Total
344743 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-37593 | 1 Sourcecodester | 1 Online Employees Work From Home Attendance System | 2026-04-15 | 2.7 Low |
| SourceCodester Online Employees Work From Home Attendance System v1.0 is vulnerable to SQL Injection in the file /wfh_attendance/admin/view_att.php. | ||||
| CVE-2026-37594 | 1 Sourcecodester | 1 Online Employees Work From Home Attendance System | 2026-04-15 | 2.7 Low |
| SourceCodester Online Employees Work From Home Attendance System v1.0 is vulnerable to SQL Injection in the file /wfh_attendance/admin/view_employee.php. | ||||
| CVE-2026-37595 | 1 Sourcecodester | 1 Online Employees Work From Home Attendance System | 2026-04-15 | 2.7 Low |
| SourceCodester Online Employees Work From Home Attendance System v1.0 is vulnerable to SQL Injection in the file /wfh_attendance/admin/manage_employee.php. | ||||
| CVE-2026-37596 | 1 Sourcecodester | 1 Online Employees Work From Home Attendance System | 2026-04-15 | 2.7 Low |
| SourceCodester Online Employees Work From Home Attendance System v1.0 is vulnerable to SQL Injection in the file /wfh_attendance/admin/manage_department.php. | ||||
| CVE-2026-37597 | 1 Sourcecodester | 1 Online Employees Work From Home Attendance System | 2026-04-15 | 2.7 Low |
| SourceCodester Online Employees Work From Home Attendance System v1.0 is vulnerable to SQL Injection in the file /wfh_attendance/admin/attendance_list.php. | ||||
| CVE-2026-37598 | 1 Sourcecodester | 1 Patient Appointment Scheduler System | 2026-04-15 | 2.7 Low |
| SourceCodester Patient Appointment Scheduler System v1.0 is vulnerable to arbitrary code execution (RCE) via /scheduler/classes/SystemSettings.php?f=update_settings. | ||||
| CVE-2026-37600 | 1 Sourcecodester | 1 Patient Appointment Scheduler System | 2026-04-15 | 2.7 Low |
| SourceCodester Patient Appointment Scheduler System v1.0 is vulnerable to SQL Injection in the file /scheduler/admin/appointments/view_details.php. | ||||
| CVE-2026-32614 | 1 Emmansun | 1 Gmsm | 2026-04-15 | 7.5 High |
| Go ShangMi (Commercial Cryptography) Library (GMSM) is a cryptographic library that covers the Chinese commercial cryptographic public algorithms SM2/SM3/SM4/SM9/ZUC. Prior to 0.41.1, the current SM9 decryption implementation contains an infinity-point ciphertext forgery vulnerability. The root cause is that, during decryption, the elliptic-curve point C1 in the ciphertext is only deserialized and checked to be on the curve, but the implementation does not explicitly reject the point at infinity. In the current implementation, an attacker can construct C1 as the point at infinity, causing the bilinear pairing result to degenerate into the identity element in the GT group. As a result, a critical part of the key derivation input becomes a predictable constant. An attacker who only knows the target user's UID can derive the decryption key material and then forge a ciphertext that passes the integrity check. This vulnerability is fixed in 0.41.1. | ||||
| CVE-2026-3649 | 2 Colbeinformatik, Wordpress | 2 Katalogportal-pdf-sync Widget, Wordpress | 2026-04-15 | 5.3 Medium |
| The Katalogportal PDF Sync plugin for WordPress is vulnerable to Missing Authorization in all versions up to and including 1.0.0. The katalogportal_popup_shortcode() function is registered as an AJAX handler via wp_ajax_katalogportal_shortcodePrinter but lacks any capability check (current_user_can()) or nonce verification. This allows any authenticated user, including Subscribers, to call the endpoint and retrieve a list of all synchronized PDF attachments (including those attached to private or draft posts) along with their titles, actual filenames, and the katalogportal_userid configuration value. The WP_Query uses post_status => 'any' which returns attachments regardless of the parent post's visibility status. | ||||
| CVE-2026-21882 | 1 Asfhtgkdavid | 1 Theshit | 2026-04-15 | 8.4 High |
| theshit is a command-line utility that automatically detects and fixes common mistakes in shell commands. Prior to version 0.2.0, improper privilege dropping allows local privilege escalation via command re-execution. This issue has been patched in version 0.2.0. | ||||
| CVE-2026-28741 | 1 Mattermost | 1 Mattermost | 2026-04-15 | 6.8 Medium |
| Mattermost versions 10.11.x <= 10.11.12, 11.5.x <= 11.5.0, 11.4.x <= 11.4.2, 11.3.x <= 11.3.2 fail to validate CSRF tokens on an authentication endpoint which allows an attacker to update a user's authentication method via a CSRF attack by tricking a user into visiting a malicious page. Mattermost Advisory ID: MMSA-2026-00625 | ||||
| CVE-2019-25635 | 1 Zeeways | 2 Matrimony Cms, Zeeways Matrimony Cms | 2026-04-15 | 8.2 High |
| Zeeways Matrimony CMS contains multiple SQL injection vulnerabilities that allow unauthenticated attackers to manipulate database queries through the profile_list endpoint. Attackers can inject SQL code via the up_cast, s_mother, and s_religion parameters to extract sensitive database information using time-based or error-based techniques. | ||||
| CVE-2026-37601 | 1 Sourcecodester | 1 Patient Appointment Scheduler System | 2026-04-15 | 2.7 Low |
| SourceCodester Patient Appointment Scheduler System v1.0 is vulnerable to SQL Injection in the file /scheduler/admin/appointments/manage_appointment.php. | ||||
| CVE-2026-37602 | 1 Sourcecodester | 1 Patient Appointment Scheduler System | 2026-04-15 | 2.7 Low |
| SourceCodester Patient Appointment Scheduler System v1.0 is vulnerable to SQL Injection in the file /scheduler/admin/user/manage_user.php. | ||||
| CVE-2025-65132 | 2026-04-15 | 6.1 Medium | ||
| alandsilva26 hotel-management-php 1.0 is vulnerable to Cross Site Scripting (XSS) in /public/admin/edit_room.php which allows an attacker to inject and execute arbitrary JavaScript via the room_id GET parameter. | ||||
| CVE-2025-65134 | 2026-04-15 | N/A | ||
| In manikandan580 School-management-system 1.0, a reflected cross-site scripting (XSS) vulnerability exists in /studentms/admin/contact-us.php via the email POST parameter. | ||||
| CVE-2025-65135 | 2026-04-15 | 9.8 Critical | ||
| In manikandan580 School-management-system 1.0, a time-based blind SQL injection vulnerability exists in /studentms/admin/between-date-reprtsdetails.php through the fromdate POST parameter. | ||||
| CVE-2025-65136 | 2026-04-15 | 6.1 Medium | ||
| In manikandan580 School-management-system 1.0, a reflected XSS vulnerability exists in /studentms/admin/contact-us.php via the pagedes POST parameter. | ||||
| CVE-2026-38529 | 2026-04-15 | 8.8 High | ||
| A Broken Object-Level Authorization (BOLA) in the /Settings/UserController.php endpoint of Webkul Krayin CRM v2.2.x allows authenticated attackers to arbitrarily reset user passwords and perform a full account takeover via supplying a crafted HTTP request. | ||||
| CVE-2026-38532 | 2026-04-15 | 8.1 High | ||
| A Broken Object-Level Authorization (BOLA) in the /Contact/Persons/PersonController.php endpoint of Webkul Krayin CRM v2.2.x allows authenticated attackers to arbitrarily read, modify, and permanently delete any contact owned by other users via supplying a crafted GET request. | ||||