CVE-2026-15523
A weakness has been identified in CodeAstro Simple Online Leave Management System 1.0. Affected by this issue is some unknown functionality
CVSS
6.3
Medium
EPSS
0.2%
p10
KEV
—
Exploit Today
3
0-100
Published: Jul 13, 2026 · Last modified: Jul 14, 2026 · CWE-74 · CWE-89
0.2%EPSS · 30 days0.2%
2026-07-132026-07-17
A weakness has been identified in CodeAstro Simple Online Leave Management System 1.0. Affected by this issue is some unknown functionality of the file /SimpleOnlineLeave/admin/dashboard.php. This manipulation of the argument Name causes sql injection. The attack can be initiated remotely. The exploit has been made available to the public and could be used for attacks.
CVECVSSEPSSKEVRExploitTitleMod.
CVE-2026-422089.8 CRI99.7%
KEV—80BerriAI LiteLLM SQL Injection Vulnerability3dCVE-2026-222007.5 HIG99.4%
——30Enhancesoft osTicket versions 1.18.x prior to 1.18.3 and 1.17.x prior to 1.17.7 contain an arbitrary file read vulnerability in the ticket PDF export functionality. A remote attacker can submit a ticket containing crafted rich-text HTML that includes PHP filter expressions which are insufficiently sanitized before being processed by the mPDF PDF generator during export. When the attacker exports the ticket to PDF, the generated PDF can embed the contents of attacker-selected files from the server filesystem as bitmap images, allowing disclosure of sensitive local files in the context of the osTicket application user. This issue is exploitable in default configurations where guests may create tickets and access ticket status, or where self-registration is enabled.4dCVE-2020-249139.8 CRI98.5%
——30A SQL injection vulnerability in qcubed (all versions including 3.1.1) in profile.php via the strQuery parameter allows an unauthenticated attacker to access the database by injecting SQL code via a crafted POST request.9dCVE-2026-479927.2 HIG97.1%
——29Adobe Commerce is affected by an Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability that could result in arbitrary code execution in the context of the current user. A high-privileged attacker could exploit this vulnerability to execute malicious SQL commands, potentially gaining elevated access or control over the victim's account or session. Exploitation of this issue does not require user interaction.3dCVE-2022-366358.8 HIG96.7%
——29ZKteco ZKBioSecurity V5000 4.1.3 was discovered to contain a SQL injection vulnerability via the component /baseOpLog.do.9dCVE-2021-271329.8 CRI96.6%
——29SerComm AG Combo VD625 AGSOT_2.1.0 devices allow CRLF injection (for HTTP header injection) in the download function via the Content-Disposition header.9d