcecode Construction Management System has a SQL injection vulnerability. This vulnerability arises from incorrect handling of the parameter “code” in th...

ChurchCRM 跨站脚本漏洞

ChurchCRM is an open-source CRM system developed for churches. Versions of ChurchCRM prior to 7.1.0 contained a cross-site scripting vulnerability. This vulnerability stemmed from the GeoPage.php file, which had reflective cross-site scripting capabilities, potentially leading to account takeover...

PT-2026-31007

Open Source Point of Sale is a web based point-of-sale application written in PHP using CodeIgniter framework. Prior to 3.4.3, a Stored Cross-Site Scripting XSS vulnerability exists in the Stock Locations configuration feature. The application fails to properly sanitize user input supplied throug...

CVE-2026-5705 code-projects Online Hotel Booking Booking Endpoint booknow.php cross site scripting

A vulnerability was identified in code-projects Online Hotel Booking 1.0. Affected by this vulnerability is an unknown functionality of the file /booknow.php of the component Booking Endpoint. Such manipulation of the argument roomname leads to cross site scripting. It is possible to launch the...

CVE-2026-35473

WeGIA is a Web manager for charitable institutions. Prior to 3.6.9, an Open Redirect vulnerability was identified in the /WeGIA/controle/control.php endpoint of the WeGIA application, specifically through the nextPage parameter when combined with metodo=listarId and nomeClasse=IentradaControle. T...

CVE-2026-35449

WWBN AVideo is an open source video platform. In versions 26.0 and prior, the install/test.php diagnostic script has its CLI-only access guard disabled by commenting out the die statement. The script remains accessible via HTTP after installation, exposing video viewer statistics including IP...

CVE-2026-35448

WWBN AVideo is an open source video platform. In versions 26.0 and prior, the BlockonomicsYPT plugin's check.php endpoint returns payment order data for any Bitcoin address without requiring authentication. The endpoint was designed as an AJAX polling helper for the authenticated invoice.php page...

CVE-2026-35449 WWBN AVideo has Unauthenticated Information Disclosure via Disabled CLI Guard in install/test.php

WWBN AVideo is an open source video platform. In versions 26.0 and prior, the install/test.php diagnostic script has its CLI-only access guard disabled by commenting out the die statement. The script remains accessible via HTTP after installation, exposing video viewer statistics including IP...

CVE-2026-35472

WeGIA is a Web manager for charitable institutions. Prior to 3.6.9, an Open Redirect vulnerability was identified in the /WeGIA/controle/control.php endpoint of the WeGIA application, specifically through the nextPage parameter when combined with metodo=listarTodos and nomeClasse=EstoqueControle...

CVE-2026-35396

WeGIA is a Web manager for charitable institutions. Prior to 3.6.9, an Open Redirect vulnerability was identified in the /WeGIA/controle/control.php endpoint of the WeGIA application, specifically through the nextPage parameter when combined with metodo=listarId and nomeClasse=IsaidaControle. The...

CVE-2026-35184

EcclesiaCRM is CRM Software for church management. Prior to 8.0.0, there is a SQL injection vulnerability in v2/templates/query/queryview.php via the custom and value parameters. This vulnerability is fixed in 8.0.0...

CVE-2026-5681 itsourcecode sanitize or validate this input Parameter borrowedequip.php sql injection

A flaw has been found in itsourcecode sanitize or validate this input 1.0. This impacts an unknown function of the file /borrowedequip.php of the component Parameter Handler. This manipulation of the argument empid causes sql injection. The attack is possible to be carried out remotely. The explo...