Threat Intelligence Database
Comprehensive database of the latest cyber threats affecting organizations worldwide. Filter and search to find specific threat intelligence relevant to your organization.
Search Results: "login.php"
CVE-2026-12183: CWE-287 Improper Authentication in Nefteprodukttekhnika LLC BUK TS-G Gas Station Automation System
Nefteprodukttekhnika BUK TS-G Gas Station Automation System 2.9.1 through 2.10.2 on Linux contains an Improper Authentication vulnerability (CWE-287) in the system configuration module. The /php/ajax-login.php endpoint returns userid=1 (administrator) in response to any HTTP POST request that supplies arbitrary credentials (e.g., action=dologin&login=<any_value>&pwd=<any_value>), and subsequent privileged endpoints under /php/ajax-main.php and /modules/* do not validate a server-side session. A remote unauthenticated attacker can invoke any administrative action exposed by the configuration module, including reading and modifying user rules, fuel tank gauges, fuel dispensers, relays, cash registers, bank terminals, fuel cards, price and customer displays, cash collection, and pricing rules.
CVE Database V5 | 06/13/2026, 17:36:49 UTC | Added: 06/13/2026, 18:09:26 UTC
CVE-2026-11531: SQL Injection in imvks786 student_management_system
CVE-2026-11531 is a SQL injection vulnerability in the imvks786 student_management_system affecting the Administrator Login Endpoint (admin/admin_login.php). The flaw allows remote attackers to manipulate the a_usr/a_pwd parameters to perform SQL injection. The product uses a rolling release strategy, so specific affected versions are not identified. The issue was reported early but the project has not yet responded or provided a fix. The vulnerability has a medium severity rating with a CVSS score of 6.9.
CVE Database V5 | 06/08/2026, 16:00:15 UTC | Added: 06/08/2026, 17:05:31 UTC
CVE-2026-10877: SQL Injection in SourceCodester Ship Ferry Ticket Reservation System
A security vulnerability has been detected in SourceCodester Ship Ferry Ticket Reservation System up to 1.0. This impacts an unknown function of the file /admin/login.php of the component Admin Login. Manipulation of the argument Username leads to SQL injection. The attack can be executed remotely. The exploit has been disclosed publicly and may be used.
CVE Database V5 | 06/04/2026, 23:45:10 UTC | Added: 06/05/2026, 19:52:31 UTC
CVE-2026-10288: Improper Authentication in code-projects Hotel and Tourism Reservation System
A vulnerability was identified in code-projects Hotel and Tourism Reservation System 1.0. This issue affects the function password_verify of the file /admin/login.php of the component Admin Login. Manipulation of the argument Password leads to improper authentication. It is possible to launch the attack remotely. The exploit is publicly available and might be used.
CVE Database V5 | 06/01/2026, 20:00:11 UTC | Added: 06/01/2026, 20:18:56 UTC
CVE-2026-10169: Weak Password Recovery in OUSL-GROUP-BrinaryBrains School Student Management System
A vulnerability was detected in OUSL-GROUP-BrinaryBrains School Student Management System up to 1e70e5ad1125b86dca4ee086eb6bb121f17708b6. Affected by this vulnerability is the function ajax_forgot_password of the file application/controllers/Login.php of the component Forgot Password Endpoint. The manipulation of the argument email results in weak password recovery. The attack can be launched remotely. This attack is characterized by high complexity. The exploitation appears to be difficult. The exploit is now public and may be used. This product does not use versioning. This is why information about affected and unaffected releases is unavailable. The project was informed of the problem early through an issue report but has not responded yet.
CVE Database V5 | 05/31/2026, 04:45:06 UTC | Added: 05/31/2026, 19:51:43 UTC
CVE-2026-10167: Improper Authentication in OUSL-GROUP-BrinaryBrains School Student Management System
CVE-2026-10167 is a medium severity vulnerability in the OUSL-GROUP-BrinaryBrains School Student Management System affecting the sign_auth_cookie function in the Login.php controller. The flaw allows remote attackers to manipulate the role argument, leading to improper authentication. The vulnerability is publicly known and exploitable, but no official patch or remediation has been released yet. The product uses rolling releases, so specific fixed versions are not identified. The vendor has been informed but has not responded or provided a fix.
CVE Database V5 | 05/31/2026, 03:30:09 UTC | Added: 05/31/2026, 19:51:43 UTC
CVE-2026-45027: CWE-759: Use of a One-Way Hash without a Salt in LabRedesCefetRJ WeGIA
WeGIA is a web manager for charitable institutions. In versions prior to 3.7.3, when a user logs in, html/login.php hashes the submitted password using PHP's hash() function with the SHA-256 algorithm and no salt before comparing it to the stored value. The password change flow in controle/FuncionarioControle.php follows the same pattern. SHA-256 is a general-purpose cryptographic hash built for speed, not password storage. Without a salt, identical passwords produce identical digests, making the entire hash database vulnerable to a single precomputed rainbow table lookup. This vulnerability is fixed in 3.7.3.
CVE Database V5 | 05/27/2026, 15:24:21 UTC | Added: 05/27/2026, 16:33:44 UTC
CVE-2026-9383: SQL Injection in itsourcecode Electronic Judging System
A vulnerability has been found in itsourcecode Electronic Judging System 1.0. This affects an unknown part of the file /intrams/admin/login.php. The manipulation of the argument Username leads to SQL injection. Remote exploitation of the attack is possible. The exploit has been disclosed to the public and may be used.
CVE Database V5 | 05/24/2026, 13:15:10 UTC | Added: 05/24/2026, 14:01:37 UTC
CVE-2026-8132: SQL Injection in CodeAstro Leave Management System
CVE-2026-8132 is a SQL injection vulnerability in CodeAstro Leave Management System version 1.0, specifically in an unknown function within /login.php. The vulnerability arises from improper handling of the txt_username parameter, allowing remote attackers to manipulate SQL queries. The exploit code has been publicly disclosed. The vulnerability has a CVSS 4.0 base score of 6.9, indicating medium severity. No official patch or remediation guidance is currently available from the vendor. There are no confirmed exploits observed in the wild at this time.
CVE Database V5 | 05/08/2026, 03:15:09 UTC | Added: 05/08/2026, 03:51:29 UTC
CVE-2026-8098: SQL Injection in code-projects Feedback System
CVE-2026-8098 is a medium severity SQL injection vulnerability in code-projects Feedback System version 1.0. The issue exists in an unknown function within /admin/checklogin.php where manipulation of the email argument allows remote attackers to perform SQL injection. The vulnerability has been publicly disclosed but no official patch or remediation guidance is currently available.
CVE Database V5 | 05/07/2026, 20:30:16 UTC | Added: 05/07/2026, 21:06:24 UTC
Showing 1 to 10 of 181 results