WordPress Vex theme < 1.2.9 - PHP Object Injection vulnerability

PHP Object Injection vulnerability discovered by Tran Nguyen Bao Khanh VCI - VNPT Cyber Immunity in WordPress Theme Vex versions 1.2.9...

CVE-2026-32844

XinLiangCoder php_api_doc contains a reflected XSS via list_method.php (GET parameter f) after commit 1ce5bbf. Unsanitized input is echoed to the page, enabling execution of arbitrary JavaScript in victims’ browsers. Impact cited includes session hijacking, credential theft, or malware distributi...

CVE-2026-32844 XinLiangCoder / php_api_doc Reflected XSS via list_method.php

XinLiangCoder phpapidoc through commit 1ce5bbf contains a reflected cross-site scripting vulnerability in listmethod.php that allows remote attackers to execute arbitrary JavaScript in a victim's browser by injecting malicious code through the f parameter. Attackers can craft a malicious URL with...

WordPress JS Archive List plugin <= 6.1.7 - PHP Object Injection vulnerability

PHP Object Injection vulnerability discovered by daroo in WordPress Plugin JS Archive List versions = 6.1.7...

CVE-2026-4485

A vulnerability has been found in itsourcecode College Management System 1.0. The impacted element is an unknown function of the file /admin/searchstudent.php. The manipulation of the argument Search leads to sql injection. The attack is possible to be carried out remotely. The exploit has been...

EUVD-2026-13678

WeGIA is a web manager for charitable institutions. Versions 3.6.5 and below contain an authenticated SQL Injection vulnerability in the html/matPat/restaurarproduto.php endpoint. The vulnerability allows an authenticated attacker to inject arbitrary SQL commands via the idproduto GET parameter,...

CVE-2026-33134 WeGIA has Authenticated Time-Based Blind SQL Injection in `restaurar_produto.php` via `id_produto` parameter

WeGIA is a web manager for charitable institutions. Versions 3.6.5 and below contain an authenticated SQL Injection vulnerability in the html/matPat/restaurarproduto.php endpoint. The vulnerability allows an authenticated attacker to inject arbitrary SQL commands via the idproduto GET parameter,...

Security update for php-composer2

This update for php-composer2 fixes the following issues: CVE-2025-67746: Fixed ANSI control characters injection in the terminal output of various Composer commands via attacker controlled remote sources. bsc1255768 Patch Instructions: To install this SUSE update use the SUSE recommended...

SUSE-SU-2026:0935-1 Security update for php-composer2

This update for php-composer2 fixes the following issues: CVE-2025-67746: Fixed ANSI control characters injection in the terminal output of various Composer commands via attacker controlled remote sources. bsc1255768...

CVE-2026-33043

WWBN AVideo is an open source video platform. In versions 25.0 and below, /objects/phpsessionid.json.php exposes the current PHP session ID to any unauthenticated request. The allowOrigin function reflects any Origin header back in Access-Control-Allow-Origin with Access-Control-Allow-Credentials...

CVE-2026-33043 AVideo affected by Session Hijacking via Unauthenticated Session ID Disclosure with Permissive CORS

WWBN AVideo is an open source video platform. In versions 25.0 and below, /objects/phpsessionid.json.php exposes the current PHP session ID to any unauthenticated request. The allowOrigin function reflects any Origin header back in Access-Control-Allow-Origin with Access-Control-Allow-Credentials...

CVE-2026-33035

CVE-2026-33035 affects WWBN AVideo

CVE-2026-33035 Unauthenticated Reflected XSS via innerHTML in AVideo

WWBN AVideo is an open source video platform. In versions 25.0 and below, there is a reflected XSS vulnerability that allows unauthenticated attackers to execute arbitrary JavaScript in a victim's browser. User input from a URL parameter flows through PHP's jsonencode into a JavaScript function...

CVE-2026-32888 Open Source Point of Sale is Vulnerable to SQL Injection Through its Item Search Functionality

Open Source Point of Sale is a web based point-of-sale application written in PHP using CodeIgniter framework. Versions contain an SQL Injection in the Items search functionality. When the custom attribute search feature is enabled searchcustom filter, user-supplied input from the search GET...

CVE-2026-32985

Xerte Online Toolkits

SimpleJWT 资源管理错误漏洞

SimpleJWT is a JSON Web Token library written in PHP by Kelvin Mo as a personal project. Versions of SimpleJWT prior to 1.1.1 contained a resource management vulnerability. This vulnerability arises from the use of the PBES2 algorithm, allowing unauthenticated attackers to perform denial-of-servi...

PT-2026-26790

Summary The objects/pluginImport.json.php endpoint allows admin users to upload and install plugin ZIP files containing executable PHP code, but lacks any CSRF protection. Combined with the application explicitly setting session.cookie samesite = 'None' for HTTPS connections, an unauthenticated...

php_api_doc 跨站脚本漏洞

phpapidoc is a PHP API documentation generation tool developed by Wally’s personal developer. phpapidoc has a cross-site scripting vulnerability, which stems from improper cleaning of the f parameter in the listmethod.php file. This vulnerability may lead to reflective cross-site scripting attack...

CVE-2026-29103

SuiteCRM is an open-source, enterprise-ready Customer Relationship Management CRM software application. A Critical Remote Code Execution RCE vulnerability exists in SuiteCRM 7.15.0 and 8.9.2, allowing authenticated administrators to execute arbitrary system commands. This vulnerability is a direc...

AVideo Encoder getImage.php Unauthenticated Command Injection

This module exploits an unauthenticated OS command injection vulnerability in AVideo Encoder's getImage.php endpoint CVE-2026-29058. The base64Url GET parameter is base64-decoded and injected directly into an ffmpeg shell command within double quotes, without any sanitization or use of...