lakshayyverma

19 exploits Active since Oct 2025
CVE-2026-4907 WRITEUP MEDIUM WRITEUP
Page-Replica Page Replica Endpoint sitemap sitemap.fetch server-side request forgery
A vulnerability was identified in Page-Replica Page Replica up to e4a7f52e75093ee318b4d5a9a9db6751050d2ad0. The impacted element is the function sitemap.fetch of the file /sitemap of the component Endpoint. The manipulation of the argument url leads to server-side request forgery. The attack is possible to be carried out remotely. The exploit is publicly available and might be used. This product adopts a rolling release strategy to maintain continuous delivery. Therefore, version details for affected or updated releases cannot be specified. The vendor was contacted early about this disclosure but did not respond in any way.
CVSS 6.3
CVE-2025-11551 WRITEUP MEDIUM WRITEUP
Student Result Manager 1.0 - SQL Injection via Roll/Name/GPA Argument
A vulnerability was determined in code-projects Student Result Manager 1.0. This affects an unknown function of the file src/students/Database.java. This manipulation of the argument roll/name/gpa causes sql injection. It is possible to initiate the attack remotely. The exploit has been publicly disclosed and may be utilized.
CVSS 6.3
CVE-2025-11608 WRITEUP HIGH WRITEUP
code-projects E-Banking System 1.0 - SQL Injection via Username/Password Parameter
A security vulnerability has been detected in code-projects E-Banking System 1.0. This affects an unknown function of the file /register.php of the component POST Parameter Handler. The manipulation of the argument username/password leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed publicly and may be used.
CVSS 7.3
CVE-2025-11609 WRITEUP LOW WRITEUP
Code-projects Hospital Management System 1.0 - Code Injection
A flaw has been found in code-projects Hospital Management System 1.0. Affected is the function session of the component express-session. This manipulation of the argument secret with the input secret causes use of hard-coded cryptographic key . The attack can be initiated remotely. The attack is considered to have high complexity. The exploitability is told to be difficult. The exploit has been published and may be used.
CVSS 3.7
CVE-2025-11864 WRITEUP HIGH WRITEUP
NucleoidAI Nucleoid < 0.7.10 - Server-Side Request Forgery via Outbound Request Handler
A vulnerability was identified in NucleoidAI Nucleoid up to 0.7.10. The impacted element is the function extension.apply of the file /src/cluster.ts of the component Outbound Request Handler. Such manipulation of the argument https/ip/port/path/headers leads to server-side request forgery. The attack may be performed from remote.
CVSS 7.3
CVE-2025-12247 WRITEUP HIGH WRITEUP
Hasleo Backup Suite <5.2 - Path Traversal
A weakness has been identified in Hasleo Backup Suite up to 5.2. Impacted is an unknown function of the component HasleoImageMountService/HasleoBackupSuiteService. This manipulation causes unquoted search path. The attack is restricted to local execution. The attack's complexity is rated as high. The exploitability is considered difficult. The exploit has been made available to the public and could be exploited. Upgrading the affected component is advised.
CVSS 7.0
CVE-2025-12286 WRITEUP HIGH WRITEUP
VeePN <1.6.2 - Unquoted Search Path
A weakness has been identified in VeePN up to 1.6.2. This affects an unknown function of the file C:\Program Files (x86)\VeePN\avservice\avservice.exe of the component AVService. This manipulation causes unquoted search path. The attack requires local access. A high degree of complexity is needed for the attack. The exploitability is reported as difficult. The vendor was contacted early about this disclosure but did not respond in any way.
CVSS 7.0
CVE-2025-12928 WRITEUP HIGH WRITEUP
Code-projects Online Job Search Engine 1.0 - SQL Injection
A vulnerability was detected in code-projects Online Job Search Engine 1.0. This affects an unknown function of the file /login.php. Performing manipulation of the argument username/phone results in sql injection. The attack is possible to be carried out remotely. The exploit is now public and may be used.
CVSS 7.3
CVE-2025-12929 WRITEUP HIGH WRITEUP
SourceCodester Survey Application System 1.0 - SQL Injection
A flaw has been found in SourceCodester Survey Application System 1.0. This impacts the function save_user/update_user of the file /LoginRegistration.php. Executing manipulation of the argument fullname can lead to sql injection. The attack may be performed from remote. The exploit has been published and may be used. Other parameters might be affected as well.
CVSS 7.3
CVE-2025-13130 WRITEUP HIGH WRITEUP
Radarr 5.28.0.10274 - Privilege Escalation
A vulnerability has been found in Radarr 5.28.0.10274. The affected element is an unknown function of the file C:\ProgramData\Radarr\bin\Radarr.Console.exe of the component Service. Such manipulation leads to incorrect default permissions. The attack can only be performed from a local environment. The vendor was contacted early about this disclosure but did not respond in any way.
CVSS 7.8
CVE-2025-13131 WRITEUP HIGH WRITEUP
Sonarr 4.0.15.2940 - Local Privilege Escalation
A vulnerability was found in Sonarr 4.0.15.2940. The impacted element is an unknown function of the file C:\ProgramData\Sonarr\bin\Sonarr.Console.exe of the component Service. Performing manipulation results in incorrect default permissions. The attack is only possible with local access. The vendor confirms this vulnerability but classifies it as a "low severity issue due to the default service user being used as it would either require someone to intentionally change the service to a highly privileged account or an attacker would need an admin level account". It is planned to fix this issue in the next major release v5.
CVSS 7.8
CVE-2025-13433 WRITEUP HIGH WRITEUP
Muse Group MuseHub 2.1.0.1567 - Path Traversal
A security flaw has been discovered in Muse Group MuseHub 2.1.0.1567. The affected element is an unknown function of the file C:\Program Files\WindowsApps\Muse.MuseHub_2.1.0.1567_x64__rb9pth70m6nz6\Muse.Updater.exe of the component Windows Service. The manipulation results in unquoted search path. The attack is only possible with local access. A high complexity level is associated with this attack. The exploitability is described as difficult. The vendor was contacted early about this disclosure but did not respond in any way.
CVSS 7.0
CVE-2025-13434 WRITEUP MEDIUM WRITEUP
jameschz Hush Framework 2.0 - HTTP Header Injection via Host Header
A weakness has been identified in jameschz Hush Framework 2.0. The impacted element is an unknown function of the file Hush\hush-lib\hush\Util.php of the component HTTP Host Header Handler. This manipulation of the argument $_SERVER['HOST'] causes improper neutralization of http headers for scripting syntax. The attack is possible to be carried out remotely. The exploit has been made available to the public and could be exploited. The vendor was contacted early about this disclosure but did not respond in any way.
CVSS 5.3
CVE-2025-13588 WRITEUP MEDIUM WRITEUP
lKinderBueno Streamity Xtream IPTV Player <2.8 - SSRF
A vulnerability was found in lKinderBueno Streamity Xtream IPTV Player up to 2.8. The impacted element is an unknown function of the file public/proxy.php. Performing manipulation results in server-side request forgery. The attack can be initiated remotely. The exploit has been made public and could be used. Upgrading to version 2.8.1 is sufficient to resolve this issue. The patch is named c70bfb8d36b47bfd64c5ec73917e1d9ddb97af92. It is suggested to upgrade the affected component.
CVSS 6.3
CVE-2025-13803 WRITEUP HIGH WRITEUP
MediaCrush 1.0.0 and 1.0.1 - HTTP Header Injection via Host Parameter
A vulnerability was identified in MediaCrush 1.0.0/1.0.1. The affected element is an unknown function of the file /mediacrush/paths.py of the component Header Handler. Such manipulation of the argument Host leads to improper neutralization of http headers for scripting syntax. The attack can be launched remotely.
CVSS 7.3
CVE-2026-2183 WRITEUP MEDIUM WRITEUP
Great Developers Certificate Generation System <97171bb0e5e22e52eac...
A security vulnerability has been detected in Great Developers Certificate Generation System up to 97171bb0e5e22e52eacf4e4fa81773e5f3cffb73. This affects an unknown part of the file /restructured/csv.php. The manipulation leads to unrestricted upload. Remote exploitation of the attack is possible. This product follows a rolling release approach for continuous delivery, so version details for affected or updated releases are not provided. The code repository of the project has not been active for many years.
CVSS 6.3
CVE-2026-2184 WRITEUP HIGH WRITEUP
Great Developers Certificate Generation System - OS Command Injection
A vulnerability was detected in Great Developers Certificate Generation System up to 97171bb0e5e22e52eacf4e4fa81773e5f3cffb73. This vulnerability affects unknown code of the file /restructured/csv.php. The manipulation of the argument photo results in os command injection. The attack can be executed remotely. This product implements a rolling release for ongoing delivery, which means version information for affected or updated releases is unavailable. The code repository of the project has not been active for many years.
CVSS 7.3
CVE-2026-2543 WRITEUP LOW WRITEUP
vichan-devel vichan <5.1.5 - Auth Bypass
A vulnerability was identified in vichan-devel vichan up to 5.1.5. This vulnerability affects unknown code of the file inc/mod/pages.php of the component Password Change Handler. The manipulation of the argument Password leads to unverified password change. The attack can be initiated remotely. The vendor was contacted early about this disclosure but did not respond in any way.
CVSS 2.7
CVE-2026-2544 WRITEUP HIGH WRITEUP
yued-fe LuLu UI <3.0.0 - Command Injection
A security flaw has been discovered in yued-fe LuLu UI up to 3.0.0. This issue affects the function child_process.exec of the file run.js. The manipulation results in os command injection. The attack can be launched remotely. The vendor was contacted early about this disclosure but did not respond in any way.
CVSS 7.3