Total
345132 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-65135 | 1 Manikandan580 | 1 School-management-system | 2026-04-17 | 9.8 Critical |
| In manikandan580 School-management-system 1.0, a time-based blind SQL injection vulnerability exists in /studentms/admin/between-date-reprtsdetails.php through the fromdate POST parameter. | ||||
| CVE-2025-70936 | 1 Vtiger | 1 Crm | 2026-04-17 | 5.4 Medium |
| Vtiger CRM 8.4.0 contains a reflected cross-site scripting (XSS) vulnerability in the MailManager module. Improper handling of user-controlled input in the _folder parameter allows a specially crafted, double URL-encoded payload to be reflected and executed in the context of an authenticated user s session. | ||||
| CVE-2026-26460 | 1 Vtiger | 1 Crm | 2026-04-17 | 6.1 Medium |
| A HTML Injection vulnerability exists in the Dashboard module of Vtiger CRM 8.4.0. The application fails to properly neutralize user-supplied input in the tabid parameter of the DashBoardTab view (getTabContents action), allowing an attacker to inject arbitrary HTML content into the dashboard interface. The injected content is rendered in the victim's browser | ||||
| CVE-2026-38528 | 1 Krayin | 1 Laravel-crm | 2026-04-17 | 7.1 High |
| Krayin CRM v2.2.x was discovered to contain a SQL injection vulnerability via the rotten_lead parameter at /Lead/LeadDataGrid.php. | ||||
| CVE-2026-39940 | 1 Churchcrm | 1 Churchcrm | 2026-04-17 | N/A |
| ChurchCRM is an open-source church management system. Prior to 7.0.0, it was possible in many places across the ChurchCRM application to create a link that, when visited by an authenticated user, would redirect them to any URL chosen by an attacker if they clicked 'Cancel' button on the page. For this write-up the DonatedItemEditor.php will be used as an example, however wherever all instances of 'linkBack' should be assessed. This vulnerability is fixed in 7.0.0. | ||||
| CVE-2026-37591 | 1 Sourcecodester | 1 Storage Unit Rental Management System | 2026-04-17 | 2.7 Low |
| Sourcecodester Storage Unit Rental Management System v1.0 is vulnerable to SQL injection in the file /storage/admin/tenants/view_details.php. | ||||
| CVE-2026-37594 | 1 Sourcecodester | 1 Online Employees Work From Home Attendance System | 2026-04-17 | 2.7 Low |
| SourceCodester Online Employees Work From Home Attendance System v1.0 is vulnerable to SQL Injection in the file /wfh_attendance/admin/view_employee.php. | ||||
| CVE-2026-37597 | 1 Sourcecodester | 1 Online Employees Work From Home Attendance System | 2026-04-17 | 2.7 Low |
| SourceCodester Online Employees Work From Home Attendance System v1.0 is vulnerable to SQL Injection in the file /wfh_attendance/admin/attendance_list.php. | ||||
| CVE-2026-37600 | 1 Sourcecodester | 1 Patient Appointment Scheduler System | 2026-04-17 | 2.7 Low |
| SourceCodester Patient Appointment Scheduler System v1.0 is vulnerable to SQL Injection in the file /scheduler/admin/appointments/view_details.php. | ||||
| CVE-2026-37590 | 1 Sourcecodester | 1 Storage Unit Rental Management System | 2026-04-17 | 2.7 Low |
| SourceCodester Storage Unit Rental Management System v1.0 is vulnerable to SQL Injection in the file /storage/admin/rents/manage_rent.php. | ||||
| CVE-2026-37592 | 1 Sourcecodester | 1 Storage Unit Rental Management System | 2026-04-17 | 2.7 Low |
| Sourcecodester Storage Unit Rental Management System v1.0 is vulnerable to SQL in the file /storage/admin/maintenance/manage_pricing.php. | ||||
| CVE-2026-37593 | 1 Sourcecodester | 1 Online Employees Work From Home Attendance System | 2026-04-17 | 2.7 Low |
| SourceCodester Online Employees Work From Home Attendance System v1.0 is vulnerable to SQL Injection in the file /wfh_attendance/admin/view_att.php. | ||||
| CVE-2026-37595 | 1 Sourcecodester | 1 Online Employees Work From Home Attendance System | 2026-04-17 | 2.7 Low |
| SourceCodester Online Employees Work From Home Attendance System v1.0 is vulnerable to SQL Injection in the file /wfh_attendance/admin/manage_employee.php. | ||||
| CVE-2026-37596 | 1 Sourcecodester | 1 Online Employees Work From Home Attendance System | 2026-04-17 | 2.7 Low |
| SourceCodester Online Employees Work From Home Attendance System v1.0 is vulnerable to SQL Injection in the file /wfh_attendance/admin/manage_department.php. | ||||
| CVE-2026-37598 | 1 Sourcecodester | 1 Patient Appointment Scheduler System | 2026-04-17 | 2.7 Low |
| SourceCodester Patient Appointment Scheduler System v1.0 is vulnerable to arbitrary code execution (RCE) via /scheduler/classes/SystemSettings.php?f=update_settings. | ||||
| CVE-2026-37601 | 1 Sourcecodester | 1 Patient Appointment Scheduler System | 2026-04-17 | 2.7 Low |
| SourceCodester Patient Appointment Scheduler System v1.0 is vulnerable to SQL Injection in the file /scheduler/admin/appointments/manage_appointment.php. | ||||
| CVE-2026-37602 | 1 Sourcecodester | 1 Patient Appointment Scheduler System | 2026-04-17 | 2.7 Low |
| SourceCodester Patient Appointment Scheduler System v1.0 is vulnerable to SQL Injection in the file /scheduler/admin/user/manage_user.php. | ||||
| CVE-2026-3146 | 1 Libvips | 1 Libvips | 2026-04-17 | 3.3 Low |
| A vulnerability has been found in libvips up to 8.18.0. The impacted element is the function vips_foreign_load_matrix_header of the file libvips/foreign/matrixload.c. The manipulation leads to null pointer dereference. The attack needs to be performed locally. The identifier of the patch is d4ce337c76bff1b278d7085c3c4f4725e3aa6ece. To fix this issue, it is recommended to deploy a patch. | ||||
| CVE-2026-27743 | 1 Spip | 2 Referer Spam, Spip | 2026-04-17 | 9.8 Critical |
| The SPIP referer_spam plugin versions prior to 1.3.0 contain an unauthenticated SQL injection vulnerability in the referer_spam_ajouter and referer_spam_supprimer action handlers. The handlers read the url parameter from a GET request and interpolate it directly into SQL LIKE clauses without input validation or parameterization. The endpoints do not enforce authorization checks and do not use SPIP action protections such as securiser_action(), allowing remote attackers to execute arbitrary SQL queries. | ||||
| CVE-2026-27637 | 2 Freescout, Freescout Helpdesk | 2 Freescout, Freescout | 2026-04-17 | 9.8 Critical |
| FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. Prior to version 1.8.206, FreeScout's `TokenAuth` middleware uses a predictable authentication token computed as `MD5(user_id + created_at + APP_KEY)`. This token is static (never expires/rotates), and if an attacker obtains the `APP_KEY` — a well-documented and common exposure vector in Laravel applications — they can compute a valid token for any user, including the administrator, achieving full account takeover without any password. This vulnerability can be exploited on its own or in combination with CVE-2026-27636. Version 1.8.206 fixes both vulnerabilities. | ||||