CVE Portfolio — Tağmaç Security Research

CVE Portfolio

Zero-day vulnerabilities discovered, reported, and assigned CVE IDs. Each entry includes a full technical write-up with exploit code.

Summary: 5 CVEs found, 4 RCE, 3 Critical, 4 products
CVE-2023-38890 | Critical | RCE | SQLi | 2023

Online Shopping Portal 3.1 — SQL Injection to RCE (Unauthenticated)

Unauthenticated SQL injection in the login form allows bypassing authentication. A second SQL injection using INTO OUTFILE writes a PHP webshell to the server, achieving remote code execution without any credentials.

Affected: SourceCodester Online Shopping Portal 3.1
CVE-2025-69457 | Critical | RCE | File Upload | 2025

Responsive Tourism Website 3.1 — Remote Code Execution (Unauthenticated)

SQL injection in the login form bypasses authentication, then an unrestricted file upload vulnerability allows uploading a PHP webshell directly to the server. Full RCE is achieved without any credentials.

Affected: SourceCodester Responsive Tourism Website 3.1
CVE-2025-69458 | High | RCE | SQLi | 2025

Movie Rating System 1.0 — SQL Injection to RCE (Unauthenticated)

Unauthenticated SQL injection vulnerability in Movie Rating System 1.0 allows authentication bypass, followed by exploitation of a file upload mechanism to achieve remote code execution.

Affected: SourceCodester Movie Rating System 1.0
CVE-2025-69459 | High | Access Control | Privilege Escalation | 2025

Movie Rating System 1.0 — Broken Access Control (Admin Account Creation)

The user management endpoint lacks authentication checks, allowing any unauthenticated attacker to create admin-level accounts directly via a crafted HTTP request — no credentials or session token required.

Affected: SourceCodester Movie Rating System 1.0
CVE-2025-69460 | Critical | RCE | File Upload | 2025

Simple Image Gallery 1.0 — Remote Code Execution (Unauthenticated)

SQL injection bypasses login authentication, and an unrestricted file upload vulnerability allows uploading arbitrary PHP files. An attacker can achieve full remote code execution on the server without any credentials.

Affected: SourceCodester Simple Image Gallery 1.0

Responsible Disclosure

All vulnerabilities listed here were discovered through independent security research and reported via responsible disclosure channels before public release. CVE assignments were handled through MITRE / NVD. Each finding includes a full technical write-up, PoC code, and remediation guidance.

Related research

SQL Injection Cheatsheet
File Upload Bypass Cheatsheet
IDOR Cheatsheet
RCE Hub