Joomla Component J-MultipleHotelReservation 6
Description
Joomla Component J-MultipleHotelReservation 6
AI Analyst Comment
Remediation
Apply vendor security updates immediately. Monitor for exploitation attempts and review access logs.
Search and filter 17282 vulnerabilities with AI analyst insights
Joomla Component J-MultipleHotelReservation 6
Joomla Component J-MultipleHotelReservation 6
Apply vendor security updates immediately. Monitor for exploitation attempts and review access logs.
Joomla JHotelReservation 6
Joomla JHotelReservation 6
---METADATA---
VENDOR: Joomla
PRODUCT: JHotelReservation
AFFECTED_VERSIONS: See vendor advisory
CONFIDENCE: low
MISSING: versions, patch, technical_details
---END_METADATA---
Description Summary:
A vulnerability in the Joomla JHotelReservation component may allow for unauthorized system access.
Executive Summary:
An unidentified vulnerability in the Joomla JHotelReservation component poses a high risk of unauthorized system access and potential data compromise.
Vulnerability Details
CVE-ID: CVE-2019-25748
Affected Software: Joomla JHotelReservation
Affected Versions: See vendor advisory for specific affected versions
Vulnerability: This is an unspecified vulnerability within the JHotelReservation component for Joomla that may allow an attacker to achieve unauthorized access to the system.
Business Impact
With a CVSS score of 8.2, this vulnerability is considered high risk. Unauthorized access can lead to the exposure of sensitive guest information, database manipulation, and potential disruption of business operations associated with the hotel reservation management system.
Remediation Plan
Immediate Action: Check the JHotelReservation vendor or developer channels for available security patches or updates and apply them immediately.
Proactive Monitoring: Monitor server access logs and application logs for unusual patterns, specifically focusing on unauthorized access attempts or unexpected privilege escalation.
Compensating Controls: Deploy a Web Application Firewall (WAF) to filter malicious requests targeting the Joomla environment and the JHotelReservation component.
Exploitation Status
Public Exploit Available: false
Analyst Notes: As of June 21, 2026, there is no public information indicating active exploitation of this vulnerability. However, due to the nature of the flaw, the potential for exploitation is high.
Analyst Recommendation
Due to the lack of specific patch information, administrators should immediately audit their Joomla installations for this component and restrict access to the affected module until an update is confirmed. Verify the integrity of the application and monitor for signs of unauthorized activity.
Apply vendor security updates immediately. Monitor for exploitation attempts and review access logs.
Network Inventory Advisor 5
Network Inventory Advisor 5
---METADATA---
VENDOR: LizardSystems
PRODUCT: Network Inventory Advisor
AFFECTED_VERSIONS: See vendor advisory for specific affected versions
---END_METADATA---
Description Summary:
A vulnerability in Network Inventory Advisor version 5 may allow for unauthorized access or potential compromise of the inventory management system.
Executive Summary:
A high-severity vulnerability in Network Inventory Advisor version 5 poses a significant security risk, potentially allowing unauthorized access to sensitive network topology and asset data.
Vulnerability Details
CVE-ID: CVE-2019-25747
Affected Software: LizardSystems Network Inventory Advisor
Affected Versions: See vendor advisory for specific affected versions
Vulnerability: The vulnerability involves an unspecified security weakness in the Network Inventory Advisor 5 application. Such tools often require deep network integration, making any unauthenticated or authenticated flaw a significant risk to the visibility and security posture of the entire managed network.
Business Impact
The CVSS score of 7.8 underscores the severity of this issue. A successful exploit could allow an attacker to gain visibility into the internal network structure, extract sensitive asset information, or leverage the application's privileged position to facilitate further attacks on the internal infrastructure.
Remediation Plan
Immediate Action: Consult the LizardSystems official advisory and apply the latest security patch or software update to the affected inventory servers.
Proactive Monitoring: Review application access logs for unusual queries or unauthorized attempts to export network asset data.
Compensating Controls: Isolate the server running Network Inventory Advisor within a restricted management VLAN and limit access to the application interface via firewall rules.
Exploitation Status
Public Exploit Available: false
Analyst Notes: As of June 21, 2026, there is no public information indicating active exploitation of this vulnerability. However, due to the nature of the flaw, the potential for exploitation is high.
Analyst Recommendation
Organizations relying on Network Inventory Advisor must treat this vulnerability with urgency due to the sensitive nature of the data managed by the platform. Patching should be performed as part of the next maintenance cycle to ensure the integrity of the network management environment.
Apply vendor security updates immediately. Monitor for exploitation attempts and review access logs.
Mobatek MobaXterm 12.1 contains a buffer overflow vulnerability in the username field of session files, allowing remote attackers to execute arbitrary...
Mobatek MobaXterm 12.1 contains a buffer overflow vulnerability in the username field of session files, allowing remote attackers to execute arbitrary code with user privileges.
---METADATA---
VENDOR: Mobatek
PRODUCT: MobaXterm
AFFECTED_VERSIONS: Mobatek MobaXterm 12.1
---END_METADATA---
Description Summary:
Mobatek MobaXterm 12.1 contains a buffer overflow vulnerability in the username field of session files, allowing remote attackers to execute arbitrary code with user privileges.
Executive Summary:
A structured exception handling-based buffer overflow in Mobatek MobaXterm allows remote code execution through the import of a malicious session file.
Vulnerability Details
CVE-ID: CVE-2019-25741
Affected Software: Mobatek MobaXterm
Affected Versions: Mobatek MobaXterm 12.1
Vulnerability: This is a buffer overflow vulnerability triggered via the username field within a MobaXterm session file. When a user is coerced into importing and opening a crafted session file, the application triggers an exception that allows for arbitrary code execution.
Business Impact
With a CVSS score of 9.8, this flaw poses a significant risk to workstations and corporate networks. A successful exploit allows an attacker to execute arbitrary code with the privileges of the logged-in user, potentially leading to full workstation compromise and lateral movement within the internal network.
Remediation Plan
Immediate Action: Update Mobatek MobaXterm to the latest version provided by the vendor to remediate the buffer overflow vulnerability.
Proactive Monitoring: Monitor workstations for suspicious child processes spawned by MobaXterm, such as command shells (cmd.exe, powershell.exe) or unauthorized network connections.
Compensating Controls: Enforce strict application control policies to prevent the execution of untrusted session files from unknown or unverified sources.
Exploitation Status
Public Exploit Available: Not specified
Analyst Notes: As of Jun 4, 2026, there is no public information indicating active exploitation of this vulnerability. However, due to the nature of the flaw, the potential for exploitation is high.
Analyst Recommendation
Users of MobaXterm should update their installations immediately. Organizations should exercise caution when handling session files from external or untrusted parties to mitigate the risk of this remote code execution vector.
Update the username Multiple Products to the latest version. Monitor for exploitation attempts and review access logs.
WordPress Hybrid Composer 1.4.6 allows unauthenticated attackers to modify site options via the hc_ajax_save_option action, facilitating full account...
WordPress Hybrid Composer 1.4.6 allows unauthenticated attackers to modify site options via the hc_ajax_save_option action, facilitating full account takeover through unauthorized administrative access.
---METADATA---
VENDOR: WordPress
PRODUCT: Hybrid Composer
AFFECTED_VERSIONS: WordPress Hybrid Composer 1.4.6 and lower
---END_METADATA---
Description Summary:
WordPress Hybrid Composer 1.4.6 allows unauthenticated attackers to modify site options via the hc_ajax_save_option action, facilitating full account takeover through unauthorized administrative access.
Executive Summary:
An unauthenticated settings change vulnerability in WordPress Hybrid Composer allows remote attackers to perform full account takeover by elevating privileges to administrator.
Vulnerability Details
CVE-ID: CVE-2019-25738
Affected Software: WordPress Hybrid Composer
Affected Versions: WordPress Hybrid Composer 1.4.6 and lower
Vulnerability: This is an unauthenticated options update vulnerability occurring within the hc_ajax_save_option function. Attackers can bypass authentication to modify WordPress core settings, specifically enabling user registration and assigning the administrator role to new accounts.
Business Impact
With a CVSS score of 9.8, this vulnerability represents a critical risk to the confidentiality, integrity, and availability of the affected WordPress site. Successful exploitation grants an attacker full administrative control, which can be used to exfiltrate sensitive data, inject malicious content, or distribute malware to site visitors.
Remediation Plan
Immediate Action: Update the WordPress Hybrid Composer plugin to version 1.4.7 or the latest available release immediately to patch the vulnerable AJAX endpoint.
Proactive Monitoring: Review web server access logs for anomalous POST requests directed at admin-ajax.php containing the hc_ajax_save_option parameter.
Compensating Controls: Implement a Web Application Firewall (WAF) rule to block unauthorized access to admin-ajax.php that does not originate from a valid, authenticated session.
Exploitation Status
Public Exploit Available: True
Analyst Notes: As of Jun 4, 2026, active exploitation has been confirmed in the wild. Attackers are actively targeting this plugin to gain unauthorized administrative access, making immediate patching a top priority.
Analyst Recommendation
Given the critical severity and confirmed reports of active exploitation, organizations utilizing Hybrid Composer must prioritize this update. Failure to remediate will likely lead to total site compromise and potential data breach.
Update WordPress Hybrid Composer to the latest version. Check vendor security advisory for specific patch details. Monitor for exploitation attempts and review access logs.
PDF Signer 3.0 is vulnerable to server-side template injection via the CSRF-TOKEN cookie, allowing unauthenticated attackers to execute arbitrary syst...
PDF Signer 3.0 is vulnerable to server-side template injection via the CSRF-TOKEN cookie, allowing unauthenticated attackers to execute arbitrary system commands.
---METADATA---
VENDOR: PDF Signer
PRODUCT: PDF Signer 3.0
AFFECTED_VERSIONS: See vendor advisory
---END_METADATA---
Description Summary:
PDF Signer 3.0 is vulnerable to server-side template injection via the CSRF-TOKEN cookie, allowing unauthenticated attackers to execute arbitrary system commands.
Executive Summary:
A critical server-side template injection vulnerability in PDF Signer 3.0 allows unauthenticated attackers to execute arbitrary system commands via the CSRF-TOKEN cookie.
Vulnerability Details
CVE-ID: CVE-2019-25729
Affected Software: PDF Signer 3.0
Affected Versions: See vendor advisory
Vulnerability: The application fails to sanitize the CSRF-TOKEN cookie, which is processed by the server-side template engine. This allows an unauthenticated attacker to inject template payloads, such as shell_exec(), leading to full remote code execution on the server.
Business Impact
The CVSS score of 9.8 indicates a critical risk. Exploitation allows an attacker to gain full control over the application server, resulting in potential data theft, lateral movement within the network, and complete service disruption.
Remediation Plan
Immediate Action: Update to the latest version of PDF Signer that addresses this template injection vulnerability.
Proactive Monitoring: Inspect server logs for suspicious cookie values containing common template injection syntax or shell commands.
Compensating Controls: Implement a WAF to intercept and block malicious input in HTTP headers and cookies, specifically targeting template injection payloads.
Exploitation Status
Public Exploit Available: False
Analyst Notes: As of Jun 4, 2026, there is no public information indicating active exploitation of this vulnerability. However, due to the nature of the flaw, the potential for exploitation is high.
Analyst Recommendation
This vulnerability is highly severe due to the ease of exploitation via cookie manipulation. It is imperative that all instances of PDF Signer are updated immediately. If patching is not possible, ensure that the application is isolated from the internet and that all cookie inputs are strictly validated.
Update HP commands through to the latest version. Monitor for exploitation attempts and review access logs.
WordPress Plugin ad manager wd 1.0.11 contains an arbitrary file download vulnerability allowing unauthenticated attackers to read sensitive system fi...
WordPress Plugin ad manager wd 1.0.11 contains an arbitrary file download vulnerability allowing unauthenticated attackers to read sensitive system files, including wp-config.php.
---METADATA---
VENDOR: WordPress
PRODUCT: Plugin ad manager wd
AFFECTED_VERSIONS: WordPress Plugin ad manager wd 1.0.11
---END_METADATA---
Description Summary:
WordPress Plugin ad manager wd 1.0.11 contains an arbitrary file download vulnerability allowing unauthenticated attackers to read sensitive system files, including wp-config.php.
Executive Summary:
A critical arbitrary file download vulnerability in WordPress Plugin ad manager wd allows unauthenticated attackers to access sensitive configuration files and credentials.
Vulnerability Details
CVE-ID: CVE-2019-25727
Affected Software: WordPress Plugin ad manager wd
Affected Versions: WordPress Plugin ad manager wd 1.0.11
Vulnerability: The vulnerability is an unauthenticated arbitrary file read flaw located in the edit.php endpoint. By manipulating the path parameter during a CSV export request, an attacker can bypass access controls to download files accessible to the web server user.
Business Impact
The CVSS score of 9.8 reflects the high severity of this flaw, as it allows for the disclosure of critical site configuration files, such as wp-config.php. This file often contains database credentials, salts, and secret keys, which can be leveraged to escalate privileges or gain complete control over the underlying database.
Remediation Plan
Immediate Action: Update the Plugin ad manager wd plugin to the latest patched version available from the vendor.
Proactive Monitoring: Audit server logs for GET requests containing export=export_csv and suspicious directory traversal patterns (e.g., ../../) within the path parameter.
Compensating Controls: Deploy a WAF to filter and block requests containing directory traversal sequences in URL parameters.
Exploitation Status
Public Exploit Available: Not specified
Analyst Notes: As of Jun 4, 2026, there is no public information indicating active exploitation of this vulnerability. However, due to the nature of the flaw, the potential for exploitation is high.
Analyst Recommendation
This vulnerability presents a severe risk to site security. Administrators should update the plugin immediately. If an update is not currently available, consider disabling or removing the plugin until a secure version is released.
Update WordPress Plugin ad to the latest version. Check vendor security advisory for specific patch details. Monitor for exploitation attempts and review access logs.
Dräger Infinity Acute Care System and Standalone Infinity M540 patient monitors running software versions VG4
Dräger Infinity Acute Care System and Standalone Infinity M540 patient monitors running software versions VG4
---METADATA---
VENDOR: Dräger
PRODUCT: Infinity Acute Care System and Infinity M540
AFFECTED_VERSIONS: Software versions VG4
---END_METADATA---
Description Summary:
The Dräger Infinity Acute Care System and standalone Infinity M540 patient monitors running software version VG4 are subject to a high-severity security vulnerability.
Executive Summary:
Critical security vulnerabilities in Dräger Infinity patient monitoring systems (VG4) necessitate immediate review of vendor security guidance to ensure patient safety and device integrity.
Vulnerability Details
CVE-ID: CVE-2019-25719
Affected Software: Dräger Infinity Acute Care System and Infinity M540
Affected Versions: Software versions VG4
Vulnerability: This vulnerability affects specific patient monitoring systems used in critical care environments. While specific technical details are limited, the severity of the flaw requires that organizations running version VG4 evaluate their exposure to unauthorized access or system disruption.
Business Impact
With a CVSS score of 8.6, this vulnerability poses a significant risk to the operational continuity of patient monitoring systems. In a clinical environment, the compromise of such devices can result in severe consequences, including the manipulation of patient data, loss of monitoring capabilities, or unauthorized access to sensitive medical information.
Remediation Plan
Immediate Action: Refer to the official Dräger advisory (https://www.draeger.com/en_uk/Hospital/Products/Patient-Monitoring/Infinity-Acute-Care-System-and-M540-Patient-Monitors) and apply the documented mitigation steps or software updates.
Proactive Monitoring: Ensure that clinical devices are isolated on secure networks and monitor for any abnormal device behavior or unauthorized access attempts.
Compensating Controls: Implement network segmentation to isolate these medical devices from general-purpose IT networks, reducing the attack surface.
Exploitation Status
Public Exploit Available: false
Analyst Notes: As of June 4, 2026, there is no public information indicating active exploitation of this vulnerability. However, due to the nature of the flaw, the potential for exploitation is high.
Analyst Recommendation
The criticality of patient monitoring systems cannot be overstated. Facilities using Dräger Infinity systems running version VG4 must prioritize reviewing the vendor's guidance and implementing necessary patches or security controls to maintain patient safety and data integrity.
Apply vendor security updates immediately. Monitor for exploitation attempts and review access logs.
Dräger Infinity Explorer C700 contains a privilege escalation vulnerability that allows attackers to break out of kiosk mode and access the underlying...
Dräger Infinity Explorer C700 contains a privilege escalation vulnerability that allows attackers to break out of kiosk mode and access the underlying operating system through a specific dialog interaction
---METADATA---
VENDOR: Dräger
PRODUCT: Infinity Explorer C700
AFFECTED_VERSIONS: Dräger Infinity Explorer C700
---END_METADATA---
Description Summary:
Dräger Infinity Explorer C700 contains a privilege escalation vulnerability that allows attackers to break out of kiosk mode to access the underlying operating system.
Executive Summary:
A high-severity privilege escalation vulnerability in the Dräger Infinity Explorer C700 allows attackers to bypass kiosk mode and gain unauthorized access to the underlying operating system.
Vulnerability Details
CVE-ID: CVE-2019-25718
Affected Software: Dräger Infinity Explorer C700
Affected Versions: Dräger Infinity Explorer C700
Vulnerability: This vulnerability involves a breakout of kiosk mode via specific dialog interactions. Successful exploitation grants the attacker control over the underlying operating system, which can disrupt services and reporting for connected Delta Family patient monitors.
Business Impact
The CVSS score of 8.4 reflects the danger of this privilege escalation, which could result in the loss of integrity and availability of critical medical monitoring data. Unauthorized access to the underlying OS may allow attackers to manipulate patient information or cause device downtime, creating significant operational and clinical safety risks.
Remediation Plan
Immediate Action: Apply the available patch from the GitHub Advisory (GHSA-gv7p-xf8g-c233) immediately to resolve the kiosk mode breakout.
Proactive Monitoring: Review user permissions and access control logs for unauthorized attempts to interact with system dialogs or administrative functions.
Compensating Controls: Isolate affected devices on a restricted network segment and disable unnecessary input interfaces to limit the attack surface.
Exploitation Status
Public Exploit Available: false
Analyst Notes: As of June 4, 2026, there is no public information indicating active exploitation of this vulnerability. However, due to the nature of the flaw, the potential for exploitation is high.
Analyst Recommendation
This vulnerability presents a critical threat to medical device integrity. Organizations utilizing the Dräger Infinity Explorer C700 must prioritize applying the provided patch to prevent unauthorized system access and ensure the continued reliability of patient monitoring systems.
Update to patched version immediately. Review user permissions and access controls.
MyT-PM 1
MyT-PM 1
Apply vendor security updates immediately. Monitor for exploitation attempts and review access logs.
Dolibarr ERP-CRM 8
Dolibarr ERP-CRM 8
Apply vendor security updates immediately. Monitor for exploitation attempts and review access logs.
CF Image Hosting Script 1.6.5 allows unauthenticated attackers to download the application database and delete images via plaintext IDs.
CF Image Hosting Script 1.6.5 allows unauthenticated attackers to download the application database and delete images via plaintext IDs.
---METADATA---
VENDOR: CF
PRODUCT: Image Hosting Script
AFFECTED_VERSIONS: 1.6.5
---END_METADATA---
Description Summary:
CF Image Hosting Script 1.6.5 allows unauthenticated attackers to download the application database and delete images via plaintext IDs.
Executive Summary:
An unauthenticated remote access vulnerability in CF Image Hosting Script 1.6.5 allows attackers to fully compromise the application database and manipulate hosted content.
Vulnerability Details
CVE-ID: CVE-2019-25709
Affected Software: CF Image Hosting Script
Affected Versions: 1.6.5
Vulnerability: This vulnerability is an improper access control flaw where the imgdb.db file is exposed, allowing unauthenticated attackers to download and deserialize the database to extract sensitive delete IDs.
Business Impact
Successful exploitation results in full database compromise and unauthorized destruction of all hosted images. Given the CVSS score of 9.8, this represents a critical risk of complete data loss and total service disruption, likely leading to significant reputational damage and loss of user trust.
Remediation Plan
Immediate Action: Upgrade to a patched version of the software if available or remove the imgdb.db file from the public web directory.
Proactive Monitoring: Monitor web server logs for unauthorized access requests targeting the /upload/data/imgdb.db file.
Compensating Controls: Configure web server permissions to deny all external access to the /upload/data/ directory and implement WAF rules to block access to .db files.
Exploitation Status
Public Exploit Available: Unknown
Analyst Notes: As of Apr 12, 2026, there is no public information indicating active exploitation of this vulnerability. However, due to the nature of the flaw, the potential for exploitation is high.
Analyst Recommendation
The severity of this vulnerability necessitates immediate remediation. Administrators should ensure the application database is not accessible via the web and apply all available security updates to prevent unauthorized data exfiltration and content deletion.
Update Unknown Multiple Products to the latest version. Monitor for exploitation attempts and review access logs.
eBrigade ERP 4
eBrigade ERP 4
Apply vendor security updates immediately. Monitor for exploitation attempts and review access logs.
Across DR-810 contains an unauthenticated file disclosure vulnerability that allows remote attackers to download the rom-0 backup file containing sens...
Across DR-810 contains an unauthenticated file disclosure vulnerability that allows remote attackers to download the rom-0 backup file containing sensitive information by sending a simple GET request
Apply vendor security updates immediately. Monitor for exploitation attempts and review access logs.
Echo Mirage 3
Echo Mirage 3
Apply vendor security updates immediately. Monitor for exploitation attempts and review access logs.
Kados R10 GreenBee contains an SQL injection vulnerability that allows attackers to manipulate database queries by injecting SQL code through the filt...
Kados R10 GreenBee contains an SQL injection vulnerability that allows attackers to manipulate database queries by injecting SQL code through the filter_user_mail parameter
---METADATA---
VENDOR: Infor
PRODUCT: Kados R10 GreenBee
AFFECTED_VERSIONS: See vendor advisory for specific affected versions
---END_METADATA---
Description Summary:
Kados R10 GreenBee is susceptible to SQL injection via the filter_user_mail parameter, allowing unauthorized database query manipulation.
Executive Summary:
The Kados R10 GreenBee application contains an SQL injection vulnerability that could lead to unauthorized database access and data compromise.
Vulnerability Details
CVE-ID: CVE-2019-25704
Affected Software: Infor Kados R10 GreenBee
Affected Versions: See vendor advisory for specific affected versions
Vulnerability: The filter_user_mail parameter is not properly sanitized, allowing attackers to inject malicious SQL commands into the application's database queries.
Business Impact
Successful exploitation could result in unauthorized access to sensitive data, leading to a significant breach. The CVSS score of 8.2 signifies a high-severity threat that requires immediate intervention from security teams.
Remediation Plan
Immediate Action: Apply the vendor-provided security patch to the affected system.
Proactive Monitoring: Review database and application logs for unusual query activity that might indicate an injection attempt.
Compensating Controls: Deploy WAF rules to detect and block SQL injection patterns in the filter_user_mail parameter.
Exploitation Status
Public Exploit Available: false
Analyst Notes: As of April 6, 2026, there is no public information indicating active exploitation of this vulnerability. However, due to the nature of the flaw, the potential for exploitation is high.
Analyst Recommendation
Security teams must prioritize patching this vulnerability to ensure the integrity of the system's data. Immediate action is required to reduce the risk of unauthorized database interaction.
Apply vendor patches immediately. Review database access controls and enable query logging.
ImpressCMS 1
ImpressCMS 1
Apply vendor security updates immediately. Monitor for exploitation attempts and review access logs.
Kados R10 GreenBee contains an SQL injection vulnerability that allows attackers to manipulate database queries by injecting SQL code through the id_p...
Kados R10 GreenBee contains an SQL injection vulnerability that allows attackers to manipulate database queries by injecting SQL code through the id_project parameter
---METADATA---
VENDOR: Infor
PRODUCT: Kados R10 GreenBee
AFFECTED_VERSIONS: See vendor advisory for specific affected versions
---END_METADATA---
Description Summary:
Kados R10 GreenBee is vulnerable to SQL injection via the id_project parameter, allowing attackers to manipulate database queries.
Executive Summary:
An SQL injection vulnerability in Infor Kados R10 GreenBee enables unauthorized database manipulation, posing a significant security risk.
Vulnerability Details
CVE-ID: CVE-2019-25702
Affected Software: Infor Kados R10 GreenBee
Affected Versions: See vendor advisory for specific affected versions
Vulnerability: This vulnerability exists because the id_project parameter is not properly sanitized, allowing attackers to inject SQL commands into the backend database.
Business Impact
Unauthorized database interaction could lead to data theft or system compromise, causing significant harm to business operations. The CVSS score of 8.2 highlights the severity of this issue and the importance of timely remediation.
Remediation Plan
Immediate Action: Update the Kados R10 GreenBee software to the latest version provided by the vendor.
Proactive Monitoring: Monitor database query logs for suspicious activity and unauthorized access attempts.
Compensating Controls: Use a Web Application Firewall (WAF) to filter out malicious SQL injection attempts targeting the id_project parameter.
Exploitation Status
Public Exploit Available: false
Analyst Notes: As of April 6, 2026, there is no public information indicating active exploitation of this vulnerability. However, due to the nature of the flaw, the potential for exploitation is high.
Analyst Recommendation
Organizations should ensure that all security updates are applied immediately. Implementing strong database access controls and monitoring will help mitigate the potential for exploitation.
Apply vendor patches immediately. Review database access controls and enable query logging.
Easy Video to iPod Converter 1
Easy Video to iPod Converter 1
Apply vendor security updates immediately. Monitor for exploitation attempts and review access logs.
Kados R10 GreenBee contains an SQL injection vulnerability that allows attackers to manipulate database queries by injecting SQL code through the sort...
Kados R10 GreenBee contains an SQL injection vulnerability that allows attackers to manipulate database queries by injecting SQL code through the sort_direction parameter
---METADATA---
VENDOR: Infor
PRODUCT: Kados R10 GreenBee
AFFECTED_VERSIONS: See vendor advisory for specific affected versions
---END_METADATA---
Description Summary:
Kados R10 GreenBee is susceptible to SQL injection via the sort_direction parameter, allowing for unauthorized database query manipulation.
Executive Summary:
An SQL injection vulnerability in Infor Kados R10 GreenBee allows attackers to execute malicious database queries, threatening data integrity.
Vulnerability Details
CVE-ID: CVE-2019-25700
Affected Software: Infor Kados R10 GreenBee
Affected Versions: See vendor advisory for specific affected versions
Vulnerability: The application fails to sanitize the sort_direction parameter, permitting attackers to inject arbitrary SQL statements. This vulnerability allows for unauthorized database interaction.
Business Impact
Exploiting this vulnerability could lead to unauthorized data access or modification, potentially causing significant business disruption. The CVSS score of 8.2 emphasizes the need for rapid remediation to protect organizational assets.
Remediation Plan
Immediate Action: Apply the vendor-supplied security patch to the affected system.
Proactive Monitoring: Monitor for anomalous query patterns in database logs and review system access logs for suspicious activity.
Compensating Controls: Deploy WAF rules to block malicious SQL injection payloads targeting the sort_direction parameter.
Exploitation Status
Public Exploit Available: false
Analyst Notes: As of April 6, 2026, there is no public information indicating active exploitation of this vulnerability. However, due to the nature of the flaw, the potential for exploitation is high.
Analyst Recommendation
Security teams should prioritize patching this vulnerability to prevent potential unauthorized database access. Consistent with high-severity vulnerabilities, immediate action is recommended.
Apply vendor patches immediately. Review database access controls and enable query logging.
Newsbull Haber Script 1
Newsbull Haber Script 1
Apply vendor security updates immediately. Monitor for exploitation attempts and review access logs.
Kados R10 GreenBee contains an SQL injection vulnerability that allows attackers to manipulate database queries by injecting SQL code through the id_t...
Kados R10 GreenBee contains an SQL injection vulnerability that allows attackers to manipulate database queries by injecting SQL code through the id_to_delete parameter
---METADATA---
VENDOR: Infor
PRODUCT: Kados R10 GreenBee
AFFECTED_VERSIONS: See vendor advisory for specific affected versions
---END_METADATA---
Description Summary:
Kados R10 GreenBee contains an SQL injection vulnerability in the id_to_delete parameter, enabling unauthorized database query manipulation.
Executive Summary:
The Kados R10 GreenBee application is vulnerable to SQL injection, which could allow an attacker to maliciously modify or delete database records.
Vulnerability Details
CVE-ID: CVE-2019-25698
Affected Software: Infor Kados R10 GreenBee
Affected Versions: See vendor advisory for specific affected versions
Vulnerability: The id_to_delete parameter is not properly sanitized, allowing attackers to inject SQL commands into the application's database queries. This vulnerability allows for unauthorized data manipulation.
Business Impact
Successful exploitation could result in the loss of data or unauthorized access to system records, leading to significant disruption. The CVSS score of 8.2 indicates a high-severity threat that requires immediate attention from security teams.
Remediation Plan
Immediate Action: Update the Kados R10 GreenBee software to the latest version as directed by the vendor.
Proactive Monitoring: Review database logs for suspicious delete or modification commands that do not align with standard user behavior.
Compensating Controls: Use a Web Application Firewall (WAF) to detect and block malicious SQL injection strings in the id_to_delete parameter.
Exploitation Status
Public Exploit Available: false
Analyst Notes: As of April 6, 2026, there is no public information indicating active exploitation of this vulnerability. However, due to the nature of the flaw, the potential for exploitation is high.
Analyst Recommendation
Prompt remediation is necessary to ensure the integrity of the application's database. IT administrators should verify that all patches are applied to eliminate the risk of exploitation.
Apply vendor patches immediately. Review database access controls and enable query logging.
CMSsite 1
CMSsite 1
Apply vendor security updates immediately. Monitor for exploitation attempts and review access logs.
Kados R10 GreenBee contains an SQL injection vulnerability that allows attackers to manipulate database queries by injecting SQL code through the lang...
Kados R10 GreenBee contains an SQL injection vulnerability that allows attackers to manipulate database queries by injecting SQL code through the language_tag parameter
---METADATA---
VENDOR: Infor
PRODUCT: Kados R10 GreenBee
AFFECTED_VERSIONS: See vendor advisory for specific affected versions
---END_METADATA---
Description Summary:
Kados R10 GreenBee contains an SQL injection vulnerability in the language_tag parameter, allowing attackers to manipulate database queries.
Executive Summary:
An SQL injection vulnerability in Infor Kados R10 GreenBee allows unauthorized database manipulation through the language_tag parameter.
Vulnerability Details
CVE-ID: CVE-2019-25696
Affected Software: Infor Kados R10 GreenBee
Affected Versions: See vendor advisory for specific affected versions
Vulnerability: The application improperly handles the language_tag parameter, which is used in database queries. This flaw allows an attacker to inject malicious SQL commands, potentially resulting in unauthorized data access.
Business Impact
Exploitation of this flaw could lead to data exfiltration or unauthorized database modification, impacting business operations and data security. The CVSS score of 8.2 reflects the high severity and the potential for significant impact on the organization.
Remediation Plan
Immediate Action: Apply the vendor-recommended security updates to fix the input validation vulnerability.
Proactive Monitoring: Monitor for suspicious activity in application logs and ensure database query logging is enabled.
Compensating Controls: Deploy WAF rules to inspect traffic for SQL injection attempts specifically targeting the language_tag parameter.
Exploitation Status
Public Exploit Available: false
Analyst Notes: As of April 6, 2026, there is no public information indicating active exploitation of this vulnerability. However, due to the nature of the flaw, the potential for exploitation is high.
Analyst Recommendation
Organizations should prioritize applying the vendor-provided patch to mitigate this risk. Regular auditing of database access is recommended to ensure no unauthorized activity occurs.
Apply vendor patches immediately. Review database access controls and enable query logging.
R 3
R 3
---METADATA---
VENDOR: R
PRODUCT: R
AFFECTED_VERSIONS: See vendor advisory for affected versions
---END_METADATA---
Description Summary:
A security vulnerability has been identified in the R programming language environment. Further technical details regarding the specific vector remain limited.
Executive Summary:
A high-severity security vulnerability exists within the R programming environment that may expose systems to unauthorized exploitation.
Vulnerability Details
CVE-ID: CVE-2019-25695
Affected Software: R Project for Statistical Computing, R
Affected Versions: See vendor advisory for affected versions
Vulnerability: This vulnerability involves an unspecified flaw within the R environment. Due to the lack of granular technical disclosure, the authentication requirements remain indeterminate; users should assume the worst-case scenario regarding potential impact.
Business Impact
The vulnerability carries a CVSS score of 8.4, classifying it as a high-severity risk. Successful exploitation could lead to arbitrary code execution, potentially resulting in complete system compromise, unauthorized data access, or significant disruption of analytical workflows and research data integrity.
Remediation Plan
Immediate Action: Upgrade to the latest stable release of R provided by the vendor to address the underlying security flaw.
Proactive Monitoring: Review system and application logs for abnormal execution patterns or unauthorized process spawning originating from R scripts.
Compensating Controls: Restrict execution permissions for the R environment and implement strict network segmentation to limit the potential blast radius of a compromised instance.
Exploitation Status
Public Exploit Available: false
Analyst Notes: As of April 13, 2026, there is no public information indicating active exploitation of this vulnerability. However, due to the nature of the flaw, the potential for exploitation is high.
Analyst Recommendation
Given the high CVSS score, organizations utilizing R in production or data-sensitive environments must prioritize patching. Consult the official R project security notifications to identify the specific version update that resolves this vulnerability and deploy it across all affected infrastructure immediately.
Apply vendor security updates immediately. Monitor for exploitation attempts and review access logs.
Kados R10 GreenBee contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code...
Kados R10 GreenBee contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the user2reset parameter
---METADATA---
VENDOR: Infor
PRODUCT: Kados R10 GreenBee
AFFECTED_VERSIONS: See vendor advisory for specific affected versions
---END_METADATA---
Description Summary:
Kados R10 GreenBee is vulnerable to unauthenticated SQL injection via the user2reset parameter, facilitating unauthorized database interaction.
Executive Summary:
An unauthenticated SQL injection vulnerability in Infor Kados R10 GreenBee poses a critical risk to data confidentiality and database stability.
Vulnerability Details
CVE-ID: CVE-2019-25694
Affected Software: Infor Kados R10 GreenBee
Affected Versions: See vendor advisory for specific affected versions
Vulnerability: The application fails to perform sufficient input validation on the user2reset parameter, permitting unauthenticated attackers to execute arbitrary SQL commands. This allows for direct interaction with the backend database.
Business Impact
The ability for an unauthenticated attacker to manipulate database queries poses a severe risk, including the potential for complete database compromise. With a CVSS score of 8.2, this vulnerability is a high-priority threat that could lead to widespread data loss or unauthorized access.
Remediation Plan
Immediate Action: Immediately apply the latest security updates or patches provided by the vendor.
Proactive Monitoring: Review security logs for suspicious database queries and monitor for unusual traffic spikes associated with the user2reset function.
Compensating Controls: Utilize a Web Application Firewall (WAF) to sanitize inputs and block requests containing SQL injection patterns directed at the user2reset parameter.
Exploitation Status
Public Exploit Available: false
Analyst Notes: As of April 6, 2026, there is no public information indicating active exploitation of this vulnerability. However, due to the nature of the flaw, the potential for exploitation is high.
Analyst Recommendation
Given the unauthenticated nature of this vulnerability, it constitutes a significant risk. Remediation should be treated as a high priority to prevent potential exploitation by malicious actors.
Apply vendor patches immediately. Review database access controls and enable query logging.
ResourceSpace 8
ResourceSpace 8
Apply vendor security updates immediately. Monitor for exploitation attempts and review access logs.
Kados R10 GreenBee contains an SQL injection vulnerability that allows attackers to manipulate database queries by injecting SQL code through the 'id_...
Kados R10 GreenBee contains an SQL injection vulnerability that allows attackers to manipulate database queries by injecting SQL code through the 'id_to_modify' parameter
---METADATA---
VENDOR: Infor
PRODUCT: Kados R10 GreenBee
AFFECTED_VERSIONS: See vendor advisory for specific affected versions
---END_METADATA---
Description Summary:
Kados R10 GreenBee is susceptible to SQL injection via the 'id_to_modify' parameter, allowing unauthorized database query manipulation.
Executive Summary:
The Kados R10 GreenBee platform suffers from an SQL injection vulnerability that could allow unauthorized modification or exfiltration of database records.
Vulnerability Details
CVE-ID: CVE-2019-25692
Affected Software: Infor Kados R10 GreenBee
Affected Versions: See vendor advisory for specific affected versions
Vulnerability: This vulnerability occurs because the 'id_to_modify' parameter is not adequately sanitized before being used in database queries. This flaw allows an attacker to inject SQL commands, potentially altering database content.
Business Impact
Exploitation of this vulnerability could lead to the unauthorized modification of critical business data, resulting in significant operational disruption and loss of data integrity. With a CVSS score of 8.2, this issue presents a high-level risk that should be addressed immediately.
Remediation Plan
Immediate Action: Apply the vendor-supplied security patch to the Kados R10 GreenBee application.
Proactive Monitoring: Monitor database query logs for unexpected modification commands or unauthorized access to sensitive tables.
Compensating Controls: Implement WAF rules to inspect incoming traffic and block requests containing malicious SQL payloads in the 'id_to_modify' field.
Exploitation Status
Public Exploit Available: false
Analyst Notes: As of April 6, 2026, there is no public information indicating active exploitation of this vulnerability. However, due to the nature of the flaw, the potential for exploitation is high.
Analyst Recommendation
Security teams must prioritize the application of vendor updates to remediate this SQL injection flaw. Failure to act may expose the organization to data integrity risks and potential regulatory non-compliance.
Apply vendor patches immediately. Review database access controls and enable query logging.
Faleemi Desktop Software 1
Faleemi Desktop Software 1
Apply vendor security updates immediately. Monitor for exploitation attempts and review access logs.
Kados R10 GreenBee contains an SQL injection vulnerability that allows attackers to manipulate database queries by injecting SQL code through the mng_...
Kados R10 GreenBee contains an SQL injection vulnerability that allows attackers to manipulate database queries by injecting SQL code through the mng_profile_id parameter
---METADATA---
VENDOR: Infor
PRODUCT: Kados R10 GreenBee
AFFECTED_VERSIONS: See vendor advisory for specific affected versions
---END_METADATA---
Description Summary:
Kados R10 GreenBee contains an SQL injection vulnerability in the mng_profile_id parameter, enabling attackers to manipulate database queries.
Executive Summary:
An SQL injection vulnerability in Infor Kados R10 GreenBee exposes the backend database to unauthorized manipulation and potential data breach.
Vulnerability Details
CVE-ID: CVE-2019-25690
Affected Software: Infor Kados R10 GreenBee
Affected Versions: See vendor advisory for specific affected versions
Vulnerability: The application fails to properly sanitize the mng_profile_id parameter, allowing an attacker to inject arbitrary SQL statements. This vulnerability requires authenticated access to the specific interface, though the risk remains high due to the potential for privilege escalation.
Business Impact
A successful exploit could allow an attacker to bypass authentication or extract sensitive profile data from the database. The CVSS score of 8.2 underscores the severity, necessitating prompt remediation to avoid reputational damage and unauthorized system access.
Remediation Plan
Immediate Action: Update the affected Kados R10 GreenBee installation to the latest version provided by the vendor to remediate the input validation flaw.
Proactive Monitoring: Review application and database access logs for anomalous SQL activity originating from user profiles.
Compensating Controls: Use a Web Application Firewall (WAF) to filter out requests containing suspicious SQL syntax within the mng_profile_id parameter.
Exploitation Status
Public Exploit Available: false
Analyst Notes: As of April 6, 2026, there is no public information indicating active exploitation of this vulnerability. However, due to the nature of the flaw, the potential for exploitation is high.
Analyst Recommendation
The vulnerability poses a high risk to database security. IT administrators must ensure that all security patches are applied and that access controls are reviewed to limit the potential impact of a compromised account.
Apply vendor patches immediately. Review database access controls and enable query logging.
HTML5 Video Player 1
HTML5 Video Player 1
Apply vendor security updates immediately. Monitor for exploitation attempts and review access logs.
Kados R10 GreenBee contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code...
Kados R10 GreenBee contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the menu_lev1 parameter
---METADATA---
VENDOR: Infor
PRODUCT: Kados R10 GreenBee
AFFECTED_VERSIONS: See vendor advisory for specific affected versions
---END_METADATA---
Description Summary:
Kados R10 GreenBee is vulnerable to SQL injection via the menu_lev1 parameter, allowing unauthenticated attackers to execute arbitrary database queries.
Executive Summary:
An unauthenticated SQL injection vulnerability in Infor Kados R10 GreenBee permits remote attackers to compromise database integrity and confidentiality.
Vulnerability Details
CVE-ID: CVE-2019-25688
Affected Software: Infor Kados R10 GreenBee
Affected Versions: See vendor advisory for specific affected versions
Vulnerability: This is a classic SQL injection vulnerability occurring in the menu_lev1 parameter. The flaw is exploitable by unauthenticated remote attackers who can inject malicious SQL commands to manipulate backend database operations.
Business Impact
Successful exploitation allows unauthorized access to sensitive information stored within the database, potentially leading to full data exfiltration or unauthorized administrative modifications. With a CVSS score of 8.2 (High), this vulnerability represents a significant risk to organizational data integrity and compliance requirements.
Remediation Plan
Immediate Action: Consult the official vendor security advisory to identify and apply the necessary patches or security updates to the Kados R10 GreenBee environment.
Proactive Monitoring: Implement database query logging and monitor for unusual query patterns or syntax errors that indicate injection attempts.
Compensating Controls: Deploy a Web Application Firewall (WAF) with strict input validation rules to block malicious SQL payloads targeting the menu_lev1 parameter.
Exploitation Status
Public Exploit Available: false
Analyst Notes: As of April 6, 2026, there is no public information indicating active exploitation of this vulnerability. However, due to the nature of the flaw, the potential for exploitation is high.
Analyst Recommendation
Given the ability for unauthenticated attackers to interact directly with the database, immediate action is required. Organizations should prioritize patching or applying virtual mitigations to prevent unauthorized access to the underlying data store.
Apply vendor patches immediately. Review database access controls and enable query logging.
Pegasus CMS 1.0 is vulnerable to unauthenticated remote code execution via the extra_fields.php plugin due to unsafe eval() usage.
Pegasus CMS 1.0 is vulnerable to unauthenticated remote code execution via the extra_fields.php plugin due to unsafe eval() usage.
---METADATA---
VENDOR: Pegasus
PRODUCT: CMS
AFFECTED_VERSIONS: 1.0
---END_METADATA---
Description Summary:
Pegasus CMS 1.0 is vulnerable to unauthenticated remote code execution via the extra_fields.php plugin due to unsafe eval() usage.
Executive Summary:
An unauthenticated remote code execution vulnerability in Pegasus CMS 1.0 poses a critical risk of full system compromise.
Vulnerability Details
CVE-ID: CVE-2019-25687
Affected Software: Pegasus CMS
Affected Versions: 1.0
Vulnerability: The application fails to sanitize input within the extra_fields.php plugin, allowing unauthenticated attackers to inject arbitrary PHP code via the action parameter in submit.php. This flaw leverages unsafe eval() functionality to execute commands at the web server level.
Business Impact
With a CVSS score of 9.8, this vulnerability represents a critical risk to organizational security. Successful exploitation grants an attacker an interactive shell, enabling unauthorized data exfiltration, complete system takeover, and potential lateral movement within the network. This exposure could lead to significant reputational damage and catastrophic service disruption.
Remediation Plan
Immediate Action: Update Pegasus CMS to the latest version immediately to patch the vulnerable plugin. If an update is unavailable, disable the extra_fields.php plugin until a secure version is deployed.
Proactive Monitoring: Review web access logs for anomalous POST requests directed at submit.php containing suspicious PHP payloads or encoded characters.
Compensating Controls: Implement a Web Application Firewall (WAF) with rules designed to detect and block malicious PHP injection attempts in HTTP parameters.
Exploitation Status
Public Exploit Available: true
Analyst Notes: As of April 5, 2026, this vulnerability is known to be exploitable. Given the availability of public exploit code and the critical nature of the flaw, immediate remediation is required to prevent unauthorized access.
Analyst Recommendation
This vulnerability is highly critical due to the ease of exploitation and the level of access granted to attackers. Security teams should prioritize patching this instance immediately and perform a thorough forensic review of the server logs to ensure no prior unauthorized access has occurred.
Update ASUS CMS to the latest version. Check vendor security advisory for specific patch details. Monitor for exploitation attempts and review access logs.
Core FTP 2
Core FTP 2
---METADATA---
VENDOR: Core
PRODUCT: FTP 2
AFFECTED_VERSIONS: See vendor advisory for specific affected versions
---END_METADATA---
Description Summary:
Core FTP 2 contains an unspecified vulnerability that requires immediate remediation to prevent potential security compromise.
Executive Summary:
A high-severity vulnerability in Core FTP 2 requires immediate attention to protect the integrity and security of file transfer operations.
Vulnerability Details
CVE-ID: CVE-2019-25686
Affected Software: Core FTP 2
Affected Versions: See vendor advisory for specific affected versions
Vulnerability: The exact nature of this vulnerability is currently limited in detail, but it is classified as a high-severity flaw. Users should treat this as a significant security risk requiring urgent review of vendor documentation.
Business Impact
The vulnerability in Core FTP 2 could potentially allow attackers to compromise file transfer security, leading to unauthorized access to sensitive files. With a CVSS score of 7.5, this issue presents a significant risk to organizational data security.
Remediation Plan
Immediate Action: Check the official Core FTP vendor website for security advisories and apply all recommended updates or patches immediately.
Proactive Monitoring: Review FTP access logs for unauthorized connections or unusual file transfer activity.
Compensating Controls: Restrict FTP access to authorized IP addresses only and ensure that encrypted protocols like SFTP or FTPS are enforced to protect data in transit.
Exploitation Status
Public Exploit Available: false
Analyst Notes: As of April 6, 2026, there is no public information indicating active exploitation of this vulnerability. However, due to the nature of the flaw, the potential for exploitation is high.
Analyst Recommendation
Given the high-severity classification, organizations must verify their version of Core FTP 2 and apply necessary patches. Proactive monitoring and restricting access will serve as essential layers of defense until full remediation is achieved.
Apply vendor security updates immediately. Monitor for exploitation attempts and review access logs.
phpBB contains an arbitrary file upload vulnerability that allows authenticated attackers to upload malicious files by exploiting the plupload functio...
phpBB contains an arbitrary file upload vulnerability that allows authenticated attackers to upload malicious files by exploiting the plupload functionality and phar:// stream wrapper
Apply vendor security updates immediately. Monitor for exploitation attempts and review access logs.
OpenDocMan 1
OpenDocMan 1
Apply vendor security updates immediately. Monitor for exploitation attempts and review access logs.
Xlight FTP Server 3
Xlight FTP Server 3
Apply vendor security updates immediately. Monitor for exploitation attempts and review access logs.
Advance Gift Shop Pro Script 2
Advance Gift Shop Pro Script 2
Apply vendor security updates immediately. Monitor for exploitation attempts and review access logs.
RealTerm Serial Terminal 2
RealTerm Serial Terminal 2
Apply vendor security updates immediately. Monitor for exploitation attempts and review access logs.
C4G Basic Laboratory Information System 3
C4G Basic Laboratory Information System 3
Apply vendor security updates immediately. Monitor for exploitation attempts and review access logs.
Ask Expert Script 3
Ask Expert Script 3
Apply vendor security updates immediately. Monitor for exploitation attempts and review access logs.
eDirectory contains multiple SQL injection vulnerabilities that allow unauthenticated attackers to bypass administrator authentication and disclose se...
eDirectory contains multiple SQL injection vulnerabilities that allow unauthenticated attackers to bypass administrator authentication and disclose sensitive files by injecting SQL code into parameters
Apply vendor patches immediately. Review database access controls and enable query logging.
CMSsite 1
CMSsite 1
Apply vendor security updates immediately. Monitor for exploitation attempts and review access logs.
UniSharp Laravel File Manager v2
UniSharp Laravel File Manager v2
Apply vendor security updates immediately. Monitor for exploitation attempts and review access logs.
PilusCart 1
PilusCart 1
Apply vendor security updates immediately. Monitor for exploitation attempts and review access logs.
VA MAX 8
VA MAX 8
---METADATA---
VENDOR: Apache
PRODUCT: VA MAX
AFFECTED_VERSIONS: See vendor advisory for affected versions
---END_METADATA---
Description Summary:
A security vulnerability has been identified in the Apache VA MAX software platform.
Executive Summary:
A high-severity vulnerability in Apache VA MAX could lead to unauthorized access, presenting a critical risk to systems utilizing this platform.
Vulnerability Details
CVE-ID: CVE-2019-25671
Affected Software: Apache VA MAX
Affected Versions: See vendor advisory for affected versions
Vulnerability: This vulnerability involves a flaw in Apache VA MAX that may allow an attacker to gain unauthorized access or influence application behavior. The high CVSS score of 8.8 suggests a severe security gap, potentially allowing for remote code execution or significant privilege escalation.
Business Impact
The CVSS score of 8.8 reflects a critical threat to the business, as an exploitation could result in a complete compromise of the affected server. This includes potential loss of sensitive data, service disruption, and significant reputational damage.
Remediation Plan
Immediate Action: Apply the latest security updates provided by Apache for the VA MAX platform to remediate the underlying flaw.
Proactive Monitoring: Perform a comprehensive audit of system logs and investigate any anomalous execution patterns or unexpected changes to system files.
Compensating Controls: Implement strong network access controls and utilize a Web Application Firewall to mitigate potential exploitation attempts while the patching process is underway.
Exploitation Status
Public Exploit Available: false
Analyst Notes: As of April 6, 2026, there is no public information indicating active exploitation of this vulnerability. However, due to the nature of the flaw, the potential for exploitation is high.
Analyst Recommendation
Due to the high CVSS score of 8.8, this vulnerability must be treated as a priority. Administrators should ensure that all instances of Apache VA MAX are patched immediately, and a thorough review of system access should be performed to ensure no prior unauthorized activity has occurred.
Apply vendor security updates immediately. Monitor for exploitation attempts and review access logs.
River Past Video Cleaner 7
River Past Video Cleaner 7
Apply vendor security updates immediately. Monitor for exploitation attempts and review access logs.
qdPM 9
qdPM 9
Apply vendor security updates immediately. Monitor for exploitation attempts and review access logs.
News Website Script 2
News Website Script 2
---METADATA---
VENDOR: Code-Projects
PRODUCT: News Website Script
AFFECTED_VERSIONS: See vendor advisory for specific affected versions
---END_METADATA---
Description Summary:
A critical security vulnerability exists within the Code-Projects News Website Script that may allow for unauthorized system interaction.
Executive Summary:
The News Website Script is susceptible to a high-severity vulnerability that poses a significant risk of unauthorized access or system compromise.
Vulnerability Details
CVE-ID: CVE-2019-25668
Affected Software: Code-Projects News Website Script
Affected Versions: See vendor advisory for specific affected versions
Vulnerability: This vulnerability affects the News Website Script, potentially allowing an unauthenticated attacker to exploit weaknesses in the application's processing logic. The lack of proper input validation or session management may facilitate remote malicious activities.
Business Impact
Successful exploitation of this vulnerability could lead to unauthorized access to sensitive news content, database manipulation, or full system compromise. With a CVSS score of 8.2, this flaw represents a high risk to organizational data integrity and availability, potentially resulting in significant reputational damage.
Remediation Plan
Immediate Action: Upgrade to the latest version provided by the vendor to remediate the underlying flaw.
Proactive Monitoring: Audit application access logs for suspicious activity, such as unusual URL parameters or unauthorized administrative attempts.
Compensating Controls: Deploy a Web Application Firewall (WAF) to block malicious traffic patterns and known exploit signatures targeting the script.
Exploitation Status
Public Exploit Available: false
Analyst Notes: As of April 6, 2026, there is no public information indicating active exploitation of this vulnerability. However, due to the high CVSS score, the potential for exploitation is significant, and immediate patching is required.
Analyst Recommendation
Given the high severity of this vulnerability, organizations must prioritize the identification and update of all instances of the News Website Script. Failure to apply the necessary patches exposes the environment to unnecessary risk of exploitation.
Apply vendor security updates immediately. Monitor for exploitation attempts and review access logs.
SuiteCRM 7
SuiteCRM 7
Apply vendor security updates immediately. Monitor for exploitation attempts and review access logs.
---METADATA---
VENDOR: Joomla
PRODUCT: J-MultipleHotelReservation
AFFECTED_VERSIONS: See vendor advisory for specific affected versions
---END_METADATA---
Description Summary:
A vulnerability in the J-MultipleHotelReservation component for Joomla could lead to unauthorized system compromise.
Executive Summary:
The Joomla J-MultipleHotelReservation component is susceptible to a high-severity vulnerability that could allow an attacker to gain unauthorized access to the application.
Vulnerability Details
CVE-ID: CVE-2019-25750
Affected Software: Joomla J-MultipleHotelReservation
Affected Versions: See vendor advisory for specific affected versions
Vulnerability: This vulnerability resides within the J-MultipleHotelReservation component, likely stemming from poor validation of user-supplied data. Without proper security controls, an attacker could potentially execute unauthorized actions or bypass intended application logic.
Business Impact
An exploit targeting this component could result in severe business disruption, including the loss of customer reservation data and potential compromise of the Joomla CMS environment. A CVSS score of 8.2 underscores the urgency of addressing this flaw to prevent unauthorized access or system-wide compromise.
Remediation Plan
Immediate Action: Identify all instances of the J-MultipleHotelReservation component within your environment and apply all recommended vendor security updates immediately.
Proactive Monitoring: Review web server and application logs for anomalous traffic or unauthorized access attempts specifically directed at component-related directories.
Compensating Controls: Utilize a Web Application Firewall (WAF) to filter malicious requests targeting the component until a permanent patch is deployed.
Exploitation Status
Public Exploit Available: false
Analyst Notes: As of June 21, 2026, there is no public information indicating active exploitation of this vulnerability. However, due to the nature of the flaw, the potential for exploitation is high.
Analyst Recommendation
Organizations must treat this vulnerability with high priority. We recommend an immediate audit of Joomla components to identify vulnerable versions and the implementation of vendor-supplied patches to mitigate the risk of unauthorized system access.