CVE Vulnerability Catalog

Translated CVE descriptions from NVD NIST — in English

CISA KEV catalog updated: (v2026.07.01)

CVE-2026-14700
High

A SQL injection vulnerability has been found in code-projects Internship Management System 1.0 in the employer/login.php file. Remote manipulation of the email/password arguments allows SQL injection. The exploit is publicly disclosed.

CVE-2026-14695
High

A SQL injection vulnerability was found in SourceCodester Multi-Vendor Online Grocery Management System 1.0 in the save_client function of classes/Users.php. Manipulation of the Name argument in the Registration Handler allows remote SQL injection. The exploit has been made public and could be used.

CVE-2026-14690
High

A weakness in SourceCodester Multi-Vendor Online Grocery Management System 1.0 affects the save_users function in classes/Users.php, causing improper authorization. Remote exploitation is possible, and the exploit has been publicly disclosed.

CVE-2026-14688
High

A SQL injection vulnerability was found in itsourcecode Online Hotel Management System 1.0 in the file /admin/login.php. An attacker can remotely manipulate the email argument, leading to SQL injection. The exploit is publicly available.

CVE-2026-14660
High

A vulnerability was found in Online Job Portal 1.0, specifically in the login.php file. An unknown function allows manipulation of the txtUser and txtPass arguments, leading to SQL injection. The attack can be performed remotely and the exploit has been made public.

CVE-2026-14654
High

A SQL injection vulnerability was found in SourceCodester Simple and Nice Shopping Cart Script 1.0 in the file /admin/girlsproductdeletequery.php. An unknown function allows manipulation of the user_id argument, enabling remote SQL injection. The exploit is publicly available and may be used.

CVE-2026-14653
High

A SQL injection vulnerability was found in SourceCodester Simple and Nice Shopping Cart Script 1.0 in the file /admin/mensproductdeletequery.php. An attacker can remotely manipulate the user_id argument, leading to SQL injection. The exploit has been publicly disclosed.

CVE-2026-14652
High

A SQL injection vulnerability was found in SourceCodester Simple and Nice Shopping Cart Script 1.0 in the file /admin/login.php. An attacker can remotely manipulate the Username argument, leading to SQL injection. The exploit has been made public and could be used.

CVE-2026-14649
High

A SQL injection vulnerability was found in Online Voting System 1.0 in the /saveVote.php file. The test_input function fails to sanitize the voterName, voterEmail, voterID, and selectedCandidate arguments, allowing remote exploitation.

CVE-2026-14648
High

A SQL injection vulnerability has been found in the Online Voting System up to version 1.0 in the test_input function of /authentication.php (Login component). Manipulation of adminUserName/adminPassword arguments allows remote SQL injection. The exploit has been publicly disclosed.

CVE-2026-14642
High

A SQL injection vulnerability was found in SourceCodester Class and Exam Timetabling System 1.0 in the /edit_class2.php file. Manipulation of the ID argument allows remote SQL injection. The exploit is publicly available.

CVE-2026-14641
High

A SQL injection vulnerability was found in SourceCodester Class and Exam Timetabling System 1.0 in the /edit_course.php file. Manipulating the ID argument allows remote SQL injection. The exploit has been publicly disclosed and may be used.

CVE-2026-14640
High

A SQL injection vulnerability was found in CodeAstro Apartment Visitor Management System 1.0 in the /index.php file within the login component. Manipulating the Username argument allows remote attackers to execute unauthorized database queries. The exploit has been made public and could be used.

CVE-2026-14637
High

A deserialization vulnerability was found in the getCartItems function of ShoppingCart.php in Ecommerce-CodeIgniter-Bootstrap. The attack can be performed remotely by manipulating the shopping_cart argument. The exploit has been publicly disclosed, increasing the risk of exploitation.

CVE-2026-14635
High

A path traversal vulnerability has been discovered in Ecommerce-CodeIgniter-Bootstrap up to commit 222ff31c06687b1c6d0e1ab63953f82c3674c52b, specifically in the AddProduct.php file of the Vendor Multi-Image Endpoint. An attacker can remotely manipulate the folder argument, leading to unauthorized file access. The exploit has been publicly released and may be used in attacks.

CVE-2026-14535
High

In fickling up to version 0.1.11, the UnsafeImportsML analysis pass stores shortened import representations in a shared set, causing the MLAllowlist pass to skip all checks as though they had already been reported. This renders MLAllowlist ineffective, allowing imports of modules outside the allowlist to be considered safe.

CVE-2026-14534
High

The vulnerability in fickling up to version 0.1.10 is due to Python standard library modules (_posixsubprocess, site, atexit) missing from the UNSAFE_IMPORTS denylist. This causes check_safety() to incorrectly classify malicious pickle payloads as LIKELY_SAFE, allowing deserialization and execution of dangerous functions like fork_exec, execsitecustomize, or _run_exitfuncs.

CVE-2026-12196
High

The cronjob feature in HestiaCP panel is affected by a broken access control vulnerability. Low privilege users can modify panel cronjobs to execute HestiaCP management scripts with passwordless sudo.

CVE-2026-12195
High

myVesta is affected by an authenticated remote code execution vulnerability. Low privileged users can inject arbitrary commands via the v_ftp_user parameter when deleting FTP usernames.

CVE-2026-14622
High

A missing authentication vulnerability was found in the AJAX Endpoint component of restaurant-website-php-mysql, specifically in the /admin/ajax_files file. This allows remote manipulation without authentication. The exploit has been publicly disclosed, increasing attack risk.


Vulnerability data from NVD (NIST) · CISA KEV · EPSS