2.7
CVE-2026-37594 -
SourceCodester Online Employees Work From Home Attendance System v1.0 is vulnerable to SQL Injection in the file /wfh_attendance/admin/view_employee.php.
2.7
CVE-2026-37597 -
SourceCodester Online Employees Work From Home Attendance System v1.0 is vulnerable to SQL Injection in the file /wfh_attendance/admin/attendance_list.php.
6.5
CVE-2026-30480 - Authenticated LFI in LibreNMS NFSen Module Exposes Arbitrary PHP Files
A Local File Inclusion (LFI) vulnerability in the NFSen module (nfsen.inc.php) of LibreNMS 22.11.0-23-gd091788f2 allows authenticated attackers to include arbitrary PHP files from the server filesystem via path traversal sequences in the nfsen parameter.
2.7
CVE-2026-37602 -
SourceCodester Patient Appointment Scheduler System v1.0 is vulnerable to SQL Injection in the file /scheduler/admin/user/manage_user.php.
8.1
CVE-2026-38532 - Webkul Krayin CRM v2.2.x BOLA Enables Authenticated Users to Read, Modify, or Delete Other Users' Cβ¦
A Broken Object-Level Authorization (BOLA) in the /Contact/Persons/PersonController.php endpoint of Webkul Krayin CRM v2.2.x allows authenticated attackers to arbitrarily read, modify, and permanently delete any contact owned by other users via supplying a crafted GET request.
9.8
CVE-2025-61260 - OpenAI Codex CLI Command Injection via Malicious Configuration Files
A vulnerability was identified in OpenAI Codex CLI v0.23.0 and before that enables code execution through malicious MCP (Model Context Protocol) configuration files. The attack is triggered when a user runs the codex command inside a malicious or compromised repository. Codex automatically loads prβ¦
0.0
CVE-2025-65134 - Reflected XSS via Email Parameter in School Management System 1.0
In manikandan580 School-management-system 1.0, a reflected cross-site scripting (XSS) vulnerability exists in /studentms/admin/contact-us.php via the email POST parameter.
8.8
CVE-2026-38529 - Broken Object-Level Authorization Allows Authenticated Password Reset and Account Takeover
A Broken Object-Level Authorization (BOLA) in the /Settings/UserController.php endpoint of Webkul Krayin CRM v2.2.x allows authenticated attackers to arbitrarily reset user passwords and perform a full account takeover via supplying a crafted HTTP request.
8.7
CVE-2026-35469 - SpdyStream: DOS on CRI
spdystream is a Go library for multiplexing streams over SPDY connections. In versions 0.5.0 and below, the SPDY/3 frame parser does not validate attacker-controlled counts and lengths before allocating memory. Three allocation paths are affected: the SETTINGS frame entry count, the header count inβ¦
5.3
CVE-2026-34069 - nimiq-consensus panics via RequestMacroChain micro-block locator
nimiq/core-rs-albatross is a Rust implementation of the Nimiq Proof-of-Stake protocol based on the Albatross consensus algorithm. In versions 1.2.2 and below, an unauthenticated p2p peer can cause the RequestMacroChain message handler task to panic. Sending a RequestMacroChain message where the firβ¦