Imad Alvi

10 exploits Active since May 2025
CVE-2026-10288 GITHUB HIGH WRITEUP
code-projects Hotel and Tourism Reservation System 1.0 - Improper Authentication via Admin Login Password Parameter
A vulnerability was identified in code-projects Hotel and Tourism Reservation System 1.0. This issue affects the function password_verify of the file /admin/login.php of the component Admin Login. Such manipulation of the argument Password leads to improper authentication. It is possible to launch the attack remotely. The exploit is publicly available and might be used.
CVSS 7.3
CVE-2026-10170 NOMISEC MEDIUM WRITEUP
code-projects Visitor Management System phone_0.php sql injection
A flaw has been found in code-projects Visitor Management System 1.0. Affected by this issue is some unknown functionality of the file /vms/php/phone_0.php. This manipulation of the argument phone causes sql injection. The attack may be initiated remotely. The exploit has been published and may be used.
CVSS 6.3
CVE-2026-7401 GITHUB MEDIUM WRITEUP
SourceCodester CET Automated Grading System with AI Predictive Analytics Registration index.php register cross site scripting
A vulnerability was detected in SourceCodester CET Automated Grading System with AI Predictive Analytics 1.0. This vulnerability affects unknown code of the file /index.php?action=register of the component Registration. The manipulation of the argument student_id/full_name/section/username results in cross site scripting. The attack can be launched remotely. The exploit is now public and may be used.
CVSS 4.3
CVE-2026-7393 NOMISEC MEDIUM WRITEUP
SourceCodester Pizzafy Ecommerce System File Extension admin_class_novo.php save_menu unrestricted upload
A vulnerability was found in SourceCodester Pizzafy Ecommerce System 1.0. Affected is the function save_menu of the file /admin/admin_class_novo.php of the component File Extension Handler. Performing a manipulation of the argument img results in unrestricted upload. The attack is possible to be carried out remotely. The exploit has been made public and could be used.
CVSS 4.7
CVE-2026-7089 NOMISEC MEDIUM WRITEUP
code-projects Home Service System Appointment Booking booking.php cross site scripting
A security vulnerability has been detected in code-projects Home Service System 1.0. The impacted element is an unknown function of the file /booking.php of the component Appointment Booking. The manipulation of the argument fname/lname leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed publicly and may be used.
CVSS 4.3
CVE-2026-7071 NOMISEC MEDIUM WRITEUP
CodeAstro Online Job Portal user-cvs file information disclosure
A security vulnerability has been detected in CodeAstro Online Job Portal 1.0. Affected by this vulnerability is an unknown functionality of the file /users/user-cvs/. The manipulation leads to file and directory information exposure. Remote exploitation of the attack is possible. The exploit has been disclosed publicly and may be used.
CVSS 5.3
CVE-2026-6184 NOMISEC LOW WRITEUP
code-projects Simple Content Management System welcome.php cross site scripting
A weakness has been identified in code-projects Simple Content Management System 1.0. This affects an unknown part of the file /web/admin/welcome.php. Executing a manipulation of the argument News Title can lead to cross site scripting. The attack can be executed remotely. The exploit has been made available to the public and could be used for attacks.
CVSS 2.4
CVE-2026-6183 NOMISEC HIGH WRITEUP
code-projects Simple Content Management System index.php sql injection
A security flaw has been discovered in code-projects Simple Content Management System 1.0. Affected by this issue is some unknown functionality of the file /web/index.php. Performing a manipulation of the argument ID results in sql injection. Remote exploitation of the attack is possible. The exploit has been released to the public and may be used for attacks.
CVSS 7.3
CVE-2026-6182 NOMISEC HIGH WORKING POC
code-projects Simple Content Management System login.php sql injection
A vulnerability was identified in code-projects Simple Content Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /web/admin/login.php. Such manipulation of the argument User leads to sql injection. The attack may be launched remotely. The exploit is publicly available and might be used.
CVSS 7.3
CVE-2025-4720 NOMISEC MEDIUM WRITEUP
SourceCodester Student Result Management System 1.0 - Path Traversal via academic/core/drop_student.php img Parameter
A vulnerability was found in SourceCodester Student Result Management System 1.0. It has been declared as critical. This vulnerability affects unknown code of the file academic/core/drop_student.php. The manipulation of the argument img leads to path traversal. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.
CVSS 5.4