Aliaz

**Name of the Vulnerable Software and Affected Versions** osTicket versions prior to 1.18.4 **Description** A cross-site request forgery issue exists in the Dispatcher component within the `include/class.dispatcher.php` file. The flaw allows remote exploitation through the manipulation of the ` method` argument. **Recommendations** As a temporary workaround, restrict access to the ` method` argument in the `include/class.dispatcher.php` file until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** alexta69 MeTube versions prior to 2026.04.10 **Description** A permissive cross-domain policy exists in the CORS Policy component, specifically within the `on prepare()` function of the `app/main.py` file. This allows untrusted domains to bypass cross-domain restrictions, enabling remote exploitation. **Recommendations** Upgrade to version 2026.04.10.

**Name of the Vulnerable Software and Affected Versions** LinkStackOrg LinkStack versions prior to 4.8.7 **Description** A weakness in the `editPage()` function within the `app/Http/Controllers/UserController.php` file allows for remote cross-site scripting (XSS), which occurs when a user-supplied value is included in a web page without proper validation or escaping. This is triggered by manipulating the `pageDescription` argument. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability. As a temporary workaround, restrict access to the `editPage()` function to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** LinkStackOrg LinkStack versions prior to 4.8.7 **Description** An authorization bypass exists in the Management Endpoint component. This issue occurs within the `saveLink()` function located in the `app/Http/Controllers/UserController.php` file, allowing a remote attacker to bypass authorization controls. **Recommendations** As a temporary workaround, restrict access to the `saveLink()` function until a patch is available.

Name of the Vulnerable Software and Affected Versions: code-projects Inventory Management version 1.0 Description: A critical vulnerability was found in the code-projects Inventory Management software. The issue affects an unknown functionality of the file /model/viewProduct.php of the component Products Table Page. The manipulation of the `id` argument leads to SQL injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. Recommendations: For code-projects Inventory Management version 1.0, consider disabling the `id` argument in the /model/viewProduct.php file until a patch is available. Restrict access to the Products Table Page to minimize the risk of exploitation. Avoid using the `id` argument in the affected functionality until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: code-projects Inventory Management version 1.0 Description: A problematic issue was found in the Registration Form component, specifically in the /view/registration.php file. The issue allows for cross-site scripting when an attacker manipulates the input with malicious code, such as `<script>alert(1)</script>`. This can be initiated remotely. Recommendations: For code-projects Inventory Management version 1.0, consider disabling the Registration Form component or restricting access to the /view/registration.php file until a fix is available. Avoid using the Registration Form with untrusted input to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this issue.