1216 matches found
CVE-2026-14743
CVE-2026-14743 affects the code-projects Real State Services 1.0. The vulnerability is a SQL injection in an unknown function of the file /normalHomeSale.php triggered by manipulating the loc argument. Exploitation can be performed remotely, and public exploit code is available. The provided docu...
CVE-2026-14743
A vulnerability was identified in code-projects Real State Services 1.0. The impacted element is an unknown function of the file /normalHomeSale.php. Such manipulation of the argument loc leads to sql injection. The attack may be performed from remote. The exploit is publicly available and might ...
CVE-2026-57950
ruoyi-vue-pro through 2026.05, fixed in commit 5d1fd70 contains a broken access control vulnerability in ErpSaleOrderController that allows attackers with erp:sale-out permissions to gain unauthorized access to sale order operations by exploiting an incorrect permission namespace enforcement...
EUVD-2026-40167
ruoyi-vue-pro through 2026.05, fixed in commit 5d1fd70 contains a broken access control vulnerability in ErpSaleOrderController that allows attackers with erp:sale-out permissions to gain unauthorized access to sale order operations by exploiting an incorrect permission namespace enforcement...
CVE-2026-57950
Summary (CVE-2026-57950): ruoyi-vue-pro before 2026.05 contains a broken access control in ErpSaleOrderController due to incorrect permission namespace enforcement. The controller applies the erp:sale-out namespace instead of the intended erp:sale-order namespace, allowing attackers with erp:sale...
CVE-2026-57950 ruoyi-vue-pro - Incorrect Permission Namespace in ErpSaleOrderController
ruoyi-vue-pro through 2026.05, fixed in commit 5d1fd70 contains a broken access control vulnerability in ErpSaleOrderController that allows attackers with erp:sale-out permissions to gain unauthorized access to sale order operations by exploiting an incorrect permission namespace enforcement...
CVE-2026-13559
A weakness has been identified in code-projects Real State Services 1.0. Impacted is an unknown function of the file /single-listsale.php?action=add. Executing a manipulation of the argument ID can lead to sql injection. The attack can be executed remotely. The exploit has been made available to...
EUVD-2026-40070
A weakness has been identified in code-projects Real State Services 1.0. Impacted is an unknown function of the file /single-listsale.php?action=add. Executing a manipulation of the argument ID can lead to sql injection. The attack can be executed remotely. The exploit has been made available to...
CVE-2026-13559 code-projects Real State Services single-list_sale.php add sql injection
A weakness has been identified in code-projects Real State Services 1.0. Impacted is an unknown function of the file /single-listsale.php?action=add. Executing a manipulation of the argument ID can lead to sql injection. The attack can be executed remotely. The exploit has been made available to...
CVE-2026-13559
CVE-2026-13559 affects code-projects Real State Services 1.0. The vulnerability resides in the /single-list_sale.php?action=add handling of the ID parameter, where unsafely manipulated input enables SQL injection. Attack vector is network-based and exploitation is possible remotely, with a public...
CVE-2026-8705
The ClearSale Total plugin for WordPress is vulnerable to SQL Injection via the pagsegurometodo POST parameter of the clearsaletotalpush AJAX action in all versions up to, and including, 3.4.2. The handler is registered for unauthenticated users wpajaxnoprivclearsaletotalpush, and although a...
EUVD-2026-38672
The ClearSale Total plugin for WordPress is vulnerable to SQL Injection via the pagsegurometodo POST parameter of the clearsaletotalpush AJAX action in all versions up to, and including, 3.4.2. The handler is registered for unauthenticated users wpajaxnoprivclearsaletotalpush, and although a...
CVE-2026-8705
The CVE describes a SQL injection in the ClearSale Total WordPress plugin (versions <= 3.4.2). The vulnerability occurs via the pagseguro[metodo] POST parameter of the clearsale_total_push AJAX action, which is accessible to unauthenticated users (wp_ajax_nopriv_clearsale_total_push). Although...
CVE-2026-52711
Unauthenticated Broken Access Control in WooCommerce POS = 1.8.14 versions...
EUVD-2026-37048
Unauthenticated Broken Access Control in WooCommerce POS = 1.8.14 versions...
CVE-2025-41011
HTML injection vulnerability in PHP Point of Sale v19.4. This vulnerability allows an attacker to render HTML in the victim's browser due to a lack of proper validation of user input by sending a request to '/reports/generate/specificcustomer', ussing 'startdateformatted' y 'enddateformatted'...
CVE-2026-32712
Open Source Point of Sale is a web based point-of-sale application written in PHP using CodeIgniter framework. Prior to 3.4.3, a Stored Cross-Site Scripting XSS vulnerability exists in the Daily Sales management table. The customername column is configured with escape: false in the bootstrap-tabl...
CVE-2026-4479
The WholeSale Products Dynamic Pricing Management WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated...
CVE-2026-39380
Open Source Point of Sale is a web based point-of-sale application written in PHP using CodeIgniter framework. Prior to 3.4.3, a Stored Cross-Site Scripting XSS vulnerability exists in the Stock Locations configuration feature. The application fails to properly sanitize user input supplied throug...
CVE-2026-8802
A vulnerability was detected in opensourcepos Open Source Point of Sale up to 3.4.2. This issue affects the function getPicThumb of the file app/Controllers/Items.php. The manipulation of the argument picfilename results in path traversal. The attack may be launched remotely. The patch is...