WordPress Comment Genius plugin <= 1.2.5 - Reflected Cross-Site Scripting via $_SERVER['PHP_SELF'] vulnerability

Reflected Cross-Site Scripting via $SERVER'PHPSELF' vulnerability discovered by Abdulsamad Yusuf 0xVenus - Envorasec in WordPress Plugin Comment Genius versions = 1.2.5...

CVE-2026-4624 SourceCodester Online Library Management System Parameter home.php sql injection

A vulnerability was detected in SourceCodester Online Library Management System 1.0. The impacted element is an unknown function of the file /home.php of the component Parameter Handler. Performing a manipulation of the argument searchField results in sql injection. The attack can be initiated...

CVE-2026-4624 SourceCodester Online Library Management System Parameter home.php sql injection

A vulnerability was detected in SourceCodester Online Library Management System 1.0. The impacted element is an unknown function of the file /home.php of the component Parameter Handler. Performing a manipulation of the argument searchField results in sql injection. The attack can be initiated...

CVE-2026-4624

SourceCodester Online Library Management System 1.0 contains a SQL injection in the Parameter Handler’s /home.php (unknown function) triggered by manipulating the searchField argument. The vulnerability is exploitable remotely and the exploit is publicly available. The CVE notes a medium to high ...

CVE-2026-4624

A vulnerability was detected in SourceCodester Online Library Management System 1.0. The impacted element is an unknown function of the file /home.php of the component Parameter Handler. Performing a manipulation of the argument searchField results in sql injection. The attack can be initiated...

CVE-2026-4623

CVE-2026-4623 affects DefaultFuction Jeson-Customer-Relationship-Management-System up to build 1b4679c4d06b90d31dd521c2b000bfdec5a36e00. The vulnerability resides in the API Module, specifically the file /api/System.php, where manipulation of the url argument enables server-side request forgery (...

SUSE CVE-2026-33204

SimpleJWT is a simple JSON web token library written in PHP. Prior to version 1.1.1, an unauthenticated attacker can perform a Denial of Service via JWE header tampering when PBES2 algorithms are used. Applications that call JWE::decrypt on attacker-controlled JWEs using PBES2 algorithms are...

CVE-2026-29839

DedeCMS v5.7.118 was discovered to contain a Cross-Site Request Forgery CSRF vulnerability in /systaskadd.php...

PT-2026-27304

Name of the Vulnerable Software and Affected Versions DefaultFuction Jeson-Customer-Relationship-Management-System affected versions not specified Description A security issue has been identified in the API Module component of DefaultFuction Jeson-Customer-Relationship-Management-System...

PT-2026-27524

Name of the Vulnerable Software and Affected Versions SourceCodester Sales and Inventory System version 1.0 Description A flaw exists in SourceCodester Sales and Inventory System that allows for SQL injection. The issue is located within the update purchase.php file, specifically through...

PHP File Manager 访问控制错误漏洞

PHP File Manager is a complete file system management tool developed by Dulldusk’s developers. Version 1.7.8 of PHP File Manager contains an access control vulnerability, which stems from local file inclusion. This vulnerability could allow unauthenticated attackers to read arbitrary files by...

PT-2026-27364

PhreeBooks ERP 5.2.3 contains an arbitrary file upload vulnerability in the Image Manager component that allows authenticated attackers to upload malicious files by submitting requests to the image upload endpoint. Attackers can upload PHP files through the imgFile parameter to the...

PT-2026-27377

eNdonesia Portal v8.7 contains multiple SQL injection vulnerabilities that allow unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the bid parameter. Attackers can send GET requests to banners.php with crafted SQL payloads in the bid parameter to extra...

ROS-20260324-73-0030

A vulnerability in the pnvphp component of the Linux operating system is related to pointer dereferencing errors. Exploitation of the vulnerability allows an attacker to cause a denial of service...

CVE-2026-4615 SourceCodester Online Catering Reservation search.php sql injection

A vulnerability was identified in SourceCodester Online Catering Reservation 1.0. Impacted is an unknown function of the file /search.php. Such manipulation of the argument rcode leads to sql injection. The attack may be performed from remote. The exploit is publicly available and might be used...

CVE-2026-4613 SourceCodester E-Commerce Site products.php sql injection

A vulnerability was found in SourceCodester E-Commerce Site 1.0. This vulnerability affects unknown code of the file /products.php. The manipulation of the argument Search results in sql injection. The attack can be executed remotely. The exploit has been made public and could be used...

CVE-2026-33717

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the downloadVideoFromDownloadURL function in objects/aVideoEncoder.json.php saves remote content to a web-accessible temporary directory using the original URL's filename and extension including .php. By providing...

CVE-2026-33513

WWBN AVideo is an open source video platform. In versions up to and including 26.0, an unauthenticated API endpoint APIName=locale concatenates user input into an include path with no canonicalization or whitelist. Path traversal is accepted, so arbitrary PHP files under the web root can be...

CVE-2026-33647

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the ImageGallery::saveFile method validates uploaded file content using finfo MIME type detection but derives the saved filename extension from the user-supplied original filename without an allowlist check. An...

CVE-2026-33719 AVideo Vulnerable to Unauthenticated CDN Configuration Takeover via Empty Default Key Bypass and Mass-Assignment in status.json.php

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the CDN plugin endpoints plugin/CDN/status.json.php and plugin/CDN/disable.json.php use key-based authentication with an empty string default key. When the CDN plugin is enabled but the key has not been configured...