CVE-2026-4563 MacCMS Member Order Detail User.php order_info authorization

A weakness has been identified in MacCMS up to 2025.1000.4052. This vulnerability affects the function orderinfo of the file application/index/controller/User.php of the component Member Order Detail Interface. This manipulation of the argument orderid causes authorization bypass. It is possible ...

CVE-2026-4557

A vulnerability was detected in code-projects Exam Form Submission 1.0. This impacts an unknown function of the file /admin/updates1.php. Performing a manipulation of the argument sname results in cross site scripting. The attack may be initiated remotely. The exploit is now public and may be use...

CVE-2019-25592 PHPRunner 10.1 Denial of Service via Dashboard Name Field

PHPRunner 10.1 contains a denial of service vulnerability that allows local attackers to crash the application by supplying an excessively long string in the dashboard name field. Attackers can paste a buffer of 10000 characters into the Name field during dashboard creation to trigger an...

CVE-2026-4540

The CVE-2026-4540 entry concerns projectworlds Online Notes Sharing System 1.0. The flaw lies in the Parameters Handler’s processing of the login.php input, where manipulation of the Benutzer argument enables SQL Injection. A remote attacker could exploit this, and public exploits are mentioned i...

CVE-2026-4533

CVE-2026-4533 affects code-projects Simple Food Ordering System 1.0. The vulnerability is in the all-tickets.php file where manipulating the Status parameter results in an SQL injection, with remote exploitation possible. Exploitation details are reported across multiple sources (NVD, Red Hat, CI...

Code-Projects Exam Form Submission 代码注入漏洞

Code-Projects Exam Form Submission is an open-source exam form developed by Code-Projects. Version 1.0 of Code-Projects Exam Form Submission contains a code injection vulnerability. This vulnerability arises from incorrect handling of the parameter sname in the file admin/updates1.php, which may...

PT-2026-27012

A vulnerability has been found in code-projects Simple Gym Management System up to 1.0. This affects an unknown part of the file /gym/func.php. Such manipulation of the argument Trainer id/fname leads to sql injection. The attack can be executed remotely. The exploit has been disclosed to the...

WWBN AVideo 操作系统命令注入漏洞

WWBN AVideo is a video platform building system developed by the WWBN team using PHP. Versions of WWBN AVideo prior to 26.0 contained a vulnerability related to operating system command injection. This vulnerability stemmed from the uploadVideoToLinkedIn method in the SocialMediaPublisher plugin,...

PT-2026-26963

A vulnerability was detected in code-projects Simple Food Ordering System 1.0. Affected by this issue is some unknown functionality of the file all-tickets.php. The manipulation of the argument Status results in sql injection. It is possible to launch the attack remotely. The exploit is now publi...

EUVD-2019-19906

i-doit CMDB 1.12 contains an arbitrary file download vulnerability that allows authenticated attackers to download sensitive files by manipulating the file parameter in index.php. Attackers can send GET requests to index.php with filemanager=image and supply arbitrary file paths like...

CVE-2019-25582

i-doit CMDB 1.12 contains an arbitrary file download vulnerability that allows authenticated attackers to download sensitive files by manipulating the file parameter in index.php. Attackers can send GET requests to index.php with filemanager=image and supply arbitrary file paths like...

CVE-2019-25582 i-doit CMDB 1.12 Arbitrary File Download via file_manager Parameter

i-doit CMDB 1.12 contains an arbitrary file download vulnerability that allows authenticated attackers to download sensitive files by manipulating the file parameter in index.php. Attackers can send GET requests to index.php with filemanager=image and supply arbitrary file paths like...

CVE-2019-25582

CVE-2019-25582 affects i-doit CMDB 1.12. An authenticated user can download arbitrary files by manipulating the file parameter in index.php with file_manager=image, e.g., requesting src/config.inc.php. This enables retrieval of configuration files and other sensitive system data. The vulnerabilit...

CVE-2019-25578

This CVE affects phpTransformer 2016.9. The SQL injection vulnerability occurs in GeneratePDF.php via the idnews parameter, allowing remote attackers to craft GET requests that execute arbitrary SQL, potentially exposing sensitive data or manipulating queries. Root cause: improper handling of use...

CVE-2019-25578

phpTransformer 2016.9 contains an SQL injection vulnerability that allows remote attackers to execute arbitrary SQL queries by injecting malicious code through the idnews parameter. Attackers can send crafted GET requests to GeneratePDF.php with SQL payloads in the idnews parameter to extract...

CVE-2019-25573

Green CMS 2.x contains an SQL injection vulnerability that allows authenticated attackers to execute arbitrary SQL queries by injecting malicious code through the cat parameter. Attackers can send GET requests to index.php with m=admin, c=posts, a=index parameters and inject SQL code in the cat...

CVE-2019-25573 Green CMS 2.x SQL Injection via cat Parameter

Green CMS 2.x contains an SQL injection vulnerability that allows authenticated attackers to execute arbitrary SQL queries by injecting malicious code through the cat parameter. Attackers can send GET requests to index.php with m=admin, c=posts, a=index parameters and inject SQL code in the cat...

CVE-2026-1647

The Comment Genius plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the $SERVER'PHPSELF' parameter in all versions up to, and including, 1.2.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitra...

CVE-2026-1647 Comment Genius <= 1.2.5 - Reflected Cross-Site Scripting via $_SERVER['PHP_SELF']

The Comment Genius plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the $SERVER'PHPSELF' parameter in all versions up to, and including, 1.2.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitra...

CVE-2026-1647

CVE-2026-1647 affects the WordPress plugin Comment Genius prior to 1.2.6 (all versions up to and including 1.2.5). The root cause is insufficient input sanitization and output escaping for the Reflected Cross-Site Scripting vulnerability via the $_SERVER['PHP_SELF'] parameter. This enables unauth...