Total
3565 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-13423 | 1 Campcodes | 1 Retro Basketball Shoes Online Store | 2026-02-24 | 5.8 MEDIUM | 4.7 MEDIUM |
| A flaw has been found in Campcodes Retro Basketball Shoes Online Store 1.0. The impacted element is an unknown function of the file /admin/admin_product.php. Executing a manipulation of the argument product_image can lead to unrestricted upload. The attack may be launched remotely. The exploit has been published and may be used. | |||||
| CVE-2025-13411 | 1 Campcodes | 1 Retro Basketball Shoes Online Store | 2026-02-24 | 5.8 MEDIUM | 4.7 MEDIUM |
| A vulnerability was found in Campcodes Retro Basketball Shoes Online Store 1.0. Affected by this vulnerability is an unknown functionality of the file /admin/admin_football.php. Performing a manipulation of the argument product_image results in unrestricted upload. The attack is possible to be carried out remotely. The exploit has been made public and could be used. | |||||
| CVE-2025-13238 | 1 Bdtask | 1 Flight Booking Software | 2026-02-24 | 6.5 MEDIUM | 6.3 MEDIUM |
| A weakness has been identified in Bdtask Flight Booking Software 4. Affected by this vulnerability is an unknown functionality of the file /agent/profile/edit of the component Edit Profile Page. This manipulation causes unrestricted upload. The attack may be initiated remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2025-12862 | 1 Projectworlds | 1 Online Notes Sharing Platform | 2026-02-24 | 6.5 MEDIUM | 6.3 MEDIUM |
| A vulnerability was identified in projectworlds Online Notes Sharing Platform 1.0. Affected by this issue is some unknown functionality of the file /dashboard/userprofile.php. Such manipulation of the argument image leads to unrestricted upload. The attack may be performed from remote. The exploit is publicly available and might be used. | |||||
| CVE-2025-11426 | 1 Projectworlds | 1 Advanced Library Management System | 2026-02-24 | 6.5 MEDIUM | 6.3 MEDIUM |
| A security flaw has been discovered in projectworlds Advanced Library Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /edit_book.php. The manipulation of the argument image results in unrestricted upload. It is possible to launch the attack remotely. The exploit has been released to the public and may be used for attacks. | |||||
| CVE-2025-14583 | 1 Campcodes | 1 Online Student Enrollment System | 2026-02-24 | 7.5 HIGH | 7.3 HIGH |
| A flaw has been found in campcodes Online Student Enrollment System 1.0. This impacts an unknown function of the file /admin/register.php. Executing a manipulation of the argument photo can lead to unrestricted upload. The attack can be launched remotely. The exploit has been published and may be used. | |||||
| CVE-2025-14582 | 1 Campcodes | 1 Online Student Enrollment System | 2026-02-24 | 5.8 MEDIUM | 4.7 MEDIUM |
| A vulnerability was detected in campcodes Online Student Enrollment System 1.0. This affects an unknown function of the file /admin/index.php?page=user-profile. Performing a manipulation of the argument userphoto results in unrestricted upload. The attack can be initiated remotely. The exploit is now public and may be used. | |||||
| CVE-2025-14219 | 1 Campcodes | 1 Retro Basketball Shoes Online Store | 2026-02-24 | 5.8 MEDIUM | 4.7 MEDIUM |
| A weakness has been identified in Campcodes Retro Basketball Shoes Online Store 1.0. The impacted element is an unknown function of the file /admin/admin_running.php. Executing a manipulation of the argument product_image can lead to unrestricted upload. It is possible to launch the attack remotely. The exploit has been made available to the public and could be used for attacks. | |||||
| CVE-2025-14195 | 1 Carmelogarcia | 1 Employee Profile Management System | 2026-02-24 | 6.5 MEDIUM | 6.3 MEDIUM |
| A security flaw has been discovered in code-projects Employee Profile Management System 1.0. Impacted is an unknown function of the file /profiling/add_file_query.php. The manipulation of the argument per_file results in unrestricted upload. The attack may be launched remotely. The exploit has been released to the public and may be used for attacks. | |||||
| CVE-2025-70064 | 1 Phpgurukul | 1 Hospital Management System | 2026-02-23 | N/A | 8.8 HIGH |
| PHPGurukul Hospital Management System v4.0 contains a Privilege Escalation vulnerability. A low-privileged user (Patient) can directly access the Administrator Dashboard and all sub-modules (e.g., User Logs, Doctor Management) by manually browsing to the /admin/ directory after authentication. This allows any self-registered user to takeover the application, view confidential logs, and modify system data. | |||||
| CVE-2026-2938 | 1 Munyweki | 1 Student Result Management System | 2026-02-23 | 7.5 HIGH | 7.3 HIGH |
| A vulnerability has been found in SourceCodester Student Result Management System 1.0. The affected element is an unknown function of the file /srms/script/admin/core/update_smtp.php. The manipulation leads to improper access controls. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2026-26325 | 1 Openclaw | 1 Openclaw | 2026-02-23 | N/A | 7.2 HIGH |
| OpenClaw is a personal AI assistant. Prior to version 2026.2.14, a mismatch between `rawCommand` and `command[]` in the node host `system.run` handler could cause allowlist/approval evaluation to be performed on one command while executing a different argv. This only impacts deployments that use the node host / companion node execution path (`system.run` on a node), enable allowlist-based exec policy (`security=allowlist`) with approval prompting driven by allowlist misses (for example `ask=on-miss`), allow an attacker to invoke `system.run`. Default/non-node configurations are not affected. Version 2026.2.14 enforces `rawCommand`/`command[]` consistency (gateway fail-fast + node host validation). | |||||
| CVE-2026-1895 | 1 Wekan Project | 1 Wekan | 2026-02-23 | 6.5 MEDIUM | 6.3 MEDIUM |
| A flaw has been found in WeKan up to 8.20. Affected is the function applyWipLimit of the file models/lists.js of the component Attachment Storage Handler. Executing a manipulation can lead to improper access controls. The attack can be executed remotely. Upgrading to version 8.21 is able to address this issue. This patch is called 8c0b4f79d8582932528ec2fdf2a4487c86770fb9. It is recommended to upgrade the affected component. | |||||
| CVE-2026-1170 | 1 Birkir | 1 Prime | 2026-02-23 | 5.0 MEDIUM | 5.3 MEDIUM |
| A vulnerability was detected in birkir prime up to 0.4.0.beta.0. This issue affects some unknown processing of the file /graphql of the component GraphQL API. Performing a manipulation results in information disclosure. The attack may be initiated remotely. The exploit is now public and may be used. The project was informed of the problem early through an issue report but has not responded yet. | |||||
| CVE-2026-1126 | 2026-02-23 | 6.5 MEDIUM | 6.3 MEDIUM | ||
| A security vulnerability has been detected in lwj flow up to a3d2fe8133db9d3b50fda4f66f68634640344641. This affects the function uploadFile of the file \flow-master\flow-front-rest\src\main\java\com\dragon\flow\web\resource\flow\FormResource.java of the component SVG File Handler. The manipulation of the argument File leads to unrestricted upload. The attack is possible to be carried out remotely. The exploit has been disclosed publicly and may be used. This product adopts a rolling release strategy to maintain continuous delivery. Therefore, version details for affected or updated releases cannot be specified. The project was informed of the problem early through an issue report but has not responded yet. | |||||
| CVE-2026-0577 | 1 Fabian | 1 Online Product Reservation System | 2026-02-23 | 6.5 MEDIUM | 6.3 MEDIUM |
| A flaw has been found in code-projects Online Product Reservation System 1.0. Affected by this vulnerability is an unknown functionality of the file /handgunner-administrator/prod.php. Executing a manipulation can lead to unrestricted upload. It is possible to launch the attack remotely. The exploit has been published and may be used. | |||||
| CVE-2026-24904 | 1 Adguard | 1 Trusttunnel | 2026-02-20 | N/A | 5.3 MEDIUM |
| TrustTunnel is an open-source VPN protocol with a rule bypass issue in versions prior to 0.9.115. In `tls_listener.rs`, `TlsListener::listen()` peeks 1024 bytes and calls `extract_client_random(...)`. If `parse_tls_plaintext` fails (for example, a fragmented/partial ClientHello split across TCP writes), `extract_client_random` returns `None`. In `rules.rs`, `RulesEngine::evaluate` only evaluates `client_random_prefix` when `client_random` is `Some(...)`. As a result, when extraction fails (`client_random == None`), any rule that relies on `client_random_prefix` matching is skipped and evaluation falls through to later rules. As an important semantics note: `client_random_prefix` is a match condition only. It does not mean "block non-matching prefixes" by itself. A rule with `client_random_prefix = ...` triggers its `action` only when the prefix matches (and the field is available to evaluate). Non-matches (or `None`) simply do not match that rule and continue to fall through. The vulnerability is fixed in version 0.9.115. | |||||
| CVE-2023-38005 | 1 Ibm | 1 Cloud Pak System | 2026-02-20 | N/A | 4.3 MEDIUM |
| IBM Cloud Pak System 2.3.3.6, 2.3.3.7, 2.3.4.0, 2.3.4.1, and 2.3.5.0 could allow an authenticated user to perform unauthorized tasks due to improper access controls. | |||||
| CVE-2026-21535 | 1 Microsoft | 1 Teams | 2026-02-20 | N/A | 8.2 HIGH |
| Improper access control in Microsoft Teams allows an unauthorized attacker to disclose information over a network. | |||||
| CVE-2026-26977 | 1 Frappe | 1 Learning | 2026-02-20 | N/A | 5.3 MEDIUM |
| Frappe Learning Management System (LMS) is a learning system that helps users structure their content. In versions 2.44.0 and below, unauthorized users are able to access the details of unpublished courses via API endpoints. A fix for this issue is planned for the 2.45.0 release. | |||||