Xmyronn

17 exploits Active since May 2025
CVE-2026-11344 NOMISEC HIGH WRITEUP
code-projects Vehicle Management System New Driver Registration Form newdriver.php unrestricted upload
A vulnerability was found in code-projects Vehicle Management System 1.0. This impacts an unknown function of the file newdriver.php of the component New Driver Registration Form. Performing a manipulation of the argument photo results in unrestricted upload. The attack may be initiated remotely. The exploit has been made public and could be used.
CVSS 7.3
CVE-2026-10288 GITHUB HIGH WRITEUP
code-projects Hotel and Tourism Reservation System 1.0 - Improper Authentication via Admin Login Password Parameter
A vulnerability was identified in code-projects Hotel and Tourism Reservation System 1.0. This issue affects the function password_verify of the file /admin/login.php of the component Admin Login. Such manipulation of the argument Password leads to improper authentication. It is possible to launch the attack remotely. The exploit is publicly available and might be used.
CVSS 7.3
CVE-2026-10290 GITHUB HIGH WRITEUP
Hotel and Tourism Reservation System 1.0 - SQL Injection via tour.php GET Parameter
A weakness has been identified in code-projects Hotel and Tourism Reservation System 1.0. The affected element is an unknown function of the file tour.php of the component GET Parameter Handler. Executing a manipulation of the argument tour can lead to sql injection. The attack can be launched remotely. The exploit has been made available to the public and could be used for attacks.
CVSS 7.3
CVE-2026-10170 NOMISEC MEDIUM WRITEUP
code-projects Visitor Management System phone_0.php sql injection
A flaw has been found in code-projects Visitor Management System 1.0. Affected by this issue is some unknown functionality of the file /vms/php/phone_0.php. This manipulation of the argument phone causes sql injection. The attack may be initiated remotely. The exploit has been published and may be used.
CVSS 6.3
CVE-2026-7229 GITHUB MEDIUM WRITEUP
code-projects Coaching Management System POST reply.php sql injection
A vulnerability was found in code-projects Coaching Management System 1.0. This affects an unknown function of the file /cims/modules/admin/reply.php of the component POST Handler. Performing a manipulation of the argument complaintreply results in sql injection. It is possible to initiate the attack remotely. The exploit has been made public and could be used.
CVSS 6.3
CVE-2026-7401 GITHUB MEDIUM WRITEUP
SourceCodester CET Automated Grading System with AI Predictive Analytics Registration index.php register cross site scripting
A vulnerability was detected in SourceCodester CET Automated Grading System with AI Predictive Analytics 1.0. This vulnerability affects unknown code of the file /index.php?action=register of the component Registration. The manipulation of the argument student_id/full_name/section/username results in cross site scripting. The attack can be launched remotely. The exploit is now public and may be used.
CVSS 4.3
CVE-2026-7394 NOMISEC MEDIUM WRITEUP
SourceCodester Pizzafy Ecommerce System GET Parameter view_order.php sql injection
A vulnerability was determined in SourceCodester Pizzafy Ecommerce System 1.0. Affected by this vulnerability is an unknown functionality of the file /admin/view_order.php of the component GET Parameter Handler. Executing a manipulation of the argument ID can lead to sql injection. The attack may be performed from remote. The exploit has been publicly disclosed and may be utilized.
CVSS 4.7
CVE-2026-7393 NOMISEC MEDIUM WRITEUP
SourceCodester Pizzafy Ecommerce System File Extension admin_class_novo.php save_menu unrestricted upload
A vulnerability was found in SourceCodester Pizzafy Ecommerce System 1.0. Affected is the function save_menu of the file /admin/admin_class_novo.php of the component File Extension Handler. Performing a manipulation of the argument img results in unrestricted upload. The attack is possible to be carried out remotely. The exploit has been made public and could be used.
CVSS 4.7
CVE-2026-7222 NOMISEC LOW WRITEUP
code-projects Coaching Management System Complaint Form complaint.php cross site scripting
A vulnerability was determined in code-projects Coaching Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /cims/modules/student/complaint.php of the component Complaint Form Page. This manipulation of the argument Complaint causes cross site scripting. The attack can be initiated remotely. The exploit has been publicly disclosed and may be utilized.
CVSS 3.5
CVE-2026-6201 NOMISEC MEDIUM WRITEUP
CodeAstro Online Job Portal Delete Job Posting job-delete.php access control
A vulnerability was identified in CodeAstro Online Job Portal 1.0. The impacted element is an unknown function of the file /jobs/job-delete.php of the component Delete Job Posting Handler. Such manipulation of the argument ID leads to improper access controls. The attack can be launched remotely. The exploit is publicly available and might be used.
CVSS 5.4
CVE-2026-7071 NOMISEC MEDIUM WRITEUP
CodeAstro Online Job Portal user-cvs file information disclosure
A security vulnerability has been detected in CodeAstro Online Job Portal 1.0. Affected by this vulnerability is an unknown functionality of the file /users/user-cvs/. The manipulation leads to file and directory information exposure. Remote exploitation of the attack is possible. The exploit has been disclosed publicly and may be used.
CVSS 5.3
CVE-2026-7089 NOMISEC MEDIUM WRITEUP
code-projects Home Service System Appointment Booking booking.php cross site scripting
A security vulnerability has been detected in code-projects Home Service System 1.0. The impacted element is an unknown function of the file /booking.php of the component Appointment Booking. The manipulation of the argument fname/lname leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed publicly and may be used.
CVSS 4.3
CVE-2026-7028 NOMISEC MEDIUM WRITEUP
CodeAstro Online Job Portal All Jobs delete-jobs.php sql injection
A security flaw has been discovered in CodeAstro Online Job Portal 1.0. The affected element is an unknown function of the file /admin/jobs-admins/delete-jobs.php of the component All Jobs Page. Performing a manipulation of the argument ID results in sql injection. The attack is possible to be carried out remotely. The exploit has been released to the public and may be used for attacks.
CVSS 4.7
CVE-2026-6184 NOMISEC LOW WRITEUP
code-projects Simple Content Management System welcome.php cross site scripting
A weakness has been identified in code-projects Simple Content Management System 1.0. This affects an unknown part of the file /web/admin/welcome.php. Executing a manipulation of the argument News Title can lead to cross site scripting. The attack can be executed remotely. The exploit has been made available to the public and could be used for attacks.
CVSS 2.4
CVE-2026-6183 NOMISEC HIGH WRITEUP
code-projects Simple Content Management System index.php sql injection
A security flaw has been discovered in code-projects Simple Content Management System 1.0. Affected by this issue is some unknown functionality of the file /web/index.php. Performing a manipulation of the argument ID results in sql injection. Remote exploitation of the attack is possible. The exploit has been released to the public and may be used for attacks.
CVSS 7.3
CVE-2026-6182 NOMISEC HIGH WORKING POC
code-projects Simple Content Management System login.php sql injection
A vulnerability was identified in code-projects Simple Content Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /web/admin/login.php. Such manipulation of the argument User leads to sql injection. The attack may be launched remotely. The exploit is publicly available and might be used.
CVSS 7.3
CVE-2025-4720 NOMISEC MEDIUM WRITEUP
SourceCodester Student Result Management System 1.0 - Path Traversal via academic/core/drop_student.php img Parameter
A vulnerability was found in SourceCodester Student Result Management System 1.0. It has been declared as critical. This vulnerability affects unknown code of the file academic/core/drop_student.php. The manipulation of the argument img leads to path traversal. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.
CVSS 5.4