6.9
CVE-2026-2952 - Vaelsys HTTP POST Request tree_server.php os command injection
A flaw has been found in Vaelsys 4.1.0. This vulnerability affects unknown code of the file /tree/tree_server.php of the component HTTP POST Request Handler. This manipulation of the argument xajaxargs causes os command injection. The attack is possible to be carried out remotely. The exploit has b…
8.8
CVE-2019-25391 - Ashop Shopping Cart Software Lastest Latest SQL Injection via bannedcustomers.php
Ashop Shopping Cart Software contains a time-based blind SQL injection vulnerability that allows attackers to manipulate database queries through the blacklistitemid parameter. Attackers can send POST requests to the admin/bannedcustomers.php endpoint with crafted SQL payloads using SLEEP functions…
8.8
CVE-2019-25366 - microASP Portal+ CMS SQL Injection via pagina.phtml
microASP Portal+ CMS contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code into the explode_tree parameter. Attackers can send crafted requests to pagina.phtml with SQL injection payloads using extractvalue and con…
8.8
CVE-2019-25440 - WebIncorp ERP Every version SQL Injection via product_detail.php
WebIncorp ERP contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the prod_id parameter. Attackers can send GET requests to product_detail.php with malicious prod_id values to extract sensitive database informati…
8.8
CVE-2019-25439 - NoviSmart CMS SQL Injection via Referer HTTP Header
NoviSmart CMS contains an SQL injection vulnerability that allows remote attackers to execute arbitrary SQL queries by injecting malicious code through the Referer HTTP header field. Attackers can craft requests with time-based SQL injection payloads in the Referer header to extract sensitive datab…
8.8
CVE-2019-25433 - XOOPS CMS 2.5.9 SQL Injection via gerar_pdf.php
XOOPS CMS 2.5.9 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the cid parameter. Attackers can send GET requests to the gerar_pdf.php endpoint with malicious cid values to extract sensitive database informa…
5.1
CVE-2026-2947 - rymcu forest User Profile UserInfoController.java updateUserInfo cross site scripting
A vulnerability was detected in rymcu forest up to 0.0.5. This affects the function updateUserInfo of the file - src/main/java/com/rymcu/forest/web/api/user/UserInfoController.java of the component User Profile Handler. The manipulation results in cross site scripting. The attack can be executed re…
8.8
CVE-2019-25452 - Dolibarr ERP/CRM 10.0.1 SQL Injection via elemid
Dolibarr ERP/CRM 10.0.1 contains an SQL injection vulnerability in the elemid POST parameter of the viewcat.php endpoint that allows unauthenticated attackers to execute arbitrary SQL queries. Attackers can submit crafted POST requests with malicious SQL payloads in the elemid parameter to extract …
7.1
CVE-2019-25450 - Dolibarr ERP/CRM 10.0.1 SQL Injection via card.php
Dolibarr ERP/CRM 10.0.1 contains multiple SQL injection vulnerabilities that allow authenticated attackers to manipulate database queries by injecting SQL code through POST parameters. Attackers can inject malicious SQL through parameters like actioncode, demand_reason_id, and availability_id in ca…
8.8
CVE-2019-25446 - DIGIT CENTRIS ERP Every version SQL Injection via datum1 Parameter
DIGIT CENTRIS ERP contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the datum1, datum2, KID, and PID parameters. Attackers can send POST requests to /korisnikinfo.php with malicious SQL syntax in these paramete…