All CosmicBytez Labs articles tagged #PHP, across news, security advisories, how-to guides, and projects.
A remotely exploitable improper authorization vulnerability in the SourceCodester Water Billing Management System 1.0 allows unauthenticated attackers to perform unauthorized actions via the User Management endpoint.
A high-severity authentication bypass vulnerability in OUSL-GROUP BrinaryBrains School Student Management System allows manipulation of the sign_auth_cookie function, enabling unauthorized access via crafted cookie values. CVSS 7.3.
A remotely exploitable SQL injection vulnerability has been disclosed in code-projects Online Music Site 1.0, affecting the Administrator PHP AdminEditAlbum endpoint. A public exploit is available and no patch exists.
HaPe PKH 1.1, a PHP-based web application, fails to enforce authorization on its record deletion endpoints, allowing unauthenticated attackers to...
A remotely exploitable SQL injection vulnerability in code-projects Student Details Management System 1.0 allows attackers to manipulate database queries...
CVSS 9.8 PHP object injection in Mirasvit Full Page Cache Warmer for Magento 2 lets unauthenticated attackers achieve RCE — patch to 1.11.12 now.
Twitter-Clone 1 contains a high-severity SQL injection vulnerability in follow.php that allows attackers to extract sensitive database information through.
A supply chain attack targeting Laravel Lang localization packages has exposed developers to credential-stealing malware after attackers abused GitHub...
Multiple PHP packages belonging to the Laravel-Lang organization have been poisoned in a software supply chain attack, delivering a cross-platform...
A coordinated supply chain attack campaign has infected eight Packagist Composer packages with malicious code that downloads and executes a Linux binary...
A high-severity SQL injection vulnerability (CVE-2026-8785, CVSS 7.3) has been disclosed in projectworlds Hospital Management System in PHP 1.0, allowing...
OpenCATS 0.9.4 allows unauthenticated attackers to upload malicious PHP files through the careers job application endpoint, achieving remote code...
The Custom css-js-php WordPress plugin through version 2.0.7 fails to sanitize user input before using it in a SQL query, and passes the result to dynamic...
A critical vulnerability (CVSS 9.4) in phpVMS before version 7.0.6 allows unauthenticated attackers to access a legacy import feature, potentially...
A high-severity SQL injection vulnerability has been discovered in SourceCodester Pizzafy Ecommerce System 1.0, allowing remote attackers to manipulate...
A remotely exploitable SQL injection vulnerability has been disclosed in itsourcecode Courier Management System 1.0, affecting the edit_parcel.php file...
A CVSS 7.3 server-side request forgery vulnerability in Typecho up to 1.3.0 allows attackers to manipulate the X-Pingback/link argument in Service.php to...
Open Source Social Network (OSSN) versions prior to 9.0 are vulnerable to resource exhaustion via specially crafted image uploads with extreme pixel...
ThinkPHP 5.0.23 contains a critical unauthenticated remote code execution vulnerability allowing attackers to invoke arbitrary PHP functions via a crafted...
Vvveb CMS versions prior to 1.0.8.1 allow unauthenticated attackers to inject arbitrary PHP code through the installation endpoint's unsanitized subdir...
A medium-severity SQL injection vulnerability has been disclosed in ProjectsAndPrograms School Management System, allowing remote attackers to manipulate...
A high-severity SQL injection vulnerability in WeGIA, a web manager for charitable institutions, allows authenticated attackers to escalate privileges by...
A remotely exploitable SQL injection vulnerability has been disclosed in code-projects Simple IT Discussion Forum 1.0, affecting the /delete-category.php...
A remotely exploitable SQL injection vulnerability has been disclosed in code-projects Concert Ticket Reservation System 1.0, affecting the...
An unauthenticated SQL injection vulnerability has been disclosed in code-projects Concert Ticket Reservation System 1.0, affecting the login.php file via...
A remotely exploitable SQL injection vulnerability has been disclosed in SourceCodester/jkev Record Management System 1.0, affecting the Login page's...
A remotely exploitable SQL injection vulnerability has been disclosed in itsourcecode Free Hotel Reservation System 1.0, affecting the login page's email...
Microsoft Defender researchers have documented a stealthy PHP web shell technique that uses HTTP cookies as a covert command-and-control channel on Linux...
The Spam Protect for Contact Form 7 WordPress plugin before 1.2.10 allows an editor-level attacker to achieve Remote Code Execution by logging a crafted...
A remotely exploitable SQL injection vulnerability has been disclosed in code-projects Simple Food Order System 1.0, affecting the /all-tickets.php file...
A remotely exploitable SQL injection vulnerability exists in code-projects Simple Food Order System 1.0, where the Name parameter in register-router.php...
A SQL injection vulnerability has been disclosed in code-projects Simple Food Order System 1.0, where the Status parameter in all-orders.php enables...
A remotely exploitable SQL injection vulnerability has been disclosed in code-projects Accounting System 1.0, where the cos_id parameter in...
A remotely exploitable SQL injection vulnerability has been disclosed in code-projects Accounting System 1.0, allowing unauthenticated attackers to...
A stored cross-site scripting vulnerability in RealtyScript 4.0.2 allows attackers to inject malicious JavaScript via the location_name parameter in the...
CVE-2015-20115 is a stored cross-site scripting vulnerability in RealtyScript 4.0.2 that allows authenticated attackers to upload malicious script files...
A remotely exploitable SQL injection vulnerability has been disclosed in itsourcecode Free Hotel Reservation System 1.0, affecting the amenities admin...
A remotely exploitable improper authorization vulnerability has been disclosed in SourceCodester Client Database Management System 1.0, allowing...
A high-severity SQL injection vulnerability has been disclosed in itsourcecode University Management System 1.0, allowing remote attackers to execute...
A remotely exploitable SQL injection vulnerability has been disclosed in SourceCodester Simple Responsive Tourism Website 1.0, allowing attackers to...