All CosmicBytez Labs articles tagged #Web Security, across news, security advisories, how-to guides, and projects.
CISA has added two Joomla extension vulnerabilities to its KEV catalog after attackers began exploiting arbitrary file upload flaws in iCagenda and Balbooa Forms to achieve remote code execution on vulnerable websites.
CISA has added two maximum-severity flaws in iCagenda and Balbooa Forms Joomla extensions to its KEV catalog following confirmed zero-day exploitation in the wild. Administrators should patch or mitigate immediately.
A high-severity SQL injection vulnerability in the TOKO-ONLINE-ROTI bakery management system allows remote attackers to manipulate the login.php Username parameter and compromise the backend database without authentication.
A high-severity SQL injection vulnerability in the TOKO-ONLINE-ROTI PHP bakery system allows remote attackers to manipulate the kode_produk and kd_cs parameters in proses/add.php, enabling database compromise.
The Australian Cyber Security Centre has issued an alert about a coordinated global campaign actively exploiting unpatched vulnerabilities in WordPress,...
A critical unrestricted file upload vulnerability in JoomShaper's SP Page Builder allows unauthenticated attackers to upload arbitrary PHP files and...
A high-severity SQL injection vulnerability in SourceCodester Class and Exam Timetabling System 1.0 allows remote attackers to manipulate the database via...
A high-severity SQL injection vulnerability in SourceCodester Class and Exam Timetabling System 1.0 allows remote attackers to manipulate the database via...
A high-severity SQL injection vulnerability in SourceCodester Class and Exam Timetabling System 1.0 allows remote attackers to manipulate the database via...
A high-severity SQL injection vulnerability in SourceCodester Simple and Nice Shopping Cart Script 1.0 allows remote attackers to manipulate the admin...
A high-severity SQL injection flaw in SourceCodester Simple and Nice Shopping Cart Script 1.0 exposes the men's product delete query to remote...
A high-severity SQL injection vulnerability in SourceCodester Simple and Nice Shopping Cart Script 1.0 allows remote attackers to exploit the girls...
A high-severity SQL injection vulnerability in itsourcecode Online Hotel Management System 1.0 allows remote attackers to exploit the admin login page via...
A high-severity SQL injection vulnerability in SourceCodester's Multi-Vendor Online Grocery Management System 1.0 allows remote attackers to manipulate...
A remotely exploitable SQL injection flaw in SourceCodester Pizzafy E-Commerce System 1.0 allows attackers to manipulate the confirm_order endpoint via an...
A high-severity improper privilege management flaw in SourceCodester's Online Examination and Learning Management System 1.0 allows remote attackers to...
A missing authentication vulnerability (CVSS 7.3) in the jairiidriss/restaurant-website-php-mysql project exposes the /admin/ajax_files endpoint to...
A high-severity SQL injection vulnerability in SourceCodester Class and Exam Timetabling System 1.0 allows unauthenticated attackers to manipulate the...
A high-severity SQL injection vulnerability in SourceCodester Class and Exam Timetabling System 1.0 allows unauthenticated attackers to manipulate the...
A high-severity SQL injection vulnerability in yashpokharna2555's restaurant management system allows unauthenticated attackers to exploit the...
Active exploitation of CVE-2026-4020 in the Gravity SMTP WordPress plugin has generated over 17 million malicious requests, allowing unauthenticated...
CVSS 9.1 session fixation flaw in Perl's Catalyst auth plugin (before 0.10_027) lets attackers impersonate authenticated users by pre-planting a known...
Hackers are actively exploiting a critical vulnerability (CVE-2026-3300) in the Everest Forms Pro WordPress plugin, enabling them to take complete control of…
Tech giant Toshiba and mega-retailer Muji have warned visitors that suspicious sign-in screens appearing on their websites could be harvesting credentials — a…
A critical CVSS 9.8 vulnerability in M3WebServer hard-codes backend API keys in the production build. Attackers intercept them through verbose error handling…
Hackers are actively exploiting a critical privilege escalation vulnerability (CVE-2026-8206) in the widely-used Kirki Customizer Framework plugin for…
Hackers are actively exploiting a critical vulnerability in the WP Maps Pro WordPress plugin that allows unauthenticated attackers to create rogue…
Multiple unauthenticated SQL injection vulnerabilities in eNdonesia Portal 8.7 allow attackers to extract sensitive database contents via the artid, cid,...
Multiple unauthenticated SQL injection vulnerabilities in eNdonesia Portal 8.7 expose the publisher, artikel, and info modules to database extraction...
An unauthenticated SQL injection vulnerability in MGB OpenSource Guestbook 0.7.0.2 allows attackers to extract sensitive database contents via the 'id'...
A critical unauthenticated arbitrary file upload vulnerability in Delta Sql 1.8.2 allows attackers to upload malicious PHP files and achieve remote code...
A remotely exploitable SQL injection vulnerability has been disclosed in code-projects Online Music Site 1.0, affecting the Administrator PHP AdminEditAlbum…
A high-severity remote code execution vulnerability in the Spectra Gutenberg Blocks plugin for WordPress allows authenticated Contributor-level attackers...
The Fortis for WooCommerce WordPress plugin before version 1.3.1 exposes sensitive API keys to unauthenticated attackers, enabling unauthorized access to...
A high-severity SQL injection vulnerability (CVE-2026-8785, CVSS 7.3) has been disclosed in projectworlds Hospital Management System in PHP 1.0, allowing...
Two vulnerabilities in the Avada Builder plugin for WordPress, with an estimated one million active installations, allow hackers to read arbitrary files...
A reflected cross-site scripting vulnerability in the dfm-menu_alerts.php component of GmbH Mecury docuForm v11.11c allows attackers to execute arbitrary...
The Brizy Page Builder plugin for WordPress contains a critical unauthenticated Stored Cross-Site Scripting flaw in versions up to 2.8.11, enabling...
A high-severity SQL injection vulnerability has been discovered in SourceCodester Pizzafy Ecommerce System 1.0, allowing remote attackers to manipulate...
A remotely exploitable SQL injection vulnerability has been disclosed in itsourcecode Courier Management System 1.0, affecting the edit_parcel.php file...
Threat actors are mass-exploiting a critical unauthenticated file upload vulnerability in the Breeze Cache WordPress plugin, uploading PHP webshells to...
A critical unauthenticated file upload vulnerability in the Breeze Cache WordPress plugin allows attackers to upload arbitrary files to affected servers...
A medium-severity SQL injection vulnerability has been disclosed in ProjectsAndPrograms School Management System, allowing remote attackers to manipulate...
A remotely exploitable SQL injection vulnerability has been disclosed in code-projects Simple IT Discussion Forum 1.0, affecting the /delete-category.php...
A remotely exploitable SQL injection vulnerability has been disclosed in code-projects Concert Ticket Reservation System 1.0, affecting the...
An unauthenticated SQL injection vulnerability has been disclosed in code-projects Concert Ticket Reservation System 1.0, affecting the login.php file via...
A remotely exploitable SQL injection vulnerability has been disclosed in SourceCodester/jkev Record Management System 1.0, affecting the Login page's...
A remotely exploitable SQL injection vulnerability has been disclosed in itsourcecode Free Hotel Reservation System 1.0, affecting the login page's email...
A remotely exploitable SQL injection vulnerability has been disclosed in code-projects Simple Food Order System 1.0, affecting the /all-tickets.php file...
A remotely exploitable SQL injection vulnerability exists in code-projects Simple Food Order System 1.0, where the Name parameter in register-router.php...
A SQL injection vulnerability has been disclosed in code-projects Simple Food Order System 1.0, where the Status parameter in all-orders.php enables...
A remotely exploitable SQL injection vulnerability has been disclosed in code-projects Accounting System 1.0, where the cos_id parameter in...
A remotely exploitable SQL injection vulnerability has been disclosed in code-projects Accounting System 1.0, allowing unauthenticated attackers to...
A stored cross-site scripting vulnerability in RealtyScript 4.0.2 allows attackers to inject malicious JavaScript via the location_name parameter in the...
Attackers hijacked AppsFlyer's CDN domain via a registrar incident, serving a sophisticated 170 KB crypto-stealing JavaScript payload to every site...
A remotely exploitable SQL injection vulnerability has been disclosed in itsourcecode Free Hotel Reservation System 1.0, affecting the amenities admin...
A remotely exploitable improper authorization vulnerability has been disclosed in SourceCodester Client Database Management System 1.0, allowing...
A high-severity SQL injection vulnerability has been disclosed in itsourcecode University Management System 1.0, allowing remote attackers to execute...
A SQL injection vulnerability in Galaxy Forces MMORPG version 0.5.8 has been formally catalogued by NVD, enabling authenticated attackers to extract...
A critical unauthenticated arbitrary file upload vulnerability in the WPvivid Backup & Migration plugin allows remote code execution on over 900,000...
CVE-2026-1642 affects NGINX OSS and Plus when proxying to upstream TLS servers, allowing attackers to inject plaintext data into responses.
Maximum severity flaw in Modular DS WordPress plugin allows unauthenticated privilege escalation. All versions through 2.5.1 affected with active...