VulDB Recent Entries

A vulnerability described as critical has been identified in code-projects Online Music Site 1.0. This vulnerability affects unknown code of the file /Administrator/PHP/AdminDeleteAlbum.php. The manipulation of the argument ID results in sql injection. This vulnerability was named CVE-2026-11489. The attack may be performed from remote. In addition, an exploit is available.

A vulnerability marked as critical has been reported in code-projects Simple Flight Ticket Booking System 1.0. This affects an unknown part of the file checkUser.php of the component POST Parameter Handler. The manipulation of the argument Username leads to sql injection. This vulnerability is uniquely identified as CVE-2026-11488. The attack is possible to be carried out remotely. Moreover, an exploit is present.

A vulnerability labeled as critical has been found in Neovim up to 0.12.2. Affected by this issue is the function M.read of the file runtime/lua/vim/secure.lua of the component View Branch. Executing a manipulation of the argument path can lead to command injection. This vulnerability is handled as CVE-2026-11487. It is possible to launch the attack on the local host. Additionally, an exploit exists. A patch should be applied to remediate this issue.

A vulnerability identified as critical has been detected in SourceCodester Class and Exam Timetabling System 1.0. Affected by this vulnerability is an unknown functionality of the file /archive1.php. Performing a manipulation of the argument sy results in sql injection. This vulnerability is known as CVE-2026-11486. Remote exploitation of the attack is possible. Furthermore, an exploit is available.

A vulnerability categorized as critical has been discovered in SourceCodester Class and Exam Timetabling System 1.0. Affected is an unknown function of the file /archive2.php. Such manipulation of the argument sy leads to sql injection. This vulnerability is traded as CVE-2026-11485. The attack may be launched remotely. Furthermore, there is an exploit available.

A vulnerability was found in SourceCodester Class and Exam Timetabling System 1.0. It has been rated as critical. This impacts an unknown function of the file /archive3.php. This manipulation of the argument sy causes sql injection. This vulnerability appears as CVE-2026-11484. The attack may be initiated remotely. In addition, an exploit is available.

A vulnerability was found in SourceCodester Class and Exam Timetabling System 1.0. It has been declared as critical. This affects an unknown function of the file /archive4.php. The manipulation of the argument sy results in sql injection. This vulnerability is reported as CVE-2026-11483. The attack can be launched remotely. Moreover, an exploit is present.

A vulnerability was found in SourceCodester Class and Exam Timetabling System 1.0. It has been classified as critical. The impacted element is an unknown function of the file /archive5.php. The manipulation of the argument sy leads to sql injection. This vulnerability is documented as CVE-2026-11482. The attack can be initiated remotely. Additionally, an exploit exists.

A vulnerability was found in yoanbernabeu grepai up to 0.35.0 and classified as problematic. The affected element is the function PostgresStore.LookupByContentHash of the file indexer/chunker.go of the component Postgres Embedding Cache. Executing a manipulation of the argument content_hash can lead to use of weak hash. This vulnerability is registered as CVE-2026-11481. The attack needs to be launched locally. Furthermore, an exploit is available. The pull request to fix this issue awaits acceptance.

A vulnerability has been found in Chengdu Everbrite Network Technology BeikeShop up to 1.6.0.22 and classified as critical. Impacted is an unknown function of the file beike/Admin/Routes/admin.php of the component Admin Design Builder Endpoint. Performing a manipulation of the argument settings.value results in sql injection. This vulnerability is cataloged as CVE-2026-11480. It is possible to initiate the attack remotely. Furthermore, there is an exploit available. To fix this issue, it is recommended to deploy a patch.

A vulnerability, which was classified as problematic, was found in yoanbernabeu grepai 0.35.0. This issue affects some unknown processing of the file indexer/chunker.go of the component Qdrant Backend. Such manipulation leads to use of weak hash. This vulnerability is listed as CVE-2026-11479. The attack may be performed from remote. In addition, an exploit is available. The pull request to fix this issue awaits acceptance.

A vulnerability, which was classified as problematic, has been found in kokke tiny-regex-c up to f2632c6d9ed25272987471cdb8b70395c2460bdb. This vulnerability affects the function matchstar of the file re.c of the component Pattern Handler. This manipulation causes inefficient regular expression complexity. This vulnerability is tracked as CVE-2026-11478. The attack is restricted to local execution. Moreover, an exploit is present. This product adopts a rolling release strategy to maintain continuous delivery. Therefore, version details for affected or updated releases cannot be specified. The project was informed of the problem early through an issue report but has not responded yet.

A vulnerability classified as problematic was found in hs-web hsweb-framework up to 5.0.1. This affects the function OAuth2Client of the file hsweb-authorization/hsweb-authorization-oauth2/src/main/java/org/hswebframework/web/oauth2/server/OAuth2Client.java of the component OAuth2 Client. The manipulation results in open redirect. This vulnerability is identified as CVE-2026-11477. The attack can be executed remotely. Additionally, an exploit exists. Applying a patch is advised to resolve this issue.

A vulnerability classified as critical has been found in Kushan2k student-management-system up to f16a4ceaddd6729c4b306ed4641cda3176c1ef2a. Affected by this issue is the function edit-admin of the file controllers/AdminController.php of the component Profile Update Endpoint. The manipulation of the argument isadmin leads to improper authorization. This vulnerability is referenced as CVE-2026-11476. Remote exploitation of the attack is possible. Furthermore, an exploit is available. This product follows a rolling release approach for continuous delivery, so version details for affected or updated releases are not provided. The project was informed of the problem early through an issue report but has not responded yet.

A vulnerability described as critical has been identified in Kushan2k student-management-system up to f16a4ceaddd6729c4b306ed4641cda3176c1ef2a. Affected by this vulnerability is the function getStatus of the file controllers/GradeController.php of the component Certificate Verification Endpoint. Executing a manipulation of the argument nic can lead to sql injection. The identification of this vulnerability is CVE-2026-11475. The attack may be launched remotely. Furthermore, there is an exploit available. This product operates on a rolling release basis, ensuring continuous delivery. Consequently, there are no version details for either affected or updated releases. The project was informed of the problem early through an issue report but has not responded yet.

A vulnerability marked as critical has been reported in Kushan2k student-management-system up to f16a4ceaddd6729c4b306ed4641cda3176c1ef2a. Affected is an unknown function of the file service/RegisterService.php of the component Registration Endpoint. Performing a manipulation of the argument stimg results in unrestricted upload. This vulnerability was named CVE-2026-11474. The attack may be initiated remotely. In addition, an exploit is available. This product uses a rolling release model to deliver continuous updates. As a result, specific version information for affected or updated releases is not available. The project was informed of the problem early through an issue report but has not responded yet.

A vulnerability labeled as critical has been found in jflyfox jfinal_cms up to 5.1.0. This impacts the function list of the file AdvicefeedbackController.java. Such manipulation of the argument orderBy leads to sql injection. This vulnerability is uniquely identified as CVE-2026-11473. The attack can be launched remotely. No exploit exists. The project was informed of the problem early through an issue report but has not responded yet.

A vulnerability identified as critical has been detected in SourceCodester Class and Exam Timetabling System 1.0. This affects an unknown function of the file /index1.php. This manipulation of the argument Password causes sql injection. This vulnerability is handled as CVE-2026-11472. The attack can be initiated remotely. Additionally, an exploit exists.

A vulnerability categorized as critical has been discovered in SourceCodester Class and Exam Timetabling System 1.0. The impacted element is an unknown function of the file /index2.php. The manipulation of the argument Password results in sql injection. This vulnerability is known as CVE-2026-11471. It is possible to launch the attack remotely. Furthermore, an exploit is available.

A vulnerability was found in hs-web hsweb-framework up to 5.0.1. It has been rated as critical. The affected element is the function denied of the file hsweb-system/hsweb-system-file/src/main/java/org/hswebframework/web/file/FileUploadProperties.java of the component File Upload. The manipulation of the argument filename leads to path traversal. This vulnerability is traded as CVE-2026-11470. It is possible to initiate the attack remotely. Furthermore, there is an exploit available. It is suggested to install a patch to address this issue.