5.1

CVSS4.0

CVE-2026-4238 - itsourcecode College Management System courses.php sql injection

A vulnerability has been found in itsourcecode College Management System 1.0. This issue affects some unknown processing of the file /admin/courses.php. The manipulation of the argument course_code leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclose…

📅 Published: March 16, 2026, 12:32 p.m. 🔄 Last Modified: March 16, 2026, 2:53 p.m.

4.5

CVSS3.1

CVE-2025-52637 - Multiple security vulnerabilities affect HCL AION

HCL AION is affected by a vulnerability where certain offering configurations may permit execution of potentially harmful SQL queries. Improper validation or restrictions on query execution could expose the system to unintended database interactions or limited information exposure under specific co…

📅 Published: March 16, 2026, 12:27 p.m. 🔄 Last Modified: March 16, 2026, 3:16 p.m.

4.3

CVSS3.1

CVE-2026-4265 - Guest user can upload files without permission across teams

Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to validate team-specific upload_file permissions which allows a guest user to post files in channels where they lack upload_file permission via uploading files in a team where they have permission and reusing the file…

📅 Published: March 16, 2026, 12:07 p.m. 🔄 Last Modified: March 18, 2026, 5:41 p.m.

4.3

CVSS3.1

CVE-2026-25783 - Denial of service via malformed User-Agent header in getBrowserVersion

Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to properly validate User-Agent header tokens which allows an authenticated attacker to cause a request panic via a specially crafted User-Agent header. Mattermost Advisory ID: MMSA-2026-00586

📅 Published: March 16, 2026, 12:04 p.m. 🔄 Last Modified: March 18, 2026, 6:11 p.m.

7.5

CVSS3.1

CVE-2026-24458 - DoS attack via login attempts with multi-megabyte passwords

Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to properly handle very long passwords, which allows an attacker to overload the server CPU and memory via executing login attempts with multi-megabyte passwords. Mattermost Advisory ID: MMSA-2026-00587

📅 Published: March 16, 2026, 12:02 p.m. 🔄 Last Modified: March 18, 2026, 6:14 p.m.

6.9

CVSS4.0

CVE-2026-4237 - itsourcecode Free Hotel Reservation System index.php sql injection

A flaw has been found in itsourcecode Free Hotel Reservation System 1.0. This vulnerability affects unknown code of the file /hotel/admin/mod_reports/index.php. Executing a manipulation of the argument Home can lead to sql injection. The attack may be performed from remote. The exploit has been pub…

📅 Published: March 16, 2026, 12:02 p.m. 🔄 Last Modified: March 16, 2026, 2:54 p.m.

6.6

CVSS3.1

CVE-2026-2462 - Admin RCE via Malicious Plugin Upload on CI Test Instances

Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to restrict plugin installation on CI test instances with default admin credentials which allows an unauthenticated attacker to achieve remote code execution and exfiltrate sensitive configuration data including AWS an…

📅 Published: March 16, 2026, noon 🔄 Last Modified: March 18, 2026, 6:31 p.m.

4.3

CVSS3.1

CVE-2026-2578 - Information Disclosure via WebSocket Event When Deleting Unrevealed Burn on Read Posts

Mattermost versions 11.3.x <= 11.3.0 fail to preserve the redacted state of burn-on-read posts during deletion which allows channel members to access unrevealed burn-on-read message contents via the WebSocket post deletion event. Mattermost Advisory ID: MMSA-2026-00579

📅 Published: March 16, 2026, 11:58 a.m. 🔄 Last Modified: March 18, 2026, 5:42 p.m.

6.9

CVSS4.0

CVE-2025-69246 - Lack of bruteforce protection in Raytha CMS

Raytha CMS does not have any brute force protection mechanism implemented. It allows an attacker to send multiple automated logon requests without triggering lockout, throttling, or step-up challenges. This issue was fixed in version 1.4.6.

📅 Published: March 16, 2026, 11:54 a.m. 🔄 Last Modified: March 16, 2026, 7:21 p.m.

5.1

CVSS4.0

CVE-2025-69245 - Reflected XSS in Raytha CMS

Raytha CMS is vulnerable to Reflected XSS via returnUrl parameter in logon functionality. An attacker can craft a malicious URL which, when opened by the authenticated victim, results in arbitrary JavaScript execution in the victim's browser. This issue was fixed in 1.4.6.

📅 Published: March 16, 2026, 11:54 a.m. 🔄 Last Modified: March 16, 2026, 7:22 p.m.