GHSA-37J7-56XC-C468 Idno Vulnerable to Remote Code Execution via Chained Import File Write and Template Path Traversal
Affected Versions: Tested on current dev branch (build fingerprint 505...7bd86). CVSS v4 Score: 8.6 (CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N). Privileges Required: Web application admin account for file write, any authenticated user for RCE trigger. Summary: Two separate...
GHSA-PV87-R9QF-X56P AVideo has Unauthenticated SQL Injection via JSON Request Bypass in objects/videos.json.php
Impact: An unauthenticated SQL Injection vulnerability exists in AVideo within the objects/videos.json.php and objects/video.php components. The application fails to properly sanitize the catName parameter when it is supplied via a JSON-formatted POST request body. Because JSON input is parsed and...
CVE-2026-26711
code-projects Simple Food Order System v1.0 is vulnerable to SQL Injection in /food/view-ticket.php...
Incorrect Authorization
Auth0-PHP is vulnerable to Incorrect Authorization. The vulnerability is due to improper validation of access tokens, where affected applications may accept ID tokens as Access tokens, and attackers can exploit this by manipulating the audience validation in access tokens...
CVE-2025-50199 Chamilo: Blind Server-Side Request Forgery (Unauth Blind SSRF)
Chamilo is a learning management system. Prior to version 1.11.30, there is a blind SSRF vulnerability in /index.php via the POST openidurl parameter. This issue has been patched in version 1.11.30...
CVE-2026-26694
code-projects Simple Student Alumni System v1.0 is vulnerable to SQL Injection in /TracerStudy/modalview.php...
CVE-2025-50193 Chamilo: OS command Injection in /plugin/vchamilo/views/import.php with the POST to_main_database parameter
Chamilo is a learning management system. Prior to version 1.11.30, there is an OS command Injection vulnerability in /plugin/vchamilo/views/import.php with the POST to_main_database parameter. This issue has been patched in version 1.11.30...
CVE-2025-50192
Chamilo is a learning management system. Prior to version 1.11.30, there is a time-based SQL Injection found in /main/webservices/registration.soap.php. This issue has been patched in version 1.11.30...
CVE-2025-50190 Chamilo: Error-based SQL Injection via GET openid.assoc_handle with the /index.php script
Chamilo is a learning management system. Prior to version 1.11.30, there is an error-based SQL Injection via the GET openid.assoc_handle parameter with the /index.php script. This issue has been patched in version 1.11.30...
EUVD-2025-208159
Chamilo is a learning management system. Prior to version 1.11.30, there is an error-based SQL Injection via the GET openid.assoc_handle parameter with the /index.php script. This issue has been patched in version 1.11.30...
WordPress Super Stage WP plugin <= 1.0.1 - Unauthenticated PHP Object Injection vulnerability
Unauthenticated PHP Object Injection vulnerability discovered by yiğit ibrahim sağlam in WordPress Plugin Super Stage WP versions <= 1.0.1...
EUVD-2026-9144
A security vulnerability has been detected in itsourcecode University Management System 1.0. Affected by this issue is some unknown functionality of the file /adminsinglestudentupdate.php. The manipulation of the argument ID leads to SQL injection. Remote exploitation of the attack is possible. T...
CVE-2026-3402
A security vulnerability has been detected in PHPGurukul Student Record Management System up to 1.0. This vulnerability affects unknown code of the file /edit-course.php. Such manipulation of the argument Course Short Name leads to cross-site scripting. The attack can be executed remotely. The...
CVE-2026-26695
code-projects Simple Student Alumni System v1.0 is vulnerable to SQL Injection in /TracerStudy/recordstudentedit.php...
PT-2026-22993
Name of the Vulnerable Software and Affected Versions: AVideo versions prior to 24.0. Description: AVideo is an open source video platform. A Remote Code Execution (RCE) issue was identified in the plugin upload/import functionality. An authenticated administrator could upload a specially crafted ZIP...
CVE-2026-26708
sourcecodester Pharmacy Point of Sale System v1.0 is vulnerable to SQL Injection in /pharmacy/manageuser.php...
Unity Linux 20.1050e / 20.1060e / 20.1070e Security Update: php (UTSA-2026-005380)
The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-005380 advisory. In PHP from 8.1. before 8.1.32, from 8.2. before 8.2.28, from 8.3. before 8.3.19, from 8.4. before 8.4.5, when user-supplied headers are sent, the insufficient...
PT-2026-22994
Name of the Vulnerable Software and Affected Versions: Idno versions prior to 1.6.4. Description: Idno, a social publishing platform, contains a remote code execution vulnerability that can be triggered through a chained sequence of issues. Specifically, a web application administrator can be...