6.9
CVE-2026-2223 - code-projects Online Reviewer System index.php sql injection
A security vulnerability has been detected in code-projects Online Reviewer System 1.0. Affected by this issue is some unknown functionality of the file /system/system/students/assessments/pretest/take/index.php. The manipulation of the argument ID leads to sql injection. It is possible to initiate…
9.8
CVE-2026-22906 - Hardcoded Key Allows Credential Disclosure
User credentials are stored using AES-ECB encryption with a hardcoded key. An unauthenticated remote attacker obtaining the configuration file can decrypt and recover plaintext usernames and passwords, especially when combined with the authentication bypass.
7.5
CVE-2026-22905 - Authentication Bypass via URI Traversal
An unauthenticated remote attacker can bypass authentication by exploiting insufficient URI validation and using path traversal sequences (e.g., /js/../cgi-bin/post.cgi), gaining unauthorized access to protected CGI endpoints and configuration downloads.
9.8
CVE-2026-22904 - Stack Overflow via Oversized Cookie Fields in lighttpd
Improper length handling when parsing multiple cookie fields (including TRACKID) allows an unauthenticated remote attacker to send oversized cookie values and trigger a stack buffer overflow, resulting in a denial-of-service condition and possible remote code execution.
9.8
CVE-2026-22903 - Stack Overflow via SESSIONID Cookie in lighttpd
An unauthenticated remote attacker can send a crafted HTTP request containing an overly long SESSIONID cookie. This can trigger a stack buffer overflow in the modified lighttpd server, causing it to crash and potentially enabling remote code execution due to missing stack protections.
4.8
CVE-2026-2222 - code-projects Online Reviewer System btn_functions.php cross site scripting
A weakness has been identified in code-projects Online Reviewer System 1.0. Affected by this vulnerability is an unknown functionality of the file /system/system/admins/manage/users/btn_functions.php. Executing a manipulation of the argument firstname can lead to cross site scripting. The attack ma…
8.7
CVE-2026-2236 - HGiga｜C&Cm@il - SQL Injection
C&Cm@il developed by HGiga has a SQL Injection vulnerability, allowing unauthenticated remote attackers to inject arbitrary SQL commands to read database contents.
7.1
CVE-2026-2235 - HGiga｜C&Cm@il - SQL Injection
C&Cm@il developed by HGiga has a SQL Injection vulnerability, allowing authenticated remote attackers to inject arbitrary SQL commands to read database contents.
9.3
CVE-2026-2234 - HGiga｜C&Cm@il - Missing Authentication
C&Cm@il developed by HGiga has a Missing Authentication vulnerability, allowing unauthenticated remote attackers to read and modify any user's mail content.
6.9
CVE-2026-2221 - code-projects Online Reviewer System Login index.php sql injection
A security flaw has been discovered in code-projects Online Reviewer System 1.0. Affected is an unknown function of the file /login/index.php of the component Login. Performing a manipulation of the argument Username results in sql injection. The attack is possible to be carried out remotely. The e…