Search Results (37529 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2025-9484 1 Gitlab 1 Gitlab 2026-04-15 4.3 Medium
GitLab has remediated an issue in GitLab EE affecting all versions from 16.6 before 18.8.9, 18.9 before 18.9.5, and 18.10 before 18.10.3 that under certain circumstances could have allowed an authenticated user to have access to other users' email addresses via certain GraphQL queries.
CVE-2026-34734 1 Hdfgroup 1 Hdf5 2026-04-15 7.8 High
HDF5 is software for managing data. In 1.14.1-2 and earlier, a heap-use-after-free was found in the h5dump helper utility. An attacker who can supply a malicious h5 file can trigger a heap use-after-free. The freed object is referenced in a memmove call from H5T__conv_struct. The original object was allocated by H5D__typeinfo_init_phase3 and freed by H5D__typeinfo_term.
CVE-2026-36234 1 Itsourcecode 1 Online Student Enrollment System 2026-04-15 9.8 Critical
itsourcecode Online Student Enrollment System v1.0 is vulnerable to SQL Injection in newCourse.php via the 'coursename' parameter.
CVE-2026-36235 1 Itsourcecode 1 Online Student Enrollment System 2026-04-15 9.8 Critical
A SQL injection vulnerability was found in the scheduleSubList.php file of itsourcecode Online Student Enrollment System v1.0. The reason for this issue is that the 'subjcode' parameter is directly embedded into the SQL query via string interpolation without any sanitization or validation.
CVE-2026-36232 1 Itsourcecode 1 Online Student Enrollment System 2026-04-15 9.8 Critical
A SQL injection vulnerability was found in the instructorClasses.php file of itsourcecode Online Student Enrollment System v1.0. The reason for this issue is that the 'classId' parameter from $_GET['classId'] is directly concatenated into the SQL query without any sanitization or validation.
CVE-2026-36233 1 Itsourcecode 1 Online Student Enrollment System 2026-04-15 9.8 Critical
A SQL injection vulnerability was found in the assignInstructorSubjects.php file of itsourcecode Online Student Enrollment System v1.0. The reason for this issue is that attackers can inject malicious code via the parameter "subjcode" and use it directly in SQL queries without the need for appropriate cleaning or validation.
CVE-2026-36236 2 Janobe, Sourcecodester 2 Engineers Online Portal, Engineers Online Portal 2026-04-15 9.8 Critical
SourceCodester Engineers Online Portal v1.0 is vulnerable to SQL Injection in update_password.php via the new_password parameter.
CVE-2026-39381 2 Parse Community, Parseplatform 2 Parse Server, Parse-server 2026-04-15 4.3 Medium
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.8.0-alpha.7 and 8.6.75, the GET /sessions/me endpoint returns _Session fields that the server operator explicitly configured as protected via the protectedFields server option. Any authenticated user can retrieve their own session's protected fields with a single request. The equivalent GET /sessions and GET /sessions/:objectId endpoints correctly strip protected fields. This vulnerability is fixed in 9.8.0-alpha.7 and 8.6.75.
CVE-2026-40189 2 Goshs, Patrickhener 2 Goshs, Goshs 2026-04-15 9.8 Critical
goshs is a SimpleHTTPServer written in Go. Prior to 2.0.0-beta.4, goshs enforces the documented per-folder .goshs ACL/basic-auth mechanism for directory listings and file reads, but it does not enforce the same authorization checks for state-changing routes. An unauthenticated attacker can upload files with PUT, upload files with multipart POST /upload, create directories with ?mkdir, and delete files with ?delete inside a .goshs-protected directory. By deleting the .goshs file itself, the attacker can remove the folder's auth policy and then access previously protected content without credentials. This results in a critical authorization bypass affecting confidentiality, integrity, and availability. This vulnerability is fixed in 2.0.0-beta.4.
CVE-2026-36872 2 Razormist, Sourcecodester 2 Basic Library System, Basic Library System 2026-04-15 2.7 Low
Sourcecodester Basic Library System v1.0 is vulnerable to SQL Injection in /librarysystem/load_book.php.
CVE-2026-36873 2 Razormist, Sourcecodester 2 Basic Library System, Basic Library System 2026-04-15 2.7 Low
Sourcecodester Basic Library System v1.0 is vulnerable to SQL Injection in /librarysystem/load_admin.php.
CVE-2026-36874 2 Razormist, Sourcecodester 2 Basic Library System, Basic Library System 2026-04-15 2.7 Low
Sourcecodester Basic Library System v1.0 is vulnerable to SQL Injection in /librarysystem/load_student.php.
CVE-2026-36946 2 Oretnom23, Sourcecodester 2 Computer And Mobile Repair Shop Management System, Computer And Mobile Repair Shop Management System 2026-04-15 2.7 Low
Sourcecodester Computer and Mobile Repair Shop Management System v1.0 is vulnerable to SQL injection in the file /rsms/admin/inquiries/view_details.php.
CVE-2026-36947 2 Oretnom23, Sourcecodester 2 Computer And Mobile Repair Shop Management System, Computer And Mobile Repair Shop Management System 2026-04-15 2.7 Low
Sourcecodester Computer and Mobile Repair Shop Management System v1.0 is vulnerable to SQL Injection in the file /rsms/admin/services/view_service.php.
CVE-2026-36922 2 Oretnom23, Sourcecodester 2 Cab Management System, Cab Management System 2026-04-15 2.7 Low
Sourcecodester Cab Management System v1.0 is vulnerable to SQL injection in the file /cms/admin/categories/view_category.php.
CVE-2026-36923 2 Oretnom23, Sourcecodester 2 Cab Management System, Cab Management System 2026-04-15 2.7 Low
Sourcecodester Cab Management System 1.0 is vulnerable to SQL Injection in the file /cms/admin/bookings/view_booking.php.
CVE-2019-25635 1 Zeeways 2 Matrimony Cms, Zeeways Matrimony Cms 2026-04-15 8.2 High
Zeeways Matrimony CMS contains multiple SQL injection vulnerabilities that allow unauthenticated attackers to manipulate database queries through the profile_list endpoint. Attackers can inject SQL code via the up_cast, s_mother, and s_religion parameters to extract sensitive database information using time-based or error-based techniques.
CVE-2019-16738 3 Debian, Fedoraproject, Mediawiki 3 Debian Linux, Fedora, Mediawiki 2026-04-15 5.3 Medium
In MediaWiki through 1.33.0, Special:Redirect allows information disclosure of suppressed usernames via a User ID Lookup.
CVE-2018-11802 1 Apache 1 Solr 2026-04-15 4.3 Medium
In Apache Solr, the cluster can be partitioned into multiple collections and only a subset of nodes actually host any given collection. However, if a node receives a request for a collection it does not host, it proxies the request to a relevant node and serves the request. Solr bypasses all authorization settings for such requests. This affects all Solr versions prior to 7.7 that use the default authorization mechanism of Solr (RuleBasedAuthorizationPlugin).
CVE-2025-15445 2 Restaurant Cafeteria, Wordpress 2 Restaurant Cafeteria, Wordpress 2026-04-15 5.4 Medium
The Restaurant Cafeteria WordPress theme through 0.4.6 exposes insecure admin-ajax actions without nonce or capability checks, allowing any logged-in user, like subscriber, to perform privileged operations. An attacker can install and activate a from a user-supplied URL, leading to arbitrary PHP code execution, and also import demo content that rewrites site configuration, including Restaurant Cafeteria WordPress theme through 0.4.6_mods, pages, menus, and front page settings.