Search Results (37319 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2026-21683 2 Color, Internationalcolorconsortium 2 Iccdev, Iccdev 2026-04-18 8.8 High
iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of International Color Consortium (ICC) color management profiles. Versions prior to 2.3.1.2 have a Type Confusion vulnerability in `icStatusCMM::CIccEvalCompare::EvaluateProfile()`. This vulnerability affects users of the iccDEV library who process ICC color profiles. Version 2.3.1.2 contains a patch. No known workarounds are available.
CVE-2026-24874 1 Themrdemonized 1 Xray-monolith 2026-04-18 9.1 Critical
Access of Resource Using Incompatible Type ('Type Confusion') vulnerability in themrdemonized xray-monolith.This issue affects xray-monolith: before 2025.12.30.
CVE-2026-1432 1 T-systems 1 Buroweb 2026-04-18 N/A
SQL injection vulnerability in the Buroweb platform version 2505.0.12, specifically in the 'tablon' component. This vulnerability is present in several parameters that do not correctly sanitize user input in the endpoint '/sta/CarpetaPublic/doEvent?APP_CODE=STA&PAGE_CODE=TABLON'. Exploiting this vulnerability could allow an attacker to execute queries on the database and gain access to confidential information.
CVE-2026-24678 1 Freerdp 1 Freerdp 2026-04-18 7.5 High
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.22.0, A capture thread sends sample responses using a freed channel callback after a device channel close, leading to a use after free in ecam_channel_write. This vulnerability is fixed in 3.22.0.
CVE-2026-3164 2 Clive 21, Itsourcecode 2 News Portal Project, News Portal Project 2026-04-18 7.3 High
A vulnerability was found in itsourcecode News Portal Project 1.0. This issue affects some unknown processing of the file /admin/contactus.php. The manipulation of the argument pagetitle results in sql injection. It is possible to launch the attack remotely. The exploit has been made public and could be used.
CVE-2026-37344 1 Sourcecodester 1 Vehicle Parking Area Management System 2026-04-18 7.2 High
SourceCodester Vehicle Parking Area Management System v1.0 is vulnerable to SQL Injection in the file /parking/manage_location.php.
CVE-2026-1422 2 Code-projects, Fabian 2 Online Examination System, Online Examination System 2026-04-18 7.3 High
A vulnerability was found in code-projects Online Examination System 1.0. Affected by this vulnerability is an unknown functionality of the file /index.php of the component Login Page. Performing a manipulation of the argument User results in sql injection. The attack is possible to be carried out remotely. The exploit has been made public and could be used.
CVE-2026-1546 1 Jishenghua 1 Jsherp 2026-04-18 6.3 Medium
A security vulnerability has been detected in jishenghua jshERP up to 3.6. The impacted element is the function getBillItemByParam of the file /jshERP-boot/depotItem/importItemExcel of the component com.jsh.erp.datasource.mappers.DepotItemMapperEx. The manipulation of the argument barCodes leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed publicly and may be used. The project was informed of the problem early through an issue report but has not responded yet.
CVE-2026-2166 2 Code-projects, Fabian 2 Online Reviewer System, Online Reviewer System 2026-04-18 7.3 High
A security vulnerability has been detected in code-projects Online Reviewer System 1.0. The affected element is an unknown function of the file /login/index.php of the component Login. The manipulation of the argument username/password leads to sql injection. The attack is possible to be carried out remotely. The exploit has been disclosed publicly and may be used.
CVE-2026-2179 1 Phpgurukul 1 Hospital Management System 2026-04-18 4.7 Medium
A vulnerability was determined in PHPGurukul Hospital Management System 4.0. This impacts an unknown function of the file /admin/manage-users.php. This manipulation of the argument ID causes sql injection. The attack can be initiated remotely. The exploit has been publicly disclosed and may be utilized.
CVE-2026-23980 1 Apache 1 Superset 2026-04-18 6.5 Medium
Improper Neutralization of Special Elements used in a SQL Command ('SQL Injection') vulnerability in Apache Superset allows an authenticated user with read access to conduct error-based SQL injection via the sqlExpression or where parameters. This issue affects Apache Superset: before 6.0.0. Users are recommended to upgrade to version 6.0.0, which fixes the issue.
CVE-2026-26706 2 Oretnom23, Sourcecodester 2 Pharmacy Point Of Sale System, Pharmacy Point Of Sale System 2026-04-18 9.8 Critical
sourcecodester Pharmacy Point of Sale System v1.0 is vulnerable to SQL Injection in /pharmacy/view_receipt.php.
CVE-2026-0575 2 Code-projects, Fabian 2 Online Product Reservation System, Online Product Reservation System 2026-04-18 7.3 High
A security vulnerability has been detected in code-projects Online Product Reservation System 1.0. This impacts an unknown function of the file /handgunner-administrator/adminlogin.php of the component Administrator Login. Such manipulation of the argument emailadd/pass leads to sql injection. The attack may be performed from remote. The exploit has been disclosed publicly and may be used.
CVE-2026-0576 2 Code-projects, Fabian 2 Online Product Reservation System, Online Product Reservation System 2026-04-18 7.3 High
A vulnerability was detected in code-projects Online Product Reservation System 1.0. Affected is an unknown function of the file /handgunner-administrator/prod.php of the component Parameter Handler. Performing a manipulation of the argument cat/price/name/model/serial results in sql injection. It is possible to initiate the attack remotely. The exploit is now public and may be used.
CVE-2026-0579 2 Code-projects, Fabian 2 Online Product Reservation System, Online Product Reservation System 2026-04-18 7.3 High
A vulnerability was found in code-projects Online Product Reservation System 1.0. This affects an unknown part of the file /handgunner-administrator/edit.php of the component POST Parameter Handler. The manipulation of the argument prod_id/name/price/model/serial results in sql injection. The attack can be launched remotely. The exploit has been made public and could be used.
CVE-2026-0582 2 Angeljudesuarez, Itsourcecode 2 Society Management System, Society Management System 2026-04-18 6.3 Medium
A vulnerability was identified in itsourcecode Society Management System 1.0. This affects an unknown part of the file /admin/edit_activity_query.php. The manipulation of the argument Title leads to sql injection. The attack may be initiated remotely. The exploit is publicly available and might be used.
CVE-2026-0728 2 Carmelo, Code-projects 2 Intern Membership Management System, Intern Membership Management System 2026-04-18 4.7 Medium
A security vulnerability has been detected in code-projects Intern Membership Management System 1.0. This issue affects some unknown processing of the file /intern/admin/delete_admin.php. Such manipulation of the argument admin_id leads to sql injection. The attack may be launched remotely. The exploit has been disclosed publicly and may be used.
CVE-2026-37343 1 Sourcecodester 1 Vehicle Parking Area Management System 2026-04-18 7.2 High
SourceCodester Vehicle Parking Area Management System v1.0 is vulnerable to SQL Injection in the file /parking/manage_user.php.
CVE-2026-23477 2 Rocket.chat, Rocketchat 2 Rocket.chat, Rocket.chat 2026-04-18 7.7 High
Rocket.Chat is an open-source, secure, fully customizable communications platform. In Rocket.Chat versions up to 6.12.0, the API endpoint GET /api/v1/oauth-apps.get is exposed to any authenticated user, regardless of their role or permissions. This endpoint returns an OAuth application, as long as the user knows its ID, including potentially sensitive fields such as client_id and client_secret. This vulnerability is fixed in 6.12.0.
CVE-2026-0687 1 Wordpress 1 Wordpress 2026-04-18 4.3 Medium
The Meta-box GalleryMeta plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'mb_gallery' custom post type in all versions up to, and including, 3.0.1. This makes it possible for authenticated attackers, with Author-level access and above, to create and publish galleries.