Below are listed all the CVEs I have discovered and reported.
+-----------------------+----------------------------------------------------+ | CVE ID | Technical description | +-----------------------+----------------------------------------------------+ | CVE-2026-30996 | The file parameter in download.php and | | | open_pdf.php is vulnerable to Path Traversal due | | | to a lack of sanitization. An unauthenticated | | | attacker can exploit this to download sensitive | | | files across different OS environments, such as | | | /etc/passwd (Linux) or C:\Windows\win.ini | | | (Windows), resulting in full source code | | | disclosure and exposure of system credentials. | +-----------------------+----------------------------------------------------+ | CVE-2026-30995 | The application fails to sanitize the id parameter | | | before concatenating it into a dynamic SQL query | | | on line 32. This allows an unauthenticated | | | attacker to inject malicious SQL commands, leading | | | to full database exfiltration and unauthorized | | | access to sensitive records. | +-----------------------+----------------------------------------------------+ | CVE-2026-30994 | The application uses the file_put_contents() | | | function on line 59 to log session keys and | | | values, including plaintext credentials, into a | | | publicly accessible file (logged.js). Because this | | | file is stored within the web root without access | | | restrictions, any unauthenticated attacker can | | | retrieve sensitive user data, leading to a full | | | account compromise. | +-----------------------+----------------------------------------------------+
Note: certain CVEs are still in the verification process due to MITRE's response time or the vendor's 90-day responsible disclosure period.
This list is constantly updated.