Security Vulnerabilities
PHPGurukul Complaint Management System 2.0 is vulnerable to Cross Site Scripting (XSS) via the search parameter in user-search.php.
CVSS Score
6.1
EPSS Score
0.0
Published
2025-11-17
PHPGurukul Complaint Management System 2.0 is vulnerable to SQL Injection via the subcategory and category parameters in subcategory.php.
CVSS Score
6.5
EPSS Score
0.0
Published
2025-11-17
Glob matches files using patterns the shell uses. Starting in version 10.2.0 and prior to versions 10.5.0 and 11.1.0, the glob CLI contains a command injection vulnerability in its -c/--cmd option that allows arbitrary command execution when processing files with malicious names. When glob -c <command> <patterns> are used, matched filenames are passed to a shell with shell: true, enabling shell metacharacters in filenames to trigger command injection and achieve arbitrary code execution under the user or CI account privileges. This issue has been patched in versions 10.5.0 and 11.1.0.
CVSS Score
7.5
EPSS Score
0.0
Published
2025-11-17
CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVSS Score
6.8
EPSS Score
0.001
Published
2025-11-17
Multiple CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
CVSS Score
4.8
EPSS Score
0.0
Published
2025-11-17
Multiple CWE-352 Cross-Site Request Forgery (CSRF)
CVSS Score
4.5
EPSS Score
0.0
Published
2025-11-17
CWE-20 Improper Input Validation
CVSS Score
4.5
EPSS Score
0.001
Published
2025-11-17
CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
CVSS Score
4.8
EPSS Score
0.0
Published
2025-11-17
A security vulnerability has been detected in itsourcecode Web-Based Internet Laboratory Management System 1.0. The impacted element is an unknown function of the file /course/controller.php. Such manipulation leads to sql injection. The attack can be executed remotely. The exploit has been disclosed publicly and may be used.
CVSS Score
7.3
EPSS Score
0.0
Published
2025-11-17
Nagios Log Server versions prior to 2026R1.0.1 contain an authenticated command injection vulnerability in the experimental 'Natural Language Queries' feature. When this feature is configured, certain user-controlled settings—including model selection and connection parameters—are read from the global configuration and concatenated into a shell command that is executed via shell_exec() without proper input handling or command-line argument sanitation. An authenticated user with access to the 'Global Settings' page can supply crafted values in these fields to inject additional shell commands, resulting in arbitrary command execution as the 'www-data' user and compromise of the Log Server host.
CVSS Score
7.2
EPSS Score
0.004
Published
2025-11-17