Remote unauthenticated arbitrary file upload in JoomShaper SP Page Builder extension for Joomla (versions 1.0.0 through 6.6.1) allows attackers to upload PHP files that execute on the server, leading to full site compromise. CVSS 4.0 base score is 10.0 with the vendor flagging exploitation as Active (E:A), and no public exploit identified at time of analysis. Given the unauthenticated network vector and direct RCE outcome, this is a critical-priority issue for any Joomla site running the extension.
Arbitrary PHP file upload in the iCagenda extension for Joomla enables remote unauthenticated attackers to abuse the event attachment feature to upload and execute server-side code, leading to full web application compromise. The flaw affects iCagenda 1.0.0-3.9.14 and 4.0.0-4.0.7 and carries a CVSS 4.0 score of 10.0 with exploitation marked as Attacked (E:A) in the vector, though no public exploit identified at time of analysis and the issue is not currently listed in CISA KEV.
WooCommerce 7.1.0 contains a remote code execution vulnerability that allows attackers to execute arbitrary PHP code by injecting shell commands through the product-type parameter. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
WordPress Ultimate Addons for Beaver Builder 1.2.4.1 contains an authentication bypass vulnerability that allows attackers to gain unauthorized access by exploiting the social media login form. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
Remote code execution in Prefect 3.6.23 allows any user holding deployment-creation permissions to run arbitrary commands on shared worker machines by abusing the GitRepository storage class. The commit_sha and directories parameters are concatenated into git invocations without a `--` separator or validation, letting attackers smuggle flags such as `--upload-pack` to execute external programs. No public exploit identified at time of analysis, but the bug was reported via huntr and is particularly dangerous for multi-tenant work pools where worker compromise crosses trust boundaries.
Unauthenticated account takeover in the Branda (white-labeling) plugin for WordPress through version 3.4.29 allows remote attackers to reset arbitrary user passwords, including administrators, by abusing a password update flow that fails to verify the requester's identity. Wordfence-reported flaw is tracked as CVE-2026-11551 with a CVSS 9.8; no public exploit identified at time of analysis, but the trivial exploitability of the vulnerable signup-password module makes weaponization straightforward once the patched code is diffed.
Unauthenticated remote code execution in JoomShaper's SP LMS (com_splms) Joomla extension versions 1.0.0 through 4.1.3 allows network attackers to run arbitrary code on the server by sending a crafted cookie that the component deserializes without validation. The flaw is a textbook PHP object injection (CWE-502) with a CVSS 4.0 base score of 9.5, but at time of analysis there is no public exploit identified and the issue is not on the CISA KEV list. Risk is elevated because the trigger is a cookie value parsed before any authentication check.
Flowise before 2.1.4 allows configuration to be injected into the Chainflow during execution via the overrideConfig option, supported in both the frontend web integration and the backend Prediction. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Code Injection vulnerability could allow attackers to inject and execute arbitrary code within the application.
Authorization bypass in AVideo's Meet plugin (versions through 29.0) lets remote attackers hijack arbitrary user sessions, including admin, by abusing the uploadRecordedVideo.json.php endpoint which derives the target users_id from a caller-controlled filename and then invokes the passwordless User->login() path. Exploitation requires the Meet shared secret, but that secret is a deterministic MD5 of values from configuration.php and is recoverable via known path-traversal flaws or timing attacks against checkToken.json.php. No public exploit identified at time of analysis, though the VulnCheck and GHSA advisories document the attack with code-level precision.
Crypt::OpenSSL::PKCS12 versions before 1.96 for Perl permits a heap OOB read in print_attribute UTF8STRING path. print_attribute() copies a UTF8STRING ASN.1 attribute value into a heap buffer sized exactly to its declared length via strncpy, leaving no NUL terminator. Downstream callers run strlen() on the result and pass the inflated length to newSVpvn(), copying attacker-influenced adjacent heap bytes into a Perl scalar.