8.8

CVSS3.1

CVE-2026-28805 - OpenSTAManager: Time-Based Blind SQL Injection via `options[stato]` Parameter

OpenSTAManager is an open source management software for technical assistance and invoicing. Prior to version 2.10.2, multiple AJAX select handlers in OpenSTAManager are vulnerable to Time-Based Blind SQL Injection through the options[stato] GET parameter. The user-supplied value is read from $supe…

📅 Published: April 2, 2026, 1:44 p.m. 🔄 Last Modified: April 2, 2026, 8:21 p.m.

7.2

CVSS3.1

CVE-2026-29782 - OpenSTAManager: Remote Code Execution via Insecure Deserialization in OAuth2

OpenSTAManager is an open source management software for technical assistance and invoicing. Prior to version 2.10.2, the oauth2.php file in OpenSTAManager is an unauthenticated endpoint ($skip_permissions = true). It loads a record from the zz_oauth2 table using the attacker-controlled GET paramet…

📅 Published: April 2, 2026, 1:42 p.m. 🔄 Last Modified: April 2, 2026, 8:12 p.m.

6.9

CVSS4.0

CVE-2026-5333 - DefaultFuction Content-Management-System tools.php command injection

A security flaw has been discovered in DefaultFuction Content-Management-System 1.0. This issue affects some unknown processing of the file /admin/tools.php. The manipulation of the argument host results in command injection. The attack can be executed remotely. The exploit has been released to the…

📅 Published: April 2, 2026, 1:30 p.m. 🔄 Last Modified: April 2, 2026, 1:30 p.m.

8.5

CVSS4.0

CVE-2026-2737 - Possibility of unintended actions when an administrator clicks a malicious link in the Progress Flo…

A vulnerability exists in Progress Flowmon versions prior to 12.5.8 and 13.0.6, whereby an administrator who clicks a malicious link provided by an attacker may inadvertently trigger unintended actions within their authenticated web session.

📅 Published: April 2, 2026, 1:28 p.m. 🔄 Last Modified: April 2, 2026, 8:21 p.m.

8.7

CVSS4.0

CVE-2026-3692 - Unintended command execution during report generation in Progress Flowmon

In Progress Flowmon versions prior to 12.5.8, a vulnerability exists whereby an authenticated low-privileged user may craft a request during the report generation process that results in unintended commands being executed on the server.

📅 Published: April 2, 2026, 1:27 p.m. 🔄 Last Modified: April 2, 2026, 1:27 p.m.

5.1

CVSS4.0

CVE-2026-5332 - Xiaopi Panel WAF Firewall demo.php cross site scripting

A vulnerability was identified in Xiaopi Panel 1.0.0. This vulnerability affects unknown code of the file /demo.php of the component WAF Firewall. The manipulation of the argument param leads to cross site scripting. Remote exploitation of the attack is possible. The exploit is publicly available a…

📅 Published: April 2, 2026, 1:15 p.m. 🔄 Last Modified: April 2, 2026, 1:15 p.m.

9.1

CVSS3.1

CVE-2026-2701 - RCE vulnerability in Progress ShareFile Storage Zones Controller (SZC)

Authenticated user can upload a malicious file to the server and execute it, which leads to remote code execution.

📅 Published: April 2, 2026, 1:04 p.m. 🔄 Last Modified: April 2, 2026, 8:21 p.m.

9.8

CVSS3.1

CVE-2026-2699 - EAR vulnerability in Progress ShareFile Storage Zones Controller (SZC)

Customer Managed ShareFile Storage Zones Controller (SZC) allows an unauthenticated attacker to access restricted configuration pages. This leads to changing system configuration and potential remote code execution.

📅 Published: April 2, 2026, 1:04 p.m. 🔄 Last Modified: April 2, 2026, 8:21 p.m.

5.1

CVSS4.0

CVE-2026-5331 - OpenCart Extension Installer installer.php path traversal

A vulnerability was determined in OpenCart 4.1.0.3. This affects an unknown part of the file installer.php of the component Extension Installer Page. Executing a manipulation can lead to path traversal. The attack may be launched remotely. The exploit has been publicly disclosed and may be utilized…

📅 Published: April 2, 2026, 1 p.m. 🔄 Last Modified: April 2, 2026, 1 p.m.

6.5

CVSS3.1

CVE-2026-34890 - WordPress MSTW League Manager plugin <= 2.10 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Mark O’Donnell MSTW League Manager allows DOM-Based XSS. This issue affects MSTW League Manager: from n/a through 2.10.

📅 Published: April 2, 2026, 12:58 p.m. 🔄 Last Modified: April 2, 2026, 12:58 p.m.