Search Results (37389 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2026-2173 2 Code-projects, Fabian 2 Online Examination System, Online Examination System 2026-04-17 7.3 High
A vulnerability was identified in code-projects Online Examination System 1.0. Affected by this issue is some unknown functionality of the file login.php. The manipulation of the argument username/password leads to sql injection. The attack may be initiated remotely.
CVE-2026-35596 2 Go-vikunja, Vikunja 2 Vikunja, Vikunja 2026-04-17 4.3 Medium
Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, the hasAccessToLabel function contains a SQL operator precedence bug that allows any authenticated user to read any label that has at least one task association, regardless of project access. Label titles, descriptions, colors, and creator information are exposed. This vulnerability is fixed in 2.3.0.
CVE-2026-35598 2 Go-vikunja, Vikunja 2 Vikunja, Vikunja 2026-04-17 4.3 Medium
Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, the CalDAV GetResource and GetResourcesByList methods fetch tasks by UID from the database without verifying that the authenticated user has access to the task's project. Any authenticated CalDAV user who knows (or guesses) a task UID can read the full task data from any project on the instance. This vulnerability is fixed in 2.3.0.
CVE-2026-2189 1 Itsourcecode 1 School Management System 2026-04-17 7.3 High
A vulnerability was identified in itsourcecode School Management System 1.0. This affects an unknown function of the file /ramonsys/report/index.php. The manipulation of the argument ay leads to sql injection. The attack can be initiated remotely. The exploit is publicly available and might be used.
CVE-2026-2190 1 Itsourcecode 1 School Management System 2026-04-17 7.3 High
A security flaw has been discovered in itsourcecode School Management System 1.0. This impacts an unknown function of the file /ramonsys/user/controller.php. The manipulation of the argument ID results in sql injection. The attack can be launched remotely. The exploit has been released to the public and may be used for attacks.
CVE-2026-2195 2 Code-projects, Fabian 2 Online Reviewer System, Online Reviewer System 2026-04-17 7.3 High
A vulnerability has been found in code-projects Online Reviewer System 1.0. This vulnerability affects unknown code of the file /system/system/admins/assessments/pretest/questions-view.php. The manipulation of the argument ID leads to sql injection. The attack is possible to be carried out remotely. The exploit has been disclosed to the public and may be used.
CVE-2026-2196 2 Code-projects, Fabian 2 Online Reviewer System, Online Reviewer System 2026-04-17 7.3 High
A vulnerability was found in code-projects Online Reviewer System 1.0. This issue affects some unknown processing of the file /system/system/admins/assessments/pretest/exam-update.php. The manipulation of the argument test_id results in sql injection. The attack may be performed from remote. The exploit has been made public and could be used.
CVE-2026-2198 2 Code-projects, Fabian 2 Online Reviewer System, Online Reviewer System 2026-04-17 7.3 High
A vulnerability was identified in code-projects Online Reviewer System 1.0. The affected element is an unknown function of the file /system/system/admins/assessments/pretest/loaddata.php. Such manipulation of the argument difficulty_id leads to sql injection. It is possible to launch the attack remotely. The exploit is publicly available and might be used.
CVE-2026-2211 2 Code-projects, Fabian 2 Online Music Site, Online Music Site 2026-04-17 7.3 High
A vulnerability was determined in code-projects Online Music Site 1.0. Affected is an unknown function of the file /Administrator/PHP/AdminDeleteCategory.php. Executing a manipulation of the argument ID can lead to sql injection. The attack can be executed remotely. The exploit has been publicly disclosed and may be utilized.
CVE-2026-2212 2 Code-projects, Fabian 2 Online Music Site, Online Music Site 2026-04-17 7.3 High
A vulnerability was identified in code-projects Online Music Site 1.0. Affected by this vulnerability is an unknown functionality of the file /Administrator/PHP/AdminEditCategory.php. The manipulation of the argument ID leads to sql injection. The attack is possible to be carried out remotely. The exploit is publicly available and might be used.
CVE-2026-2221 2 Code-projects, Fabian 2 Online Reviewer System, Online Reviewer System 2026-04-17 7.3 High
A security flaw has been discovered in code-projects Online Reviewer System 1.0. Affected is an unknown function of the file /login/index.php of the component Login. Performing a manipulation of the argument Username results in sql injection. The attack is possible to be carried out remotely. The exploit has been released to the public and may be used for attacks.
CVE-2026-2235 1 Hgiga 1 C&cm@il Package Olln-base 2026-04-17 6.5 Medium
C&Cm@il developed by HGiga has a SQL Injection vulnerability, allowing authenticated remote attackers to inject arbitrary SQL commands to read database contents.
CVE-2026-2223 2 Code-projects, Fabian 2 Online Reviewer System, Online Reviewer System 2026-04-17 7.3 High
A security vulnerability has been detected in code-projects Online Reviewer System 1.0. Affected by this issue is some unknown functionality of the file /system/system/students/assessments/pretest/take/index.php. The manipulation of the argument ID leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed publicly and may be used.
CVE-2026-2225 2 Clive 21, Itsourcecode 2 News Portal Project, News Portal Project 2026-04-17 7.3 High
A flaw has been found in itsourcecode News Portal Project 1.0. This vulnerability affects unknown code of the file /admin/index.php of the component Administrator Login. This manipulation of the argument email causes sql injection. The attack can be initiated remotely. The exploit has been published and may be used.
CVE-2026-24675 1 Freerdp 1 Freerdp 2026-04-17 7.5 High
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.22.0, urb_select_interface can free the device's MS config on error but later code still dereferences it, leading to a use after free in libusb_udev_select_interface. This vulnerability is fixed in 3.22.0.
CVE-2026-24677 1 Freerdp 1 Freerdp 2026-04-17 9.1 Critical
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.22.0, ecam_encoder_compress_h264 trusts server-controlled dimensions and does not validate the source buffer size, leading to an out-of-bounds read in sws_scale. This vulnerability is fixed in 3.22.0.
CVE-2026-24683 1 Freerdp 1 Freerdp 2026-04-17 7.5 High
FreeRDP is a free implementation of the Remote Desktop Protocol. ainput_send_input_event caches channel_callback in a local variable and later uses it without synchronization; a concurrent channel close can free or reinitialize the callback, leading to a use after free. Prior to 3.22.0, This vulnerability is fixed in 3.22.0.
CVE-2026-33141 1 Chamilo 1 Chamilo Lms 2026-04-17 6.5 Medium
Chamilo LMS is a learning management system. Prior to 2.0.0-RC.3, an Insecure Direct Object Reference (IDOR) vulnerability in the REST API stats endpoint allows any authenticated user (including low-privilege students with ROLE_USER) to read any other user's learning progress, certificates, and gradebook scores for any course, without enrollment or supervisory relationship. This vulnerability is fixed in 2.0.0-RC.3.
CVE-2026-33899 1 Imagemagick 1 Imagemagick 2026-04-17 5.3 Medium
ImageMagick is free and open-source software used for editing and manipulating digital images. In versions below 7.1.2-189 and 6.9.13-44, when `Magick` parses an XML file it is possible that a single zero byte is written out of the bounds. This issue has been fixed in versions 6.9.13-44 and 7.1.2-19.
CVE-2026-25876 2 Praskla-technology, Prasklatechnology 2 Assessment-placipy, Placipy 2026-04-17 9.1 Critical
PlaciPy is a placement management system designed for educational institutions. In version 1.0.0, the backend/src/routes/results.routes.ts verify authentication but fails to enforce object-level authorization (ownership checks). For example, this can be used to return all results for an assessment.