Web Application

An authentication logic flaw in Cap-go versions prior to 12.128.2 allows attackers to register an account with a victim's unverified email address, then enable two-factor authentication on this pre-registered account to gain full control, read/modify data, enforce organization-level policies, and deny the legitimate user access.

Cap-go versions prior to 12.128.2 are susceptible to an authentication bypass vulnerability (CVE-2026-56073) in OTP verification that allows attackers to manipulate server responses to falsely mark verification successful, leading to unauthorized 2FA enablement and subsequent account takeover.

An SQL injection vulnerability, CVE-2017-20266, in Joomla SP Movie Database version 1.3 allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the `searchword` parameter in GET requests to the `searchresults` view, enabling extraction of sensitive database information.

An unauthenticated SQL injection vulnerability (CVE-2017-20264) in Joomla! Component Sponsor Wall version 8.0 allows attackers to execute arbitrary SQL queries by injecting malicious code into the `wallid` parameter of GET requests to `index.php`, leading to the extraction of sensitive database information such as credentials and configuration data.

An unauthenticated attacker can exploit CVE-2017-20261, a critical SQL injection vulnerability in Joomla! Component Bargain Product VM3 1.0, by injecting malicious code into the 'product_id' parameter within GET requests to the 'brainy' or 'alice' views, allowing them to execute arbitrary SQL queries and extract sensitive database information.

An unauthenticated SQL injection vulnerability (CVE-2017-20257) in Joomla! Component Quiz Deluxe 3.7.4 allows attackers to execute arbitrary SQL commands and extract sensitive information via the `ajaxaction.flag_question` task using `stu_quiz_id` or `flag_quest` parameters.

CVE-2017-20256 describes an SQL injection vulnerability in Joomla Survey Force Deluxe 3.2.4 that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the 'invite' parameter in GET requests, enabling the extraction of sensitive database information.

An unauthenticated SQL injection vulnerability (CVE-2017-20253) in Joomla! Component My Projects 2.0 allows attackers to execute arbitrary SQL queries via the 'VerAyari' parameter, leading to the extraction of sensitive database information including credentials and system data.

A critical authorization bypass vulnerability exists in the `AuthorizeActionFilter` class within the DotVVM framework, failing to perform any authorization checks and allowing attackers to bypass intended access restrictions without specific exploitation techniques, impacting all users relying on `AuthorizeActionFilter` for security. Patched versions include DotVVM 4.3.15, 4.2.11, and 5.0.0-preview09; `AuthorizeAttribute` can be used as a workaround.

A remote, unauthenticated attacker can exploit a vulnerability in Gitea to bypass existing security measures, potentially leading to unauthorized access, privilege escalation, or data manipulation within the application.

A remote, authenticated attacker can exploit multiple vulnerabilities in pgAdmin to achieve arbitrary code execution with user or administrator privileges, bypass security measures, perform SQL Injection and Cross-Site Scripting attacks, redirect users to malicious websites, disclose sensitive information, and manipulate data. This comprehensive set of capabilities allows for significant compromise of system integrity, confidentiality, and potentially availability, posing a high risk to affected environments.

CVE-2026-47647 describes a critical improper access control vulnerability in Microsoft Dynamics 365 that allows an authorized attacker to elevate privileges over a network, potentially leading to full compromise of the affected system.

A remote, unauthenticated attacker can exploit an unpatched Server-Side Request Forgery (SSRF) vulnerability in Crawl4AI Docker API versions up to 0.8.9, specifically targeting the `/crawl/stream` endpoint, to read internal network services and cloud-metadata endpoints, potentially exposing sensitive information like IAM credentials.

On June 17, 2026, Drupal released critical security advisories (AV26-615) addressing multiple vulnerabilities in Drupal core and several modules including Plotly.js Graphing, Flag attendance field, and Formatter Field, which, if unpatched, could allow remote attackers to compromise affected web servers and sensitive data.

A high-severity cross-site scripting (XSS) vulnerability, tracked as CVE-2026-54002, exists in Kirby CMS versions prior to 4.9.4 and between 5.0.0-alpha.1 and 5.4.3, allowing authenticated Panel users to inject malicious markup into `writer` or `list` fields or via `Sane` API-dependent custom code, leading to stored XSS and potential privilege escalation.

A high-severity vulnerability in dadrus/heimdall (versions <= 0.17.16) enables attackers to spoof client IP addresses by injecting unvalidated or malformed values into `Forwarded` or `X-Forwarded-For` HTTP headers, potentially bypassing access controls or propagating malicious IP data to upstream services when `trusted_proxies` is configured.

Praisonai-platform versions up to and including 0.1.4 are vulnerable to a critical authentication bypass stemming from a hardcoded JWT signing secret ('dev-secret-change-me') and a bypassed production guard, allowing unauthenticated attackers to forge JSON Web Tokens (JWTs) and impersonate any user, leading to complete access, privilege escalation to workspace owner, and potential resource destruction.

Multiple high-severity vulnerabilities discovered in various SAP products, including SQL injection (SQLi), remote indirect code injection (XSS), and security policy bypasses, could allow unauthenticated attackers to compromise sensitive enterprise systems by June 2026.

A stack-based buffer overflow vulnerability (CVE-2026-10292) exists in the strcpy function of /goform/formTaskEdit in UTT HiPER 1200GW up to version 2.5.3-170306, allowing for remote code execution.

Pixa Bank 2.0 is vulnerable to SQL injection, allowing unauthenticated attackers to extract sensitive data by injecting SQL code into the 'rib' parameter via POST requests to the agence-ajax.php endpoint with UNION-based SQL payloads, potentially leading to the retrieval of user information such as names, email addresses, and phone numbers from the database.

A SQL injection vulnerability exists in code-projects Hotel and Tourism Reservation System version 1.0 due to improper sanitization of the 'tour' GET parameter in the tour.php file, potentially allowing remote attackers to execute arbitrary SQL queries.

No-Cms 1.0 is vulnerable to SQL injection (CVE-2018-25431) in the order_by parameter of the manage_privilege export endpoint, allowing authenticated attackers to manipulate database queries and potentially extract sensitive information.

Paroiciel 11.20 contains an SQL injection vulnerability (CVE-2018-25430) that allows authenticated attackers to execute arbitrary SQL queries by injecting malicious code through the eGeqIdEquipe parameter, potentially leading to sensitive data extraction.

Paroiciel 11.20 is vulnerable to SQL injection, allowing authenticated attackers to execute arbitrary SQL queries by injecting malicious code through the zProIdPro parameter, potentially extracting sensitive database information.

Paroiciel 11.20 is vulnerable to SQL injection, allowing unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the tRecIdListe parameter via GET requests to the trec.php endpoint, enabling attackers to extract sensitive database information.

Banana Slides version 0.4.0 contains a path traversal vulnerability (CVE-2026-49136) in the generate_image() function that allows unauthenticated attackers to read arbitrary image-format files outside the intended uploads directory by exploiting an incomplete path prefix check.

CVE-2026-10288 is a high severity vulnerability in code-projects Hotel and Tourism Reservation System 1.0, allowing remote attackers to bypass authentication via manipulation of the Password argument in the /admin/login.php file.

A vulnerability in Laravel allows an attacker to bypass the security policy; specifically, laravel/framework versions 12.x before 12.60.0 and 13.x before 13.10.0 are affected (CVE-2026-48019).

A SQL injection vulnerability (CVE-2026-10226) exists in student_management_system_by_php up to version 310d950e09013d5133c6b9210aff9444382d16d1, allowing remote attackers to execute arbitrary SQL commands by manipulating specific parameters in the delete.php file.

A SQL injection vulnerability exists in raisulislamg4's student_management_system_by_php up to commit 310d950e09013d5133c6b9210aff9444382d16d1, allowing remote attackers to execute arbitrary SQL commands by manipulating the Username argument in login_check.php.

CVE-2026-10178 is a remote SQL injection vulnerability in code-projects Online Music Site 1.0, affecting the /Administrator/PHP/AdminEditAlbum.php file due to manipulation of the ID argument.

CVE-2026-44839 is a cross-site scripting (XSS) vulnerability in the RabbitMQ management UI that arises from unsanitized virtual host (vhost) names, potentially allowing an attacker to execute arbitrary JavaScript in the context of a user's browser.

CVE-2026-10167 is an improper authentication vulnerability in OUSL-GROUP-BrinaryBrains School Student Management System allowing a remote attacker to manipulate the 'role' argument to bypass authentication.

Yot CMS 3.3.1 is vulnerable to SQL injection, allowing unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the aid and cid parameters in GET requests, potentially leading to database information disclosure.

Gate Pass Management System 2.1 is vulnerable to SQL injection via the login-exec.php endpoint, allowing unauthenticated attackers to bypass authentication and gain unauthorized access to the application by injecting SQL code in the login and password parameters.

MOGG web simulator Script is vulnerable to SQL injection (CVE-2018-25422), allowing unauthenticated attackers to execute arbitrary SQL commands via the id parameter in play.php, potentially leading to sensitive data extraction.

AiOPMSD Final 1.0.0 is vulnerable to SQL injection, allowing unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the country parameter via GET requests to country.php, enabling extraction of sensitive database information including usernames, database names, and version details.

AiOPMSD Final 1.0.0 is vulnerable to SQL injection, allowing unauthenticated attackers to execute arbitrary SQL queries via the 'q' parameter in search.php, potentially leading to sensitive data extraction.

MGB OpenSource Guestbook 0.7.0.2 contains an SQL injection vulnerability (CVE-2018-25411) that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the 'id' parameter in GET requests to email.php, potentially leading to sensitive database information disclosure.

SIM-PKH version 2.4.1 is vulnerable to SQL injection (CVE-2018-25410), allowing an authenticated attacker to execute arbitrary SQL queries by injecting malicious code through the 'id' parameter via a crafted GET request, potentially leading to database information disclosure.

SIM-PKH 2.4.1 contains an arbitrary file upload vulnerability (CVE-2018-25409) that allows authenticated attackers to upload malicious PHP files via the fupload parameter through the aksi_pengurus.php endpoint, leading to remote code execution.

Open ISES Project 3.30A is vulnerable to path traversal (CVE-2018-25408), allowing unauthenticated attackers to download arbitrary files by manipulating the filename parameter in the ajax/download.php endpoint, potentially exposing configuration and system files.

eNdonesia Portal 8.7 contains multiple SQL injection vulnerabilities allowing unauthenticated attackers to execute arbitrary SQL queries via crafted parameters in mod.php.

eNdonesia Portal 8.7 is vulnerable to SQL injection (CVE-2018-25406), allowing unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through specific parameters, potentially leading to data exfiltration.

eNdonesia Portal version 8.7 is vulnerable to SQL injection (CVE-2018-25405), allowing unauthenticated attackers to execute arbitrary SQL queries through the artid, cid, did, contid, and aboutid parameters in mod.php, potentially leading to the extraction of sensitive database information.

A flaw in sambitraj STUDENT-MANAGEMENT-SYSTEM 1.0 allows a remote attacker to perform SQL injection by manipulating the email argument on the Login Page, potentially leading to unauthorized data access.

A public exploit is available for an OS Command Injection vulnerability in Dolibarr ERP/CRM versions prior to 17.0.1 (CVE-2023-30253), which allows authenticated users to inject PHP code via the Website/CMS module to obtain a reverse shell as the www-data user.

CVE-2026-10110 is a SQL injection vulnerability in code-projects Student Details Management System 1.0, allowing a remote attacker to execute arbitrary SQL commands by manipulating the 'roll' argument in the /index.php file, potentially leading to data breaches and unauthorized access.

xiaomusic v0.5.7 contains an unauthenticated path traversal vulnerability (CVE-2026-10108) in the GET /music/{file_path:path} endpoint, allowing unauthenticated attackers to read arbitrary files outside the intended music directory by exploiting an incomplete path prefix check.

An authenticated remote attacker can exploit a vulnerability in Gogs to execute arbitrary code, potentially leading to complete system compromise.

CubeCart versions before 6.7.0 are vulnerable to reflected cross-site scripting (XSS), allowing an unauthenticated attacker to inject malicious JavaScript payloads via the search functionality, which will be executed in the context of the victim's browser.

A SQL injection vulnerability exists in Pimcore Platform when handling DataObject composite indices during class definition import/save, allowing an authenticated administrative user to inject attacker-controlled composite index metadata, leading to unintended SQL execution in the backend, specifically via the `index_columns` element.

phpMyFAQ before 4.1.3 contains an insecure direct object reference vulnerability in the admin API user password endpoint that allows authenticated administrators to change any user's password without authorization verification, leading to privilege escalation.

Pimcore's CustomReports feature has a share bypass vulnerability due to inconsistent authorization checks between the report listing endpoint and the report detail endpoint, allowing low-privileged users to access report configurations without explicit sharing permissions.

CrowdSec AppSec component fails to read the HTTP request body for chunked/HTTP-2 requests, leading to a bypass of WAF rules targeting `REQUEST_BODY`, `BODY_ARGS`, `ARGS_POST`, `JSON`, or `XML`, enabling unauthenticated remote attackers to evade body-inspection pipelines.

Taipy 4.1.1 contains a path traversal vulnerability (CVE-2026-48544) in the ElementLibrary.get_resource() method that allows unauthenticated attackers to escape the intended module directory by exploiting an incomplete path containment check, enabling unauthorized file access outside the intended library directory.

Multiple vulnerabilities have been discovered in Kaspersky Anti Targeted Attack Platform versions prior to 7.1.7, allowing an attacker to cause a remote cross-site scripting (XSS) vulnerability, tracked as CVE-2026-28348 and CVE-2026-28350.

itsourcecode Courier Management System 1.0 is vulnerable to SQL injection (CVE-2026-9606) via the /manage_user.php file, allowing remote attackers to manipulate the ID argument and potentially execute arbitrary SQL commands.

Kirby CMS is vulnerable to arbitrary method call via REST API search and collection query endpoints, allowing attackers to execute sensitive methods like password disclosure or privilege escalation, patched in versions 4.9.1 and 5.4.1.

A SQL injection vulnerability (CVE-2026-9584) exists in code-projects Project Management System 1.0 within the chk.php file of the Login component, allowing a remote attacker to execute arbitrary SQL commands.

A SQL injection vulnerability exists in itsourcecode Student Transcript Processing System 1.0 in the `/admin/modules/class/index.php?view=view` component; the vulnerability is triggered by manipulating the `ID` argument, potentially enabling remote attackers to execute arbitrary SQL commands.

itsourcecode Student Transcript Processing System 1.0 is vulnerable to SQL injection via the studentId/cid parameter in the /admin/modules/student/trans.php file, allowing remote attackers to manipulate database queries.

CVE-2026-9573 is a SQL injection vulnerability in itsourcecode Student Transcript Processing System 1.0, allowing a remote attacker to execute arbitrary SQL commands by manipulating the studentId parameter in the /admin/modules/student/index.php?view=view file.

Typebot is vulnerable to stored cross-site scripting (XSS) due to the rating block's custom icon feature, which accepts arbitrary HTML/SVG via the `customIcon.svg` field without sanitization. When a malicious typebot is imported or crafted by a workspace collaborator, the payload executes in the builder's DOM context, bypassing the `isUnsafe` Web Worker sandbox that protects Script blocks during preview, allowing session hijacking and privilege escalation within the builder application.

A SQL injection vulnerability (CVE-2026-9552) exists in Das Parking Management System 6.2.0 within the Search API Endpoint, allowing a remote attacker to execute arbitrary SQL commands by manipulating the 'Value' argument.

A SQL injection vulnerability exists in Das Parking Management System 停车场管理系统 version 6.2.0 allowing a remote attacker to execute arbitrary SQL commands by manipulating the Value argument in the xp_cmdshell function of the ParkingRecord/ExportParkingRecords API endpoint.

A path traversal vulnerability (CVE-2026-9550) exists in Acrel Electrical EEMS Enterprise Power Operation and Maintenance Cloud Platform 1.3.0, allowing remote attackers to access sensitive files by manipulating the path argument in the /SubstationWEBV2/app/..;/main/upfile component.

Mirasvit Full Page Cache Warmer for Magento 2 before version 1.11.12 contains a PHP object injection vulnerability (CVE-2026-45247) that allows unauthenticated attackers to achieve remote code execution by supplying a crafted serialized PHP object in the CacheWarmer cookie.

A SQL injection vulnerability exists in Shenzhen Sixun Software Sixun Shanghui Group Business Management System 10 in the /api/Dinner/PayConfig endpoint, where a remote attacker can manipulate the 'tableno' argument to inject arbitrary SQL commands.

A SQL injection vulnerability exists in itsourcecode Electronic Judging System version 1.0, specifically affecting the /admin/edit_team.php file, where an attacker can remotely manipulate the 'num_id' argument to execute arbitrary SQL commands.

A SQL Injection vulnerability exists in itsourcecode Electronic Judging System version 1.0 in the /admin/edit_judge.php file. By manipulating the judge_id argument, an attacker could execute arbitrary SQL commands on the system. The vulnerability can be triggered remotely and has a public exploit available.

A SQL injection vulnerability (CVE-2026-9523) exists in Acrel Electrical EEMS Enterprise Power Operation and Maintenance Cloud Platform 3000WEBV2, where manipulating the 'sort' argument in the '/SubstationWEBV2/app/..;/calc/getCalcmeterDetailDayListTree' file leads to remote code execution, and is publicly known and actively exploited.

A SQL injection vulnerability (CVE-2026-9474) exists in the StudentManagementSystem application, specifically affecting the confirm_logged_in function within the /studentdel.php file, allowing remote attackers to execute arbitrary SQL commands by manipulating the ID parameter.

A SQL injection vulnerability exists in the /success.php file of yashpokharna2555 StudentManagementSystem, allowing remote attackers to execute arbitrary SQL commands by manipulating the User argument.

Tiandy Easy7 Integrated Management Platform 7.17.0 is vulnerable to SQL injection (CVE-2026-9465) via manipulation of the strTBName argument in /Easy7/apps/WebService/GetDBDataEx.jsp, allowing a remote attacker to execute arbitrary SQL commands.

CVE-2026-9421 is an unrestricted file upload vulnerability in the File Handler component of KLiK SocialMediaWebsite 1.0 that can be exploited remotely.

Collectric CMU 1.0 is vulnerable to CVE-2018-25379, a boolean-based blind SQL injection, allowing unauthenticated attackers to manipulate database queries via the 'lang' parameter, potentially extracting sensitive information using time-based techniques.

Softneta MedDream PACS Server Premium 6.7.1.1 contains a directory traversal vulnerability, tracked as CVE-2018-25374, allowing unauthenticated attackers to read arbitrary files by manipulating the path parameter in requests to nocache.php.

MedDream PACS Server Premium 6.7.1.1 is vulnerable to SQL injection, allowing unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code into the email parameter via a crafted POST request to the userSignup.php endpoint.

MooSocial Store Plugin 2.6 contains a blind SQL injection vulnerability, identified as CVE-2018-25371, allowing unauthenticated attackers to manipulate database queries via the 'product' parameter, potentially leading to sensitive data extraction.

Twitter-Clone 1 is vulnerable to SQL injection via the name parameter in the search.php endpoint, allowing unauthenticated attackers to execute arbitrary SQL queries and extract sensitive information (CVE-2018-25364).

A SQL injection vulnerability (CVE-2026-9447) exists in SourceCodester Simple POS and Inventory System 1.0, allowing remote attackers to execute arbitrary SQL commands by manipulating the 'Name' argument in the /user/search.php file.

Dolibarr ERP CRM 7.0.3 is vulnerable to remote code evaluation, allowing unauthenticated attackers to execute arbitrary code by injecting PHP code through the db_name parameter, leading to arbitrary command execution.

userSpice 4.3.24 contains a username enumeration vulnerability, allowing unauthenticated attackers to discover valid usernames by sending POST requests to the existingUsernameCheck.php endpoint and analyzing the response for the 'taken' string.

CVE-2026-44930 is an LDAP injection vulnerability in the LDAP Certificate repository of the XKMS server in Apache CXF that may allow an attacker to retrieve arbitrary certificates from the repository.

CVE-2026-9383 is a SQL injection vulnerability in itsourcecode Electronic Judging System 1.0, allowing remote attackers to execute arbitrary SQL commands by manipulating the Username parameter in the /intrams/admin/login.php file.

A server-side request forgery (SSRF) vulnerability, identified as CVE-2026-9372, exists in ItzCrazyKns Vane up to version 1.12.1, allowing a remote attacker to manipulate the baseURL argument in the Model Provider API component and potentially conduct internal reconnaissance or access sensitive data.

A SQL injection vulnerability (CVE-2026-9364) exists in projectworlds Online Art Gallery Shop version 1.0, specifically in the /admin/adminHome.php file, which can be exploited remotely by manipulating the social_linked argument, potentially leading to unauthorized data access or modification.

A SQL injection vulnerability exists in SourceCodester Hospitals Patient Records Management System 1.0 within the /admin/patients/manage_history.php file, where manipulation of the ID argument can lead to remote exploitation.

SourceCodester Hospitals Patient Records Management System version 1.0 is vulnerable to SQL injection (CVE-2026-9355) via the ID parameter in the /classes/Master.php?f=save_patient_history endpoint, allowing a remote attacker to execute arbitrary SQL queries.

A remote code injection vulnerability (CVE-2026-9353) exists in NousResearch hermes-agent up to version 2026.4.23, allowing attackers to inject malicious code by manipulating the THREAT_PATTERNS argument in the Skills Guard Multi-Word Prompt Handler component.

Redaxo CMS Mediapool Addon version 5.5.1 and older contains an arbitrary file upload vulnerability (CVE-2018-25353) that allows authenticated users to bypass file extension blacklist restrictions, leading to arbitrary code execution.

Smartshop 1 is vulnerable to time-based blind SQL injection via the 'searched' parameter in search.php, allowing unauthenticated attackers to inject SQL code to extract sensitive information.

Smartshop version 1 is vulnerable to SQL injection, allowing unauthenticated attackers to execute arbitrary SQL queries via the id parameter in category.php GET requests, potentially leading to sensitive data extraction.

YesWiki versions prior to 4.6.4 are vulnerable to an unauthenticated SQL injection in the Bazar form-import path (`FormManager::create()`), allowing an unauthenticated attacker to inject arbitrary SQL into an `INSERT` statement and read the full database, including `yeswiki_users.password` hashes (CVE-2026-46670).

A vulnerability in SPIP versions prior to 4.4.15 allows an attacker to bypass the security policy, potentially leading to unauthorized actions.

Open ISES Tickets before version 3.44.2 is vulnerable to SQL injection in ajax/statistics.php via the tick_id and f_tick_id POST parameters, allowing authenticated attackers to manipulate SQL queries and potentially read, modify, or destroy database contents.

Open ISES Tickets before version 3.44.2 is vulnerable to SQL injection (CVE-2026-48238) because the id GET parameter in ajax/mobile_main.php is concatenated into the WHERE clause of a SELECT statement without sanitization, allowing authenticated attackers to craft requests that can read, modify, or destroy database contents.

A public exploit is available for CVE-2026-9082, a SQL injection vulnerability in Drupal Core affecting PostgreSQL-backed sites running versions 8.0 through 11.3.9, allowing unauthenticated users to potentially achieve data exfiltration, privilege escalation, and remote code execution.

Taiko AG1000-01A SMS Alert Gateway Rev 7.3 and Rev 8 contains an authentication bypass vulnerability (CVE-2026-9141) in the embedded web configuration interface, allowing unauthenticated attackers to access internal application pages, modify alarm routing, and disrupt monitoring and control functions.

CVE-2026-5783 is a reflected cross-site scripting (XSS) vulnerability in Beyaz Computer Software Design Industry and Trade Ltd. Co. CityPLus before version V24.29750.1.0, allowing attackers to inject malicious scripts into web pages viewed by users.

An authentication bypass vulnerability in phpMyFAQ allows an unauthenticated attacker to reset the password of any user account, including SuperAdmin accounts, by sending a PUT request with a valid username and associated email address to /api/user/password/update, resulting in complete account takeover.

Plug versions 1.4.0 to 1.19.1 are vulnerable to denial-of-service (CVE-2026-8468) due to unbounded buffer accumulation in multipart header parsing, allowing an unauthenticated attacker to exhaust server memory by sending a crafted multipart/form-data request.

TONNET's E-LAN Hybrid Recording System is vulnerable to SQL Injection (CVE-2026-9003), allowing unauthenticated remote attackers to inject arbitrary SQL commands and read database contents.

The Account Switcher plugin for WordPress is vulnerable to privilege escalation (CVE-2026-6456) due to a loose comparison and lack of validation on the `rememberLogin` REST API endpoint, allowing authenticated attackers to gain administrator privileges.

camofox-mcp exposed an unauthenticated HTTP MCP endpoint, allowing remote clients to invoke browser-control tools without authentication, potentially leading to unauthorized browser automation and data access.

FileBrowser Quantum is susceptible to CVE-2026-46410, an unauthenticated information disclosure vulnerability, potentially exposing sensitive information such as source code and file paths.

An authenticated remote attacker can exploit a vulnerability in BigBlueButton to conduct a Cross-Site Scripting (XSS) attack.

Summarize versions prior to 0.15.1 are vulnerable to path traversal in the /v1/summarize daemon endpoint, allowing authenticated callers to write files to arbitrary directories via the slidesDir request parameter and subsequently delete files.

A privilege escalation vulnerability exists in Budibase's `onboardUsers` endpoint (CVE-2026-45716) allowing a builder-level user to create global admin accounts by bypassing the intended invite flow when SMTP is not configured, due to insufficient authorization checks and direct user creation with attacker-controlled roles.

parse-nested-form-data versions 1.0.0 and earlier are vulnerable to prototype pollution via crafted FormData field names, allowing an unauthenticated remote client to mutate `Object.prototype` and potentially corrupt application state, alter control flow, or cause denial of service.

Multiple Livewire components in the Shopper framework admin panel allowed authenticated low-privilege users to bypass authorization and mutate data without the required permissions, leading to potential privilege escalation and cross-site scripting.

CVE-2026-7498 is a stored cross-site scripting (XSS) vulnerability in Basamak Information Technology Consulting and Organization Trade Ltd. Co. DernekWeb through 30122025, allowing attackers to inject arbitrary web scripts in the browser of an unsuspecting user.

A SQL injection vulnerability (CVE-2026-8771) exists in linlinjava litemall up to version 1.8.0, affecting the list function of the WxGoodsController.java file within the Front-end WeChat API component, enabling remote exploitation with a publicly available exploit.

A vulnerability in Metasoft MetaCRM up to version 6.4.0 Beta06 allows for unrestricted file upload due to manipulation of the 'File' argument in the /common/jsp/upload3.jsp file, potentially leading to arbitrary code execution.

adenhq hive versions up to 0.11.0 are vulnerable to path traversal via manipulation of the _read_events_tail function in core/framework/server/routes_sessions.py, allowing a remote attacker to potentially access sensitive files.

A remote path traversal vulnerability exists in fishaudio Bert-VITS2's Gradio Interface, allowing attackers to manipulate the data_dir argument in the generate_config function of webui_preprocess.py.

Zechat 1.5 is vulnerable to SQL injection in the v parameter (CVE-2018-25339), allowing unauthenticated attackers to extract database information using time-based blind techniques.

Joomla! extension EkRishta 2.10 contains persistent cross-site scripting and SQL injection vulnerabilities, allowing attackers to inject malicious code through profile fields and POST parameters, potentially leading to information disclosure or arbitrary code execution.

Oinone Pamirs up to version 7.2.0 is vulnerable to SQL injection in the RSQLToSQLNodeConnector.makeVariable function of the queryListByWrapper Interface, allowing remote attackers to execute arbitrary SQL commands.

Fuel CMS 1.4.13 is vulnerable to blind SQL injection via the 'col' parameter in the Activity Log interface, allowing authenticated attackers to manipulate database queries and extract information through time-based delays (CVE-2021-47980).

EgavilanMedia PHPCRUD 1.0 is vulnerable to SQL injection (CVE-2021-47956), allowing unauthenticated attackers to manipulate database queries by injecting SQL code through the firstname parameter in a POST request to insert.php, potentially extracting sensitive database information.

LayerBB version 1.1.4 is vulnerable to SQL injection via the search_query parameter, allowing unauthenticated attackers to inject SQL code and extract sensitive database information.

A vulnerability in Microsoft Exchange Server allows for arbitrary code execution, potentially enabling attackers to execute malicious JavaScript within a user's browser context to steal data or install malware.

PHP Timeclock 1.04 is vulnerable to time-based and boolean-based blind SQL injection in the login_userid parameter of login.php, allowing unauthenticated attackers to extract sensitive database information by sending crafted POST requests with SQL payloads.

AVideo's Meet plugin contains an authorization bypass vulnerability in the `uploadRecordedVideo.json.php` endpoint that derives `users_id` from the uploaded filename and calls passwordless `User->login()`, allowing any caller with the Meet shared secret to obtain a session as arbitrary users including admin.

An authenticated Sharp user with view access to at least one valid Sharp entity instance can download unrelated files from configured Laravel Storage disks by manipulating the `disk` and `path` parameters in the generic download endpoint, potentially exposing sensitive data like backups and internal documents; this vulnerability is tracked as CVE-2026-44692.

Pipecat's development runner has a path traversal vulnerability in the `/files` endpoint due to lack of input validation when handling the filename parameter, allowing an unauthenticated attacker with network access to read arbitrary files on the server using `%2F`-encoded separators.

Marten versions up to 8.36 are vulnerable to SQL injection due to the `regConfig` parameter in full-text search APIs not being properly validated or parameterized, allowing attackers to inject arbitrary SQL commands by manipulating the `regConfig` parameter, potentially leading to information disclosure, data manipulation, or denial-of-service; version 8.36.1 addresses this vulnerability.

Open WebUI versions 0.9.4 and earlier are vulnerable to Server-Side Request Forgery (SSRF) due to a parsing difference between the urlparse and requests libraries in the `validate_url` function, allowing attackers to bypass URL validation and make requests to internal IP addresses.

Open WebUI version 0.8.3 and earlier is vulnerable to an authorization bypass, allowing any authenticated user to permanently delete files owned by other users via `DELETE /api/v1/files/{id}` if the target file is referenced in any shared chat due to a flaw in the `has_access_to_file()` function.

Open WebUI versions 0.8.11 and earlier are vulnerable to arbitrary code execution due to a bypassed feature gate; the `/api/v1/utils/code/execute` endpoint allows authenticated users to execute Python code via Jupyter even when code execution is disabled, leading to potential data exfiltration and code execution (CVE-2026-45672).

Open WebUI versions prior to 0.8.6 contain a vulnerability in the chat completion API that allows attackers to bypass tool restrictions by invoking any server tool with elevated privileges by supplying the correct tool_id or tool_servers parameters; this issue is tracked as CVE-2026-45350.

Crabbox versions prior to v0.12.0 contain a privilege escalation vulnerability (CVE-2026-8629) that allows users with visibility-only access to obtain elevated agent tickets and impersonate trusted lease-side bridges via unauthorized POST requests to specific ticket endpoints.

Karakeep SDK is vulnerable to SSRF via the `metascraper-logo-favicon` plugin, which bypasses intended SSRF protections by making HTTP requests to URLs extracted from attacker-controlled HTML `<link rel="icon">` tags, allowing authenticated users to trigger server-side requests to arbitrary internal URLs.

A gym trainer in wger (<= 2.5) can escalate privileges to a gym manager by chaining calls to the trainer-login endpoint due to a flawed permission check, as tracked by CVE-2026-43978.

Vvveb before 1.0.8.3 is vulnerable to unrestricted file upload, allowing super_admin users to execute arbitrary PHP code by uploading a malicious plugin ZIP file containing PHP code which is then accessible via HTTP requests.

Vvveb before version 1.0.8.3 is vulnerable to an uncontrolled recursion vulnerability in the admin controller dispatch cycle that allows a low-privilege attacker to cause denial of service by exhausting PHP memory.

FlowiseAI version 3.1.1 and earlier contains a mass assignment vulnerability in the assistant update endpoint, allowing authenticated users to modify server-controlled properties like workspaceId, createdDate, and updatedDate, enabling cross-workspace reassignment of assistants and breaking tenant isolation in multi-workspace environments.

FlowiseAI versions 3.1.1 and earlier leak encrypted credential data when API requests include a `credentialName` filter, potentially leading to full credential theft if combined with access to the encryption key.

FlowiseAI versions 3.1.1 and earlier contain a mass assignment vulnerability in the variable update endpoint allowing authenticated users to modify server-controlled properties like workspaceId, createdDate, and updatedDate, potentially breaking tenant isolation in multi-workspace environments (CVE-2026-42861).

APPYAP Technology and Information Inc.'s Yaay Social Media App, versions 3.8.0 through 24102025, contains an authorization bypass vulnerability (CVE-2025-12008) that allows unauthorized access to functionality due to improperly constrained access control lists (ACLs).

CVE-2025-11024 is a critical SQL injection vulnerability affecting Akilli Commerce Software Technologies Ltd. Co.'s E-Commerce Website before version 4.5.001, allowing for blind SQL injection.

The InfusedWoo Pro plugin for WordPress is vulnerable to an authorization bypass (CVE-2026-6512) in versions up to 5.1.2, allowing unauthenticated attackers to delete posts, pages, products, orders, comments, and change post statuses.

CVE-2026-20916 describes a vulnerability in F5 BIG-IQ where an authenticated user with low privileges can create or modify arbitrary files via an undisclosed iControl REST endpoint, potentially leading to privilege escalation or system compromise.

Joomla J2 JOBS 1.3.0 contains an authenticated SQL injection vulnerability (CVE-2020-37224) that allows authenticated attackers to manipulate database queries by injecting SQL code through the 'sortby' parameter, potentially leading to sensitive information disclosure.

Joomla com_fabrik 3.9.11 is vulnerable to a directory traversal attack (CVE-2020-37219) where an unauthenticated attacker can list arbitrary files by manipulating the folder parameter in a GET request to the onAjax_files method, using path traversal sequences to access system directories outside the web root.

Joomla com_hdwplayer 4.2 contains an SQL injection vulnerability in the search.php file that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the hdwplayersearch parameter.

A missing authentication vulnerability in Flowise versions prior to 3.0.5 allows attackers to perform critical functions without authentication, and a working exploit is publicly available on Exploit-DB.

A remote, authenticated attacker can exploit a vulnerability in Kyverno to perform a cross-site scripting attack.

An authenticated remote attacker can exploit a vulnerability in Langflow to perform a denial-of-service attack, impacting system availability.

A remote, authenticated attacker can exploit a vulnerability in nginx-ui to disclose sensitive information.

An unauthenticated remote code injection vulnerability (CVE-2026-44672) exists in Mapfish Print's Dynamic table functionality, allowing attackers to execute arbitrary code on the server.

The Court Reservation – Manage Your Court Bookings Online plugin for WordPress versions 1.10.11 and earlier are vulnerable to SQL injection via the 'id' parameter, enabling unauthenticated attackers to extract sensitive database information.

SillyTavern versions 1.17.0 and earlier do not invalidate existing sessions after a password change, allowing attackers with stolen session cookies to retain access, even after the victim resets their password, and nullifies the password reset as a recovery measure against session theft.

SillyTavern versions 1.17.0 and earlier contain a path traversal vulnerability, CVE-2026-44650, in the `/api/extensions/delete` endpoint (and others), allowing an unauthenticated user to delete the entire extensions directory by providing '.' as the extension name, leading to data loss and potential remote exploitation via chaining with CVE-2025-59159.

Adobe Commerce versions 2.4.9-beta1 and earlier are susceptible to a stored Cross-Site Scripting (XSS) vulnerability (CVE-2026-34686) that allows low-privileged attackers to inject malicious scripts into form fields, leading to potential account compromise.

Adobe Commerce versions 2.4.9-beta1, 2.4.8-p4, 2.4.7-p9, 2.4.6-p14, 2.4.5-p16, 2.4.4-p17 and earlier are vulnerable to a path traversal (CVE-2026-34653) allowing authenticated administrators to read and write arbitrary files.

Adobe Commerce versions 2.4.9-beta1, 2.4.8-p4, 2.4.7-p9, 2.4.6-p14, 2.4.5-p16, 2.4.4-p17 and earlier are affected by an Incorrect Authorization vulnerability (CVE-2026-34645) that could allow an attacker to bypass security measures and gain unauthorized write access without user interaction.

CVE-2026-42898 is a code injection vulnerability in Microsoft Dynamics 365 (on-premises) that allows an authorized attacker to execute arbitrary code over a network.

A remote, authenticated attacker can exploit multiple vulnerabilities in Siemens SIMATIC S7 PLCs Web Server to perform cross-site scripting attacks, potentially leading to information disclosure or further unauthorized actions.

CVE-2026-6001 is an authorization bypass vulnerability in ABIS Technology Ltd. Co. BAPSİS before version 202604152042, allowing exploitation of trusted identifiers through a user-controlled key.

CVE-2026-25789 describes a vulnerability where affected devices do not properly validate and sanitize filenames on the Firmware Update page, potentially allowing a remote attacker to execute malicious JavaScript in the context of the user's session through social engineering, leading to session hijacking or credential theft.

CVE-2025-6577 is a critical SQL injection vulnerability affecting Akilli Commerce E-Commerce Website versions before 4.5.001, potentially allowing unauthenticated attackers to execute arbitrary SQL commands.

An authenticated SQL injection vulnerability (CVE-2026-44521) exists in the elFinder MySQL volume driver (`elFinderVolumeMySQL`) allowing any logged-in user, including read-only users, to inject SQL through a crafted `target` file hash leading to unauthorized data disclosure and denial of service.

The `@rvf/set-get` library, used by `@rvf/core`, is vulnerable to prototype pollution via form data processing; the `setPath` function does not block the keys `__proto__`, `constructor`, or `prototype` when walking a path, allowing attackers to set arbitrary properties on `Object.prototype` of the running server process via HTTP form submissions (CVE-2026-44483).

Open WebUI is vulnerable to path traversal (CVE-2026-44565), allowing attackers to upload files to arbitrary locations on the web server's filesystem and subsequently delete them due to insufficient filename sanitization in the `/ollama/models/upload` API endpoint.

CVE-2025-14179 is a SQL injection vulnerability in pdo_firebird due to improper handling of NUL bytes in quoted strings, potentially leading to unauthorized data access or modification.

Aero CMS 0.0.1 is vulnerable to PHP code injection (CVE-2022-50944), allowing an authenticated attacker to execute arbitrary PHP code by uploading malicious files through the image parameter, leading to remote code execution on the server.

WordPress Plugin Survey & Poll version 1.5.7.3 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the wp_sap cookie parameter, potentially leading to sensitive data extraction.

Balbooa Joomla Forms Builder version 2.0.6 is vulnerable to unauthenticated SQL injection via POST requests to the com_baforms component, allowing remote attackers to execute arbitrary SQL queries and extract sensitive database information by manipulating the 'id' parameter in a JSON payload.

Opencart TMD Vendor System 3.x contains a blind SQL injection vulnerability (CVE-2021-47928) that allows unauthenticated attackers to extract database information by injecting SQL code through the product_id parameter, potentially leading to account takeover and data exfiltration.

CVE-2026-39826 is an escaper bypass vulnerability that leads to cross-site scripting (XSS).

CVE-2026-39823 is a cross-site scripting (XSS) vulnerability in Microsoft's html/template component caused by a bypass of meta content URL escaping, potentially allowing an attacker to inject malicious scripts into web pages.

The @profullstack/mcp-server is vulnerable to OS Command Injection in the domain_lookup module, allowing unauthenticated remote attackers to execute arbitrary OS commands as the server process by injecting shell metacharacters into the domains/keywords parameters via the POST /domain-lookup/check and /domain-lookup/bulk endpoints.

A SQL injection vulnerability (CVE-2026-8132) exists in CodeAstro Leave Management System 1.0 via manipulation of the txt_username parameter in /login.php, enabling remote exploitation and potential database compromise.

SourceCodester SUP Online Shopping 1.0 is vulnerable to SQL injection via the 'seenid' parameter in /admin/message.php, allowing remote attackers to execute arbitrary SQL commands; exploit code is publicly available.

SourceCodester SUP Online Shopping 1.0 is vulnerable to SQL injection via the msgid parameter in /admin/replymsg.php, allowing remote attackers to execute arbitrary SQL commands.

A SQL injection vulnerability exists in SourceCodester Comment System 1.0, specifically affecting the post_comment.php file; by manipulating the 'Name' argument, remote attackers can inject SQL code, potentially leading to unauthorized access or data modification.

CVE-2026-34327 is a spoofing vulnerability in Microsoft Partner Center that allows unauthorized attackers to perform spoofing over a network by using externally controlled references to resources in another sphere.

Ech0's access tokens with the 'never expire' option cannot be revoked through logout or deletion, leading to persistent access until the JWT secret is rotated instance-wide.

A SQL injection vulnerability exists in code-projects Feedback System 1.0 via manipulation of the email parameter in /admin/checklogin.php, potentially allowing remote attackers to execute arbitrary SQL commands.

A remote SQL injection vulnerability exists in SourceCodester Pharmacy Sales and Inventory System 1.0 via manipulation of the ID argument in the /ajax.php?action=save_user file, potentially allowing attackers to execute arbitrary SQL queries.

A remote authenticated attacker who shares a room with a victim can steal their Matrix access token by injecting a malicious emote pack, exploiting improper URL validation and service worker behavior in Cinny versions prior to 4.10.3.

DivvyDrive versions 4.8.2.9 before 4.8.3.2 are susceptible to stored cross-site scripting (XSS) due to improper neutralization of user-supplied input during web page generation, potentially allowing attackers to execute arbitrary JavaScript in a user's browser.

DivvyDrive versions 4.8.2.9 before 4.8.3.2 are susceptible to cross-site scripting (XSS) due to improper neutralization of script-related HTML tags, potentially allowing an attacker to inject malicious scripts.

DivvyDrive versions 4.8.2.9 through 4.8.3.2 are susceptible to cross-site request forgery (CSRF), allowing an attacker to execute unauthorized actions on behalf of an authenticated user.

A vulnerability in wger version 2.5 and earlier allows an attacker with `gym.manage_gym` permission and `gym=None` to reset the password of any other `gym=None` user, disclosing the new password in plaintext and allowing account takeover.

A SQL injection vulnerability exists in the Oracle path of `FilterEngine.create_sqla_query` in Rucio, allowing any authenticated user to execute arbitrary SQL against the backend database via the DID search endpoint, potentially leading to full database compromise and data exfiltration.

A path traversal vulnerability exists in FileBrowser's public share DELETE API allowing unauthenticated attackers with valid share hashes and delete permissions to delete arbitrary files outside the shared directory, leading to unauthorized data loss and potential service disruption.

OpenClaw before version 2026.4.10 contains an incomplete navigation guard vulnerability, allowing attackers to trigger navigation without proper SSRF policy enforcement by bypassing post-action security checks via browser interactions like pressKey and type submit flows, potentially leading to unauthorized Server-Side Request Forgery (SSRF).

Craft CMS versions 5.0.0-RC1 before 5.9.18 are vulnerable to information disclosure where an authenticated control panel user with only accessCp permission can discover filenames and the complete folder structure of assets in unauthorized volumes by supplying arbitrary asset IDs to AssetsController::actionShowInFolder(), exposing sensitive volume structures and enabling targeted follow-up attacks.

An authenticated attacker with agent privileges can upload malicious files to Cisco Enterprise Chat and Email (ECE) via the Lite Agent feature, leading to potential browser-based attacks against other users.

A low-privileged user with user creation permissions in Grav CMS can overwrite existing accounts, including the primary administrator, leading to a Denial of Service (DoS) and privilege de-escalation by exploiting a business logic vulnerability in versions prior to 2.0.0-beta.2.

PyLoad versions 0.5.0b3.dev99 and earlier are vulnerable to a path traversal vulnerability in the `set_package_data` function, allowing attackers to write files to arbitrary directories with the privileges of the PyLoad process.

YAFNET is vulnerable to an unauthenticated stored second-order XSS vulnerability in the admin event log, triggered by a reflected `User-Agent` header, allowing an attacker to execute arbitrary JavaScript in an administrator's session.

A buffer overflow vulnerability exists in D-Link DI-8100 version 16.07.26A1 affecting the Web Management Interface component via manipulation of the Name argument in the /url_member.asp file, enabling a remote attacker to potentially execute arbitrary code; an exploit is publicly available.

The django-s3file package is vulnerable to relative path traversal attacks via the S3FileMiddleware component, allowing attackers to bypass pre-signed upload locations and potentially leading to unauthorized file access and modification.

Multiple stored cross-site scripting (XSS) vulnerabilities in the web-based management interface of Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to inject malicious code into specific pages of the interface, leading to arbitrary script execution or sensitive information access.

ERPGo SaaS version 3.9 is vulnerable to CSV injection, allowing authenticated attackers to execute arbitrary code by injecting malicious formulas into the vendor name field during vendor creation, which are then executed when the exported CSV file is opened in a spreadsheet application.

A remote, authenticated attacker can exploit a vulnerability in NetBox to execute arbitrary program code.

A command injection vulnerability (CVE-2026-7812) exists in the git_operation function of 54yyyu code-mcp's MCP Tool, allowing remote attackers to execute arbitrary commands by manipulating the operation argument.

A path traversal vulnerability exists in Axle-Bucamp MCP-Docusaurus versions up to commit 404bc028e15ec304c9a045528560f4b5f27a17e0, allowing remote attackers to access sensitive files by manipulating the DOCS_DIR/path argument in specific functions.

RTGS2017 NagaAgent up to version 5.1.0 is vulnerable to path traversal via manipulation of the 'Name' argument in the Skills Endpoint, potentially leading to unauthorized file access.

A-G-U-P-T-A wireshark-mcp is vulnerable to remote OS command injection (CVE-2026-7785) via manipulation of the `quick_capture` function in `pyshark_mcp.py`, potentially allowing attackers to execute arbitrary commands on the system.

OpenMRS versions 2.7.8 and earlier, as well as versions 2.8.0 through 2.8.5, are vulnerable to a path traversal (Zip Slip) attack via the `POST /openmrs/ws/rest/v1/module` endpoint that allows authenticated attackers to achieve arbitrary file write and remote code execution.

Quarkus Vertx HTTP versions < 3.20.6.1, >= 3.21.0 and < 3.27.3.1, >= 3.30.0 and < 3.33.1.1, and >= 3.34.0 and < 3.35.1.1 are vulnerable to an authorization bypass where appending a semicolon and arbitrary text to the request URL allows unauthorized access to protected resources.

An authenticated remote attacker can exploit multiple unspecified vulnerabilities in Langflow to achieve arbitrary code execution.

YunaiV yudao-cloud up to version 3.8.0 is vulnerable to an authentication bypass (CVE-2026-7710) due to improper handling of the mock-token argument in the JwtAuthenticationTokenFilter.java file, allowing remote attackers to bypass authentication.

CVE-2026-7698 allows for remote OS command injection in Tiandy Easy7 Integrated Management Platform 7.17.0 via manipulation of the 'week' argument in the /Easy7/rest/systemInfo/updateDbBackupInfo file.

Jinher OA 1.0 is vulnerable to remote SQL injection via the DeptIDList parameter in the /C6/JHSoft.Web.PlanSummarize/UserSel.aspx file, potentially allowing attackers to execute arbitrary SQL queries.

InnoShop version 0.7.8 and earlier contains an improper authentication vulnerability in the InstallServiceProvider::boot function (CVE-2026-7630) that allows remote attackers to bypass authentication and gain unauthorized access to the installation endpoint.

CVE-2026-7632 is a SQL injection vulnerability in code-projects Online Hospital Management System 1.0, allowing a remote attacker to execute arbitrary SQL commands by manipulating the 'delid' argument in the '/viewappointment.php' file.

A remote attacker can inject OS commands by manipulating the dev_script argument in the Preview Endpoint of eyal-gor's p_69_branch_monkey_mcp (up to commit 69bc71874ce40050ef45fde5a435855f18af3373), leading to arbitrary code execution on the server.

Zyosoft's School App contains an Insecure Direct Object Reference vulnerability (CVE-2026-7491) that allows authenticated remote attackers to modify parameters and access or modify other users' data.

Sunnet CTMS is vulnerable to SQL injection (CVE-2026-7489), allowing authenticated remote attackers to execute arbitrary SQL commands and compromise the database.

A path traversal vulnerability exists in Flux159 mcp-game-asset-gen version 0.1.0, where manipulation of the `statusFile` argument in the `image_to_3d_async` function allows for remote exploitation.

itsourcecode Courier Management System 1.0 is vulnerable to SQL Injection via the ID parameter in /edit_staff.php, potentially allowing remote attackers to execute arbitrary SQL commands.

CVE-2026-7550 is an SQL injection vulnerability in SourceCodester Pharmacy Sales and Inventory System 1.0, allowing remote attackers to execute arbitrary SQL commands by manipulating the ID argument in the /ajax.php?action=save_customer endpoint.

A SQL injection vulnerability (CVE-2026-7545) exists in SourceCodester Advanced School Management System 1.0 within the checkEmail endpoint of commonController.php, allowing remote attackers to potentially execute arbitrary SQL commands.

A path traversal vulnerability exists in Fujian Apex LiveBOS version 2.0 and earlier, allowing remote attackers to read arbitrary files by manipulating the filename argument in the /feed/UploadImage.do endpoint.

SSCMS v7.4.0 is vulnerable to SQL injection via the stl:sqlContent tag's queryString attribute, allowing attackers to execute arbitrary SQL statements through crafted payloads submitted to the /api/stl/actions/dynamic endpoint.

A missing authorization vulnerability in Kirby CMS allows authenticated users to bypass intended access restrictions on pages and files, potentially leading to unauthorized information disclosure and content modification; patched in versions 4.9.0 and 5.4.0.

CVE-2026-7468 is an improper access control vulnerability in 1024-lab smart-admin up to version 3.30.0, affecting the /smart-admin-api/druid/index.html file, which can be exploited remotely.

Admidio's SAML Identity Provider implementation fails to properly validate signatures on SAML AuthnRequests and LogoutRequests, enabling attackers to bypass signature enforcement, potentially disclose user attributes via forged SSO requests, and terminate user sessions via forged SLO requests.

A relative path traversal vulnerability exists in getsimpletool mcpo-simple-server <= 0.2.0, allowing remote attackers to delete arbitrary files via manipulation of the `detail` argument in the `delete_shared_prompt` function.

XATABoost CMS 1.0.0 is vulnerable to union-based SQL injection, allowing unauthenticated attackers to manipulate database queries by injecting SQL code through the id parameter via GET requests to news.php, enabling extraction of sensitive database information.

A path traversal vulnerability exists in fatbobman mail-mcp-bridge version 1.3.3 and earlier, allowing a remote attacker to read arbitrary files by manipulating the message_ids argument in the src/mail_mcp_server.py file.

A remote SQL injection vulnerability (CVE-2026-7389) exists in EyouCMS versions up to 1.7.9 due to improper handling of the 'sort_asc' argument in the GetSortData function, potentially allowing attackers to execute arbitrary SQL commands.

A path traversal vulnerability exists in eiceblue spire-pdf-mcp-server version 0.1.1, allowing remote attackers to access arbitrary files via manipulation of the filepath argument in the get_pdf_path function.

A path traversal vulnerability exists in eiceblue spire-doc-mcp-server version 1.0.0, allowing a remote attacker to access arbitrary files by manipulating the 'document_name' argument in the 'get_doc_path' function.

Elinsky execution-system-mcp 0.1.0 is vulnerable to path traversal via manipulation of the context argument in the _get_context_file_path function, allowing remote attackers to access sensitive files.

A remote SQL injection vulnerability exists in SourceCodester Pharmacy Sales and Inventory System 1.0 via manipulation of the ID parameter in the /ajax.php?action=delete_category endpoint, potentially leading to unauthorized data access or modification.

A server-side request forgery (SSRF) vulnerability in ChatGPTNextWeb NextChat up to version 2.16.1 allows remote attackers to manipulate the proxyHandler function, potentially leading to unauthorized internal resource access.

A path traversal vulnerability (CVE-2026-7237) exists in AgiFlow scaffold-mcp versions up to 1.0.27, allowing remote attackers to write to arbitrary files by manipulating the file_path argument in the write-to-file tool.

A path traversal vulnerability (CVE-2026-7234) exists in BrowserOperator browser-operator-core up to version 0.6.0, allowing remote attackers to read arbitrary files by manipulating the request.url argument in the startsWith function of scripts/component_server/server.js.

A path traversal vulnerability exists in edvardlindelof notes-mcp up to version 0.1.4, affecting the notes_mcp.py file, allowing a remote attacker to access sensitive files by manipulating the `root_dir/path` argument.

A path traversal vulnerability exists in the `search_papers` function of `src/main.py` in duartium papers-mcp-server version 9ceb3812a6458ba7922ca24a7406f8807bc55598, allowing remote attackers to read arbitrary files by manipulating the `topic` argument, with a public exploit available.

A SQL injection vulnerability exists in dubydu sqlite-mcp version 0.1.0 and earlier within the extract_to_json function allowing remote exploitation through manipulation of the output_filename argument.

A SQL injection vulnerability (CVE-2026-7199) exists in SourceCodester Pharmacy Sales and Inventory System 1.0, allowing remote attackers to execute arbitrary SQL commands by manipulating the 'ID' parameter in the `/ajax.php?action=delete_product` endpoint, potentially leading to data breach or system compromise.

CVE-2026-7131 is a SQL injection vulnerability in code-projects Online Lot Reservation System up to version 1.0, affecting the /loginuser.php component via manipulation of the email/password arguments, which could allow remote attackers to execute arbitrary SQL queries.

SourceCodester Pharmacy Sales and Inventory System 1.0 is vulnerable to SQL injection by manipulating the ID argument in the /ajax.php?action=save_receiving file, allowing remote attackers to execute arbitrary SQL commands.

A SQL injection vulnerability exists in itsourcecode Construction Management System version 1.0, affecting the processing of the /locations.php file, allowing a remote attacker to inject SQL commands by manipulating the 'address' argument, with a publicly available exploit.

A SQL injection vulnerability exists in CodePanda Source canteen_management_system version 1.0 within the /api/login.php file by manipulating the Username argument, allowing remote attackers to execute arbitrary SQL commands.

A SQL injection vulnerability exists in code-projects Inventory Management System 1.0 within the Login component, specifically affecting the Username argument, where a remote attacker can manipulate the Username parameter, leading to unauthorized data access or modification.

CVE-2026-7063 is a SQL Injection vulnerability in code-projects Employee Management System 1.0 via the 'pwd' parameter in /370project/process/eprocess.php, enabling remote attackers to execute arbitrary SQL commands.

KLiK SocialMediaWebsite up to version 1.0.1 is vulnerable to SQL injection via manipulation of the c_id argument in the /includes/get_message_ajax.php file, specifically affecting the Private Message Handler component, which can be exploited remotely.

PicoClaw version 0.2.4 is vulnerable to command injection via the /api/gateway/restart endpoint of the Web Launcher Management Plane, allowing a remote attacker to execute arbitrary commands by manipulating input.

An improper authorization vulnerability (CVE-2026-6977) exists in vanna-ai vanna up to version 2.0.2 due to manipulation of an unknown function within the Legacy Flask API, potentially allowing remote attackers to bypass intended access restrictions.

OpenClaw before 2026.3.31 is vulnerable to cross-site request forgery (CSRF) attacks due to missing browser-origin validation in HTTP operator endpoints when operating in trusted-proxy mode, allowing attackers to perform unauthorized actions.

Xerte Online Toolkits 3.15 and earlier contain an incomplete input validation vulnerability allowing unauthenticated attackers to upload malicious PHP code with a '.php4' extension, leading to arbitrary operating system command execution on the server.

A SQL injection vulnerability exists in Daptin versions prior to 0.11.4 within the `/aggregate/:typename` endpoint, where the `column` and `group` query parameters are passed to `goqu.L()` without validation, allowing authenticated users to inject arbitrary SQL expressions and exfiltrate sensitive data.

SiYuan is vulnerable to path traversal via double URL encoding in the `/export/` endpoint, bypassing an incomplete fix for CVE-2026-30869; an authenticated attacker can exploit this vulnerability to traverse directories and read arbitrary workspace files, including the SQLite database (`siyuan.db`), kernel log, and user documents due to a redundant `url.PathUnescape()` call in `serveExport()`.

FreeScout before 1.8.215 has an incorrect authorization vulnerability where a direct POST request to the `save_draft` AJAX path can create a draft inside a hidden conversation when `APP_SHOW_ONLY_ASSIGNED_CONVERSATIONS` is enabled, potentially allowing unauthorized access or modification of data.

Vvveb CMS 1.0.8 is vulnerable to remote code execution, allowing authenticated attackers to upload a PHP webshell with a .phtml extension, bypass extension restrictions, and execute arbitrary operating system commands by requesting the uploaded file.

An improper authentication vulnerability in rowboatlabs rowboat <=0.1.67 allows remote attackers to bypass authentication by manipulating the X-Tools-JWE argument in the tool_call function, potentially leading to unauthorized access and control.

A SQL injection vulnerability (CVE-2026-6629) exists in Metasoft MetaCRM up to version 6.4.0, allowing remote attackers to execute arbitrary SQL commands via manipulation of the sql argument in the Statement.executeUpdate function of the sql.jsp file.

Digiwin's EasyFlow .NET is susceptible to a SQL Injection vulnerability, enabling unauthenticated remote attackers to inject arbitrary SQL commands for unauthorized database access, modification, and deletion.

CVE-2026-6580 describes a vulnerability in liangliangyy DjangoBlog up to version 2.1.0.0 where manipulation of the 'key' argument in the Amap API Call Handler leads to the use of a hard-coded cryptographic key, enabling remote exploitation.

A critical authentication bypass vulnerability in liangliangyy DjangoBlog up to version 2.1.0.0 (CVE-2026-6577) allows remote attackers to inject arbitrary GPS data without authentication via the logtracks endpoint, potentially leading to data manipulation and unauthorized access.

CVE-2026-6574 allows remote attackers to manipulate the 'key' argument in the /public/install/lp.sql file via the API Upload Endpoint in osuuu LightPicture <= 1.2.2, leading to hardcoded credentials exposure.

WeGIA versions prior to 3.6.10 are vulnerable to SQL injection via the cpf_usuario POST parameter, allowing authenticated users to query the database under an arbitrary identity.

PraisonAI is vulnerable to SQL injection across nine database backends due to unsanitized `table_prefix` parameters, and in PostgreSQL due to an unsanitized `schema` parameter, enabling arbitrary SQL execution.

YesWiki is vulnerable to authenticated SQL Injection via the id_fiche parameter in the EntryManager::formatDataBeforeSave() function, allowing attackers to inject arbitrary SQL commands and potentially extract sensitive data.