Skip to main content
COSMICBYTEZLABS
NewsSecurityHOWTOsToolsTraining
StudyProjectsNewsletterHire MeAbout
Subscribe

Press Enter to search or Esc to close

News
Security
HOWTOs
Tools
Training
Study
Projects
Newsletter
Hire Me
About
RSS Feed
Reading List
Subscribe

Stay in the Loop

Get the latest security alerts, tutorials, and tech insights delivered to your inbox.

Subscribe NowFree forever. No spam.
COSMICBYTEZLABS

Your trusted source for IT intelligence, cybersecurity insights, and hands-on technical guides.

1941+ Articles
150+ Guides

CONTENT

  • Latest News
  • Security Alerts
  • HOWTOs
  • Checklists
  • Projects
  • Exam Prep

RESOURCES

  • Search
  • Browse Tags
  • Newsletter Archive
  • Reading List
  • RSS Feed

COMPANY

  • About Us
  • Contact
  • Privacy Policy
  • Terms of Service

© 2026 CosmicBytez Labs. All rights reserved.

System Status: Operational
All tags
62 articles

#Web Security

All CosmicBytez Labs articles tagged #Web Security, across news, security advisories, how-to guides, and projects.

  • NewsJul 13, 2026

    CISA Warns of Actively Exploited RCE Flaws in Joomla Extensions

    CISA has added two Joomla extension vulnerabilities to its KEV catalog after attackers began exploiting arbitrary file upload flaws in iCagenda and Balbooa Forms to achieve remote code execution on vulnerable websites.

  • NewsJul 13, 2026

    iCagenda and Balbooa Forms Joomla Flaws Exploited as Zero-Days

    CISA has added two maximum-severity flaws in iCagenda and Balbooa Forms Joomla extensions to its KEV catalog following confirmed zero-day exploitation in the wild. Administrators should patch or mitigate immediately.

  • SecurityJul 12, 2026

    CVE-2026-15489: SQL Injection in TOKO-ONLINE-ROTI Login Endpoint

    A high-severity SQL injection vulnerability in the TOKO-ONLINE-ROTI bakery management system allows remote attackers to manipulate the login.php Username parameter and compromise the backend database without authentication.

  • SecurityJul 12, 2026

    CVE-2026-15490: SQL Injection in TOKO-ONLINE-ROTI Product Add Endpoint

    A high-severity SQL injection vulnerability in the TOKO-ONLINE-ROTI PHP bakery system allows remote attackers to manipulate the kode_produk and kd_cs parameters in proses/add.php, enabling database compromise.

  • NewsJul 11, 2026

    Australia Warns of Global Campaign Targeting Vulnerable CMS Platforms

    The Australian Cyber Security Centre has issued an alert about a coordinated global campaign actively exploiting unpatched vulnerabilities in WordPress,...

  • SecurityJul 8, 2026

    CVE-2026-48908: JoomShaper SP Page Builder Unrestricted File Upload RCE

    A critical unrestricted file upload vulnerability in JoomShaper's SP Page Builder allows unauthenticated attackers to upload arbitrary PHP files and...

  • SecurityJul 6, 2026

    CVE-2026-14732: SQL Injection in SourceCodester Timetabling System via /edit_exam.php

    A high-severity SQL injection vulnerability in SourceCodester Class and Exam Timetabling System 1.0 allows remote attackers to manipulate the database via...

  • SecurityJul 6, 2026

    CVE-2026-14733: SQL Injection in SourceCodester Timetabling System via /edit_coursea.php

    A high-severity SQL injection vulnerability in SourceCodester Class and Exam Timetabling System 1.0 allows remote attackers to manipulate the database via...

  • SecurityJul 6, 2026

    CVE-2026-14734: SQL Injection in SourceCodester Timetabling System via /edit_product.php

    A high-severity SQL injection vulnerability in SourceCodester Class and Exam Timetabling System 1.0 allows remote attackers to manipulate the database via...

  • SecurityJul 5, 2026

    CVE-2026-14652: SQL Injection in SourceCodester Shopping Cart Admin Login

    A high-severity SQL injection vulnerability in SourceCodester Simple and Nice Shopping Cart Script 1.0 allows remote attackers to manipulate the admin...

  • SecurityJul 5, 2026

    CVE-2026-14653: SQL Injection in Shopping Cart Men's Product Delete Endpoint

    A high-severity SQL injection flaw in SourceCodester Simple and Nice Shopping Cart Script 1.0 exposes the men's product delete query to remote...

  • SecurityJul 5, 2026

    CVE-2026-14654: SQL Injection in Shopping Cart Girls Product Delete Endpoint

    A high-severity SQL injection vulnerability in SourceCodester Simple and Nice Shopping Cart Script 1.0 allows remote attackers to exploit the girls...

  • SecurityJul 5, 2026

    CVE-2026-14688: SQL Injection in itsourcecode Hotel Management Admin Login

    A high-severity SQL injection vulnerability in itsourcecode Online Hotel Management System 1.0 allows remote attackers to exploit the admin login page via...

  • SecurityJul 5, 2026

    SQL Injection in Multi-Vendor Online Grocery Management System (CVE-2026-14695)

    A high-severity SQL injection vulnerability in SourceCodester's Multi-Vendor Online Grocery Management System 1.0 allows remote attackers to manipulate...

  • SecurityJul 5, 2026

    SQL Injection in Pizzafy E-Commerce System Exposes Order Data (CVE-2026-14713)

    A remotely exploitable SQL injection flaw in SourceCodester Pizzafy E-Commerce System 1.0 allows attackers to manipulate the confirm_order endpoint via an...

  • SecurityJul 5, 2026

    Privilege Escalation via Role Manipulation in Online Exam LMS (CVE-2026-14719)

    A high-severity improper privilege management flaw in SourceCodester's Online Examination and Learning Management System 1.0 allows remote attackers to...

  • SecurityJul 4, 2026

    CVE-2026-14622: Missing Authentication in Restaurant Website PHP/MySQL AJAX Endpoint

    A missing authentication vulnerability (CVSS 7.3) in the jairiidriss/restaurant-website-php-mysql project exposes the /admin/ajax_files endpoint to...

  • SecurityJun 28, 2026

    CVE-2026-13487: SQL Injection in SourceCodester Timetabling System (/archive.php)

    A high-severity SQL injection vulnerability in SourceCodester Class and Exam Timetabling System 1.0 allows unauthenticated attackers to manipulate the...

  • SecurityJun 28, 2026

    CVE-2026-13488: SQL Injection in SourceCodester Timetabling System (/preview7.php)

    A high-severity SQL injection vulnerability in SourceCodester Class and Exam Timetabling System 1.0 allows unauthenticated attackers to manipulate the...

  • SecurityJun 28, 2026

    CVE-2026-13498: SQL Injection in Restaurant Management System via Password Reset

    A high-severity SQL injection vulnerability in yashpokharna2555's restaurant management system allows unauthenticated attackers to exploit the...

  • NewsJun 21, 2026

    Hackers Exploit Gravity SMTP WordPress Plugin Bug to Expose API Keys

    Active exploitation of CVE-2026-4020 in the Gravity SMTP WordPress plugin has generated over 17 million malicious requests, allowing unauthenticated...

  • SecurityJun 10, 2026

    CVE-2009-10007: Catalyst::Plugin::Authentication Session Fixation

    CVSS 9.1 session fixation flaw in Perl's Catalyst auth plugin (before 0.10_027) lets attackers impersonate authenticated users by pre-planting a known...

  • NewsJun 6, 2026

    Critical Everest Forms Pro Flaw Exploited to Take Over WordPress Sites

    Hackers are actively exploiting a critical vulnerability (CVE-2026-3300) in the Everest Forms Pro WordPress plugin, enabling them to take complete control of…

  • NewsJun 6, 2026

    Suspicious Polyfill Login Prompts Pop Up on Toshiba, Muji Websites

    Tech giant Toshiba and mega-retailer Muji have warned visitors that suspicious sign-in screens appearing on their websites could be harvesting credentials — a…

  • SecurityJun 4, 2026

    CVE-2026-49191: M3WebServer Hard-Coded API Keys Exposed via Error Pages

    A critical CVSS 9.8 vulnerability in M3WebServer hard-codes backend API keys in the production build. Attackers intercept them through verbose error handling…

  • NewsJun 3, 2026

    Critical Kirki Flaw Exploited to Hijack WordPress Admin Accounts

    Hackers are actively exploiting a critical privilege escalation vulnerability (CVE-2026-8206) in the widely-used Kirki Customizer Framework plugin for…

  • NewsMay 31, 2026

    WP Maps Pro Bug Exploited to Create Admin Accounts on WordPress Sites

    Hackers are actively exploiting a critical vulnerability in the WP Maps Pro WordPress plugin that allows unauthenticated attackers to create rogue…

  • SecurityMay 31, 2026

    CVE-2018-25405: Multiple SQL Injections in eNdonesia Portal 8.7

    Multiple unauthenticated SQL injection vulnerabilities in eNdonesia Portal 8.7 allow attackers to extract sensitive database contents via the artid, cid,...

  • SecurityMay 31, 2026

    CVE-2018-25406: SQL Injection Across eNdonesia Portal 8.7 Modules

    Multiple unauthenticated SQL injection vulnerabilities in eNdonesia Portal 8.7 expose the publisher, artikel, and info modules to database extraction...

  • SecurityMay 31, 2026

    CVE-2018-25411: SQL Injection in MGB OpenSource Guestbook 0.7.0.2

    An unauthenticated SQL injection vulnerability in MGB OpenSource Guestbook 0.7.0.2 allows attackers to extract sensitive database contents via the 'id'...

  • SecurityMay 31, 2026

    CVE-2018-25412: Arbitrary File Upload RCE in Delta Sql 1.8.2

    A critical unauthenticated arbitrary file upload vulnerability in Delta Sql 1.8.2 allows attackers to upload malicious PHP files and achieve remote code...

  • SecurityMay 31, 2026

    CVE-2026-10178: SQL Injection in Online Music Site 1.0 Admin Panel

    A remotely exploitable SQL injection vulnerability has been disclosed in code-projects Online Music Site 1.0, affecting the Administrator PHP AdminEditAlbum…

  • SecurityMay 30, 2026

    CVE-2026-7465: RCE in Spectra Gutenberg Blocks WordPress Plugin (CVSS 8.8)

    A high-severity remote code execution vulnerability in the Spectra Gutenberg Blocks plugin for WordPress allows authenticated Contributor-level attackers...

  • SecurityMay 19, 2026

    CVE-2025-15609: Fortis for WooCommerce Plugin Leaks API

    The Fortis for WooCommerce WordPress plugin before version 1.3.1 exposes sensitive API keys to unauthenticated attackers, enabling unauthorized access to...

  • SecurityMay 18, 2026

    CVE-2026-8785: SQL Injection in Hospital Management System

    A high-severity SQL injection vulnerability (CVE-2026-8785, CVSS 7.3) has been disclosed in projectworlds Hospital Management System in PHP 1.0, allowing...

  • NewsMay 15, 2026

    Avada Builder WordPress Plugin Flaws Allow Site Credential

    Two vulnerabilities in the Avada Builder plugin for WordPress, with an estimated one million active installations, allow hackers to read arbitrary files...

  • SecurityMay 12, 2026

    CVE-2025-61311: Reflected XSS in docuForm Managed Print

    A reflected cross-site scripting vulnerability in the dfm-menu_alerts.php component of GmbH Mecury docuForm v11.11c allows attackers to execute arbitrary...

  • SecurityMay 3, 2026

    CVE-2026-5324: WordPress Brizy Page Builder Unauthenticated

    The Brizy Page Builder plugin for WordPress contains a critical unauthenticated Stored Cross-Site Scripting flaw in versions up to 2.8.11, enabling...

  • SecurityApr 28, 2026

    CVE-2026-7224: SQL Injection in Pizzafy Ecommerce System 1.0

    A high-severity SQL injection vulnerability has been discovered in SourceCodester Pizzafy Ecommerce System 1.0, allowing remote attackers to manipulate...

  • SecurityApr 27, 2026

    CVE-2026-7077: SQL Injection in itsourcecode Courier

    A remotely exploitable SQL injection vulnerability has been disclosed in itsourcecode Courier Management System 1.0, affecting the edit_parcel.php file...

  • NewsApr 23, 2026

    Hackers Actively Exploiting Breeze Cache File Upload Bug in WordPress Attacks

    Threat actors are mass-exploiting a critical unauthenticated file upload vulnerability in the Breeze Cache WordPress plugin, uploading PHP webshells to...

  • SecurityApr 23, 2026

    CVE-2026-3844 — Breeze Cache WordPress Plugin

    A critical unauthenticated file upload vulnerability in the Breeze Cache WordPress plugin allows attackers to upload arbitrary files to affected servers...

  • SecurityApr 20, 2026

    CVE-2026-6595: SQL Injection in ProjectsAndPrograms School

    A medium-severity SQL injection vulnerability has been disclosed in ProjectsAndPrograms School Management System, allowing remote attackers to manipulate...

  • SecurityApr 10, 2026

    CVE-2026-6004: SQL Injection in code-projects Simple IT

    A remotely exploitable SQL injection vulnerability has been disclosed in code-projects Simple IT Discussion Forum 1.0, affecting the /delete-category.php...

  • SecurityApr 6, 2026

    CVE-2026-5554: SQL Injection in Concert Ticket Reservation

    A remotely exploitable SQL injection vulnerability has been disclosed in code-projects Concert Ticket Reservation System 1.0, affecting the...

  • SecurityApr 6, 2026

    CVE-2026-5555: SQL Injection in Concert Ticket Reservation

    An unauthenticated SQL injection vulnerability has been disclosed in code-projects Concert Ticket Reservation System 1.0, affecting the login.php file via...

  • SecurityApr 6, 2026

    CVE-2026-5575: SQL Injection in SourceCodester Record

    A remotely exploitable SQL injection vulnerability has been disclosed in SourceCodester/jkev Record Management System 1.0, affecting the Login page's...

  • SecurityApr 5, 2026

    CVE-2026-5551: SQL Injection in itsourcecode Free Hotel

    A remotely exploitable SQL injection vulnerability has been disclosed in itsourcecode Free Hotel Reservation System 1.0, affecting the login page's email...

  • SecurityMar 29, 2026

    CVE-2026-5017: SQL Injection in code-projects Simple Food

    A remotely exploitable SQL injection vulnerability has been disclosed in code-projects Simple Food Order System 1.0, affecting the /all-tickets.php file...

  • SecurityMar 29, 2026

    CVE-2026-5018: SQL Injection in code-projects Simple Food

    A remotely exploitable SQL injection vulnerability exists in code-projects Simple Food Order System 1.0, where the Name parameter in register-router.php...

  • SecurityMar 29, 2026

    CVE-2026-5019: SQL Injection in code-projects Simple Food

    A SQL injection vulnerability has been disclosed in code-projects Simple Food Order System 1.0, where the Status parameter in all-orders.php enables...

  • SecurityMar 29, 2026

    CVE-2026-5033: SQL Injection in code-projects Accounting

    A remotely exploitable SQL injection vulnerability has been disclosed in code-projects Accounting System 1.0, where the cos_id parameter in...

  • SecurityMar 29, 2026

    CVE-2026-5034: SQL Injection in code-projects Accounting

    A remotely exploitable SQL injection vulnerability has been disclosed in code-projects Accounting System 1.0, allowing unauthenticated attackers to...

  • SecurityMar 17, 2026

    CVE-2015-20118: Stored XSS in RealtyScript 4.0.2 Admin

    A stored cross-site scripting vulnerability in RealtyScript 4.0.2 allows attackers to inject malicious JavaScript via the location_name parameter in the...

  • NewsMar 14, 2026

    AppsFlyer Web SDK Supply Chain Attack Spread

    Attackers hijacked AppsFlyer's CDN domain via a registrar incident, serving a sophisticated 170 KB crypto-stealing JavaScript payload to every site...

  • SecurityMar 9, 2026

    CVE-2026-3730: SQL Injection in itsourcecode Free Hotel

    A remotely exploitable SQL injection vulnerability has been disclosed in itsourcecode Free Hotel Reservation System 1.0, affecting the amenities admin...

  • SecurityMar 9, 2026

    CVE-2026-3734: Improper Authorization in SourceCodester

    A remotely exploitable improper authorization vulnerability has been disclosed in SourceCodester Client Database Management System 1.0, allowing...

  • SecurityMar 9, 2026

    CVE-2026-3740: SQL Injection in itsourcecode University

    A high-severity SQL injection vulnerability has been disclosed in itsourcecode University Management System 1.0, allowing remote attackers to execute...

  • SecurityMar 7, 2026

    CVE-2018-25165: SQL Injection Disclosed in Galaxy Forces MMORPG

    A SQL injection vulnerability in Galaxy Forces MMORPG version 0.5.8 has been formally catalogued by NVD, enabling authenticated attackers to extract...

  • SecurityFeb 12, 2026

    Critical RCE in WPvivid Backup Plugin Threatens 900,000+

    A critical unauthenticated arbitrary file upload vulnerability in the WPvivid Backup & Migration plugin allows remote code execution on over 900,000...

  • SecurityFeb 5, 2026

    NGINX TLS Vulnerability Enables Man-in-the-Middle Attacks

    CVE-2026-1642 affects NGINX OSS and Plus when proxying to upstream TLS servers, allowing attackers to inject plaintext data into responses.

  • SecurityJan 25, 2026

    WordPress Plugin Vulnerability (CVSS 10.0) Under Active

    Maximum severity flaw in Modular DS WordPress plugin allows unauthenticated privilege escalation. All versions through 2.5.1 affected with active...