Varad AP Mene

6 exploits Active since Apr 2026
CVE-2026-37748 NOMISEC HIGH WORKING POC
Visitor Management System 1.0 - RCE
Visitor Management System 1.0 by sanjay1313 is vulnerable to Unrestricted File Upload in vms/php/admin_user_insert.php and vms/php/update_1.php. The move_uploaded_file() function is called without any MIME type, extension, or content validation, allowing an authenticated admin to upload a PHP webshell and achieve Remote Code Execution on the server.
CVSS 7.2
CVE-2026-37749 NOMISEC CRITICAL WORKING POC
Simple Attendance Management System 1.0 - SQL Injection
A SQL injection vulnerability in CodeAstro Simple Attendance Management System v1.0 allows remote unauthenticated attackers to bypass authentication via the username parameter in index.php.
CVSS 9.8
CVE-2026-37750 NOMISEC MEDIUM WORKING POC
School Management System - XSS
A reflected Cross-Site Scripting (XSS) vulnerability in School Management System by mahmoudai1 allows unauthenticated remote attackers to execute arbitrary JavaScript in victims' browsers via the unsanitized type parameter in register.php.
CVSS 6.1
CVE-2026-37750 WRITEUP MEDIUM WORKING POC
School Management System - XSS
A reflected Cross-Site Scripting (XSS) vulnerability in School Management System by mahmoudai1 allows unauthenticated remote attackers to execute arbitrary JavaScript in victims' browsers via the unsanitized type parameter in register.php.
CVSS 6.1
CVE-2026-37748 WRITEUP HIGH WORKING POC
Visitor Management System 1.0 - RCE
Visitor Management System 1.0 by sanjay1313 is vulnerable to Unrestricted File Upload in vms/php/admin_user_insert.php and vms/php/update_1.php. The move_uploaded_file() function is called without any MIME type, extension, or content validation, allowing an authenticated admin to upload a PHP webshell and achieve Remote Code Execution on the server.
CVSS 7.2
CVE-2026-37749 WRITEUP CRITICAL WORKING POC
Simple Attendance Management System 1.0 - SQL Injection
A SQL injection vulnerability in CodeAstro Simple Attendance Management System v1.0 allows remote unauthenticated attackers to bypass authentication via the username parameter in index.php.
CVSS 9.8