📄 FreeScout 1.8.206 Remote Code Execution

This Metasploit module exploits an unauthenticated remote code execution vulnerability in FreeScout versions less than or equal to 1.8.206 CVE-2026-28289. The sanitizeUploadedFileName function checks for dot-prefixed filenames before stripping Unicode format characters ZWSP U+200B, allowing...

Fedora: Security Advisory (FEDORA-2026-65fdd15133)

The remote host is missing an update for the SPDX-FileCopyrightText: 2026 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...

CVE-2026-5157

CVE-2026-5157 affects code-projects Online Food Ordering System 1.0, specifically the Order Module’s /form/order.php. The vulnerability arises from manipulating the cust_id argument, enabling cross-site scripting (XSS). Exploitation can be performed remotely, and a public exploit is available. Do...

CVE-2026-5150

A security vulnerability has been detected in code-projects Accounting System 1.0. This issue affects some unknown processing of the file /viewincostumer.php of the component Parameter Handler. Such manipulation of the argument cosid leads to sql injection. The attack can be launched remotely. Th...

[SECURITY] Fedora 42 Update: php-phpseclib3-3.0.50-1.fc42

MIT-licensed pure-PHP implementations of an arbitrary-precision integer arithmetic library, fully PKCS1 v2.1 compliant RSA, DES, 3DES, RC4, Rijndael, AES, Blowfish, Twofish, SSH-1, SSH-2, SFTP, and X.509...

EUVD-2026-17135

A Reflected Cross-Site Scripting XSS vulnerability exists in SourceCodester Sales and Inventory System 1.0. The vulnerability is located in the index.php file via the "msg" parameter. The application fails to sanitize the input, allowing remote attackers to inject arbitrary web script or HTML via...

AVideo Vulnerable to Wallet Balance Double-Spend via TOCTOU Race Condition in transferBalance

Summary The transferBalance method in plugin/YPTWallet/YPTWallet.php contains a Time-of-Check-Time-of-Use TOCTOU race condition. The method reads the sender's wallet balance, checks sufficiency in PHP, then writes the new balance — all without database transactions or row-level locking. An attack...

CVE-2026-5033

A vulnerability was detected in code-projects Accounting System 1.0. Affected by this vulnerability is an unknown functionality of the file /viewcostumer.php of the component Parameter Handler. The manipulation of the argument cosid results in sql injection. The attack may be performed from remot...

CVE-2026-33993

A flaw was found in Locutus, a library that integrates standard libraries from other programming languages into JavaScript. The unserialize function, which converts serialized PHP data into JavaScript objects, fails to filter the proto key during deserialization. A remote attacker can exploit thi...

[SECURITY] Fedora 43 Update: php-phpseclib3-3.0.50-1.fc43

MIT-licensed pure-PHP implementations of an arbitrary-precision integer arithmetic library, fully PKCS1 v2.1 compliant RSA, DES, 3DES, RC4, Rijndael, AES, Blowfish, Twofish, SSH-1, SSH-2, SFTP, and X.509...

CVE-2026-30561

A Reflected Cross-Site Scripting XSS vulnerability exists in SourceCodester Sales and Inventory System 1.0. The vulnerability is located in the addpurchase.php file via the "msg" parameter. The application fails to sanitize the input, allowing remote attackers to inject arbitrary web script or HT...

CVE-2026-30556

A Reflected Cross-Site Scripting XSS vulnerability exists in SourceCodester Sales and Inventory System 1.0. The vulnerability is located in the index.php file via the "msg" parameter. The application fails to sanitize the input, allowing remote attackers to inject arbitrary web script or HTML via...

PT-2026-29130

Name of the Vulnerable Software and Affected Versions Contact Form by Supsystic plugin for WordPress versions up to and including 1.7.36 Description The Contact Form by Supsystic plugin for WordPress is susceptible to Server-Side Template Injection SSTI, which can lead to Remote Code Execution RC...

SourceCodester Sales and Inventory System 安全漏洞

The SourceCodester Sales and Inventory System is an open-source sales and inventory management system developed by SourceCodester. Version 1.0 of the SourceCodester Sales and Inventory System contains a security vulnerability. This vulnerability stems from improper cleaning of the parameter msg i...

📄 Bludit CMS Shell Upload

Bludit CMS versions prior to 3.18.4 have an unrestricted API file upload vulnerability that allows for remote code execution. Exploit Title: Bludit CMS . The uploadFile function performs no file extension or content validation, allowing upload of PHP webshells that execute as www-data. The API...

Debian: Security Advisory (DSA-6187-1)

The remote host is missing an update for the Debian SPDX-FileCopyrightText: 2026 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...

Debian: Security Advisory (DSA-6186-1)

The remote host is missing an update for the Debian SPDX-FileCopyrightText: 2026 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...

Fedora: Security Advisory (FEDORA-2026-bfeb46516b)

The remote host is missing an update for the SPDX-FileCopyrightText: 2026 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...

CVE-2026-5018

A weakness has been identified in code-projects Simple Food Order System 1.0. Affected is an unknown function of the file register-router.php of the component Parameter Handler. Executing a manipulation of the argument Name can lead to sql injection. The attack can be launched remotely. The explo...

CVE-2026-5034

A flaw has been found in code-projects Accounting System 1.0. Affected by this issue is some unknown functionality of the file /editcostumer.php of the component Parameter Handler. This manipulation of the argument cosid causes sql injection. It is possible to initiate the attack remotely. The...