Jackson Mittag

3 exploits Active since Jun 2026
CVE-2026-38579 GITHUB MEDIUM WRITEUP
damasac thaipalliative_lte <= 3.0 - Reflected Cross-Site Scripting via idFormMain, id, and ptid_key Parameters
Multiple reflected Cross-Site Scripting (XSS) vulnerabilities in damasac thaipalliative_lte through version 3.0 allow remote attackers to inject arbitrary web script or HTML via the idFormMain parameter (line 24), the id parameter (lines 25, 75), and the ptid_key parameter (lines 26, 42) in /substudy/ezform.php. User input is echoed into HTML attributes and JavaScript contexts without encoding.
CVSS 6.1
CVE-2026-38581 WRITEUP CRITICAL WRITEUP
damasac thaipalliative_lte <= 3.0 - SQL Injection via idFormMain or id Parameter
SQL Injection vulnerability in damasac thaipalliative_lte through version 3.0 allows remote attackers to execute arbitrary SQL commands via the idFormMain parameter to /substudy/ezform.php (line 14) and the id parameter (line 49). The parameters are concatenated directly into SQL queries without sanitization or parameterized statements.
CVSS 9.8
CVE-2026-38579 WRITEUP MEDIUM WRITEUP
damasac thaipalliative_lte <= 3.0 - Reflected Cross-Site Scripting via idFormMain, id, and ptid_key Parameters
Multiple reflected Cross-Site Scripting (XSS) vulnerabilities in damasac thaipalliative_lte through version 3.0 allow remote attackers to inject arbitrary web script or HTML via the idFormMain parameter (line 24), the id parameter (lines 25, 75), and the ptid_key parameter (lines 26, 42) in /substudy/ezform.php. User input is echoed into HTML attributes and JavaScript contexts without encoding.
CVSS 6.1