All CosmicBytez Labs articles tagged #PHP, across news, security advisories, how-to guides, and projects.
A critical authenticated RCE vulnerability in ChurchCRM allows administrators to achieve remote code execution by uploading a malicious plugin ZIP containing a PHP webshell. CVSS 9.1. Fixed in v7.4.0.
A high-severity unrestricted file upload vulnerability in shiroiAdmin versions 1.1 and 1.3 allows unauthenticated remote attackers to upload PHP webshells and achieve remote code execution.
A high-severity SQL injection vulnerability in the TOKO-ONLINE-ROTI bakery management system allows remote attackers to manipulate the login.php Username parameter and compromise the backend database without authentication.
A high-severity SQL injection vulnerability in the TOKO-ONLINE-ROTI PHP bakery system allows remote attackers to manipulate the kode_produk and kd_cs parameters in proses/add.php, enabling database compromise.
A local file inclusion vulnerability in the WANotifier WordPress plugin (before v2.6) allows any authenticated subscriber-level user to include and...
A high-severity unrestricted file upload vulnerability in the kirilkirkov Ecommerce-CodeIgniter-Bootstrap allows authenticated vendor users to upload...
A high-severity PHP deserialization vulnerability in the kirilkirkov Ecommerce-CodeIgniter-Bootstrap allows attackers to inject malicious serialized...
A high-severity SQL injection vulnerability in SourceCodester's Class and Exam Timetabling System 1.0 allows unauthenticated remote attackers to dump the...
A high-severity SQL injection vulnerability in SourceCodester's Class and Exam Timetabling System 1.0 allows unauthenticated remote attackers to fully...
A high-severity SQL injection vulnerability in SourceCodester Simple and Nice Shopping Cart Script 1.0 allows remote attackers to manipulate the admin...
A high-severity SQL injection flaw in SourceCodester Simple and Nice Shopping Cart Script 1.0 exposes the men's product delete query to remote...
A high-severity SQL injection vulnerability in SourceCodester Simple and Nice Shopping Cart Script 1.0 allows remote attackers to exploit the girls...
A high-severity SQL injection vulnerability in itsourcecode Online Hotel Management System 1.0 allows remote attackers to exploit the admin login page via...
A high-severity SQL injection vulnerability in SourceCodester's Multi-Vendor Online Grocery Management System 1.0 allows remote attackers to manipulate...
A remotely exploitable SQL injection flaw in SourceCodester Pizzafy E-Commerce System 1.0 allows attackers to manipulate the confirm_order endpoint via an...
A high-severity improper privilege management flaw in SourceCodester's Online Examination and Learning Management System 1.0 allows remote attackers to...
A missing authentication vulnerability (CVSS 7.3) in the jairiidriss/restaurant-website-php-mysql project exposes the /admin/ajax_files endpoint to...
CISA has added a maximum-severity vulnerability in the Joomla Content Editor (JCE) plugin to its Known Exploited Vulnerabilities catalog, warning that the...
A CVSS 7.3 authorization bypass vulnerability in ShopXO up to 6.7.1 allows unauthenticated access to scheduled task endpoints in the Crontab controller,...
A remotely exploitable improper authorization vulnerability in the SourceCodester Water Billing Management System 1.0 allows unauthenticated attackers to…
A high-severity authentication bypass vulnerability in OUSL-GROUP BrinaryBrains School Student Management System allows manipulation of the sign_auth_cookie…
A remotely exploitable SQL injection vulnerability has been disclosed in code-projects Online Music Site 1.0, affecting the Administrator PHP AdminEditAlbum…
HaPe PKH 1.1, a PHP-based web application, fails to enforce authorization on its record deletion endpoints, allowing unauthenticated attackers to...
A remotely exploitable SQL injection vulnerability in code-projects Student Details Management System 1.0 allows attackers to manipulate database queries...
CVSS 9.8 PHP object injection in Mirasvit Full Page Cache Warmer for Magento 2 lets unauthenticated attackers achieve RCE — patch to 1.11.12 now.
Twitter-Clone 1 contains a high-severity SQL injection vulnerability in follow.php that allows attackers to extract sensitive database information through.
A supply chain attack targeting Laravel Lang localization packages has exposed developers to credential-stealing malware after attackers abused GitHub...
Multiple PHP packages belonging to the Laravel-Lang organization have been poisoned in a software supply chain attack, delivering a cross-platform...
A coordinated supply chain attack campaign has infected eight Packagist Composer packages with malicious code that downloads and executes a Linux binary...
A high-severity SQL injection vulnerability (CVE-2026-8785, CVSS 7.3) has been disclosed in projectworlds Hospital Management System in PHP 1.0, allowing...
OpenCATS 0.9.4 allows unauthenticated attackers to upload malicious PHP files through the careers job application endpoint, achieving remote code...
The Custom css-js-php WordPress plugin through version 2.0.7 fails to sanitize user input before using it in a SQL query, and passes the result to dynamic...
A critical vulnerability (CVSS 9.4) in phpVMS before version 7.0.6 allows unauthenticated attackers to access a legacy import feature, potentially...
A high-severity SQL injection vulnerability has been discovered in SourceCodester Pizzafy Ecommerce System 1.0, allowing remote attackers to manipulate...
A remotely exploitable SQL injection vulnerability has been disclosed in itsourcecode Courier Management System 1.0, affecting the edit_parcel.php file...
A CVSS 7.3 server-side request forgery vulnerability in Typecho up to 1.3.0 allows attackers to manipulate the X-Pingback/link argument in Service.php to...
Open Source Social Network (OSSN) versions prior to 9.0 are vulnerable to resource exhaustion via specially crafted image uploads with extreme pixel...
ThinkPHP 5.0.23 contains a critical unauthenticated remote code execution vulnerability allowing attackers to invoke arbitrary PHP functions via a crafted...
Vvveb CMS versions prior to 1.0.8.1 allow unauthenticated attackers to inject arbitrary PHP code through the installation endpoint's unsanitized subdir...
A medium-severity SQL injection vulnerability has been disclosed in ProjectsAndPrograms School Management System, allowing remote attackers to manipulate...
A high-severity SQL injection vulnerability in WeGIA, a web manager for charitable institutions, allows authenticated attackers to escalate privileges by...
A remotely exploitable SQL injection vulnerability has been disclosed in code-projects Simple IT Discussion Forum 1.0, affecting the /delete-category.php...
A remotely exploitable SQL injection vulnerability has been disclosed in code-projects Concert Ticket Reservation System 1.0, affecting the...
An unauthenticated SQL injection vulnerability has been disclosed in code-projects Concert Ticket Reservation System 1.0, affecting the login.php file via...
A remotely exploitable SQL injection vulnerability has been disclosed in SourceCodester/jkev Record Management System 1.0, affecting the Login page's...
A remotely exploitable SQL injection vulnerability has been disclosed in itsourcecode Free Hotel Reservation System 1.0, affecting the login page's email...
Microsoft Defender researchers have documented a stealthy PHP web shell technique that uses HTTP cookies as a covert command-and-control channel on Linux...
The Spam Protect for Contact Form 7 WordPress plugin before 1.2.10 allows an editor-level attacker to achieve Remote Code Execution by logging a crafted...
A remotely exploitable SQL injection vulnerability has been disclosed in code-projects Simple Food Order System 1.0, affecting the /all-tickets.php file...
A remotely exploitable SQL injection vulnerability exists in code-projects Simple Food Order System 1.0, where the Name parameter in register-router.php...
A SQL injection vulnerability has been disclosed in code-projects Simple Food Order System 1.0, where the Status parameter in all-orders.php enables...
A remotely exploitable SQL injection vulnerability has been disclosed in code-projects Accounting System 1.0, where the cos_id parameter in...
A remotely exploitable SQL injection vulnerability has been disclosed in code-projects Accounting System 1.0, allowing unauthenticated attackers to...
A stored cross-site scripting vulnerability in RealtyScript 4.0.2 allows attackers to inject malicious JavaScript via the location_name parameter in the...
CVE-2015-20115 is a stored cross-site scripting vulnerability in RealtyScript 4.0.2 that allows authenticated attackers to upload malicious script files...
A remotely exploitable SQL injection vulnerability has been disclosed in itsourcecode Free Hotel Reservation System 1.0, affecting the amenities admin...
A remotely exploitable improper authorization vulnerability has been disclosed in SourceCodester Client Database Management System 1.0, allowing...
A high-severity SQL injection vulnerability has been disclosed in itsourcecode University Management System 1.0, allowing remote attackers to execute...
A remotely exploitable SQL injection vulnerability has been disclosed in SourceCodester Simple Responsive Tourism Website 1.0, allowing attackers to...