Search Results (37327 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2026-25729 1 Lintsinghua 1 Deepaudit 2026-04-18 6.5 Medium
DeepAudit is a multi-agent system for code vulnerability discovery. In 3.0.4 and earlier, there is an improper access control vulnerability in the /api/v1/users/ endpoint allows any authenticated user to enumerate all users in the system and retrieve sensitive information including email addresses, phone numbers, full names, and role information.
CVE-2026-2073 1 Itsourcecode 1 School Management System 2026-04-18 7.3 High
A vulnerability was determined in itsourcecode School Management System 1.0. This affects an unknown function of the file /ramonsys/user/index.php. Executing a manipulation of the argument ID can lead to sql injection. The attack may be performed from remote. The exploit has been publicly disclosed and may be utilized.
CVE-2026-2089 2 Janobe, Sourcecodester 2 Online Class Record System, Online Class Record System 2026-04-18 7.3 High
A vulnerability was found in SourceCodester Online Class Record System 1.0. This vulnerability affects unknown code of the file /admin/subject/controller.php. Performing a manipulation of the argument ID results in sql injection. Remote exploitation of the attack is possible. The exploit has been made public and could be used.
CVE-2026-2090 2 Janobe, Sourcecodester 2 Online Class Record System, Online Class Record System 2026-04-18 7.3 High
A vulnerability was determined in SourceCodester Online Class Record System 1.0. This issue affects some unknown processing of the file /admin/message/search.php. Executing a manipulation of the argument term can lead to sql injection. The attack can be executed remotely. The exploit has been publicly disclosed and may be utilized.
CVE-2026-2114 2 Angeljudesuarez, Itsourcecode 2 Society Management System, Society Management System 2026-04-18 7.3 High
A vulnerability was detected in itsourcecode Society Management System 1.0. This vulnerability affects unknown code of the file /admin/edit_admin.php. The manipulation of the argument admin_id results in sql injection. The attack may be performed from remote. The exploit is now public and may be used.
CVE-2026-2208 1 Wekan Project 1 Wekan 2026-04-18 4.3 Medium
A security vulnerability has been detected in WeKan up to 8.20. Impacted is an unknown function of the file server/publications/rules.js of the component Rules Handler. The manipulation leads to missing authorization. The attack can be initiated remotely. Upgrading to version 8.21 is recommended to address this issue. The identifier of the patch is a787bcddf33ca28afb13ff5ea9a4cb92dceac005. The affected component should be upgraded.
CVE-2026-2158 2 Carmelo, Code-projects 2 Student Web Portal, Student Web Portal 2026-04-18 7.3 High
A vulnerability was detected in code-projects Student Web Portal 1.0. This impacts an unknown function of the file /check_user.php. Performing a manipulation of the argument Username results in sql injection. It is possible to initiate the attack remotely.
CVE-2026-2162 2 Clive 21, Itsourcecode 2 News Portal Project, News Portal Project 2026-04-18 4.7 Medium
A vulnerability was determined in itsourcecode News Portal Project 1.0. This affects an unknown part of the file /admin/aboutus.php. This manipulation of the argument pagetitle causes sql injection. The attack may be initiated remotely. The exploit has been publicly disclosed and may be utilized.
CVE-2026-2176 2 Code-projects, Fabian 2 Contact Management System, Contact Management System 2026-04-18 6.3 Medium
A security vulnerability has been detected in code-projects Contact Management System 1.0. This issue affects some unknown processing of the file index.py. Such manipulation of the argument selecteditem[0] leads to sql injection. The attack can be executed remotely.
CVE-2026-2197 2 Code-projects, Fabian 2 Online Reviewer System, Online Reviewer System 2026-04-18 7.3 High
A vulnerability was determined in code-projects Online Reviewer System 1.0. Impacted is an unknown function of the file /system/system/admins/assessments/pretest/exam-delete.php. This manipulation of the argument test_id causes sql injection. It is possible to initiate the attack remotely. The exploit has been publicly disclosed and may be utilized.
CVE-2026-2199 2 Code-projects, Fabian 2 Online Reviewer System, Online Reviewer System 2026-04-18 7.3 High
A security flaw has been discovered in code-projects Online Reviewer System 1.0. The impacted element is an unknown function of the file /reviewer/system/system/admins/manage/users/user-delete.php. Performing a manipulation of the argument ID results in sql injection. The attack can be initiated remotely. The exploit has been released to the public and may be used for attacks.
CVE-2026-2217 2 Admerc, Itsourcecode 2 Event Management System, Event Management System 2026-04-18 7.3 High
A vulnerability was found in itsourcecode Event Management System 1.0. The impacted element is an unknown function of the file /admin/manage_user.php. The manipulation of the argument ID results in sql injection. The attack may be launched remotely. The exploit has been made public and could be used.
CVE-2026-2220 2 Code-projects, Fabian 2 Online Reviewer System, Online Reviewer System 2026-04-18 7.3 High
A vulnerability was identified in code-projects Online Reviewer System 1.0. This impacts an unknown function of the file /system/system/admins/assessments/pretest/btn_functions.php. Such manipulation of the argument difficulty_id leads to sql injection. The attack can be executed remotely. The exploit is publicly available and might be used.
CVE-2026-2236 1 Hgiga 1 C&cm@il Package Olln-base 2026-04-18 7.5 High
C&Cm@il developed by HGiga has a SQL Injection vulnerability, allowing unauthenticated remote attackers to inject arbitrary SQL commands to read database contents.
CVE-2026-24095 1 Checkmk 1 Checkmk 2026-04-18 N/A
Improper permission enforcement in Checkmk versions 2.4.0 before 2.4.0p21, 2.3.0 before 2.3.0p43, and 2.2.0 (EOL) allows users with the "Use WATO" permission to access the "Analyze configuration" page by directly navigating to its URL, bypassing the intended "Access analyze configuration" permission check. If these users also have the "Make changes, perform actions" permission, they can perform unauthorized actions such as disabling checks or acknowledging results.
CVE-2026-24491 1 Freerdp 1 Freerdp 2026-04-18 7.5 High
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.22.0, video_timer can send client notifications after the control channel is closed, dereferencing a freed callback and triggering a use after free. This vulnerability is fixed in 3.22.0.
CVE-2026-24681 1 Freerdp 1 Freerdp 2026-04-18 7.5 High
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.22.0, aAsynchronous bulk transfer completions can use a freed channel callback after URBDRC channel close, leading to a use after free in urb_write_completion. This vulnerability is fixed in 3.22.0.
CVE-2026-24777 2 Openproject, Opf 2 Openproject, Openproject 2026-04-18 6.7 Medium
OpenProject is an open-source, web-based project management software. Prior to 17.0.2, users with the Manage Users permission can lock and unlock users. This functionality should only be possible for users of the application, but they were not supposed to be able to lock application administrators. Due to a missing permission check this logic was not enforced. The problem was fixed in OpenProject 17.0.2The problem was fixed in OpenProject 17.0.2.
CVE-2026-25495 1 Craftcms 2 Craft Cms, Craftcms 2026-04-18 8.8 High
Craft is a platform for creating digital experiences. In Craft versions 4.0.0-RC1 through 4.16.17 and 5.0.0-RC1 through 5.8.21, the element-indexes/get-elements endpoint is vulnerable to SQL Injection via the criteria[orderBy] parameter (JSON body). The application fails to sanitize this input before using it in the database query. An attacker with Control Panel access can inject arbitrary SQL into the ORDER BY clause by omitting viewState[order] (or setting both to the same payload). This issue is patched in versions 4.16.18 and 5.8.22.
CVE-2026-25808 2 Fedify, Fedify-dev 2 Hollo, Hollo 2026-04-18 7.5 High
Hollo is a federated single-user microblogging software designed to be federated through ActivityPub. Prior to 0.6.20 and 0.7.2, there is a security vulnerability where DMs and followers-only posts were exposed through the ActivityPub outbox endpoint without authorization. This vulnerability is fixed in 0.6.20 and 0.7.2.