EverydaySparkling

CVE

SSRF via Referrer field in ChurchCRM v5.16.0

ChurchCRM doesn't validate the referrer properly and sends a HEAD request to whatever URL it contains. When a logged-in user makes a GET request, for example to the Dashboard, with an external referrer set, ChurchCRM sends a HEAD request to that external URL.
EverydaySparkling 28 Apr 2025

Stored Cross Site Scripting in webERP

A stored XSS vulnerability in webERP (≤v4.15.2, 5.0.0.rc+13) allows script injection via the Narrative field in orders, leading to privilege escalation. This was a fun one to create, but despite providing a demo and a simple fix, the vendor stopped responding after initial contact.
EverydaySparkling 25 Mar 2025

Cross Site Scripting in OpenXE v1.12

A cross-site scripting (XSS) vulnerability was found in OpenXE versions up to 1.12. Manipulating the Notizen argument on the Ticket Bearbeiten page could allow attackers to inject malicious scripts. Successful exploitation requires user interaction. CVE-2025-2130.
EverydaySparkling 09 Mar 2025

First CVE: SQL Injection in PiHome v1.77

As a web developer with a strong interest in security, I recently decided to hunt for vulnerabilities just for fun—and it led to my first-ever CVE! 🎉 I discovered an SQL Injection vulnerability in PiHome v1.77, a smart home automation system, earning CVE-2025-1184. The Discovery While exploring PiHome’s
EverydaySparkling 11 Feb 2025