Skip to main content
COSMICBYTEZLABS
NewsSecurityHOWTOsToolsTraining
StudyProjectsNewsletterHire MeAbout
Subscribe

Press Enter to search or Esc to close

News
Security
HOWTOs
Tools
Training
Study
Projects
Newsletter
Hire Me
About
RSS Feed
Reading List
Subscribe

Stay in the Loop

Get the latest security alerts, tutorials, and tech insights delivered to your inbox.

Subscribe NowFree forever. No spam.
COSMICBYTEZLABS

Your trusted source for IT intelligence, cybersecurity insights, and hands-on technical guides.

1941+ Articles
150+ Guides

CONTENT

  • Latest News
  • Security Alerts
  • HOWTOs
  • Checklists
  • Projects
  • Exam Prep

RESOURCES

  • Search
  • Browse Tags
  • Newsletter Archive
  • Reading List
  • RSS Feed

COMPANY

  • About Us
  • Contact
  • Privacy Policy
  • Terms of Service

© 2026 CosmicBytez Labs. All rights reserved.

System Status: Operational
All tags
59 articles

#PHP

All CosmicBytez Labs articles tagged #PHP, across news, security advisories, how-to guides, and projects.

  • SecurityJul 14, 2026

    ChurchCRM Plugin RCE via Malicious ZIP Upload — CVE-2026-58409

    A critical authenticated RCE vulnerability in ChurchCRM allows administrators to achieve remote code execution by uploading a malicious plugin ZIP containing a PHP webshell. CVSS 9.1. Fixed in v7.4.0.

  • SecurityJul 12, 2026

    CVE-2026-15488: Unrestricted File Upload in shiroiAdmin Enables Remote Code Execution

    A high-severity unrestricted file upload vulnerability in shiroiAdmin versions 1.1 and 1.3 allows unauthenticated remote attackers to upload PHP webshells and achieve remote code execution.

  • SecurityJul 12, 2026

    CVE-2026-15489: SQL Injection in TOKO-ONLINE-ROTI Login Endpoint

    A high-severity SQL injection vulnerability in the TOKO-ONLINE-ROTI bakery management system allows remote attackers to manipulate the login.php Username parameter and compromise the backend database without authentication.

  • SecurityJul 12, 2026

    CVE-2026-15490: SQL Injection in TOKO-ONLINE-ROTI Product Add Endpoint

    A high-severity SQL injection vulnerability in the TOKO-ONLINE-ROTI PHP bakery system allows remote attackers to manipulate the kode_produk and kd_cs parameters in proses/add.php, enabling database compromise.

  • SecurityJul 6, 2026

    CVE-2024-6228: WordPress WANotifier Plugin Local File Inclusion

    A local file inclusion vulnerability in the WANotifier WordPress plugin (before v2.6) allows any authenticated subscriber-level user to include and...

  • SecurityJul 5, 2026

    CVE-2026-14635: Unrestricted File Upload RCE in CodeIgniter Ecommerce Bootstrap

    A high-severity unrestricted file upload vulnerability in the kirilkirkov Ecommerce-CodeIgniter-Bootstrap allows authenticated vendor users to upload...

  • SecurityJul 5, 2026

    CVE-2026-14637: PHP Deserialization RCE in CodeIgniter Ecommerce Bootstrap Shopping Cart

    A high-severity PHP deserialization vulnerability in the kirilkirkov Ecommerce-CodeIgniter-Bootstrap allows attackers to inject malicious serialized...

  • SecurityJul 5, 2026

    CVE-2026-14641: Remote SQL Injection in SourceCodester Class and Exam Timetabling System

    A high-severity SQL injection vulnerability in SourceCodester's Class and Exam Timetabling System 1.0 allows unauthenticated remote attackers to dump the...

  • SecurityJul 5, 2026

    CVE-2026-14642: Remote SQL Injection in SourceCodester Timetabling System edit_class2.php

    A high-severity SQL injection vulnerability in SourceCodester's Class and Exam Timetabling System 1.0 allows unauthenticated remote attackers to fully...

  • SecurityJul 5, 2026

    CVE-2026-14652: SQL Injection in SourceCodester Shopping Cart Admin Login

    A high-severity SQL injection vulnerability in SourceCodester Simple and Nice Shopping Cart Script 1.0 allows remote attackers to manipulate the admin...

  • SecurityJul 5, 2026

    CVE-2026-14653: SQL Injection in Shopping Cart Men's Product Delete Endpoint

    A high-severity SQL injection flaw in SourceCodester Simple and Nice Shopping Cart Script 1.0 exposes the men's product delete query to remote...

  • SecurityJul 5, 2026

    CVE-2026-14654: SQL Injection in Shopping Cart Girls Product Delete Endpoint

    A high-severity SQL injection vulnerability in SourceCodester Simple and Nice Shopping Cart Script 1.0 allows remote attackers to exploit the girls...

  • SecurityJul 5, 2026

    CVE-2026-14688: SQL Injection in itsourcecode Hotel Management Admin Login

    A high-severity SQL injection vulnerability in itsourcecode Online Hotel Management System 1.0 allows remote attackers to exploit the admin login page via...

  • SecurityJul 5, 2026

    SQL Injection in Multi-Vendor Online Grocery Management System (CVE-2026-14695)

    A high-severity SQL injection vulnerability in SourceCodester's Multi-Vendor Online Grocery Management System 1.0 allows remote attackers to manipulate...

  • SecurityJul 5, 2026

    SQL Injection in Pizzafy E-Commerce System Exposes Order Data (CVE-2026-14713)

    A remotely exploitable SQL injection flaw in SourceCodester Pizzafy E-Commerce System 1.0 allows attackers to manipulate the confirm_order endpoint via an...

  • SecurityJul 5, 2026

    Privilege Escalation via Role Manipulation in Online Exam LMS (CVE-2026-14719)

    A high-severity improper privilege management flaw in SourceCodester's Online Examination and Learning Management System 1.0 allows remote attackers to...

  • SecurityJul 4, 2026

    CVE-2026-14622: Missing Authentication in Restaurant Website PHP/MySQL AJAX Endpoint

    A missing authentication vulnerability (CVSS 7.3) in the jairiidriss/restaurant-website-php-mysql project exposes the /admin/ajax_files endpoint to...

  • NewsJun 17, 2026

    CISA Warns of Actively Exploited Joomla JCE Flaw Allowing PHP Code Execution

    CISA has added a maximum-severity vulnerability in the Joomla Content Editor (JCE) plugin to its Known Exploited Vulnerabilities catalog, warning that the...

  • SecurityJun 15, 2026

    CVE-2026-12204: ShopXO Scheduled Task Authorization Bypass

    A CVSS 7.3 authorization bypass vulnerability in ShopXO up to 6.7.1 allows unauthenticated access to scheduled task endpoints in the Crontab controller,...

  • SecurityJun 2, 2026

    CVE-2026-10236: Improper Authorization in SourceCodester Water Billing Management System

    A remotely exploitable improper authorization vulnerability in the SourceCodester Water Billing Management System 1.0 allows unauthenticated attackers to…

  • SecurityMay 31, 2026

    CVE-2026-10167: School Student Management System Cookie Auth Bypass

    A high-severity authentication bypass vulnerability in OUSL-GROUP BrinaryBrains School Student Management System allows manipulation of the sign_auth_cookie…

  • SecurityMay 31, 2026

    CVE-2026-10178: SQL Injection in Online Music Site 1.0 Admin Panel

    A remotely exploitable SQL injection vulnerability has been disclosed in code-projects Online Music Site 1.0, affecting the Administrator PHP AdminEditAlbum…

  • SecurityMay 30, 2026

    CVE-2018-25391: HaPe PKH 1.1 Unauthenticated Record Deletion via Missing Authorization

    HaPe PKH 1.1, a PHP-based web application, fails to enforce authorization on its record deletion endpoints, allowing unauthenticated attackers to...

  • SecurityMay 30, 2026

    CVE-2026-10110: SQL Injection in Student Details Management System 1.0

    A remotely exploitable SQL injection vulnerability in code-projects Student Details Management System 1.0 allows attackers to manipulate database queries...

  • SecurityMay 27, 2026

    CVE-2026-45247 — Mirasvit Magento 2 Cache Warmer PHP Object Injection RCE

    CVSS 9.8 PHP object injection in Mirasvit Full Page Cache Warmer for Magento 2 lets unauthenticated attackers achieve RCE — patch to 1.11.12 now.

  • SecurityMay 26, 2026

    CVE-2018-25362: Twitter-Clone SQL Injection via follow.php

    Twitter-Clone 1 contains a high-severity SQL injection vulnerability in follow.php that allows attackers to extract sensitive database information through.

  • NewsMay 23, 2026

    Laravel Lang Packages Hijacked to Deploy

    A supply chain attack targeting Laravel Lang localization packages has exposed developers to credential-stealing malware after attackers abused GitHub...

  • NewsMay 23, 2026

    Laravel-Lang PHP Packages Compromised to Deliver

    Multiple PHP packages belonging to the Laravel-Lang organization have been poisoned in a software supply chain attack, delivering a cross-platform...

  • NewsMay 23, 2026

    Packagist Supply Chain Attack Infects 8 Packages Using

    A coordinated supply chain attack campaign has infected eight Packagist Composer packages with malicious code that downloads and executes a Linux binary...

  • SecurityMay 18, 2026

    CVE-2026-8785: SQL Injection in Hospital Management System

    A high-severity SQL injection vulnerability (CVE-2026-8785, CVSS 7.3) has been disclosed in projectworlds Hospital Management System in PHP 1.0, allowing...

  • SecurityMay 11, 2026

    CVE-2021-47936: OpenCATS 0.9.4 Unauthenticated RCE via PHP

    OpenCATS 0.9.4 allows unauthenticated attackers to upload malicious PHP files through the careers job application endpoint, achieving remote code...

  • SecurityMay 11, 2026

    CVE-2026-6433: WordPress Plugin SQLi Enables

    The Custom css-js-php WordPress plugin through version 2.0.7 fails to sanitize user input before using it in a SQL query, and passes the result to dynamic...

  • SecurityMay 10, 2026

    CVE-2026-42569: phpVMS Critical Unauthenticated Legacy

    A critical vulnerability (CVSS 9.4) in phpVMS before version 7.0.6 allows unauthenticated attackers to access a legacy import feature, potentially...

  • SecurityApr 28, 2026

    CVE-2026-7224: SQL Injection in Pizzafy Ecommerce System 1.0

    A high-severity SQL injection vulnerability has been discovered in SourceCodester Pizzafy Ecommerce System 1.0, allowing remote attackers to manipulate...

  • SecurityApr 27, 2026

    CVE-2026-7077: SQL Injection in itsourcecode Courier

    A remotely exploitable SQL injection vulnerability has been disclosed in itsourcecode Courier Management System 1.0, affecting the edit_parcel.php file...

  • SecurityApr 26, 2026

    Typecho 1.3.0 Pingback SSRF via X-Pingback Manipulation

    A CVSS 7.3 server-side request forgery vulnerability in Typecho up to 1.3.0 allows attackers to manipulate the X-Pingback/link argument in Service.php to...

  • SecurityApr 24, 2026

    CVE-2026-41309: OSSN Resource Exhaustion via Crafted Pixel

    Open Source Social Network (OSSN) versions prior to 9.0 are vulnerable to resource exhaustion via specially crafted image uploads with extreme pixel...

  • SecurityApr 23, 2026

    CVE-2018-25270: ThinkPHP 5.0.23 Remote Code Execution via Routing Parameter

    ThinkPHP 5.0.23 contains a critical unauthenticated remote code execution vulnerability allowing attackers to invoke arbitrary PHP functions via a crafted...

  • SecurityApr 21, 2026

    CVE-2026-39918: Vvveb CMS Unauthenticated PHP Code

    Vvveb CMS versions prior to 1.0.8.1 allow unauthenticated attackers to inject arbitrary PHP code through the installation endpoint's unsanitized subdir...

  • SecurityApr 20, 2026

    CVE-2026-6595: SQL Injection in ProjectsAndPrograms School

    A medium-severity SQL injection vulnerability has been disclosed in ProjectsAndPrograms School Management System, allowing remote attackers to manipulate...

  • SecurityApr 18, 2026

    CVE-2026-40285: WeGIA SQL Injection via PHP extract()

    A high-severity SQL injection vulnerability in WeGIA, a web manager for charitable institutions, allows authenticated attackers to escalate privileges by...

  • SecurityApr 10, 2026

    CVE-2026-6004: SQL Injection in code-projects Simple IT

    A remotely exploitable SQL injection vulnerability has been disclosed in code-projects Simple IT Discussion Forum 1.0, affecting the /delete-category.php...

  • SecurityApr 6, 2026

    CVE-2026-5554: SQL Injection in Concert Ticket Reservation

    A remotely exploitable SQL injection vulnerability has been disclosed in code-projects Concert Ticket Reservation System 1.0, affecting the...

  • SecurityApr 6, 2026

    CVE-2026-5555: SQL Injection in Concert Ticket Reservation

    An unauthenticated SQL injection vulnerability has been disclosed in code-projects Concert Ticket Reservation System 1.0, affecting the login.php file via...

  • SecurityApr 6, 2026

    CVE-2026-5575: SQL Injection in SourceCodester Record

    A remotely exploitable SQL injection vulnerability has been disclosed in SourceCodester/jkev Record Management System 1.0, affecting the Login page's...

  • SecurityApr 5, 2026

    CVE-2026-5551: SQL Injection in itsourcecode Free Hotel

    A remotely exploitable SQL injection vulnerability has been disclosed in itsourcecode Free Hotel Reservation System 1.0, affecting the login page's email...

  • NewsApr 4, 2026

    Microsoft Details Cookie-Controlled PHP Web Shells

    Microsoft Defender researchers have documented a stealthy PHP web shell technique that uses HTTP cookies as a covert command-and-control channel on Linux...

  • SecurityApr 2, 2026

    CVE-2026-1540: Spam Protect CF7 WordPress Plugin PHP Log RCE

    The Spam Protect for Contact Form 7 WordPress plugin before 1.2.10 allows an editor-level attacker to achieve Remote Code Execution by logging a crafted...

  • SecurityMar 29, 2026

    CVE-2026-5017: SQL Injection in code-projects Simple Food

    A remotely exploitable SQL injection vulnerability has been disclosed in code-projects Simple Food Order System 1.0, affecting the /all-tickets.php file...

  • SecurityMar 29, 2026

    CVE-2026-5018: SQL Injection in code-projects Simple Food

    A remotely exploitable SQL injection vulnerability exists in code-projects Simple Food Order System 1.0, where the Name parameter in register-router.php...

  • SecurityMar 29, 2026

    CVE-2026-5019: SQL Injection in code-projects Simple Food

    A SQL injection vulnerability has been disclosed in code-projects Simple Food Order System 1.0, where the Status parameter in all-orders.php enables...

  • SecurityMar 29, 2026

    CVE-2026-5033: SQL Injection in code-projects Accounting

    A remotely exploitable SQL injection vulnerability has been disclosed in code-projects Accounting System 1.0, where the cos_id parameter in...

  • SecurityMar 29, 2026

    CVE-2026-5034: SQL Injection in code-projects Accounting

    A remotely exploitable SQL injection vulnerability has been disclosed in code-projects Accounting System 1.0, allowing unauthenticated attackers to...

  • SecurityMar 17, 2026

    CVE-2015-20118: Stored XSS in RealtyScript 4.0.2 Admin

    A stored cross-site scripting vulnerability in RealtyScript 4.0.2 allows attackers to inject malicious JavaScript via the location_name parameter in the...

  • SecurityMar 16, 2026

    CVE-2015-20115: RealtyScript 4.0.2 Stored XSS via File

    CVE-2015-20115 is a stored cross-site scripting vulnerability in RealtyScript 4.0.2 that allows authenticated attackers to upload malicious script files...

  • SecurityMar 9, 2026

    CVE-2026-3730: SQL Injection in itsourcecode Free Hotel

    A remotely exploitable SQL injection vulnerability has been disclosed in itsourcecode Free Hotel Reservation System 1.0, affecting the amenities admin...

  • SecurityMar 9, 2026

    CVE-2026-3734: Improper Authorization in SourceCodester

    A remotely exploitable improper authorization vulnerability has been disclosed in SourceCodester Client Database Management System 1.0, allowing...

  • SecurityMar 9, 2026

    CVE-2026-3740: SQL Injection in itsourcecode University

    A high-severity SQL injection vulnerability has been disclosed in itsourcecode University Management System 1.0, allowing remote attackers to execute...

  • SecurityMar 9, 2026

    CVE-2026-3746: SQL Injection in SourceCodester Simple

    A remotely exploitable SQL injection vulnerability has been disclosed in SourceCodester Simple Responsive Tourism Website 1.0, allowing attackers to...