
24 matches found

Cvelist
added 5 days ago | 22 views

CVE-2026-10185 SourceCodester Hospitals Patient Records Management System Users.php save sql injection

A weakness has been identified in SourceCodester Hospitals Patient Records Management System 1.0. Affected is an unknown function of the file /classes/Users.php?f=save. This manipulation of the argument ID causes SQL injection. Remote exploitation of the attack is possible. The exploit has been...

CVSS 7.5 | EPSS 0.00033
Exploits 0 | References 6

CVE
added 5 days ago | 9 views

CVE-2026-10185

SourceCodester Hospitals Patient Records Management System 1.0 contains a SQL injection in /classes/Users.php?f=save. The vulnerability arises from manipulating the ID argument, enabling remote exploitation. Public exploits are available. Exploit maturity is PROOF-OF-CONCEPT; CVSS metrics indicat...

CVSS 7.5 | AI score 6.9 | EPSS 0.00033
Exploits 0 | References 6

Packet Storm
added 2026/04/13 12:0 a.m. | 59 views

📄 WBCE CMS 1.6.4 SQL Injection

WBCE CMS versions 1.6.4 and below suffer from a remote time-based SQL injection vulnerability via the groups parameter. CVE-2025-65950: WBCE CMS is Vulnerable to Time-Based Blind SQL Injection through groups Parameter Overview | Field | Details | |---|---| | CVE ID | CVE-2025-65950 | | Severity |...

CVSS 9.4 | AI score 5.9 | EPSS 0.00076
Exploits 3

RedhatCVE
added 2025/12/11 8:53 p.m. | 3 views

CVE-2025-65950

WBCE CMS is a content management system. In versions 1.6.4 and below, the user management module allows a low-privileged authenticated user with permissions to modify users to execute arbitrary SQL queries. This can be escalated to a full database compromise, data exfiltration, effectively...

CVSS 9.4 | AI score 7.7 | EPSS 0.00076
Exploits 3 | References 1

EUVD
added 2025/12/10 8:39 p.m. | 3 views

EUVD-2025-202607

WBCE CMS is a content management system. In versions 1.6.4 and below, the user management module allows a low-privileged authenticated user with permissions to modify users to execute arbitrary SQL queries. This can be escalated to a full database compromise, data exfiltration, effectively...

CVSS 9.4 | AI score 7.1 | EPSS 0.00076
Exploits 3 | References 3

Cvelist
added 2025/12/10 8:39 p.m. | 19 views

CVE-2025-65950 WBCE CMS is Vulnerable to Time-Based Blind SQL Injection through groups[] Parameter

WBCE CMS is a content management system. In versions 1.6.4 and below, the user management module allows a low-privileged authenticated user with permissions to modify users to execute arbitrary SQL queries. This can be escalated to a full database compromise, data exfiltration, effectively...

CVSS 9.4 | EPSS 0.00076
Exploits 3 | References 3

CVE
added 2025/12/10 8:39 p.m. | 7 views

CVE-2025-65950

WBCE CMS is vulnerable in versions 1.6.4 and earlier due to improper handling of the groups[] parameter in admin/users/save.php, enabling a low-privileged authenticated user to execute arbitrary SQL queries and potentially escalate to full database compromise with data exfiltration. The issue is ...

CVSS 9.4 | AI score 7.2 | EPSS 0.00076
Exploits 3 | References 3 | Affected Software 1

OSV
added 2025/12/10 8:39 p.m. | 6 views

CVE-2025-65950 WBCE CMS is Vulnerable to Time-Based Blind SQL Injection through groups[] Parameter

WBCE CMS is a content management system. In versions 1.6.4 and below, the user management module allows a low-privileged authenticated user with permissions to modify users to execute arbitrary SQL queries. This can be escalated to a full database compromise, data exfiltration, effectively...

CVSS 9.4 | AI score 7.6 | EPSS 0.00076
Exploits 3 | References 5

Vulnrichment
added 2025/12/10 8:39 p.m. | 2 views

CVE-2025-65950 WBCE CMS is Vulnerable to Time-Based Blind SQL Injection through groups[] Parameter

WBCE CMS is a content management system. In versions 1.6.4 and below, the user management module allows a low-privileged authenticated user with permissions to modify users to execute arbitrary SQL queries. This can be escalated to a full database compromise, data exfiltration, effectively...

CVSS 9.4 | AI score 7.2 | EPSS 0.00076
Exploits 3 | References 3

Positive Technologies
added 2025/12/10 12:0 a.m. | 4 views

PT-2025-50504

Name of the Vulnerable Software and Affected Versions WBCE CMS versions prior to 1.6.5 Description WBCE CMS is a content management system. Versions 1.6.4 and below contain a flaw in the user management module that allows a low-privileged authenticated user with user modification permissions to...

CVSS 9.4 | AI score 7.2 | EPSS 0.00076
Exploits 3 | References 5

Cvelist
added 2025/11/19 7:6 p.m. | 9 views

CVE-2025-65094 WBCE CMS is Vulnerable to Privilege Escalation via Group ID Manipulation (IDOR)

WBCE CMS is a content management system. Prior to version 1.6.4, a low-privileged user in WBCE CMS can escalate their privileges to the Administrators group by manipulating the groups parameter in the /admin/users/save.php request. The UI restricts users to assigning only their existing group, bu...

CVSS 8.7 | EPSS 0.00064
Exploits 3 | References 2

CNNVD
added 2025/11/19 12:0 a.m. | 2 views

WBCE CMS Authorization Issue Vulnerability

WBCE CMS is a PHP and MySQL based open source content management system (CMS) from WBCE CMS Open Source. An authorization issue vulnerability exists in WBCE CMS versions prior to 1.6.4, which stems from the fact that a low-privileged user can elevate privileges to the administrators group by manipulating the...

CVSS 8.8 | AI score 6.5 | EPSS 0.00064
Exploits 3 | References 2

Snyk
added 2025/07/04 2:41 a.m. | 1 view

Cross-site Scripting (XSS)

Overview: Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the save process in the /system/users/save path when handling the name or email arguments. An attacker can inject arbitrary web script or HTML by submitting crafted input to these parameters. Details...

CVSS 6.1 | AI score 5.2 | EPSS 0.00203
Exploits 1 | References 2

CNNVD
added 2025/07/04 12:0 a.m. | 1 view

Cockpit Code Injection Vulnerability

Cockpit is an interactive server management interface for Cockpit open source. A code injection vulnerability exists in Cockpit 2.11.3 and earlier versions, which stems from a cross-site scripting attack due to incorrect manipulation of the parameters name/email in the file /system/users/save...

CVSS 6.1 | AI score 4.5 | EPSS 0.00203
Exploits 1 | References 5

RedhatCVE
added 2025/05/22 11:37 p.m. | 2 views

CVE-2022-41379

An arbitrary file upload vulnerability in the component /leavesystem/classes/Users.php?f=save of Online Leave Management System v1.0 allows attackers to execute arbitrary code via a crafted PHP file...

CVSS 7.2 | AI score 7.5 | EPSS 0.00991
Exploits 1 | References 1

RedhatCVE
added 2025/05/22 11:24 p.m. | 1 view

CVE-2022-30073

WBCE CMS 1.5.2 is vulnerable to Cross Site Scripting (XSS) via /admin/users/save.php...

CVSS 5.4 | AI score 6.3 | EPSS 0.17607
Exploits 1 | References 1

OSV
added 2024/05/30 5:15 p.m. | 1 view

CVE-2024-35353

A vulnerability has been discovered in Diño Physics School Assistant version 2.3. The vulnerability impacts an unidentified code within the file /classes/Users.php?f=save. Manipulating the argument id can result in improper authorization...

CVSS 9.8 | AI score 5.7 | EPSS 0.00383
Exploits 1 | References 1

OSV
added 2024/05/30 5:15 p.m. | 1 view

CVE-2024-35352

A vulnerability has been discovered in Diño Physics School Assistant version 2.3. This vulnerability impacts unidentified code within the file /classes/Users.php?f=save. Manipulating the parameter middlename results in cross-site scripting...

CVSS 6.1 | AI score 5.2 | EPSS 0.00405
Exploits 1 | References 1

OSV
added 2022/10/07 7:15 p.m. | 0 views

CVE-2022-41379

An arbitrary file upload vulnerability in the component /leavesystem/classes/Users.php?f=save of Online Leave Management System v1.0 allows attackers to execute arbitrary code via a crafted PHP file...

CVSS 7.2 | AI score 6 | EPSS 0.00991
Exploits 1 | References 1

ATTACKERKB
added 2022/05/24 2:15 p.m. | 1 view

CVE-2022-30460

Simple Social Networking Site v1.0 is vulnerable to Cross Site Scripting (XSS) via /sns/classes/Users.php?f=save, firstname...

CVSS 5.4 | AI score 6.1 | EPSS 0.00206
Exploits 1 | References 2