WordPress plugin Boost SQL Injection Vulnerability
WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application that can be install...
CVE-2026-3335 Canto <= 3.1.1 - Missing Authorization to Unauthenticated File Upload
The Canto plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 3.1.1 via the /wp-content/plugins/canto/includes/lib/copy-media.php file. This is due to the file being directly accessible without any authentication, authorization, or nonce checks, and t...
CVE-2015-20114
Next Click Ventures RealtyScript 4.0.2 contains a cross-site scripting vulnerability that allows attackers to execute arbitrary HTML and script code by injecting malicious input through multiple parameters that are not properly sanitized. Attackers can craft requests with injected script payloads...
Bitcoinrb Vulnerable to Command injection via RPC
Summary: Remote Code Execution. Unsafe handling of request parameters in the RPC HTTP server results in command injection. Details: In lib/bitcoin/rpc/httpserver.rb, lines 30-39, the JSON body of a POST request is parsed into command and args variables. These values are then passed to send, which is...
CVE-2026-25814 NoSQL Injection Risk via Unsanitized Query Parameters
PlaciPy is a placement management system designed for educational institutions. In version 1.0.0, user-controlled query parameters are passed directly into DynamoDB query/filter construction without validation or sanitization...
OAuth Parameter Injection
Auth0 Next.js is vulnerable to OAuth Parameter Injection. The vulnerability is due to insufficient validation of the returnTo parameter, where attacker-controlled input can inject unintended OAuth query parameters into the authorization request, potentially resulting in tokens being issued with...
PT-2025-34878 · Unknown · Diskover-Web
Name of the Vulnerable Software and Affected Versions: diskover-web version 2.3.0 Description: The software is susceptible to multiple reflected cross-site scripting XSS flaws within its web interface. Unsanitized GET parameters, including maxage, maxindex, index, path, q query, and doctype, are...
CVE-2024-24003
jshERP v3.3 is vulnerable to SQL Injection. The com.jsh.erp.controller.DepotHeadController: com.jsh.erp.utils.BaseResponseInfo findInOutMaterialCount function of jshERP does not filter column and order parameters well enough, and an attacker can construct malicious payload to bypass jshERP's...
CVE-2025-2945 pgAdmin 4: Remote Code Execution in Query Tool and Cloud Deployment
Remote Code Execution security vulnerability in the pgAdmin 4 Query Tool and Cloud Deployment modules. The vulnerability is associated with two POST endpoints: /sqleditor/querytool/download, where the querycommited parameter, and /cloud/deploy, where the highavailability parameter, is unsafe...
PT-2025-4077 · WordPress · Vr-Frases
Name of the Vulnerable Software and Affected Versions: VR-Frases plugin for WordPress versions up to, and including, 3.0.1 Description: The issue is related to SQL Injection via several parameters due to insufficient escaping on the user-supplied parameter and lack of sufficient preparation on th...
PT-2024-34433 · Unknown · Kashipara E-Learning Management System Project
Name of the Vulnerable Software and Affected Versions: KASHIPARA E-learning Management System Project version 1.0 Description: A SQL Injection issue was found in the /admin/edit student.php endpoint via the cys, un, ln, fn, and id parameters. This allows for potential unauthorized access to...
CVE-2024-47901
A vulnerability has been identified in InterMesh 7177 Hybrid 2.0 Subscriber (All versions V8.2.12) and InterMesh 7707 Fire Subscriber (All versions V7.2.12), only if the IP interface is enabled, which is not the default configuration. The web server of affected devices does not sanitize the input paramete...
The vulnerability of the Svacer SAST application, a static analyzer for Svace, arises from the unsafe processing of parameters during the creation of short links. This allows attackers to redirect users to any arbitrary URL address.
The vulnerability of the Svacer SAST static analyzer app is related to the unsafe processing of parameters during the creation of short links. Exploiting this vulnerability could allow a malicious actor to redirect users to any arbitrary URL address...
CLSA-2022-1658346794 Fix CVE(s): CVE-2015-20107
SECURITY UPDATE: Injection vulnerability - debian/patches/CVE-2015-20107.patch: Make mailcap refuse to match unsafe filenames/types/param in Lib/mailcap.py. - CVE-2015-20107...
BloofoxCms SQL Injection Vulnerability
BloofoxCms is a PHP-based text content management system. A SQL injection vulnerability exists in BloofoxCms versions 0.5.1 through 0.5.2.1 inclusive because the parameters "URLs, langid, tmplid, modrewrite, etadoctype, metacharset, default group, page group" lack validation of externally...
ScratchOAuth2 Cross-Site Scripting Vulnerability
Kenny2github ScratchOAuth2 is a Kenny2github open source application. Verify that a Scratch account is authentic for authorization or identification purposes. ScratchOAuth2 has a cross-site scripting vulnerability that stems from the lack of effective filtering and validation of user-submitted...
Exploit for Injection in Thedaylightstudio Fuel_Cms
Fuel CMS 1.4.1 - Remote Code Execution FUEL CMS 1.4.1 allows...
Incomplete fix to CVE-2013-0155 (Unsafe Query Generation Risk)
Due to the way that Rack::Request and Rails::Request interact, it is possible for a 3rd party or custom rack middleware to parse the parameters insecurely and store them in the same key that Rails uses for its own parameters. In the event that happens the application will receive unsafe parameter...
PHP Volunteer Management System 1.0.2 - Multiple SQL Injections
Title: PHP Volunteer Management System v1.0.2 multiple SQLi vulnerabilities
Version: 1.0.2
Author/Found by: loneferret
Software Site: https://sourceforge.net/projects/phpvolunteer/
Other vulnerabilities:...
WinSCP URI handler command execution
The scp:// and sftp:// URI handlers allow unsafe parameters to be passed via the command line...