Choco094late

9 exploits Active since Nov 2025
CVE-2026-2654 WRITEUP MEDIUM WRITEUP
huggingface smolagents 1.24.0 - SSRF
A weakness has been identified in huggingface smolagents 1.24.0. Impacted is the function requests.get/requests.post of the component LocalPythonExecutor. Executing a manipulation can lead to server-side request forgery. It is possible to launch the attack remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
CVSS 6.3
CVE-2026-3744 WRITEUP HIGH WRITEUP
Student Web Portal 1.0 - SQL Injection
A vulnerability has been found in code-projects Student Web Portal 1.0. This impacts the function valreg_passwdation of the file signup.php. The manipulation of the argument reg_passwd leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.
CVSS 7.3
CVE-2026-3746 WRITEUP HIGH WRITEUP
SourceCodester Tourism Website 1.0 - SQL Injection
A vulnerability was determined in SourceCodester Simple Responsive Tourism Website 1.0. Affected by this vulnerability is an unknown functionality of the file /tourism/classes/Login.php?f=login of the component Login. This manipulation of the argument Username causes sql injection. The attack may be initiated remotely. The exploit has been publicly disclosed and may be utilized.
CVSS 7.3
CVE-2026-3744 WRITEUP HIGH WRITEUP
Student Web Portal 1.0 - SQL Injection
A vulnerability has been found in code-projects Student Web Portal 1.0. This impacts the function valreg_passwdation of the file signup.php. The manipulation of the argument reg_passwd leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.
CVSS 7.3
CVE-2026-3745 WRITEUP MEDIUM WRITEUP
Student Web Portal 1.0 - SQL Injection
A vulnerability was found in code-projects Student Web Portal 1.0. Affected is an unknown function of the file profile.php. The manipulation of the argument User results in sql injection. The attack can be launched remotely. The exploit has been made public and could be used.
CVSS 6.3
CVE-2026-3746 WRITEUP HIGH WRITEUP
SourceCodester Tourism Website 1.0 - SQL Injection
A vulnerability was determined in SourceCodester Simple Responsive Tourism Website 1.0. Affected by this vulnerability is an unknown functionality of the file /tourism/classes/Login.php?f=login of the component Login. This manipulation of the argument Username causes sql injection. The attack may be initiated remotely. The exploit has been publicly disclosed and may be utilized.
CVSS 7.3
CVE-2026-2654 WRITEUP MEDIUM WRITEUP
huggingface smolagents 1.24.0 - SSRF
A weakness has been identified in huggingface smolagents 1.24.0. Impacted is the function requests.get/requests.post of the component LocalPythonExecutor. Executing a manipulation can lead to server-side request forgery. It is possible to launch the attack remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
CVSS 6.3
CVE-2025-13278 WRITEUP MEDIUM WRITEUP
projectworlds Advanced Library Management System 1.0 - SQL Injection via Date Range Parameters
A vulnerability has been found in projectworlds Advanced Library Management System 1.0. Impacted is an unknown function of the file /borrowed_book_search.php. Such manipulation of the argument datefrom/dateto leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.
CVSS 6.3
CVE-2026-2160 WRITEUP MEDIUM WRITEUP
Simple Responsive Tourism Website 1.0 - Cross-Site Scripting via Title Parameter in Master.php
A vulnerability has been found in SourceCodester Simple Responsive Tourism Website 1.0. Affected by this vulnerability is an unknown functionality of the file /tourism/classes/Master.php?f=save_package. The manipulation of the argument Title leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.
CVSS 4.3