Export limit exceeded: 341177 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (341177 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-30303 | 1 Matterai | 1 Axon Code | 2026-03-30 | 9.8 Critical |
| The command auto-approval module in Axon Code contains an OS Command Injection vulnerability, rendering its whitelist security mechanism ineffective. The vulnerability stems from the incorrect use of an incompatible command parser (the Unix-based shell-quote library) to analyze commands on the Windows platform, coupled with a failure to correctly handle Windows CMD-specific escape sequences (^). Attackers can exploit this discrepancy between the parsing logic and the execution environment by constructing payloads such as git log ^" & malicious_command ^". The Axon Code parser is deceived by the escape characters, misinterpreting the malicious command connector (&) as being within a protected string argument and thus auto-approving the command. However, the underlying Windows CMD interpreter ignores the escaped quotes, parsing and executing the subsequent malicious command directly. This allows attackers to achieve arbitrary Remote Code Execution (RCE) after bypassing what appears to be a legitimate Git whitelist check. | ||||
| CVE-2026-30304 | 1 Tianguaduizhang | 1 Ai Code | 2026-03-30 | 9.6 Critical |
| In its design for automatic terminal command execution, AI Code offers two options: Execute safe commands and execute all commands. The description for the former states that commands determined by the model to be safe will be automatically executed, whereas if the model judges a command to be potentially destructive, it still requires user approval. However, this design is highly susceptible to prompt injection attacks. An attacker can employ a generic template to wrap any malicious command and mislead the model into misclassifying it as a 'safe' command, thereby bypassing the user approval requirement and resulting in arbitrary command execution. | ||||
| CVE-2026-30689 | 1 Anjoy8 | 1 Blog.admin | 2026-03-30 | 7.5 High |
| A blog.admin v.8.0 and before system's getinfobytoken API interface contains an improper access control which leads to sensitive data exposure. Unauthorized parties can obtain sensitive administrator account information via a valid token, threatening system security. | ||||
| CVE-2026-30567 | 1 Sourcecodester | 1 Inventory System | 2026-03-30 | N/A |
| A Reflected Cross-Site Scripting (XSS) vulnerability exists in SourceCodester Inventory System 1.0 in the view_product.php file via the "limit" parameter. The application fails to sanitize the input, allowing remote attackers to inject arbitrary web script or HTML via a crafted URL. | ||||
| CVE-2026-30568 | 1 Sourcecodester | 1 Inventory System | 2026-03-30 | 4.8 Medium |
| A Reflected Cross-Site Scripting (XSS) vulnerability exists in SourceCodester Inventory System 1.0 in in the view_purchase.php file via the "limit" parameter. The application fails to sanitize the input, allowing remote attackers to inject arbitrary web script or HTML via a crafted URL. | ||||
| CVE-2026-30569 | 1 Sourcecodester | 1 Inventory System | 2026-03-30 | N/A |
| A Reflected Cross-Site Scripting (XSS) vulnerability exists in SourceCodester Inventory System 1.0. The vulnerability is located in the view_stock_availability.php file via the "limit" parameter. The application fails to sanitize the input, allowing remote attackers to inject arbitrary web script or HTML via a crafted URL. | ||||
| CVE-2026-30570 | 1 Sourcecodester | 1 Inventory System | 2026-03-30 | N/A |
| A Reflected Cross-Site Scripting (XSS) vulnerability exists in SourceCodester Inventory System 1.0 in the view_sales.php file via the "limit" parameter. The application fails to sanitize the input, allowing remote attackers to inject arbitrary web script or HTML via a crafted URL. | ||||
| CVE-2026-30571 | 1 Sourcecodester | 1 Inventory System | 2026-03-30 | N/A |
| A Reflected Cross-Site Scripting (XSS) vulnerability exists in SourceCodester Inventory System 1.0 in the view_category.php file via the "limit" parameter. The application fails to sanitize the input, allowing remote attackers to inject arbitrary web script or HTML via a crafted URL. | ||||
| CVE-2026-30574 | 1 Sourcecodester | 1 Pharmacy Product Management System | 2026-03-30 | 7.5 High |
| A Business Logic vulnerability exists in SourceCodester Pharmacy Product Management System 1.0 in the add-sales.php file. The application fails to verify if the requested sales quantity (txtqty) exceeds the available stock level. An attacker can manipulate the request to purchase a quantity that is significantly higher than the actual available stock. | ||||
| CVE-2026-30575 | 1 Sourcecodester | 1 Pharmacy Product Management System | 2026-03-30 | 7.5 High |
| A Business Logic vulnerability exists in SourceCodester Pharmacy Product Management System 1.0 in the add-stock.php file. The application fails to validate the "txtqty" parameter during stock entry, allowing negative values to be processed. This causes the system to decrease the inventory level instead of increasing it, leading to inventory corruption and potential Denial of Service by depleting stock records. | ||||
| CVE-2026-30576 | 1 Sourcecodester | 1 Pharmacy Product Management System | 2026-03-30 | 7.5 High |
| A Business Logic vulnerability exists in SourceCodester Pharmacy Product Management System 1.0 in the add-stock.php file. The application fails to validate the "txtprice" and "txttotalcost" parameters during stock entry, allowing negative financial values to be submitted. This leads to corruption of financial records, allowing attackers to manipulate inventory asset values and procurement costs. | ||||
| CVE-2026-30302 | 1 Coderider | 1 Coderider-kilo | 2026-03-30 | 10 Critical |
| The command auto-approval module in CodeRider-Kilo contains an OS Command Injection vulnerability, rendering its whitelist security mechanism ineffective. The vulnerability stems from the incorrect use of an incompatible command parser (the Unix-based shell-quote library) to analyze commands on the Windows platform, coupled with a failure to correctly handle Windows CMD-specific escape sequences (^). Attackers can exploit this discrepancy between the parsing logic and the execution environment by constructing payloads such as git log ^" & malicious_command ^". The CodeRider-Kilo parser is deceived by the escape characters, misinterpreting the malicious command connector (&) as being within a protected string argument and thus auto-approving the command. However, the underlying Windows CMD interpreter ignores the escaped quotes, parsing and executing the subsequent malicious command directly. This allows attackers to achieve arbitrary Remote Code Execution (RCE) after bypassing what appears to be a legitimate Git whitelist check. | ||||
| CVE-2026-30527 | 1 Sourcecodester | 1 Online Food Ordering System | 2026-03-30 | N/A |
| A Stored Cross-Site Scripting (XSS) vulnerability exists in SourceCodester Online Food Ordering System v1.0 in the Category management module within the admin panel. The application fails to properly sanitize user input supplied to the "Category Name" field when creating or updating a category. When an administrator or user visits the Category list page (or any page where this category is rendered), the injected JavaScript executes immediately in their browser. | ||||
| CVE-2026-30529 | 1 Sourcecodester | 1 Online Food Ordering System | 2026-03-30 | 8.8 High |
| A SQL Injection vulnerability exists in SourceCodester Online Food Ordering System v1.0 in the Actions.php file (specifically the save_user action). The application fails to properly sanitize user input supplied to the "username" parameter. This allows an authenticated attacker to inject malicious SQL commands. | ||||
| CVE-2026-30530 | 1 Sourcecodester | 1 Online Food Ordering System | 2026-03-30 | 9.8 Critical |
| A SQL Injection vulnerability exists in SourceCodester Online Food Ordering System v1.0 in the Actions.php file (specifically the save_customer action). The application fails to properly sanitize user input supplied to the "username" parameter. This allows an attacker to inject malicious SQL commands. | ||||
| CVE-2026-30531 | 1 Sourcecodester | 1 Online Food Ordering System | 2026-03-30 | 8.8 High |
| A SQL Injection vulnerability exists in SourceCodester Online Food Ordering System v1.0 in the Actions.php file (specifically the save_category action). The application fails to properly sanitize user input supplied to the "name" parameter. This allows an authenticated attacker to inject malicious SQL commands. | ||||
| CVE-2026-30532 | 1 Sourcecodester | 1 Online Food Ordering System | 2026-03-30 | 9.8 Critical |
| A SQL Injection vulnerability exists in SourceCodester Online Food Ordering System v1.0 in the admin/view_product.php file via the "id" parameter. | ||||
| CVE-2026-30533 | 1 Sourcecodester | 1 Online Food Ordering System | 2026-03-30 | 9.8 Critical |
| A SQL Injection vulnerability exists in SourceCodester Online Food Ordering System v1.0 in the admin/manage_product.php file via the "id" parameter. | ||||
| CVE-2026-30534 | 1 Sourcecodester | 1 Online Food Ordering System | 2026-03-30 | 8.3 High |
| A SQL Injection vulnerability exists in SourceCodester Online Food Ordering System v1.0 in admin/manage_category.php via the "id" parameter. | ||||
| CVE-2026-29871 | 1 Shubhamsaboo | 1 Awesome-llm-apps | 2026-03-30 | 7.5 High |
| A path traversal vulnerability exists in the awesome-llm-apps project in commit e46690f99c3f08be80a9877fab52acacf7ab8251 (2026-01-19) in the Beifong AI News and Podcast Agent backend in FastAPI backend, stream-audio endpoint, in file routers/podcast_router.py, in function stream_audio. The stream-audio endpoint accepts a user-controlled path parameter that is concatenated into a filesystem path without proper validation or restriction. An unauthenticated remote attacker can exploit this vulnerability to read arbitrary files from the server filesystem, potentially disclosing sensitive information such as configuration files and credentials. | ||||