PHP
Monthly
Reflected cross-site scripting in MantisBT's /admin/install.php (versions 2.28.3 and earlier) lets remote attackers inject HTML through six unescaped, user-supplied parameters echoed by print_test_result(). Although the page's Content-Security-Policy (script-src 'self') blocks inline JavaScript, the missing form-action directive permits credential-phishing form injection, <meta>-based open redirects, and CSS overlay attacks against the trusted admin origin. The advisory states no authentication is required; there is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Full-read SSRF in Koel's podcast subscription feature allows any authenticated user to coerce the server into fetching internal HTTP endpoints - including cloud instance metadata services - and receive the full response. The vulnerability exists because PHP's `filter_var` with `FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE` does not unwrap NAT64 (`64:ff9b::/96`) or 6to4 (`2002::/16`) IPv6 transition addresses, both of which deterministically embed a private IPv4 that the OS kernel routes internally. This affects all Koel deployments through v9.7.0 on NAT64 or dual-stack networks (the default for IPv6-only AWS and GCP subnets); a detailed proof-of-concept with verbatim server output is published in the advisory. No public exploit code is in KEV at time of analysis, but the PoC substantially lowers the exploitation barrier.
Server-side request forgery in Koel (self-hosted PHP music-streaming server, all releases up to and including 9.7.0) lets any authenticated low-privilege user coerce the server into requesting arbitrary internal or cloud-metadata endpoints. The flaw is an incomplete fix for CVE-2026-47260: the initial isSafeUrl() check was added to several podcast/radio fetchers, but per-redirect-hop re-validation was wired into only one path (EpisodePlayable), leaving every sibling fetcher bypassable via an attacker-controlled host that returns an HTTP 302 to an internal address, and all paths bypassable via DNS rebinding. A researcher mechanism PoC confirms exploitation; not listed in CISA KEV and no evidence of active exploitation.
{id}. Publicly available exploit code exists (a working PoC is published in the GHSA advisory), but it is not in CISA KEV and no active exploitation is identified.
Authenticated blind SSRF in Koel v9.6.0 allows any logged-in user to trigger server-side HTTP requests to private, loopback, and RFC1918 destinations by exploiting a missing SafeUrl validation guard on the Subsonic-compatible createPodcastChannel.view route. The main podcast API correctly rejects private URLs with a 422 error, but the Subsonic compatibility layer omits the same SafeUrl rule, and the attacker-supplied URL is fetched synchronously during channel creation via Poddle::fromUrl() - no separate step required. No public exploit identified at time of analysis per KEV status, but a fully documented public PoC with step-by-step curl commands is available in GHSA-w79m-f3jx-779v, validated against the official phanan/koel:9.6.0 Docker image.
MantisBT's REST and SOAP APIs fail to enforce the $g_set_status_threshold authorization gate, allowing any authenticated user holding the UPDATER role (the default update permission) to change an issue's workflow status to values that should require DEVELOPER-level access or higher. The vulnerability is confirmed patched in release 2.28.4 with no public exploit or KEV listing. Because UPDATER is the default role for ordinary authenticated contributors, this flaw is broadly reachable on any MantisBT instance where the API is accessible without further hardening of role assignments.
Authenticated remote code execution in MantisBT versions 1.3.0 through 2.28.3 allows an administrator to run arbitrary PHP as the web server user (www-data) via the 'Manage Configuration' page (adm_config_set.php). When a config value is stored with a non-string type, the ConfigParser/Tokenizer path calls eval() on attacker-controlled code guarded only by a 'return;' prefix; because PHP hoists class and function declarations at compile time regardless of the return, an attacker can plant a class that later hijacks the autoloader. There is no public exploit identified at time of analysis and it is not listed in CISA KEV; the flaw was reported privately by watchTowr and fixed in 2.28.4.
Privilege escalation to administrator in MantisBT 2.28.3 and earlier lets a low-privileged or self-registered user impersonate any account, including the administrator, through the SOAP API's flawed mci_check_login() function. Because the function accepts any valid cookie_string without checking that it belongs to the supplied username, an attacker who knows a target username (e.g. 'administrator') and possesses their own MANTIS_STRING_COOKIE can authenticate as that user without a password. With self-registration enabled by default ($g_allow_signup = ON), this is exploitable from zero prior access, granting full read/write and destructive control over all projects, issues, and user data. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the underlying bug is trivially reliable.
SQL injection in MantisBT 2.28.3 and earlier (fixed in 2.28.4) lets an administrator poison the history_order configuration value, which core/history_api.php concatenates unsanitized into an ORDER BY clause; the injected SQL then fires whenever any authenticated user views a bug that has history entries. This converts an administrator's config-write into database-wide data theft (password hashes, cookie_strings, API tokens, private issues) and, where the MySQL account holds the FILE privilege, remote code execution via INTO OUTFILE dropping a PHP webshell in the web root. No public exploit identified at time of analysis; reported by McCaulay Hudson of watchTowr and tracked as GitHub advisory GHSA-mw6p-33vw-46cc.
Authenticated arbitrary file write in the Grav CMS Form plugin (versions before 9.1.8) allows attackers to plant PHP webshells in the web root by abusing the process.save.filename parameter. The filename is checked for path traversal before Twig rendering but never re-validated afterward, so traversal sequences reconstructed during template evaluation bypass the guard. No public exploit has been identified at time of analysis, and it is not listed in CISA KEV; the flaw was disclosed by VulnCheck via a coordinated GitHub security advisory.
Remote code execution in the Grav API plugin (getgrav/grav-plugin-api) before 1.0.3 is achievable by authenticated API users holding the api.media.write permission via a double-extension file upload bypass. The HandlesMediaUploads::validateFileExtension() method uses PHP's pathinfo() to inspect only the final file extension, meaning a file named shell.php.jpg passes the dangerous-extension blocklist while retaining a .php segment that certain web server configurations will execute as PHP. No public exploit code or CISA KEV listing has been identified at time of analysis, but the technique is well-understood and exploitation is low-complexity once permission prerequisites are met.
Broken function-level authorization in Prospero Flow CRM before 5.5.3 lets any authenticated low-privileged user (e.g. the standard 'User'/'Usuario' role) read every bank account record belonging to their company via GET /api/bank-account. The API route is guarded only by auth:api with no permission gate — unlike the web equivalent, which enforces can('read bank') — so any valid bearer token returns sensitive banking data (IBAN, SWIFT/BIC, account identifiers). A vendor patch exists (5.5.3) and the fixing commit is public; there is no public exploit identified at time of analysis and the flaw is not in CISA KEV.
Stored cross-site scripting in EasyAdminBundle (Symfony admin generator) versions 5.0.0 through 5.0.12 allows a lower-privileged user with access to a form using FileField or ImageField to upload a browser-executable .html or .svg file that EasyAdmin then links to inline, executing attacker-controlled JavaScript in a viewing administrator's authenticated session. Impact includes session/CSRF-token theft and privilege escalation; it is explicitly NOT remote code execution because filenames come from Symfony's guessExtension(). There is no public exploit identified at time of analysis and it is not in CISA KEV; a vendor patch is available in 5.0.13.
Arbitrary file write in Anyquery Server Mode (versions < 0.4.5) allows unauthenticated remote attackers to write files to any path the process can access by abusing SQLite's native ATTACH DATABASE command exposed over the MySQL-compatible listener. Because the server blindly proxies SQL to the underlying SQLite engine, an attacker can create files such as cron jobs, PHP web shells, or SSH authorized_keys and escalate the file write into remote code execution or denial of service. A working step-by-step proof-of-concept is published in the vendor's GitHub Security Advisory (GHSA-xrcf-6jh3-ggvx); there is no CISA KEV entry and no confirmed in-the-wild exploitation at time of analysis.
A vulnerability was identified in SourceCodester Class and Exam Timetabling System 1.0. Affected by this vulnerability is an unknown functionality of the file /exam.php. Such manipulation of the argument day leads to cross site scripting. It is possible to launch the attack remotely. The exploit is publicly available and might be used.
{ $items = []; foreach ($this->variantes() as $item) { $match = $item->{$this->match}; $description = Tools::textBreak($item->description(), 300); ... $items[] = '<tr class="clickableRow" onclick="widgetVarianteSelect(\'' . $this->id . '\', \'' . $match . '\');">' . '<td class="text-center">' ... ``` `$this->match` defaults to `'referencia'` (`WidgetVariante::__construct`, line 42). `$item->referencia` was sanitised at write time by `Variante::test()` (`Core/Model/Variante.php:392`) which calls `Tools::noHtml($this->referencia)`. `Tools::noHtml` (`Core/Tools.php:499-504`) replaces `'`, `"`, `<`, `>` with `'`, `"`, `<`, `>`. The defender therefore expects that any apostrophe a user typed becomes `'` in the database, which renders inside the `onclick` attribute as `'` and cannot break out of the surrounding `'...'` JS string literal. `Core/Lib/Widget/WidgetSubcuenta.php:290-305` has the identical shape: ```php foreach ($this->subcuentas() as $item) { $match = $item->{$this->match}; ... $items[] = '<tr class="clickableRow" onclick="widgetSubaccountSelect(\'' . $this->id . '\', \'' . $match . '\');">' . '<td class="text-center">' . '<a href="' . $item->url() . '" target="_blank" onclick="event.stopPropagation();">' ... ``` `$this->match` defaults to `'codsubcuenta'`; the value is `Tools::noHtml`-encoded by `Subcuenta::test()` (`Core/Model/Subcuenta.php:213`). Per the HTML5 spec (and what every browser actually does), the value of an HTML attribute is processed by the **character reference state** of the tokenizer before any consumer sees it. By the time the `onclick` attribute value reaches the script engine, the bytes inside are the *decoded* string. Concretely, the HTML the browser receives is: ```html <tr onclick="widgetVarianteSelect('id', '1',alert(1),'2');"> ``` After the tokenizer decodes `'` to `'`, the JavaScript fragment passed to the script engine is: ```javascript widgetVarianteSelect('id', '1',alert(1),'2'); ``` `alert(1)` runs as a third positional argument that JavaScript happily evaluates while building the call. The `widgetVarianteSelect` function ends up being called with four arguments and the side-effect of `alert(1)` (or any payload) has already occurred. The recent `40bc701` AccountingModalHTML and `8586b97` SalesModalHTML / PurchasesModalHTML fix recognised this. Both replaced the `onclick="...('"+ value +"')"` pattern with: ```php $tbody .= '<tr ... data-subaccount="' . $code . '" onclick="$(...).modal(\'hide\');' . ' return newLineAction(this.dataset.subaccount);">' ``` Where `$code = static::html($subaccount->codsubcuenta)` and `static::html` is `htmlspecialchars(html_entity_decode($text, ENT_QUOTES | ENT_HTML5, 'UTF-8'), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')`. The HTML5 entity decode is deliberate: it normalises any double-encoded data so that the subsequent `htmlspecialchars` produces stable single-encoded output. The JavaScript then reads the value from `this.dataset.*`, which is the post-decoded attribute value, where the original quote is now literally inside a string property and cannot break out of any quote context. `WidgetSubcuenta` and `WidgetVariante` were not migrated to this pattern. `Variante::test()` (`Core/Model/Variante.php:389-401`) accepts up to 30 characters in `referencia`. The minimum payload is 13 bytes (`1',alert(1),'2`), comfortably under the limit. The `Tools::noHtml` pass during `test()` produces the stored form `1',alert(1),'2`, which is 22 bytes. Three plant primitives are practical: 1. **Direct create** via `EditProducto?action=save` with the attacker-controlled `referencia` field. Because `EditProducto` is exposed to any user with the `EditProducto` permission (which roles like *sales agent* and *warehouse manager* commonly carry), this is a within-tenant primitive: a low-privilege salesperson plants the payload, an admin opens any sales document and clicks the variant picker. 2. **DB write** by anyone with raw SQL access (DBA or shared-hosting admin). `INSERT INTO variantes (referencia, ...) VALUES ('1\',alert(1),\'2', ...)`. This is what I used for the live test; the plant is permanent until the row is deleted. 3. **Plugin / API import.** `ApiAttachedFiles` and the various import endpoints allow a low-privilege API key to land arbitrary `referencia` values that bypass the `EditProducto` `permissions->onlyOwnerData` filter. For `WidgetSubcuenta`, the `codsubcuenta` field is constrained to the exercise's `longsubcuenta` length (10 by default), and the regex-free `Tools::noHtml` pass turns one apostrophe into 5 bytes (`'`), so the post-noHtml string must equal the configured length exactly. A 5-byte payload (`1','` is 4) plus padding is workable for compact bypass payloads such as `'+x+'` (where `x` is a previously-loaded global). DB-write planting (primitive 2) bypasses the length check entirely. The fix wave centred on the `Lib/AjaxForms/*ModalHTML.php` files. Both audited widgets live in `Lib/Widget/` and look superficially safe to a reviewer because every value is `Tools::noHtml`-escaped at storage. The actual decoding step happens inside the browser, not the PHP code, so the defect is not visible in a `grep`-based review of the PHP source unless the reviewer specifically looks for `onclick="...('+ $field +')'` shapes that put a `Tools::noHtml`-escaped value in a JavaScript string position inside an HTML attribute. > **Live PoC verified 2026-05-01** against `http://127.0.0.1:8081/` running facturascripts at commit `24281ca`. A `Variante.referencia` value of `1',alert(1),'2` (planted via raw DB write below) renders inside `widgetVarianteSelect('0', '1',alert(1),'2');` in the modal grid; opening the variant-picker modal in any user's browser (low-priv or admin) fires `alert(1)` from the host page's realm. Setup: the admin session at `http://127.0.0.1:8081/` is at `/tmp/fs-cookie2`. Step 1 - plant the payload (any of the three primitives works). DB-write primitive: ```bash mysql -h127.0.0.1 -ufs -pfs facturascripts <<'SQL' INSERT INTO productos (referencia, descripcion, codimpuesto, sevende, secompra, bloqueado, nostock, publico, stockfis, ventasinstock, observaciones) VALUES ('XSSPRD', 'XSS via WidgetVariante', 'IVA21', 1, 1, 0, 1, 0, 0, 1, ''); INSERT INTO variantes (referencia, idproducto, precio, coste, margen, stockfis, codbarras) SELECT "1',alert('XSS-WidgetVariante'),'2", idproducto, 0, 0, 0, 0, '' FROM productos WHERE referencia='XSSPRD'; SQL ``` After the insert, `Variante::test()` did not run (the row was created via SQL), so the literal `'` survives. Even via the EditProducto UI primitive, the round trip through `Tools::noHtml` produces the encoded form `1',alert(...),'2` which decodes back to the working payload at render time. Step 2 - open any controller that uses WidgetVariante with the default `match` (or any third-party plugin form that does so). Core ships two views (`Core/XMLView/EditAgente.xml`, `Core/XMLView/ListAgente.xml`) but both override `match="idproducto"`, so they are not exposed in stock core. Any plugin form that uses `<widget type="variante" .../>` without an explicit `match` attribute opts into the vulnerable code path. Trigger the variant-picker modal: ```bash $ curl -s -b /tmp/fs-cookie2 "http://127.0.0.1:8081/EditAgente?code=1" \ | grep -oE 'widgetVarianteSelect[^<>]{1,200}' | head -3 ``` When the modal renders `match=referencia`, the row in the response contains: ```html <tr class="clickableRow" onclick="widgetVarianteSelect('0', '1',alert('XSS-WidgetVariante'),'2');"> ``` The browser HTML-decodes the attribute value before passing it to the script engine, yielding the actual JavaScript `widgetVarianteSelect('0', '1',alert('XSS-WidgetVariante'),'2');`. The `alert` fires the moment the attribute is parsed for execution (i.e., when the user clicks the row, or when an automation script triggers the click programmatically), and the host realm's session, cookies, and CSRF tokens are exposed to the payload. For `WidgetSubcuenta`, the payload trigger is identical: any controller with `<widget type="subcuenta" fieldname="codsubcuentaXxx"/>` (`Core/XMLView/EditProducto.xml`, `EditCuentaBanco.xml`, `EditFamilia.xml`, `EditImpuesto.xml`, `EditRetencion.xml` are the in-tree consumers) renders the modal with `widgetSubaccountSelect('id', '<HTML-decoded codsubcuenta>')`. A `codsubcuenta` row planted with one apostrophe and five bytes of payload escapes the JS string and runs in the host page. * **Stored XSS in any user's browser the moment they open a product or subaccount picker.** The execution context is the host page, with full access to the viewer's session, CSRF tokens, and the running application. From an admin viewer's perspective the payload achieves admin compromise (install plugins, change passwords); from a normal user's perspective it can be used to exfiltrate the user's data and pivot. * **Within-tenant escalation primitive.** `EditProducto` is a routinely granted role permission. A salesperson, warehouse user, or a plugin-supplied controller without `admin` rights can plant a payload that fires in admin's browser the next time admin opens any sales document and clicks the variant picker. * **Sister vulnerability to the `40bc701` / `8586b97` fix wave.** The maintainers already understand and have fixed the same anti-pattern in three sister classes; these two were missed and remain exploitable. CVSS reasoning: `AV:N`, `AC:L` (one DB or one form POST plant), `PR:H` (the planter must be authenticated and have either `EditProducto` or DB write or import-API access; with weaker roles the payload is also reachable), `UI:R` (the victim opens a form that renders the modal and triggers a click), `S:U` (the impact stays within the application), `C:L I:L A:N` (the viewer's session and CSRF token are exposed; integrity loss bounded by viewer's role). Score 4.8. Mirror the `40bc701` and `8586b97` fix exactly. In both `Core/Lib/Widget/WidgetVariante.php:321` and `Core/Lib/Widget/WidgetSubcuenta.php:296`, replace: ```php $items[] = '<tr class="clickableRow" onclick="widgetVarianteSelect(\'' . $this->id . '\', \'' . $match . '\');">' ``` with the data-attribute pattern that the modal helpers now use: ```php $encMatch = htmlspecialchars( html_entity_decode((string)$match, ENT_QUOTES | ENT_HTML5, 'UTF-8'), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' ); $items[] = '<tr class="clickableRow" data-match="' . $encMatch . '"' . ' onclick="widgetVarianteSelect(\'' . $this->id . '\', this.dataset.match);">' ``` (and the analogous change for `widgetSubaccountSelect`). The same approach should be applied to: * `WidgetSubcuenta::renderExerciseFilter` (`Core/Lib/Widget/WidgetSubcuenta.php:251-255`) where `$item->codejercicio` is interpolated into `<option value="...">`. Codes are short and predictable but the same escaping consideration applies for defence in depth. * `WidgetVariante::renderManufacturerFilter` (line 213) and `renderFamilyFilter` (line 197). Long term, the `BaseWidget::onclickHtml` and `inputHtml` builders (`Core/Lib/Widget/BaseWidget.php:163-167`, `234-239`, `273-283`) likewise concatenate `$this->value` into HTML attributes without context-aware escaping. Migrating them to use Twig (or at least `htmlspecialchars` with `ENT_QUOTES`) closes a class of bugs that today rely on every model's `test()` to be defensive. A regression test should plant a `Variante.referencia` of `1',alert(1),'2`, render the page through the live HTTP stack, and assert that no JavaScript dialog fires (e.g. via Playwright `page.on('dialog', ...)`).
Stored CSV formula injection in FacturaScripts (all versions through 2026.1) lets an authenticated low-privilege user plant spreadsheet formula payloads in ordinary text fields (customer/supplier/product names, contacts) that execute when an administrator opens a routine list export. Because Core/Lib/Export/CSVExport.php::writeData() wraps values without neutralising leading =,+,-,@,tab, or carriage-return characters, and Tools::noHtml() only strips HTML metacharacters, the payload reaches the CSV verbatim and Excel/LibreOffice run it (including DDE process spawning) in the admin's OS context. A live PoC was verified on 2026-04-30, so publicly available exploit code exists, though there is no active exploitation confirmed (not in CISA KEV).
Unauthenticated arbitrary file read in FacturaScripts (all versions through v2026.2) lets remote attackers retrieve protected documents by abusing the static file controllers Files.php and Myfiles.php, which authorize requests on the raw URL prefix rather than the resolved filesystem path. A request such as /Plugins/../MyFiles/Private/invoice.pdf passes the prefix allow-list yet resolves to a private file, leaking customer/supplier invoices, attachments, and .sql database backups. A detailed, reproducible exploit is publicly available in the GitHub Security Advisory; there is no vendor-released patch identified at time of analysis and no evidence of active exploitation.
Cross-resource SQL injection in the FacturaScripts REST API (all versions through 2026.1) lets a low-privileged, scoped ApiKey read or modify arbitrary database tables via the `filter` query parameter, enabling full admin account takeover. A single GET request with a parenthesized filter key leaks the admin's bcrypt password hash and `logkey` session token, which are then replayed as the `fsLogkey` cookie to reach admin-only endpoints like `/AdminPlugins`. A live end-to-end PoC was verified on 2026-04-30, so publicly available exploit code exists, though there is no public exploit identified as being used in active attacks (not in CISA KEV).
A vulnerability was detected in SourceCodester Simple and Nice Shopping Cart Script 1.0. This vulnerability affects unknown code of the file /admin/userproductdeletequery.php. Performing a manipulation of the argument user_id results in sql injection. It is possible to initiate the attack remotely. The exploit is now public and may be used.
Path traversal in DedeCMS 5.7.118's Album Publishing Feature allows remote attackers with administrative credentials to read or write files outside the intended extraction directory by manipulating the `filename` argument passed to the `ExtractFile` function in `include/zip.class.php`. A public proof-of-concept exploit has been released on GitHub, lowering the skill bar for exploitation, though no active exploitation has been confirmed in the CISA KEV catalog. The CVSS 4.0 score of 5.1 with PR:H reflects the high privilege requirement, which materially limits the exposed attack surface to authenticated admin-level sessions.
OAuth provider rebinding in Easy!Appointments prior to version 1.6.0 allows any authenticated backend user - including low-privilege secretary and provider roles - to silently hijack a peer provider's Google Calendar integration by supplying an arbitrary provider_id to the OAuth initiation endpoint. The attacker completes a legitimate Google OAuth flow with their own Google account, which the application then binds to the victim provider's database row without verifying ownership. From that point forward, every appointment on the victim's schedule syncs to the attacker's Google Calendar, leaking customer names and email addresses as attendee data. No public exploit has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.
Server-side request forgery in Easy!Appointments prior to 1.6.0 allows authenticated backend users - admins, providers, or secretaries - to probe internal network hosts by supplying arbitrary URLs to the CalDAV synchronization endpoint. The Guzzle HTTP client in `Caldav.php:60` forwards a REPORT request to the caller-supplied `caldav_url` without validating the scheme or destination host, enabling access to loopback, RFC1918, and link-local addresses on the deployment network. The SSRF is semi-blind, returning up to approximately 120 bytes of upstream response body through the exception path; no public exploit has been identified, exploitation requires an active backend account, and version 1.6.0 resolves the issue.
The reschedule endpoint in Easy!Appointments 1.5.2 and earlier exposes the complete customer database record to any party holding the 12-character appointment hash, with no authentication check and no field whitelisting on the ea_users row. These hashes are deliberately distributed to customers in reschedule emails, embedded in confirmation page URLs, and visible in operator calendar links, which means the effective attacker pool is anyone who has ever received or forwarded a booking email. The fix is available in version 1.6.0 per the GitHub security advisory; no public exploit code and no CISA KEV listing have been identified at time of analysis.
Cross-site scripting in code-projects Online Job Portal 1.0 allows a remote, low-privileged attacker to inject malicious JavaScript via the /Admin/DetailJob.php endpoint, which executes in the browser of any user who views the affected page. The CVSS 4.0 vector (PR:L/UI:P) confirms that exploitation requires an authenticated session and passive victim interaction, constraining but not eliminating real-world risk. A public proof-of-concept has been disclosed on GitHub; no patch from the vendor has been identified at time of analysis.
Unrestricted file upload in code-projects Online Job Portal 1.0 exposes unauthenticated remote attackers to arbitrary file upload via the txtFile parameter in /JobSeekerInsert.php, enabling likely webshell deployment and subsequent server-side code execution. A public proof-of-concept exploit exists (no KEV listing), substantially lowering the exploitation barrier for any internet-exposed instance. The CVSS 4.0 impact metrics are conservatively rated Low across C/I/A, which understates the realistic post-exploitation potential of an unrestricted PHP file upload - successful webshell placement typically yields full OS command execution in the web server process context.
SQL injection in code-projects Online Job Portal 1.0 exposes the /Admin/DeleteUser.php endpoint to unauthenticated remote database manipulation. An attacker can craft HTTP requests that inject arbitrary SQL, enabling data extraction, modification, or deletion from the underlying database. A public proof-of-concept exploit exists (GitHub: shihuizhang-dazhi/MY-CVE/issues/4), lowering the bar for exploitation; this vulnerability is not currently listed in CISA KEV.
Unauthenticated PHP object injection in the Newsletters WordPress plugin before 4.15 lets remote attackers deserialize attacker-controlled data submitted through a public-facing form, then leverage a property-oriented gadget chain bundled inside the plugin itself to write arbitrary files and achieve remote code execution on the host. Publicly available exploit code exists (published via WPScan), though there is no public exploit identified as being used in active attacks and the flaw is not listed in CISA KEV. The self-contained gadget chain removes the usual dependency on third-party gadgets, making reliable exploitation notably more achievable than typical POI bugs.
Arbitrary file deletion in the Word Count and Social Shares WordPress plugin (versions through 1.0) lets any authenticated low-privilege user, including a Subscriber, delete any file the web server can reach because the plugin neither validates the supplied file path nor enforces authorization or CSRF protection. Deleting critical files such as wp-config.php can trigger WordPress's setup/installation flow and enable a full site takeover. Publicly available exploit code exists (reported by WPScan); there is no public exploit identified as actively used, and the issue is not on the CISA KEV list.
SQL injection in code-projects Online Job Portal 1.0 exposes the /Admin/EditUser.php endpoint to remote database manipulation via the unsanitized UserId parameter. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) classifies this as remotely exploitable with no authentication or interaction required, though the Admin path location raises questions about actual auth gating in practice. A public exploit exists (E:P confirmed in CVSS 4.0 and via GitHub issue), lowering the skill bar for exploitation considerably; this CVE is not currently listed in CISA KEV.
SQL injection in itsourcecode Electronic Judging System 1.0 exposes the admin panel endpoint /intrams/admin/add_judges.php to database manipulation via the unsanitized `fname` parameter. Authenticated remote attackers can craft malicious input to read, alter, or potentially enumerate backend database contents. A publicly available proof-of-concept exploit exists on GitHub, though the vulnerability is not listed in CISA KEV and carries a CVSS 4.0 base score of 2.1 (Low), reflecting the authenticated access prerequisite and limited-scope CIA impact.
Privilege escalation in Kimai time-tracking software (<=2.57.0) allows authenticated TEAMLEAD users to create and modify global export templates that are intended to be administrator-only resources. The web controller routes `createExportTemplate` and `editExportTemplate` in `ExportController` inherit only the class-level `create_export` permission - granted to ROLE_TEAMLEAD - while the API endpoints and UI correctly enforce the stricter `create_export_template` permission restricted to ROLE_ADMIN and ROLE_SUPER_ADMIN. Because ExportTemplate entities have no per-user or per-team scoping, a TEAMLEAD can silently alter organization-wide export configurations affecting all users including administrators. No public exploit is confirmed at time of analysis, though a private PoC was submitted to the vendor and subsequently removed.
Improper authorization in Kimai's Team API endpoints allows an authenticated Teamlead to add users and activities to their team that fall outside their intended management scope, bypassing the access boundaries enforced by the frontend. Affected versions are Kimai <= 2.57.0 (composer package kimai/kimai). A proof-of-concept was reportedly created but withheld; no public exploit code is currently available and this vulnerability is not listed in CISA KEV. Once a Teamlead writes an out-of-scope team relation, downstream authorization logic may treat those relations as legitimate, silently expanding access to time entries, project visibility, and reporting for the affected users and activities.
Cross-site request forgery in Kimai's timesheet API allows an unauthenticated attacker to trigger unauthorized state changes against any logged-in victim by embedding malicious GET requests in attacker-controlled pages. Kimai versions up to and including 2.57.0 expose the `stop` and `restart` timesheet operations as HTTP GET routes, which browsers will follow automatically using the victim's active session cookie - no CSRF token is required. Impact is limited to timesheet data integrity and availability (corrupted time records, unauthorized entries, billing distortion), not system compromise; no public exploit is confirmed at time of analysis, and no active exploitation has been reported by CISA KEV.
Permission revocation bypass in Kimai's timesheet restart and duplicate workflows allows authenticated users to create new database-persisted time entries under projects they no longer have access to. Affecting Kimai up to and including version 2.57.0, the flaw exists because `TimesheetVoter.php` evaluates the `*_own_timesheet` ownership branch before team-based access checks, meaning a historical timesheet entry acts as a durable capability token that survives administrative revocation. No public exploit is available - a PoC was reportedly submitted to the project and then redacted - and this vulnerability is not listed in CISA KEV.
Improper object-level authorization in Kimai 2.56.0 allows any authenticated user holding the generic `create_activity` permission to inject Activity records into projects outside their authorized scope by directly invoking the preset-project creation routes with an arbitrary project ID. The controllers in `ActivityController.php` and `ProjectController.php` validate only the global capability (can the user create activities at all?) without performing a secondary check that the user also has edit rights on the specific target project. No public exploit exists at time of analysis, though a PoC was privately shared with the vendor and subsequently removed; the vendor has released a fix in version 2.57.0.
Broken object-level authorization in Kimai's Timesheet API (versions <= 2.56.0) allows any authenticated user with the default ROLE_USER permission to reassign their own timesheet entries to arbitrary project IDs in the database - including projects belonging to teams or customers they have no membership in. The root cause is an unconditional OR branch in the Symfony EntityType query_builder that matches any submitted project ID before team-ACL predicates are evaluated; the TimesheetVoter further compounds this by checking only timesheet ownership, never the destination project's access controls. A proof-of-concept was disclosed with the advisory (later redacted); no active exploitation has been confirmed via CISA KEV.
{id}` correctly enforces teamlead validation through `TimesheetVoter`, but the collection endpoint `GET /api/timesheets?user=<id>` omits this check entirely, creating an inconsistent authorization model (CWE-863) that allows horizontal privilege escalation within the application. A private proof-of-concept was confirmed during responsible disclosure but has not been made public; the vendor-released fix is Kimai 2.57.0.
Complete account takeover in FacturaScripts (<= 2026.2) lets an unauthenticated network attacker hijack any 2FA-enabled account, including admins, by brute-forcing the /login?action=two-factor-validation endpoint. The handler issues a full session cookie on a matching TOTP without verifying the password, requiring a CSRF token, or enforcing any rate limit, and an over-wide verification window keeps ~17 codes valid at once. Publicly available exploit code exists (a working Python PoC in the GitHub advisory GHSA-c67f-gmxw-mj93); no active exploitation has been reported in CISA KEV.
Path-traversal privilege escalation in Cockpit CMS Bucket file storage API (before 2.14.0) lets an authenticated low-privileged user bypass per-bucket isolation by supplying a '../' bucket name, granting cross-bucket read, upload, and delete over all files regardless of owner or role. The flaw stems from an incomplete sanitization regex that strips dangerous characters but preserves dot sequences, which Flysystem then normalizes down to the storage root. No public exploit is identified at time of analysis, though a proof-of-concept gist is referenced; the issue was reported by VulnCheck and a vendor patch is available.
Broken access control in Cockpit CMS's Bucket file storage API (/system/buckets/api) lets any authenticated user, regardless of assigned role, execute all bucket file operations (list, upload, delete, rename, create folder) against any named bucket - including admin-only buckets. VulnCheck reported the flaw and publicly available exploit code exists (proof-of-concept gist), but there is no evidence of active exploitation. With a CVSS 4.0 score of 8.7 and full confidentiality/integrity/availability impact on stored files, it enables privilege escalation of file-storage capabilities across tenant boundaries within the CMS.
SQL injection in SourceCodester Class and Exam Timetabling System 1.0 exposes the `/edit_exam2.php` endpoint to remote unauthenticated database manipulation via the unsanitized `ID` parameter. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms exploitation requires no authentication, no user interaction, and no special preconditions, making this trivially exploitable over the network. A public exploit has been released on GitHub (no public exploit identified at time of analysis for KEV, but publicly available exploit code exists per POC data), and while the vulnerability is not listed in the CISA KEV catalog, the zero-friction attack path elevates real-world risk above what the moderate 5.5 CVSS score might suggest.
Cross-site scripting in SourceCodester Class and Exam Timetabling System 1.0 exposes users to script injection via the unvalidated `subject` parameter in `/subject.php`, exploitable remotely by unauthenticated attackers. A publicly available proof-of-concept exists on GitHub, confirming practical exploitability with minimal attacker skill. No CISA KEV listing is present; the CVSS 4.0 score of 5.3 reflects limited integrity impact constrained by required user interaction, though POC availability meaningfully elevates real-world risk above the raw score suggests.
Reflected Cross-Site Scripting in ChurchCRM before 7.4.0 lets remote attackers inject JavaScript through unsanitized request parameter names and values reflected into JavaScript-string and HTML-attribute contexts on endpoints such as /FamilyCustomFieldsEditor.php, /PaddleNumList.php, and /admin/system/church-info. When a victim (especially an administrator) follows a crafted link, the payload executes in their session, enabling session-token theft, account takeover, and exposure of church member data. No public exploit identified at time of analysis, and the CVSS 4.0 vector (PR:N/UI:A) indicates unauthenticated triggering but requires victim interaction.
Reflected cross-site scripting in SourceCodester Class and Exam Timetabling System 1.0 allows remote unauthenticated attackers to inject arbitrary JavaScript via the unsanitized `subject` parameter in `/forsubject.php`. A victim user must interact with a crafted URL for the payload to execute in their browser. A public proof-of-concept exploit is available on GitHub, increasing the likelihood of opportunistic exploitation against deployed instances.
Remote code execution in ChurchCRM before 7.4.0 lets an authenticated administrator run arbitrary PHP on the server by installing a plugin ZIP that contains a webshell. Because 'php' is explicitly whitelisted in ALLOWED_EXTENSIONS and the DENIED_EXTENSIONS denylist fails to catch standard .php files, any PHP file inside the archive is extracted directly under the web root and becomes immediately executable over HTTP without the plugin ever being enabled. The /plugins/install-url route additionally allows the archive to be sourced from any attacker-controlled HTTPS URL, validated only against an attacker-supplied SHA-256 hash. No public exploit identified at time of analysis and it is not on CISA KEV.
Authorization bypass in ChurchCRM prior to version 7.4.0 exposes the full congregation member directory to any low-privileged authenticated user via the unprotected POST /CSVCreateFile.php endpoint. The endpoint streams a CSV containing complete PII for every Person and Family record in the database without performing a dedicated function-level authorization check, relying instead on a legacy coarse gate that any single non-admin permission flag satisfies. No public exploit has been identified at time of analysis, but the trivially low exploitation barrier - any valid low-privilege account - makes this a high-priority remediation for organizations managing sensitive congregation data.
Sensitive information exposure in the Smart Slider 3 WordPress plugin (all versions up to and including 3.5.1.37) allows authenticated Contributor-level users to extract titles and full content excerpts of private, draft, pending, trashed, and auto-draft posts belonging to any user on the site - including Administrators and Editors - via the unsecured 'keyword' Ajax parameter. The attack barrier is further lowered because the required nonce is automatically emitted on /wp-admin/post-new.php, a page accessible to any Contributor by default through the edit_posts capability, making nonce acquisition trivial. No public exploit code and no confirmed active exploitation (CISA KEV) have been identified at time of analysis.
Remote code execution in the plank/laravel-mediable package before 7.0.0 lets attackers upload a double-extension file such as shell.php.jpg that passes all MIME, extension, and aggregate-type validation because of the trailing .jpg, yet retains an inner .php in its stored basename. On Apache/nginx servers misconfigured to execute any filename containing .php, the stored artifact runs as PHP. Reported by VulnCheck with a vendor patch in 7.0.0; there is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Server-side request forgery in NukeViet CMS before 4.6.00 lets a remote unauthenticated attacker coerce the server into issuing outbound HTTP requests to an arbitrary host by spoofing the X-Forwarded-Host and X-Forwarded-Proto headers, which flow unvalidated into the cURL URL built by server_info_update(). Because the __serverInfoUpdate=1 POST handler in includes/ini.php runs before authentication, no credentials are needed. The flaw is blind, HEAD-only and uses a fixed request path, so its practical value is internal host/port discovery and poisoning of the cached server_headers rather than data exfiltration; no public exploit beyond the advisory PoC is identified and it is not in CISA KEV.
Arbitrary file deletion in NukeViet CMS (versions before 4.6.00) allows an authenticated administrator to permanently delete any file within the web application root via a path-traversal payload in the comment Edit function. By padding the POST 'attach' parameter with exactly 26 filler characters followed by '../../<target>', an attacker survives the naive substr() prefix-stripping and stores a traversal path in the database; deleting the comment then removes the referenced file (e.g. config.php), forcing the site into the install wizard and causing a full outage. No public exploit identified at time of analysis, though the GitHub Security Advisory (GHSA-c9xg-64p9-f2jj) includes a full working reproduction.
Stored cross-site scripting in the NukeViet CMS News module (versions before 4.6.00) lets any authenticated user with news-posting permission persist arbitrary JavaScript that runs in the browser of every visitor, including administrators. Two independent filter bypasses defeat the built-in anti-XSS routines in NukeViet\Core\Request: a Form Feed (\x0C) prefix slips event-handler attributes past the /^on/ check, and a decimal HTML-entity tab (	) smuggles a javascript: URI past the keyword filter. Publicly available exploit payloads exist in the vendor advisory; there is no evidence of active exploitation and no EPSS figure was supplied.
Stored cross-site scripting in NukeViet CMS 4.x through 4.5.08 lets a low-privileged authenticated member embed a JavaScript payload in their profile display name (first_name/last_name), which then executes when any visitor - including administrators - clicks the Reply/Answer link on that member's comment. The flaw stems from HTML-entity encoding being applied where JavaScript-string escaping is required, so the payload runs in the victim's session context and can drive admin session actions, credential phishing, and data exfiltration. Publicly available exploit code exists (a working PoC is published in the GHSA advisory), though there is no public exploit identified as actively used in the wild.
Reflected cross-site scripting in the Comment module of NukeViet CMS (versions before 4.5.09) lets remote unauthenticated attackers execute arbitrary JavaScript in a victim's browser via a crafted URL. The status_comment parameter carries base64-encoded HTML that is decoded server-side and rendered unescaped, while a second flaw makes the checkss anti-forgery token static and site-wide, removing the only barrier to URL-based delivery. No public exploit identified at time of analysis, though the advisory documents a confirmed proof-of-concept credential-phishing overlay.
Remote code execution in ThemisNETPanel (vendor 4real) allows unauthenticated network attackers to fully compromise the underlying server by abusing a file-upload endpoint that lacks any authentication check. An attacker submits a base64-encoded PHP payload, writes it as an arbitrary PHP file, and executes it in the web application's context. Reported by CERT-PL with a CVSS 4.0 base score of 9.3; no public exploit identified at time of analysis and it is not listed in CISA KEV.
Remote OS command execution in Vitec Flamingo 4.12.2 lets unauthenticated attackers run arbitrary commands as root through the admin/ajax/gen_graphs.php graph-generation endpoint. The start, end, key, and format GET parameters are passed unsanitized into a PHP passthru() shell call, and because the web server runs with passwordless sudo the impact escalates to full root compromise. Publicly available exploit code exists (VulnCheck), though there is no CISA KEV listing, so this is a high-priority, easily weaponizable flaw.
Unauthenticated OS command injection in Vitec Flamingo 4.12.2 (IPTV distribution) lets remote attackers run arbitrary commands as root through the admin/ajax/ping.php endpoint. The flaw stems from a double-evaluation bug where a system wrapper re-uses the decoded, un-escaped host value in a second shell call executed via passwordless sudo. Publicly available exploit code exists (VulnCheck); no active exploitation is confirmed in CISA KEV at time of analysis.
SQL injection in CodeAstro Simple Online Leave Management System 1.0 exposes the admin accept handler to database manipulation by low-privilege authenticated remote attackers via the `appid` POST parameter in `/SimpleOnlineLeave/admin/accept.php`. The CVSS 4.0 vector (PR:L, VC:L/VI:L/VA:L) indicates constrained but real impact against the vulnerable system's database, with confidentiality, integrity, and availability all partially compromised. A public exploit is available on GitHub and the E:P evidence tag in the CVSS 4.0 vector corroborates this - however, no CISA KEV listing exists, meaning active exploitation at scale is not confirmed at time of analysis.
SQL injection in CodeAstro Simple Online Leave Management System 1.0 allows authenticated remote attackers to manipulate backend database queries via the 'ID' parameter in /SimpleOnlineLeave/admin/deletemp.php. The CVSS 4.0 vector (PR:L) indicates low-privilege authenticated access is sufficient to trigger the flaw, and a public proof-of-concept exploit has been disclosed on GitHub. Impact is assessed as low across confidentiality, integrity, and availability, consistent with the CVSS 4.0 score of 2.1, though the underlying SQL injection primitive could theoretically be chained to extract or corrupt database content.
Local File Inclusion in the Select-Themes "Tonda" WordPress theme (all versions through 2.5) lets an authenticated attacker with low privileges coerce a PHP include/require statement into loading arbitrary local files on the server. Tracked as CVE-2026-57805 (CWE-98) and reported by Patchstack, it carries a CVSS 7.5 rating and enables disclosure of sensitive files such as wp-config.php, with potential escalation to code execution via log/session poisoning. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Local File Inclusion in the CodexThemes TheGem Theme Elements (for Elementor) WordPress plugin (versions up to and including 5.11.1) lets an authenticated low-privileged attacker coerce the application into including arbitrary local PHP files, exposing sensitive files and potentially executing attacker-influenced code within the site context. Classified as CWE-98 (PHP Remote/Local File Inclusion) and reported by Patchstack, the flaw carries a CVSS 3.1 base score of 7.5 with high impact across confidentiality, integrity, and availability. There is no public exploit identified at time of analysis and no active exploitation on record.
Local File Inclusion in the Select-Themes Struktur Core WordPress plugin (all versions up to and including 2.5.1) lets an authenticated low-privileged user coerce a PHP include/require statement into loading arbitrary local files, exposing sensitive server-side content such as wp-config.php credentials. Reported by Patchstack and classified under CWE-98 (PHP Remote File Inclusion), the flaw carries a CVSS 3.1 score of 7.5; no public exploit identified at time of analysis and it is not listed in CISA KEV. Depending on server configuration, LFI of attacker-influenced content (e.g., poisoned logs or uploaded files) can escalate to PHP code execution.
Local File Inclusion in the Select-Themes "Struktur" WordPress theme (all versions up to and including 2.5.1) lets an authenticated attacker coerce a PHP include/require statement into loading arbitrary local files on the server, exposing sensitive content such as wp-config.php credentials and, under the right conditions, escalating to code execution. Tracked as CVE-2026-57802 (CWE-98) and reported by Patchstack, it carries a CVSS 7.5 rating; there is no public exploit identified at time of analysis and it is not on CISA KEV. The CVSS vector's PR:L indicates authentication is required and AC:H reflects non-trivial exploitation preconditions.
PHP Local File Inclusion in the Select-Themes SetSail WordPress theme (versions up to and including 2.1) allows an authenticated attacker to coerce the application into including local files via improper control of a filename in an include/require statement. Successful exploitation can disclose sensitive files (e.g., wp-config.php) and, depending on server conditions, escalate to code execution through log poisoning or PHP wrapper abuse. This is a Patchstack-reported issue with no public exploit identified at time of analysis and no CISA KEV listing.
Local File Inclusion in the Edge-Themes 'Overworld' WordPress theme (versions up to and including 1.5) lets an authenticated attacker coerce a PHP include/require statement into loading arbitrary server-side files, disclosing sensitive data such as wp-config.php credentials and potentially escalating to code execution via log/session poisoning. The flaw was reported by Patchstack and is classified as CWE-98 (PHP Remote File Inclusion). No public exploit identified at time of analysis, and it is not listed in CISA KEV; EPSS was not provided.
Local file inclusion in the uxper Nuss WordPress theme (versions up to and including 1.3.6) lets an authenticated attacker with low-privilege access coerce the theme into including arbitrary PHP-parsable files from the server via improperly controlled include/require paths (CWE-98). Successful exploitation can disclose sensitive files and, depending on what can be included, lead to code execution, with high confidentiality, integrity, and availability impact per the CVSS 7.5 rating. No public exploit identified at time of analysis; the flaw was reported through Patchstack.
Local File Inclusion in the NewsPlus Shortcodes WordPress plugin (versions up to and including 4.2.0) allows an authenticated attacker to coerce the plugin into including arbitrary PHP-processable files from the server, enabling disclosure of sensitive files and potential code execution. The flaw stems from improper control of a filename passed to a PHP include/require statement (CWE-98). No public exploit was identified at the time of analysis, and it is not listed in CISA KEV; risk is moderated by high attack complexity and a required privilege level.
Local File Inclusion in the VLThemes Leedo WordPress theme (versions up to and including 3.0.0) allows authenticated attackers to include and execute arbitrary local files on the server via improper control of a filename passed to a PHP include/require statement. Although classified under PHP Remote File Inclusion (CWE-98), Patchstack characterizes the practical impact as Local File Inclusion, enabling disclosure of sensitive files and potential code execution from locally accessible content. No public exploit identified at time of analysis, and it is not listed in CISA KEV; the CVSS 3.1 base score is 7.5 with high attack complexity.
Local File Inclusion in the Kitchor WordPress theme by themelexus (versions up to and including 1.4.3) allows an authenticated attacker to coerce a PHP include/require statement into loading arbitrary local files from the server. Because the theme fails to constrain the filename passed to an include path (CWE-98), an attacker with at least low-level authenticated access can read sensitive files such as wp-config.php and, under the right conditions, escalate to PHP code execution via log poisoning or inclusion of attacker-influenced content. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV; the CVSS 3.1 base score is 7.5.
Local file inclusion in the uxper Golo Framework WordPress plugin (versions up to and including 1.7.3) lets an authenticated attacker abuse an improperly validated include/require path to read arbitrary server-side files and potentially execute embedded PHP. The CVSS 3.1 vector (AV:N/AC:H/PR:L/UI:N) indicates network-reachable exploitation requiring low-level authentication and elevated attack complexity, with high impact to confidentiality, integrity, and availability. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Local File Inclusion in the Elated-Themes 'Flow' WordPress theme (all versions up to and including 1.8) lets an authenticated attacker abuse an improperly controlled include/require path to read local files and potentially execute PHP. The CVSS 3.1 vector (AV:N/AC:H/PR:L) indicates a network-reachable but low-privilege, high-complexity flaw. No public exploit identified at time of analysis, and it is not listed in CISA KEV; disclosure comes from Patchstack.
Local file inclusion in the Mikado-Themes "Dor" WordPress theme (all versions through 2.4.1) lets an authenticated attacker with low privileges supply a crafted filename to a PHP include/require statement, causing the server to include and execute arbitrary local files. Patchstack attributes it to improper control of a filename passed to a PHP include path (CWE-98), enabling disclosure of sensitive files and potential code execution. No public exploit identified at time of analysis and it is not listed in CISA KEV, but the high CVSS (7.5) reflects the full-impact potential once the low-privilege prerequisite is met.
Local file inclusion in the ThemeMove Brook WordPress theme (versions up to and including 2.9.0) lets authenticated attackers coerce a PHP include/require statement into loading arbitrary local files on the server, exposing sensitive data such as wp-config.php credentials and potentially escalating to code execution. The flaw was disclosed by Patchstack and carries a CVSS 3.1 score of 7.5, but exploitation is rated high-complexity (AC:H) and requires at least low-level authentication (PR:L). There is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Local File Inclusion in the jwsthemes Aqua WordPress theme (versions up to and including 5.1.2) lets an authenticated attacker coerce a PHP include/require statement into loading arbitrary local files, exposing sensitive data and potentially achieving code execution. Reported by Patchstack under CWE-98, the flaw carries CVSS 7.5 but requires low-level privileges and high attack complexity. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Local File Inclusion in the ThemeMove 'Billey' premium WordPress theme (versions up to and including 2.1.8) lets an authenticated attacker with low privileges control a filename used in a PHP include/require statement, exposing sensitive server-side files such as wp-config.php. Classified by Patchstack under CWE-98 (PHP Remote File Inclusion) but resolving to Local File Inclusion in practice, the flaw carries a CVSS 7.5 rating and no public exploit identified at time of analysis. Under specific conditions PHP file inclusion can escalate from information disclosure toward code execution via techniques such as log poisoning.
Local File Inclusion in the Edge-Themes "Aalto" WordPress theme (all versions up to and including 1.8) lets an authenticated attacker control a filename passed to a PHP include/require statement, exposing local files and potentially executing PHP. The flaw was reported by Patchstack and carries CVSS 7.5; there is no public exploit identified at time of analysis and it is not listed in CISA KEV. Despite the CWE-98 "Remote File Inclusion" classification, the described impact is Local File Inclusion.
PHP Local File Inclusion in the WordPress RT-Theme 18 | Extensions plugin (rt18-extensions) by stmcan lets remote attackers coerce the plugin into including attacker-influenced local file paths in an include/require statement, exposing sensitive files and potentially achieving code execution if a suitable includable file exists. All versions from an unspecified start through 2.5 are affected. No public exploit identified at time of analysis and it is not on CISA KEV, but the CVSS 3.1 base score is 8.1 (high) and the flaw is reachable without authentication.
Local File Inclusion (LFI) in SourceCodester Online Book Store System 1.0 allows authenticated remote attackers to read arbitrary files on the server by manipulating the `page` parameter in `/admin/index.php`, leading to source code and sensitive file disclosure. The vulnerability stems from unsanitized user input passed directly to PHP's include/require statement (CWE-98), with a publicly available proof-of-concept exploit documented on Medium. No patch has been identified; CVSS 4.0 scores this 2.1, reflecting the limited impact scope and authenticated precondition.
Unrestricted file upload in SourceCodester Online Book Store System 1.0 allows authenticated remote attackers with administrative access to upload arbitrary PHP files via the Book Image Upload feature at /admin/index.php?page=books, enabling remote code execution on the host server. A public exploit proof-of-concept has been disclosed on Medium under the title 'Critical Authenticated Remote Code Execution via Unrestricted File Upload,' confirming practical exploitability. While PR:H limits exposure to actors holding admin credentials, successful exploitation yields full server-side code execution, making this a high-impact finding within its threat model.
PHP object injection in the 'Database for Contact Form 7, WPforms, Elementor forms' WordPress plugin (all versions before 1.5.2) permits unauthenticated attackers to embed malicious serialized PHP objects via the entry-editor file-field path, which are instantiated server-side when an administrator views the stored form entry. This is an incomplete remediation of two prior CVEs (CVE-2025-7384 and CVE-2026-2599) - earlier patches hardened other deserialization paths within the same plugin while this specific code route was overlooked. A publicly available exploit exists; no active exploitation is confirmed by CISA KEV at time of analysis.
SQL injection in SourceCodester Online Book Store System 1.0 exposes the admin authentication panel to remote, unauthenticated exploitation via the Username parameter in admin/login.php. A publicly available proof-of-concept - explicitly titled 'SQL Injection Leading to Authentication Bypass' - demonstrates that an attacker can bypass admin login entirely without valid credentials. No active exploitation is confirmed by CISA KEV, but the combination of a publicly released exploit and a trivially low attack complexity significantly elevates real-world risk above what the base CVSS 4.0 score of 6.9 suggests.
SQL injection in itsourcecode Hospital Management System 1.0 exposes patient prescription data to remote authenticated attackers via the `delid` parameter in `/patviewprescription.php`. Low-privilege access is sufficient to exploit this CWE-89 flaw, enabling database read, write, and partial disruption. No public KEV listing exists, but a proof-of-concept exploit is publicly available on GitHub, materially lowering the barrier to exploitation beyond what the CVSS 4.0 score of 5.3 alone implies.
Code injection in DedeCMS 5.7.118 exposes high-privileged remote attackers to arbitrary PHP code execution via the Column Name parameter in the Column Management component of `/plus/search.php`. The exploit document on GitHub describes a cache file writing mechanism through which attacker-supplied input is persisted to disk and subsequently executed by the PHP runtime. A public proof-of-concept exists; no active exploitation is confirmed in the CISA KEV catalog.
Information disclosure in WuzhiCMS up to version 4.1.0 exposes sensitive server-side data through the Attachment API's `config/listimage` function, reachable at `/index.php?m=attachment&f=index&v=upload`. Remote unauthenticated attackers can exploit this endpoint without any privileges or user interaction, as confirmed by a publicly available proof-of-concept published via a GitHub issue report. The vendor has not responded to the disclosure, leaving no patch available and all deployments exposed.
SQL injection in CodeAstro Simple Online Leave Management System 1.0 allows authenticated remote attackers to manipulate the Name parameter within /SimpleOnlineLeave/admin/dashboard.php to inject arbitrary SQL commands against the backend database. A public proof-of-concept exploit is confirmed via a GitHub issue reference, elevating real-world risk above the moderate CVSS 4.0 base score of 5.3. The CVE is not currently listed in the CISA KEV catalog, indicating no confirmed widespread active exploitation, but the low attack complexity combined with an available POC makes this a credible near-term threat for any internet-exposed deployment.
Unrestricted file upload in AREA 17 Twill CMS (versions up to 3.6.0) allows authenticated admin users to upload arbitrary file types via the `qqfilename` parameter in the Media Library Insert Page, creating a direct path to remote code execution on the underlying server. A public proof-of-concept documenting the full exploitation chain from file upload to RCE has been published by Bytium. No vendor patch exists - the vendor was contacted during responsible disclosure and did not respond, leaving all installations on affected versions without an official remediation path.
Authorization bypass in MacCMS Pro's installation module allows remote attackers to circumvent access controls via the `step5` function in the installation controller, affecting all versions through 2022.1000.3005. Exploitation is rated high-complexity (AC:H), limiting opportunistic mass exploitation, though a public proof-of-concept is available on GitHub. No CISA KEV listing at time of analysis; EPSS data was not included in the available intelligence, but POC availability elevates the practical risk above the raw CVSS score alone might suggest.
SQL injection in AojiaoZero Antaris 1.0 exposes the application database through the PayPal IPN payment callback endpoint, where the `_rewardPurchase` function fails to sanitize the `item_number` parameter before incorporating it into SQL queries. An authenticated remote attacker who can send a crafted POST request to `/ipn.php` can manipulate the underlying database query, potentially reading sensitive records, modifying data, or degrading availability. No public exploit code has been identified at time of analysis, and the vendor did not respond to disclosure, leaving the vulnerability unpatched.
SQL injection in SmartHomeAdatum's users.php Login component exposes the backend database to unauthenticated remote manipulation via a crafted Login argument. All commits up to cf495353d81b680675eb8d9aa14a318aa45ce12c of this PHP-based smart home application are affected, with no patch available and a vendor that did not respond to disclosure. No public exploit code or CISA KEV listing exists at time of analysis, though the CVSS 4.0 vector confirms low-complexity unauthenticated network exploitation.
SQL injection in AMTT Hotel Broadband Operation System 1.0 exposes the `manager/network/switch_status.php` endpoint to database manipulation via an unsanitized `ID` parameter, exploitable by authenticated remote attackers. A public proof-of-concept exploit exists (GitHub issue referenced in VulDB entry), though the vulnerability is not listed in CISA KEV. The CVSS 4.0 score of 2.0 reflects the high-privilege authentication barrier (PR:H) that significantly constrains real-world attack surface, limiting this primarily to insider threat or post-compromise escalation scenarios within hotel network management environments.
Reflected cross-site scripting in MantisBT's /admin/install.php (versions 2.28.3 and earlier) lets remote attackers inject HTML through six unescaped, user-supplied parameters echoed by print_test_result(). Although the page's Content-Security-Policy (script-src 'self') blocks inline JavaScript, the missing form-action directive permits credential-phishing form injection, <meta>-based open redirects, and CSS overlay attacks against the trusted admin origin. The advisory states no authentication is required; there is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Full-read SSRF in Koel's podcast subscription feature allows any authenticated user to coerce the server into fetching internal HTTP endpoints - including cloud instance metadata services - and receive the full response. The vulnerability exists because PHP's `filter_var` with `FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE` does not unwrap NAT64 (`64:ff9b::/96`) or 6to4 (`2002::/16`) IPv6 transition addresses, both of which deterministically embed a private IPv4 that the OS kernel routes internally. This affects all Koel deployments through v9.7.0 on NAT64 or dual-stack networks (the default for IPv6-only AWS and GCP subnets); a detailed proof-of-concept with verbatim server output is published in the advisory. No public exploit code is in KEV at time of analysis, but the PoC substantially lowers the exploitation barrier.
Server-side request forgery in Koel (self-hosted PHP music-streaming server, all releases up to and including 9.7.0) lets any authenticated low-privilege user coerce the server into requesting arbitrary internal or cloud-metadata endpoints. The flaw is an incomplete fix for CVE-2026-47260: the initial isSafeUrl() check was added to several podcast/radio fetchers, but per-redirect-hop re-validation was wired into only one path (EpisodePlayable), leaving every sibling fetcher bypassable via an attacker-controlled host that returns an HTTP 302 to an internal address, and all paths bypassable via DNS rebinding. A researcher mechanism PoC confirms exploitation; not listed in CISA KEV and no evidence of active exploitation.
{id}. Publicly available exploit code exists (a working PoC is published in the GHSA advisory), but it is not in CISA KEV and no active exploitation is identified.
Authenticated blind SSRF in Koel v9.6.0 allows any logged-in user to trigger server-side HTTP requests to private, loopback, and RFC1918 destinations by exploiting a missing SafeUrl validation guard on the Subsonic-compatible createPodcastChannel.view route. The main podcast API correctly rejects private URLs with a 422 error, but the Subsonic compatibility layer omits the same SafeUrl rule, and the attacker-supplied URL is fetched synchronously during channel creation via Poddle::fromUrl() - no separate step required. No public exploit identified at time of analysis per KEV status, but a fully documented public PoC with step-by-step curl commands is available in GHSA-w79m-f3jx-779v, validated against the official phanan/koel:9.6.0 Docker image.
MantisBT's REST and SOAP APIs fail to enforce the $g_set_status_threshold authorization gate, allowing any authenticated user holding the UPDATER role (the default update permission) to change an issue's workflow status to values that should require DEVELOPER-level access or higher. The vulnerability is confirmed patched in release 2.28.4 with no public exploit or KEV listing. Because UPDATER is the default role for ordinary authenticated contributors, this flaw is broadly reachable on any MantisBT instance where the API is accessible without further hardening of role assignments.
Authenticated remote code execution in MantisBT versions 1.3.0 through 2.28.3 allows an administrator to run arbitrary PHP as the web server user (www-data) via the 'Manage Configuration' page (adm_config_set.php). When a config value is stored with a non-string type, the ConfigParser/Tokenizer path calls eval() on attacker-controlled code guarded only by a 'return;' prefix; because PHP hoists class and function declarations at compile time regardless of the return, an attacker can plant a class that later hijacks the autoloader. There is no public exploit identified at time of analysis and it is not listed in CISA KEV; the flaw was reported privately by watchTowr and fixed in 2.28.4.
Privilege escalation to administrator in MantisBT 2.28.3 and earlier lets a low-privileged or self-registered user impersonate any account, including the administrator, through the SOAP API's flawed mci_check_login() function. Because the function accepts any valid cookie_string without checking that it belongs to the supplied username, an attacker who knows a target username (e.g. 'administrator') and possesses their own MANTIS_STRING_COOKIE can authenticate as that user without a password. With self-registration enabled by default ($g_allow_signup = ON), this is exploitable from zero prior access, granting full read/write and destructive control over all projects, issues, and user data. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the underlying bug is trivially reliable.
SQL injection in MantisBT 2.28.3 and earlier (fixed in 2.28.4) lets an administrator poison the history_order configuration value, which core/history_api.php concatenates unsanitized into an ORDER BY clause; the injected SQL then fires whenever any authenticated user views a bug that has history entries. This converts an administrator's config-write into database-wide data theft (password hashes, cookie_strings, API tokens, private issues) and, where the MySQL account holds the FILE privilege, remote code execution via INTO OUTFILE dropping a PHP webshell in the web root. No public exploit identified at time of analysis; reported by McCaulay Hudson of watchTowr and tracked as GitHub advisory GHSA-mw6p-33vw-46cc.
Authenticated arbitrary file write in the Grav CMS Form plugin (versions before 9.1.8) allows attackers to plant PHP webshells in the web root by abusing the process.save.filename parameter. The filename is checked for path traversal before Twig rendering but never re-validated afterward, so traversal sequences reconstructed during template evaluation bypass the guard. No public exploit has been identified at time of analysis, and it is not listed in CISA KEV; the flaw was disclosed by VulnCheck via a coordinated GitHub security advisory.
Remote code execution in the Grav API plugin (getgrav/grav-plugin-api) before 1.0.3 is achievable by authenticated API users holding the api.media.write permission via a double-extension file upload bypass. The HandlesMediaUploads::validateFileExtension() method uses PHP's pathinfo() to inspect only the final file extension, meaning a file named shell.php.jpg passes the dangerous-extension blocklist while retaining a .php segment that certain web server configurations will execute as PHP. No public exploit code or CISA KEV listing has been identified at time of analysis, but the technique is well-understood and exploitation is low-complexity once permission prerequisites are met.
Broken function-level authorization in Prospero Flow CRM before 5.5.3 lets any authenticated low-privileged user (e.g. the standard 'User'/'Usuario' role) read every bank account record belonging to their company via GET /api/bank-account. The API route is guarded only by auth:api with no permission gate — unlike the web equivalent, which enforces can('read bank') — so any valid bearer token returns sensitive banking data (IBAN, SWIFT/BIC, account identifiers). A vendor patch exists (5.5.3) and the fixing commit is public; there is no public exploit identified at time of analysis and the flaw is not in CISA KEV.
Stored cross-site scripting in EasyAdminBundle (Symfony admin generator) versions 5.0.0 through 5.0.12 allows a lower-privileged user with access to a form using FileField or ImageField to upload a browser-executable .html or .svg file that EasyAdmin then links to inline, executing attacker-controlled JavaScript in a viewing administrator's authenticated session. Impact includes session/CSRF-token theft and privilege escalation; it is explicitly NOT remote code execution because filenames come from Symfony's guessExtension(). There is no public exploit identified at time of analysis and it is not in CISA KEV; a vendor patch is available in 5.0.13.
Arbitrary file write in Anyquery Server Mode (versions < 0.4.5) allows unauthenticated remote attackers to write files to any path the process can access by abusing SQLite's native ATTACH DATABASE command exposed over the MySQL-compatible listener. Because the server blindly proxies SQL to the underlying SQLite engine, an attacker can create files such as cron jobs, PHP web shells, or SSH authorized_keys and escalate the file write into remote code execution or denial of service. A working step-by-step proof-of-concept is published in the vendor's GitHub Security Advisory (GHSA-xrcf-6jh3-ggvx); there is no CISA KEV entry and no confirmed in-the-wild exploitation at time of analysis.
A vulnerability was identified in SourceCodester Class and Exam Timetabling System 1.0. Affected by this vulnerability is an unknown functionality of the file /exam.php. Such manipulation of the argument day leads to cross site scripting. It is possible to launch the attack remotely. The exploit is publicly available and might be used.
{ $items = []; foreach ($this->variantes() as $item) { $match = $item->{$this->match}; $description = Tools::textBreak($item->description(), 300); ... $items[] = '<tr class="clickableRow" onclick="widgetVarianteSelect(\'' . $this->id . '\', \'' . $match . '\');">' . '<td class="text-center">' ... ``` `$this->match` defaults to `'referencia'` (`WidgetVariante::__construct`, line 42). `$item->referencia` was sanitised at write time by `Variante::test()` (`Core/Model/Variante.php:392`) which calls `Tools::noHtml($this->referencia)`. `Tools::noHtml` (`Core/Tools.php:499-504`) replaces `'`, `"`, `<`, `>` with `'`, `"`, `<`, `>`. The defender therefore expects that any apostrophe a user typed becomes `'` in the database, which renders inside the `onclick` attribute as `'` and cannot break out of the surrounding `'...'` JS string literal. `Core/Lib/Widget/WidgetSubcuenta.php:290-305` has the identical shape: ```php foreach ($this->subcuentas() as $item) { $match = $item->{$this->match}; ... $items[] = '<tr class="clickableRow" onclick="widgetSubaccountSelect(\'' . $this->id . '\', \'' . $match . '\');">' . '<td class="text-center">' . '<a href="' . $item->url() . '" target="_blank" onclick="event.stopPropagation();">' ... ``` `$this->match` defaults to `'codsubcuenta'`; the value is `Tools::noHtml`-encoded by `Subcuenta::test()` (`Core/Model/Subcuenta.php:213`). Per the HTML5 spec (and what every browser actually does), the value of an HTML attribute is processed by the **character reference state** of the tokenizer before any consumer sees it. By the time the `onclick` attribute value reaches the script engine, the bytes inside are the *decoded* string. Concretely, the HTML the browser receives is: ```html <tr onclick="widgetVarianteSelect('id', '1',alert(1),'2');"> ``` After the tokenizer decodes `'` to `'`, the JavaScript fragment passed to the script engine is: ```javascript widgetVarianteSelect('id', '1',alert(1),'2'); ``` `alert(1)` runs as a third positional argument that JavaScript happily evaluates while building the call. The `widgetVarianteSelect` function ends up being called with four arguments and the side-effect of `alert(1)` (or any payload) has already occurred. The recent `40bc701` AccountingModalHTML and `8586b97` SalesModalHTML / PurchasesModalHTML fix recognised this. Both replaced the `onclick="...('"+ value +"')"` pattern with: ```php $tbody .= '<tr ... data-subaccount="' . $code . '" onclick="$(...).modal(\'hide\');' . ' return newLineAction(this.dataset.subaccount);">' ``` Where `$code = static::html($subaccount->codsubcuenta)` and `static::html` is `htmlspecialchars(html_entity_decode($text, ENT_QUOTES | ENT_HTML5, 'UTF-8'), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')`. The HTML5 entity decode is deliberate: it normalises any double-encoded data so that the subsequent `htmlspecialchars` produces stable single-encoded output. The JavaScript then reads the value from `this.dataset.*`, which is the post-decoded attribute value, where the original quote is now literally inside a string property and cannot break out of any quote context. `WidgetSubcuenta` and `WidgetVariante` were not migrated to this pattern. `Variante::test()` (`Core/Model/Variante.php:389-401`) accepts up to 30 characters in `referencia`. The minimum payload is 13 bytes (`1',alert(1),'2`), comfortably under the limit. The `Tools::noHtml` pass during `test()` produces the stored form `1',alert(1),'2`, which is 22 bytes. Three plant primitives are practical: 1. **Direct create** via `EditProducto?action=save` with the attacker-controlled `referencia` field. Because `EditProducto` is exposed to any user with the `EditProducto` permission (which roles like *sales agent* and *warehouse manager* commonly carry), this is a within-tenant primitive: a low-privilege salesperson plants the payload, an admin opens any sales document and clicks the variant picker. 2. **DB write** by anyone with raw SQL access (DBA or shared-hosting admin). `INSERT INTO variantes (referencia, ...) VALUES ('1\',alert(1),\'2', ...)`. This is what I used for the live test; the plant is permanent until the row is deleted. 3. **Plugin / API import.** `ApiAttachedFiles` and the various import endpoints allow a low-privilege API key to land arbitrary `referencia` values that bypass the `EditProducto` `permissions->onlyOwnerData` filter. For `WidgetSubcuenta`, the `codsubcuenta` field is constrained to the exercise's `longsubcuenta` length (10 by default), and the regex-free `Tools::noHtml` pass turns one apostrophe into 5 bytes (`'`), so the post-noHtml string must equal the configured length exactly. A 5-byte payload (`1','` is 4) plus padding is workable for compact bypass payloads such as `'+x+'` (where `x` is a previously-loaded global). DB-write planting (primitive 2) bypasses the length check entirely. The fix wave centred on the `Lib/AjaxForms/*ModalHTML.php` files. Both audited widgets live in `Lib/Widget/` and look superficially safe to a reviewer because every value is `Tools::noHtml`-escaped at storage. The actual decoding step happens inside the browser, not the PHP code, so the defect is not visible in a `grep`-based review of the PHP source unless the reviewer specifically looks for `onclick="...('+ $field +')'` shapes that put a `Tools::noHtml`-escaped value in a JavaScript string position inside an HTML attribute. > **Live PoC verified 2026-05-01** against `http://127.0.0.1:8081/` running facturascripts at commit `24281ca`. A `Variante.referencia` value of `1',alert(1),'2` (planted via raw DB write below) renders inside `widgetVarianteSelect('0', '1',alert(1),'2');` in the modal grid; opening the variant-picker modal in any user's browser (low-priv or admin) fires `alert(1)` from the host page's realm. Setup: the admin session at `http://127.0.0.1:8081/` is at `/tmp/fs-cookie2`. Step 1 - plant the payload (any of the three primitives works). DB-write primitive: ```bash mysql -h127.0.0.1 -ufs -pfs facturascripts <<'SQL' INSERT INTO productos (referencia, descripcion, codimpuesto, sevende, secompra, bloqueado, nostock, publico, stockfis, ventasinstock, observaciones) VALUES ('XSSPRD', 'XSS via WidgetVariante', 'IVA21', 1, 1, 0, 1, 0, 0, 1, ''); INSERT INTO variantes (referencia, idproducto, precio, coste, margen, stockfis, codbarras) SELECT "1',alert('XSS-WidgetVariante'),'2", idproducto, 0, 0, 0, 0, '' FROM productos WHERE referencia='XSSPRD'; SQL ``` After the insert, `Variante::test()` did not run (the row was created via SQL), so the literal `'` survives. Even via the EditProducto UI primitive, the round trip through `Tools::noHtml` produces the encoded form `1',alert(...),'2` which decodes back to the working payload at render time. Step 2 - open any controller that uses WidgetVariante with the default `match` (or any third-party plugin form that does so). Core ships two views (`Core/XMLView/EditAgente.xml`, `Core/XMLView/ListAgente.xml`) but both override `match="idproducto"`, so they are not exposed in stock core. Any plugin form that uses `<widget type="variante" .../>` without an explicit `match` attribute opts into the vulnerable code path. Trigger the variant-picker modal: ```bash $ curl -s -b /tmp/fs-cookie2 "http://127.0.0.1:8081/EditAgente?code=1" \ | grep -oE 'widgetVarianteSelect[^<>]{1,200}' | head -3 ``` When the modal renders `match=referencia`, the row in the response contains: ```html <tr class="clickableRow" onclick="widgetVarianteSelect('0', '1',alert('XSS-WidgetVariante'),'2');"> ``` The browser HTML-decodes the attribute value before passing it to the script engine, yielding the actual JavaScript `widgetVarianteSelect('0', '1',alert('XSS-WidgetVariante'),'2');`. The `alert` fires the moment the attribute is parsed for execution (i.e., when the user clicks the row, or when an automation script triggers the click programmatically), and the host realm's session, cookies, and CSRF tokens are exposed to the payload. For `WidgetSubcuenta`, the payload trigger is identical: any controller with `<widget type="subcuenta" fieldname="codsubcuentaXxx"/>` (`Core/XMLView/EditProducto.xml`, `EditCuentaBanco.xml`, `EditFamilia.xml`, `EditImpuesto.xml`, `EditRetencion.xml` are the in-tree consumers) renders the modal with `widgetSubaccountSelect('id', '<HTML-decoded codsubcuenta>')`. A `codsubcuenta` row planted with one apostrophe and five bytes of payload escapes the JS string and runs in the host page. * **Stored XSS in any user's browser the moment they open a product or subaccount picker.** The execution context is the host page, with full access to the viewer's session, CSRF tokens, and the running application. From an admin viewer's perspective the payload achieves admin compromise (install plugins, change passwords); from a normal user's perspective it can be used to exfiltrate the user's data and pivot. * **Within-tenant escalation primitive.** `EditProducto` is a routinely granted role permission. A salesperson, warehouse user, or a plugin-supplied controller without `admin` rights can plant a payload that fires in admin's browser the next time admin opens any sales document and clicks the variant picker. * **Sister vulnerability to the `40bc701` / `8586b97` fix wave.** The maintainers already understand and have fixed the same anti-pattern in three sister classes; these two were missed and remain exploitable. CVSS reasoning: `AV:N`, `AC:L` (one DB or one form POST plant), `PR:H` (the planter must be authenticated and have either `EditProducto` or DB write or import-API access; with weaker roles the payload is also reachable), `UI:R` (the victim opens a form that renders the modal and triggers a click), `S:U` (the impact stays within the application), `C:L I:L A:N` (the viewer's session and CSRF token are exposed; integrity loss bounded by viewer's role). Score 4.8. Mirror the `40bc701` and `8586b97` fix exactly. In both `Core/Lib/Widget/WidgetVariante.php:321` and `Core/Lib/Widget/WidgetSubcuenta.php:296`, replace: ```php $items[] = '<tr class="clickableRow" onclick="widgetVarianteSelect(\'' . $this->id . '\', \'' . $match . '\');">' ``` with the data-attribute pattern that the modal helpers now use: ```php $encMatch = htmlspecialchars( html_entity_decode((string)$match, ENT_QUOTES | ENT_HTML5, 'UTF-8'), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' ); $items[] = '<tr class="clickableRow" data-match="' . $encMatch . '"' . ' onclick="widgetVarianteSelect(\'' . $this->id . '\', this.dataset.match);">' ``` (and the analogous change for `widgetSubaccountSelect`). The same approach should be applied to: * `WidgetSubcuenta::renderExerciseFilter` (`Core/Lib/Widget/WidgetSubcuenta.php:251-255`) where `$item->codejercicio` is interpolated into `<option value="...">`. Codes are short and predictable but the same escaping consideration applies for defence in depth. * `WidgetVariante::renderManufacturerFilter` (line 213) and `renderFamilyFilter` (line 197). Long term, the `BaseWidget::onclickHtml` and `inputHtml` builders (`Core/Lib/Widget/BaseWidget.php:163-167`, `234-239`, `273-283`) likewise concatenate `$this->value` into HTML attributes without context-aware escaping. Migrating them to use Twig (or at least `htmlspecialchars` with `ENT_QUOTES`) closes a class of bugs that today rely on every model's `test()` to be defensive. A regression test should plant a `Variante.referencia` of `1',alert(1),'2`, render the page through the live HTTP stack, and assert that no JavaScript dialog fires (e.g. via Playwright `page.on('dialog', ...)`).
Stored CSV formula injection in FacturaScripts (all versions through 2026.1) lets an authenticated low-privilege user plant spreadsheet formula payloads in ordinary text fields (customer/supplier/product names, contacts) that execute when an administrator opens a routine list export. Because Core/Lib/Export/CSVExport.php::writeData() wraps values without neutralising leading =,+,-,@,tab, or carriage-return characters, and Tools::noHtml() only strips HTML metacharacters, the payload reaches the CSV verbatim and Excel/LibreOffice run it (including DDE process spawning) in the admin's OS context. A live PoC was verified on 2026-04-30, so publicly available exploit code exists, though there is no active exploitation confirmed (not in CISA KEV).
Unauthenticated arbitrary file read in FacturaScripts (all versions through v2026.2) lets remote attackers retrieve protected documents by abusing the static file controllers Files.php and Myfiles.php, which authorize requests on the raw URL prefix rather than the resolved filesystem path. A request such as /Plugins/../MyFiles/Private/invoice.pdf passes the prefix allow-list yet resolves to a private file, leaking customer/supplier invoices, attachments, and .sql database backups. A detailed, reproducible exploit is publicly available in the GitHub Security Advisory; there is no vendor-released patch identified at time of analysis and no evidence of active exploitation.
Cross-resource SQL injection in the FacturaScripts REST API (all versions through 2026.1) lets a low-privileged, scoped ApiKey read or modify arbitrary database tables via the `filter` query parameter, enabling full admin account takeover. A single GET request with a parenthesized filter key leaks the admin's bcrypt password hash and `logkey` session token, which are then replayed as the `fsLogkey` cookie to reach admin-only endpoints like `/AdminPlugins`. A live end-to-end PoC was verified on 2026-04-30, so publicly available exploit code exists, though there is no public exploit identified as being used in active attacks (not in CISA KEV).
A vulnerability was detected in SourceCodester Simple and Nice Shopping Cart Script 1.0. This vulnerability affects unknown code of the file /admin/userproductdeletequery.php. Performing a manipulation of the argument user_id results in sql injection. It is possible to initiate the attack remotely. The exploit is now public and may be used.
Path traversal in DedeCMS 5.7.118's Album Publishing Feature allows remote attackers with administrative credentials to read or write files outside the intended extraction directory by manipulating the `filename` argument passed to the `ExtractFile` function in `include/zip.class.php`. A public proof-of-concept exploit has been released on GitHub, lowering the skill bar for exploitation, though no active exploitation has been confirmed in the CISA KEV catalog. The CVSS 4.0 score of 5.1 with PR:H reflects the high privilege requirement, which materially limits the exposed attack surface to authenticated admin-level sessions.
OAuth provider rebinding in Easy!Appointments prior to version 1.6.0 allows any authenticated backend user - including low-privilege secretary and provider roles - to silently hijack a peer provider's Google Calendar integration by supplying an arbitrary provider_id to the OAuth initiation endpoint. The attacker completes a legitimate Google OAuth flow with their own Google account, which the application then binds to the victim provider's database row without verifying ownership. From that point forward, every appointment on the victim's schedule syncs to the attacker's Google Calendar, leaking customer names and email addresses as attendee data. No public exploit has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.
Server-side request forgery in Easy!Appointments prior to 1.6.0 allows authenticated backend users - admins, providers, or secretaries - to probe internal network hosts by supplying arbitrary URLs to the CalDAV synchronization endpoint. The Guzzle HTTP client in `Caldav.php:60` forwards a REPORT request to the caller-supplied `caldav_url` without validating the scheme or destination host, enabling access to loopback, RFC1918, and link-local addresses on the deployment network. The SSRF is semi-blind, returning up to approximately 120 bytes of upstream response body through the exception path; no public exploit has been identified, exploitation requires an active backend account, and version 1.6.0 resolves the issue.
The reschedule endpoint in Easy!Appointments 1.5.2 and earlier exposes the complete customer database record to any party holding the 12-character appointment hash, with no authentication check and no field whitelisting on the ea_users row. These hashes are deliberately distributed to customers in reschedule emails, embedded in confirmation page URLs, and visible in operator calendar links, which means the effective attacker pool is anyone who has ever received or forwarded a booking email. The fix is available in version 1.6.0 per the GitHub security advisory; no public exploit code and no CISA KEV listing have been identified at time of analysis.
Cross-site scripting in code-projects Online Job Portal 1.0 allows a remote, low-privileged attacker to inject malicious JavaScript via the /Admin/DetailJob.php endpoint, which executes in the browser of any user who views the affected page. The CVSS 4.0 vector (PR:L/UI:P) confirms that exploitation requires an authenticated session and passive victim interaction, constraining but not eliminating real-world risk. A public proof-of-concept has been disclosed on GitHub; no patch from the vendor has been identified at time of analysis.
Unrestricted file upload in code-projects Online Job Portal 1.0 exposes unauthenticated remote attackers to arbitrary file upload via the txtFile parameter in /JobSeekerInsert.php, enabling likely webshell deployment and subsequent server-side code execution. A public proof-of-concept exploit exists (no KEV listing), substantially lowering the exploitation barrier for any internet-exposed instance. The CVSS 4.0 impact metrics are conservatively rated Low across C/I/A, which understates the realistic post-exploitation potential of an unrestricted PHP file upload - successful webshell placement typically yields full OS command execution in the web server process context.
SQL injection in code-projects Online Job Portal 1.0 exposes the /Admin/DeleteUser.php endpoint to unauthenticated remote database manipulation. An attacker can craft HTTP requests that inject arbitrary SQL, enabling data extraction, modification, or deletion from the underlying database. A public proof-of-concept exploit exists (GitHub: shihuizhang-dazhi/MY-CVE/issues/4), lowering the bar for exploitation; this vulnerability is not currently listed in CISA KEV.
Unauthenticated PHP object injection in the Newsletters WordPress plugin before 4.15 lets remote attackers deserialize attacker-controlled data submitted through a public-facing form, then leverage a property-oriented gadget chain bundled inside the plugin itself to write arbitrary files and achieve remote code execution on the host. Publicly available exploit code exists (published via WPScan), though there is no public exploit identified as being used in active attacks and the flaw is not listed in CISA KEV. The self-contained gadget chain removes the usual dependency on third-party gadgets, making reliable exploitation notably more achievable than typical POI bugs.
Arbitrary file deletion in the Word Count and Social Shares WordPress plugin (versions through 1.0) lets any authenticated low-privilege user, including a Subscriber, delete any file the web server can reach because the plugin neither validates the supplied file path nor enforces authorization or CSRF protection. Deleting critical files such as wp-config.php can trigger WordPress's setup/installation flow and enable a full site takeover. Publicly available exploit code exists (reported by WPScan); there is no public exploit identified as actively used, and the issue is not on the CISA KEV list.
SQL injection in code-projects Online Job Portal 1.0 exposes the /Admin/EditUser.php endpoint to remote database manipulation via the unsanitized UserId parameter. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) classifies this as remotely exploitable with no authentication or interaction required, though the Admin path location raises questions about actual auth gating in practice. A public exploit exists (E:P confirmed in CVSS 4.0 and via GitHub issue), lowering the skill bar for exploitation considerably; this CVE is not currently listed in CISA KEV.
SQL injection in itsourcecode Electronic Judging System 1.0 exposes the admin panel endpoint /intrams/admin/add_judges.php to database manipulation via the unsanitized `fname` parameter. Authenticated remote attackers can craft malicious input to read, alter, or potentially enumerate backend database contents. A publicly available proof-of-concept exploit exists on GitHub, though the vulnerability is not listed in CISA KEV and carries a CVSS 4.0 base score of 2.1 (Low), reflecting the authenticated access prerequisite and limited-scope CIA impact.
Privilege escalation in Kimai time-tracking software (<=2.57.0) allows authenticated TEAMLEAD users to create and modify global export templates that are intended to be administrator-only resources. The web controller routes `createExportTemplate` and `editExportTemplate` in `ExportController` inherit only the class-level `create_export` permission - granted to ROLE_TEAMLEAD - while the API endpoints and UI correctly enforce the stricter `create_export_template` permission restricted to ROLE_ADMIN and ROLE_SUPER_ADMIN. Because ExportTemplate entities have no per-user or per-team scoping, a TEAMLEAD can silently alter organization-wide export configurations affecting all users including administrators. No public exploit is confirmed at time of analysis, though a private PoC was submitted to the vendor and subsequently removed.
Improper authorization in Kimai's Team API endpoints allows an authenticated Teamlead to add users and activities to their team that fall outside their intended management scope, bypassing the access boundaries enforced by the frontend. Affected versions are Kimai <= 2.57.0 (composer package kimai/kimai). A proof-of-concept was reportedly created but withheld; no public exploit code is currently available and this vulnerability is not listed in CISA KEV. Once a Teamlead writes an out-of-scope team relation, downstream authorization logic may treat those relations as legitimate, silently expanding access to time entries, project visibility, and reporting for the affected users and activities.
Cross-site request forgery in Kimai's timesheet API allows an unauthenticated attacker to trigger unauthorized state changes against any logged-in victim by embedding malicious GET requests in attacker-controlled pages. Kimai versions up to and including 2.57.0 expose the `stop` and `restart` timesheet operations as HTTP GET routes, which browsers will follow automatically using the victim's active session cookie - no CSRF token is required. Impact is limited to timesheet data integrity and availability (corrupted time records, unauthorized entries, billing distortion), not system compromise; no public exploit is confirmed at time of analysis, and no active exploitation has been reported by CISA KEV.
Permission revocation bypass in Kimai's timesheet restart and duplicate workflows allows authenticated users to create new database-persisted time entries under projects they no longer have access to. Affecting Kimai up to and including version 2.57.0, the flaw exists because `TimesheetVoter.php` evaluates the `*_own_timesheet` ownership branch before team-based access checks, meaning a historical timesheet entry acts as a durable capability token that survives administrative revocation. No public exploit is available - a PoC was reportedly submitted to the project and then redacted - and this vulnerability is not listed in CISA KEV.
Improper object-level authorization in Kimai 2.56.0 allows any authenticated user holding the generic `create_activity` permission to inject Activity records into projects outside their authorized scope by directly invoking the preset-project creation routes with an arbitrary project ID. The controllers in `ActivityController.php` and `ProjectController.php` validate only the global capability (can the user create activities at all?) without performing a secondary check that the user also has edit rights on the specific target project. No public exploit exists at time of analysis, though a PoC was privately shared with the vendor and subsequently removed; the vendor has released a fix in version 2.57.0.
Broken object-level authorization in Kimai's Timesheet API (versions <= 2.56.0) allows any authenticated user with the default ROLE_USER permission to reassign their own timesheet entries to arbitrary project IDs in the database - including projects belonging to teams or customers they have no membership in. The root cause is an unconditional OR branch in the Symfony EntityType query_builder that matches any submitted project ID before team-ACL predicates are evaluated; the TimesheetVoter further compounds this by checking only timesheet ownership, never the destination project's access controls. A proof-of-concept was disclosed with the advisory (later redacted); no active exploitation has been confirmed via CISA KEV.
{id}` correctly enforces teamlead validation through `TimesheetVoter`, but the collection endpoint `GET /api/timesheets?user=<id>` omits this check entirely, creating an inconsistent authorization model (CWE-863) that allows horizontal privilege escalation within the application. A private proof-of-concept was confirmed during responsible disclosure but has not been made public; the vendor-released fix is Kimai 2.57.0.
Complete account takeover in FacturaScripts (<= 2026.2) lets an unauthenticated network attacker hijack any 2FA-enabled account, including admins, by brute-forcing the /login?action=two-factor-validation endpoint. The handler issues a full session cookie on a matching TOTP without verifying the password, requiring a CSRF token, or enforcing any rate limit, and an over-wide verification window keeps ~17 codes valid at once. Publicly available exploit code exists (a working Python PoC in the GitHub advisory GHSA-c67f-gmxw-mj93); no active exploitation has been reported in CISA KEV.
Path-traversal privilege escalation in Cockpit CMS Bucket file storage API (before 2.14.0) lets an authenticated low-privileged user bypass per-bucket isolation by supplying a '../' bucket name, granting cross-bucket read, upload, and delete over all files regardless of owner or role. The flaw stems from an incomplete sanitization regex that strips dangerous characters but preserves dot sequences, which Flysystem then normalizes down to the storage root. No public exploit is identified at time of analysis, though a proof-of-concept gist is referenced; the issue was reported by VulnCheck and a vendor patch is available.
Broken access control in Cockpit CMS's Bucket file storage API (/system/buckets/api) lets any authenticated user, regardless of assigned role, execute all bucket file operations (list, upload, delete, rename, create folder) against any named bucket - including admin-only buckets. VulnCheck reported the flaw and publicly available exploit code exists (proof-of-concept gist), but there is no evidence of active exploitation. With a CVSS 4.0 score of 8.7 and full confidentiality/integrity/availability impact on stored files, it enables privilege escalation of file-storage capabilities across tenant boundaries within the CMS.
SQL injection in SourceCodester Class and Exam Timetabling System 1.0 exposes the `/edit_exam2.php` endpoint to remote unauthenticated database manipulation via the unsanitized `ID` parameter. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms exploitation requires no authentication, no user interaction, and no special preconditions, making this trivially exploitable over the network. A public exploit has been released on GitHub (no public exploit identified at time of analysis for KEV, but publicly available exploit code exists per POC data), and while the vulnerability is not listed in the CISA KEV catalog, the zero-friction attack path elevates real-world risk above what the moderate 5.5 CVSS score might suggest.
Cross-site scripting in SourceCodester Class and Exam Timetabling System 1.0 exposes users to script injection via the unvalidated `subject` parameter in `/subject.php`, exploitable remotely by unauthenticated attackers. A publicly available proof-of-concept exists on GitHub, confirming practical exploitability with minimal attacker skill. No CISA KEV listing is present; the CVSS 4.0 score of 5.3 reflects limited integrity impact constrained by required user interaction, though POC availability meaningfully elevates real-world risk above the raw score suggests.
Reflected Cross-Site Scripting in ChurchCRM before 7.4.0 lets remote attackers inject JavaScript through unsanitized request parameter names and values reflected into JavaScript-string and HTML-attribute contexts on endpoints such as /FamilyCustomFieldsEditor.php, /PaddleNumList.php, and /admin/system/church-info. When a victim (especially an administrator) follows a crafted link, the payload executes in their session, enabling session-token theft, account takeover, and exposure of church member data. No public exploit identified at time of analysis, and the CVSS 4.0 vector (PR:N/UI:A) indicates unauthenticated triggering but requires victim interaction.
Reflected cross-site scripting in SourceCodester Class and Exam Timetabling System 1.0 allows remote unauthenticated attackers to inject arbitrary JavaScript via the unsanitized `subject` parameter in `/forsubject.php`. A victim user must interact with a crafted URL for the payload to execute in their browser. A public proof-of-concept exploit is available on GitHub, increasing the likelihood of opportunistic exploitation against deployed instances.
Remote code execution in ChurchCRM before 7.4.0 lets an authenticated administrator run arbitrary PHP on the server by installing a plugin ZIP that contains a webshell. Because 'php' is explicitly whitelisted in ALLOWED_EXTENSIONS and the DENIED_EXTENSIONS denylist fails to catch standard .php files, any PHP file inside the archive is extracted directly under the web root and becomes immediately executable over HTTP without the plugin ever being enabled. The /plugins/install-url route additionally allows the archive to be sourced from any attacker-controlled HTTPS URL, validated only against an attacker-supplied SHA-256 hash. No public exploit identified at time of analysis and it is not on CISA KEV.
Authorization bypass in ChurchCRM prior to version 7.4.0 exposes the full congregation member directory to any low-privileged authenticated user via the unprotected POST /CSVCreateFile.php endpoint. The endpoint streams a CSV containing complete PII for every Person and Family record in the database without performing a dedicated function-level authorization check, relying instead on a legacy coarse gate that any single non-admin permission flag satisfies. No public exploit has been identified at time of analysis, but the trivially low exploitation barrier - any valid low-privilege account - makes this a high-priority remediation for organizations managing sensitive congregation data.
Sensitive information exposure in the Smart Slider 3 WordPress plugin (all versions up to and including 3.5.1.37) allows authenticated Contributor-level users to extract titles and full content excerpts of private, draft, pending, trashed, and auto-draft posts belonging to any user on the site - including Administrators and Editors - via the unsecured 'keyword' Ajax parameter. The attack barrier is further lowered because the required nonce is automatically emitted on /wp-admin/post-new.php, a page accessible to any Contributor by default through the edit_posts capability, making nonce acquisition trivial. No public exploit code and no confirmed active exploitation (CISA KEV) have been identified at time of analysis.
Remote code execution in the plank/laravel-mediable package before 7.0.0 lets attackers upload a double-extension file such as shell.php.jpg that passes all MIME, extension, and aggregate-type validation because of the trailing .jpg, yet retains an inner .php in its stored basename. On Apache/nginx servers misconfigured to execute any filename containing .php, the stored artifact runs as PHP. Reported by VulnCheck with a vendor patch in 7.0.0; there is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Server-side request forgery in NukeViet CMS before 4.6.00 lets a remote unauthenticated attacker coerce the server into issuing outbound HTTP requests to an arbitrary host by spoofing the X-Forwarded-Host and X-Forwarded-Proto headers, which flow unvalidated into the cURL URL built by server_info_update(). Because the __serverInfoUpdate=1 POST handler in includes/ini.php runs before authentication, no credentials are needed. The flaw is blind, HEAD-only and uses a fixed request path, so its practical value is internal host/port discovery and poisoning of the cached server_headers rather than data exfiltration; no public exploit beyond the advisory PoC is identified and it is not in CISA KEV.
Arbitrary file deletion in NukeViet CMS (versions before 4.6.00) allows an authenticated administrator to permanently delete any file within the web application root via a path-traversal payload in the comment Edit function. By padding the POST 'attach' parameter with exactly 26 filler characters followed by '../../<target>', an attacker survives the naive substr() prefix-stripping and stores a traversal path in the database; deleting the comment then removes the referenced file (e.g. config.php), forcing the site into the install wizard and causing a full outage. No public exploit identified at time of analysis, though the GitHub Security Advisory (GHSA-c9xg-64p9-f2jj) includes a full working reproduction.
Stored cross-site scripting in the NukeViet CMS News module (versions before 4.6.00) lets any authenticated user with news-posting permission persist arbitrary JavaScript that runs in the browser of every visitor, including administrators. Two independent filter bypasses defeat the built-in anti-XSS routines in NukeViet\Core\Request: a Form Feed (\x0C) prefix slips event-handler attributes past the /^on/ check, and a decimal HTML-entity tab (	) smuggles a javascript: URI past the keyword filter. Publicly available exploit payloads exist in the vendor advisory; there is no evidence of active exploitation and no EPSS figure was supplied.
Stored cross-site scripting in NukeViet CMS 4.x through 4.5.08 lets a low-privileged authenticated member embed a JavaScript payload in their profile display name (first_name/last_name), which then executes when any visitor - including administrators - clicks the Reply/Answer link on that member's comment. The flaw stems from HTML-entity encoding being applied where JavaScript-string escaping is required, so the payload runs in the victim's session context and can drive admin session actions, credential phishing, and data exfiltration. Publicly available exploit code exists (a working PoC is published in the GHSA advisory), though there is no public exploit identified as actively used in the wild.
Reflected cross-site scripting in the Comment module of NukeViet CMS (versions before 4.5.09) lets remote unauthenticated attackers execute arbitrary JavaScript in a victim's browser via a crafted URL. The status_comment parameter carries base64-encoded HTML that is decoded server-side and rendered unescaped, while a second flaw makes the checkss anti-forgery token static and site-wide, removing the only barrier to URL-based delivery. No public exploit identified at time of analysis, though the advisory documents a confirmed proof-of-concept credential-phishing overlay.
Remote code execution in ThemisNETPanel (vendor 4real) allows unauthenticated network attackers to fully compromise the underlying server by abusing a file-upload endpoint that lacks any authentication check. An attacker submits a base64-encoded PHP payload, writes it as an arbitrary PHP file, and executes it in the web application's context. Reported by CERT-PL with a CVSS 4.0 base score of 9.3; no public exploit identified at time of analysis and it is not listed in CISA KEV.
Remote OS command execution in Vitec Flamingo 4.12.2 lets unauthenticated attackers run arbitrary commands as root through the admin/ajax/gen_graphs.php graph-generation endpoint. The start, end, key, and format GET parameters are passed unsanitized into a PHP passthru() shell call, and because the web server runs with passwordless sudo the impact escalates to full root compromise. Publicly available exploit code exists (VulnCheck), though there is no CISA KEV listing, so this is a high-priority, easily weaponizable flaw.
Unauthenticated OS command injection in Vitec Flamingo 4.12.2 (IPTV distribution) lets remote attackers run arbitrary commands as root through the admin/ajax/ping.php endpoint. The flaw stems from a double-evaluation bug where a system wrapper re-uses the decoded, un-escaped host value in a second shell call executed via passwordless sudo. Publicly available exploit code exists (VulnCheck); no active exploitation is confirmed in CISA KEV at time of analysis.
SQL injection in CodeAstro Simple Online Leave Management System 1.0 exposes the admin accept handler to database manipulation by low-privilege authenticated remote attackers via the `appid` POST parameter in `/SimpleOnlineLeave/admin/accept.php`. The CVSS 4.0 vector (PR:L, VC:L/VI:L/VA:L) indicates constrained but real impact against the vulnerable system's database, with confidentiality, integrity, and availability all partially compromised. A public exploit is available on GitHub and the E:P evidence tag in the CVSS 4.0 vector corroborates this - however, no CISA KEV listing exists, meaning active exploitation at scale is not confirmed at time of analysis.
SQL injection in CodeAstro Simple Online Leave Management System 1.0 allows authenticated remote attackers to manipulate backend database queries via the 'ID' parameter in /SimpleOnlineLeave/admin/deletemp.php. The CVSS 4.0 vector (PR:L) indicates low-privilege authenticated access is sufficient to trigger the flaw, and a public proof-of-concept exploit has been disclosed on GitHub. Impact is assessed as low across confidentiality, integrity, and availability, consistent with the CVSS 4.0 score of 2.1, though the underlying SQL injection primitive could theoretically be chained to extract or corrupt database content.
Local File Inclusion in the Select-Themes "Tonda" WordPress theme (all versions through 2.5) lets an authenticated attacker with low privileges coerce a PHP include/require statement into loading arbitrary local files on the server. Tracked as CVE-2026-57805 (CWE-98) and reported by Patchstack, it carries a CVSS 7.5 rating and enables disclosure of sensitive files such as wp-config.php, with potential escalation to code execution via log/session poisoning. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Local File Inclusion in the CodexThemes TheGem Theme Elements (for Elementor) WordPress plugin (versions up to and including 5.11.1) lets an authenticated low-privileged attacker coerce the application into including arbitrary local PHP files, exposing sensitive files and potentially executing attacker-influenced code within the site context. Classified as CWE-98 (PHP Remote/Local File Inclusion) and reported by Patchstack, the flaw carries a CVSS 3.1 base score of 7.5 with high impact across confidentiality, integrity, and availability. There is no public exploit identified at time of analysis and no active exploitation on record.
Local File Inclusion in the Select-Themes Struktur Core WordPress plugin (all versions up to and including 2.5.1) lets an authenticated low-privileged user coerce a PHP include/require statement into loading arbitrary local files, exposing sensitive server-side content such as wp-config.php credentials. Reported by Patchstack and classified under CWE-98 (PHP Remote File Inclusion), the flaw carries a CVSS 3.1 score of 7.5; no public exploit identified at time of analysis and it is not listed in CISA KEV. Depending on server configuration, LFI of attacker-influenced content (e.g., poisoned logs or uploaded files) can escalate to PHP code execution.
Local File Inclusion in the Select-Themes "Struktur" WordPress theme (all versions up to and including 2.5.1) lets an authenticated attacker coerce a PHP include/require statement into loading arbitrary local files on the server, exposing sensitive content such as wp-config.php credentials and, under the right conditions, escalating to code execution. Tracked as CVE-2026-57802 (CWE-98) and reported by Patchstack, it carries a CVSS 7.5 rating; there is no public exploit identified at time of analysis and it is not on CISA KEV. The CVSS vector's PR:L indicates authentication is required and AC:H reflects non-trivial exploitation preconditions.
PHP Local File Inclusion in the Select-Themes SetSail WordPress theme (versions up to and including 2.1) allows an authenticated attacker to coerce the application into including local files via improper control of a filename in an include/require statement. Successful exploitation can disclose sensitive files (e.g., wp-config.php) and, depending on server conditions, escalate to code execution through log poisoning or PHP wrapper abuse. This is a Patchstack-reported issue with no public exploit identified at time of analysis and no CISA KEV listing.
Local File Inclusion in the Edge-Themes 'Overworld' WordPress theme (versions up to and including 1.5) lets an authenticated attacker coerce a PHP include/require statement into loading arbitrary server-side files, disclosing sensitive data such as wp-config.php credentials and potentially escalating to code execution via log/session poisoning. The flaw was reported by Patchstack and is classified as CWE-98 (PHP Remote File Inclusion). No public exploit identified at time of analysis, and it is not listed in CISA KEV; EPSS was not provided.
Local file inclusion in the uxper Nuss WordPress theme (versions up to and including 1.3.6) lets an authenticated attacker with low-privilege access coerce the theme into including arbitrary PHP-parsable files from the server via improperly controlled include/require paths (CWE-98). Successful exploitation can disclose sensitive files and, depending on what can be included, lead to code execution, with high confidentiality, integrity, and availability impact per the CVSS 7.5 rating. No public exploit identified at time of analysis; the flaw was reported through Patchstack.
Local File Inclusion in the NewsPlus Shortcodes WordPress plugin (versions up to and including 4.2.0) allows an authenticated attacker to coerce the plugin into including arbitrary PHP-processable files from the server, enabling disclosure of sensitive files and potential code execution. The flaw stems from improper control of a filename passed to a PHP include/require statement (CWE-98). No public exploit was identified at the time of analysis, and it is not listed in CISA KEV; risk is moderated by high attack complexity and a required privilege level.
Local File Inclusion in the VLThemes Leedo WordPress theme (versions up to and including 3.0.0) allows authenticated attackers to include and execute arbitrary local files on the server via improper control of a filename passed to a PHP include/require statement. Although classified under PHP Remote File Inclusion (CWE-98), Patchstack characterizes the practical impact as Local File Inclusion, enabling disclosure of sensitive files and potential code execution from locally accessible content. No public exploit identified at time of analysis, and it is not listed in CISA KEV; the CVSS 3.1 base score is 7.5 with high attack complexity.
Local File Inclusion in the Kitchor WordPress theme by themelexus (versions up to and including 1.4.3) allows an authenticated attacker to coerce a PHP include/require statement into loading arbitrary local files from the server. Because the theme fails to constrain the filename passed to an include path (CWE-98), an attacker with at least low-level authenticated access can read sensitive files such as wp-config.php and, under the right conditions, escalate to PHP code execution via log poisoning or inclusion of attacker-influenced content. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV; the CVSS 3.1 base score is 7.5.
Local file inclusion in the uxper Golo Framework WordPress plugin (versions up to and including 1.7.3) lets an authenticated attacker abuse an improperly validated include/require path to read arbitrary server-side files and potentially execute embedded PHP. The CVSS 3.1 vector (AV:N/AC:H/PR:L/UI:N) indicates network-reachable exploitation requiring low-level authentication and elevated attack complexity, with high impact to confidentiality, integrity, and availability. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Local File Inclusion in the Elated-Themes 'Flow' WordPress theme (all versions up to and including 1.8) lets an authenticated attacker abuse an improperly controlled include/require path to read local files and potentially execute PHP. The CVSS 3.1 vector (AV:N/AC:H/PR:L) indicates a network-reachable but low-privilege, high-complexity flaw. No public exploit identified at time of analysis, and it is not listed in CISA KEV; disclosure comes from Patchstack.
Local file inclusion in the Mikado-Themes "Dor" WordPress theme (all versions through 2.4.1) lets an authenticated attacker with low privileges supply a crafted filename to a PHP include/require statement, causing the server to include and execute arbitrary local files. Patchstack attributes it to improper control of a filename passed to a PHP include path (CWE-98), enabling disclosure of sensitive files and potential code execution. No public exploit identified at time of analysis and it is not listed in CISA KEV, but the high CVSS (7.5) reflects the full-impact potential once the low-privilege prerequisite is met.
Local file inclusion in the ThemeMove Brook WordPress theme (versions up to and including 2.9.0) lets authenticated attackers coerce a PHP include/require statement into loading arbitrary local files on the server, exposing sensitive data such as wp-config.php credentials and potentially escalating to code execution. The flaw was disclosed by Patchstack and carries a CVSS 3.1 score of 7.5, but exploitation is rated high-complexity (AC:H) and requires at least low-level authentication (PR:L). There is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Local File Inclusion in the jwsthemes Aqua WordPress theme (versions up to and including 5.1.2) lets an authenticated attacker coerce a PHP include/require statement into loading arbitrary local files, exposing sensitive data and potentially achieving code execution. Reported by Patchstack under CWE-98, the flaw carries CVSS 7.5 but requires low-level privileges and high attack complexity. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Local File Inclusion in the ThemeMove 'Billey' premium WordPress theme (versions up to and including 2.1.8) lets an authenticated attacker with low privileges control a filename used in a PHP include/require statement, exposing sensitive server-side files such as wp-config.php. Classified by Patchstack under CWE-98 (PHP Remote File Inclusion) but resolving to Local File Inclusion in practice, the flaw carries a CVSS 7.5 rating and no public exploit identified at time of analysis. Under specific conditions PHP file inclusion can escalate from information disclosure toward code execution via techniques such as log poisoning.
Local File Inclusion in the Edge-Themes "Aalto" WordPress theme (all versions up to and including 1.8) lets an authenticated attacker control a filename passed to a PHP include/require statement, exposing local files and potentially executing PHP. The flaw was reported by Patchstack and carries CVSS 7.5; there is no public exploit identified at time of analysis and it is not listed in CISA KEV. Despite the CWE-98 "Remote File Inclusion" classification, the described impact is Local File Inclusion.
PHP Local File Inclusion in the WordPress RT-Theme 18 | Extensions plugin (rt18-extensions) by stmcan lets remote attackers coerce the plugin into including attacker-influenced local file paths in an include/require statement, exposing sensitive files and potentially achieving code execution if a suitable includable file exists. All versions from an unspecified start through 2.5 are affected. No public exploit identified at time of analysis and it is not on CISA KEV, but the CVSS 3.1 base score is 8.1 (high) and the flaw is reachable without authentication.
Local File Inclusion (LFI) in SourceCodester Online Book Store System 1.0 allows authenticated remote attackers to read arbitrary files on the server by manipulating the `page` parameter in `/admin/index.php`, leading to source code and sensitive file disclosure. The vulnerability stems from unsanitized user input passed directly to PHP's include/require statement (CWE-98), with a publicly available proof-of-concept exploit documented on Medium. No patch has been identified; CVSS 4.0 scores this 2.1, reflecting the limited impact scope and authenticated precondition.
Unrestricted file upload in SourceCodester Online Book Store System 1.0 allows authenticated remote attackers with administrative access to upload arbitrary PHP files via the Book Image Upload feature at /admin/index.php?page=books, enabling remote code execution on the host server. A public exploit proof-of-concept has been disclosed on Medium under the title 'Critical Authenticated Remote Code Execution via Unrestricted File Upload,' confirming practical exploitability. While PR:H limits exposure to actors holding admin credentials, successful exploitation yields full server-side code execution, making this a high-impact finding within its threat model.
PHP object injection in the 'Database for Contact Form 7, WPforms, Elementor forms' WordPress plugin (all versions before 1.5.2) permits unauthenticated attackers to embed malicious serialized PHP objects via the entry-editor file-field path, which are instantiated server-side when an administrator views the stored form entry. This is an incomplete remediation of two prior CVEs (CVE-2025-7384 and CVE-2026-2599) - earlier patches hardened other deserialization paths within the same plugin while this specific code route was overlooked. A publicly available exploit exists; no active exploitation is confirmed by CISA KEV at time of analysis.
SQL injection in SourceCodester Online Book Store System 1.0 exposes the admin authentication panel to remote, unauthenticated exploitation via the Username parameter in admin/login.php. A publicly available proof-of-concept - explicitly titled 'SQL Injection Leading to Authentication Bypass' - demonstrates that an attacker can bypass admin login entirely without valid credentials. No active exploitation is confirmed by CISA KEV, but the combination of a publicly released exploit and a trivially low attack complexity significantly elevates real-world risk above what the base CVSS 4.0 score of 6.9 suggests.
SQL injection in itsourcecode Hospital Management System 1.0 exposes patient prescription data to remote authenticated attackers via the `delid` parameter in `/patviewprescription.php`. Low-privilege access is sufficient to exploit this CWE-89 flaw, enabling database read, write, and partial disruption. No public KEV listing exists, but a proof-of-concept exploit is publicly available on GitHub, materially lowering the barrier to exploitation beyond what the CVSS 4.0 score of 5.3 alone implies.
Code injection in DedeCMS 5.7.118 exposes high-privileged remote attackers to arbitrary PHP code execution via the Column Name parameter in the Column Management component of `/plus/search.php`. The exploit document on GitHub describes a cache file writing mechanism through which attacker-supplied input is persisted to disk and subsequently executed by the PHP runtime. A public proof-of-concept exists; no active exploitation is confirmed in the CISA KEV catalog.
Information disclosure in WuzhiCMS up to version 4.1.0 exposes sensitive server-side data through the Attachment API's `config/listimage` function, reachable at `/index.php?m=attachment&f=index&v=upload`. Remote unauthenticated attackers can exploit this endpoint without any privileges or user interaction, as confirmed by a publicly available proof-of-concept published via a GitHub issue report. The vendor has not responded to the disclosure, leaving no patch available and all deployments exposed.
SQL injection in CodeAstro Simple Online Leave Management System 1.0 allows authenticated remote attackers to manipulate the Name parameter within /SimpleOnlineLeave/admin/dashboard.php to inject arbitrary SQL commands against the backend database. A public proof-of-concept exploit is confirmed via a GitHub issue reference, elevating real-world risk above the moderate CVSS 4.0 base score of 5.3. The CVE is not currently listed in the CISA KEV catalog, indicating no confirmed widespread active exploitation, but the low attack complexity combined with an available POC makes this a credible near-term threat for any internet-exposed deployment.
Unrestricted file upload in AREA 17 Twill CMS (versions up to 3.6.0) allows authenticated admin users to upload arbitrary file types via the `qqfilename` parameter in the Media Library Insert Page, creating a direct path to remote code execution on the underlying server. A public proof-of-concept documenting the full exploitation chain from file upload to RCE has been published by Bytium. No vendor patch exists - the vendor was contacted during responsible disclosure and did not respond, leaving all installations on affected versions without an official remediation path.
Authorization bypass in MacCMS Pro's installation module allows remote attackers to circumvent access controls via the `step5` function in the installation controller, affecting all versions through 2022.1000.3005. Exploitation is rated high-complexity (AC:H), limiting opportunistic mass exploitation, though a public proof-of-concept is available on GitHub. No CISA KEV listing at time of analysis; EPSS data was not included in the available intelligence, but POC availability elevates the practical risk above the raw CVSS score alone might suggest.
SQL injection in AojiaoZero Antaris 1.0 exposes the application database through the PayPal IPN payment callback endpoint, where the `_rewardPurchase` function fails to sanitize the `item_number` parameter before incorporating it into SQL queries. An authenticated remote attacker who can send a crafted POST request to `/ipn.php` can manipulate the underlying database query, potentially reading sensitive records, modifying data, or degrading availability. No public exploit code has been identified at time of analysis, and the vendor did not respond to disclosure, leaving the vulnerability unpatched.
SQL injection in SmartHomeAdatum's users.php Login component exposes the backend database to unauthenticated remote manipulation via a crafted Login argument. All commits up to cf495353d81b680675eb8d9aa14a318aa45ce12c of this PHP-based smart home application are affected, with no patch available and a vendor that did not respond to disclosure. No public exploit code or CISA KEV listing exists at time of analysis, though the CVSS 4.0 vector confirms low-complexity unauthenticated network exploitation.
SQL injection in AMTT Hotel Broadband Operation System 1.0 exposes the `manager/network/switch_status.php` endpoint to database manipulation via an unsanitized `ID` parameter, exploitable by authenticated remote attackers. A public proof-of-concept exploit exists (GitHub issue referenced in VulDB entry), though the vulnerability is not listed in CISA KEV. The CVSS 4.0 score of 2.0 reflects the high-privilege authentication barrier (PR:H) that significantly constrains real-world attack surface, limiting this primarily to insider threat or post-compromise escalation scenarios within hotel network management environments.