PHP

Uncontrolled PCRE backtracking in Symfony's JsonPath component allows denial of service when attacker-influenced JSONPath expressions containing match() or search() filters are evaluated server-side. Affected applications that pass user-supplied JSONPath queries to JsonCrawler::find() can be made to execute catastrophically backtracking patterns such as '(a+)+$', pinning a CPU core for several seconds per request; a small number of concurrent requests can exhaust the entire PHP worker pool. The vulnerability is compounded by error suppression (@preg_match) that silences PCRE backtrack-limit exceptions, producing no log trace of the attack. No public exploit code and no CISA KEV listing are identified at time of analysis, but the advisory itself provides a working proof-of-concept pattern.

{id}/pin endpoint, where the server returns a 403 Forbidden response but the targeted record is already persistently modified. A publicly available exploit exists; this vulnerability is not confirmed actively exploited per CISA KEV, and impact is constrained to unauthorized data integrity modification without confidentiality or availability consequences.

Unauthenticated remote root access on SDMC NE6037 cable modem routers running firmware 7.1.6.0.25 and 7.1.6.1.9_B9 is achievable by submitting a hardcoded credential to recovery endpoints (mgmt.php, npcmd.php) in the web management interface. Attackers can then enable filtered SSH/Telnet services to obtain persistent root-level shell access. CVSS is 9.8 with publicly available exploit code, though no public exploit identified at time of analysis in CISA KEV.

Remote code execution in Responsive FileManager 9.14.0 enables authenticated attackers to run arbitrary code on the underlying server by abusing the force_download.php component. The CWE-98 classification points to improper control of PHP file inclusion, and while no public exploit is identified at time of analysis, the high CVSS of 8.0 reflects full confidentiality, integrity, and availability impact once a target user interacts with the attacker-supplied input.

Unauthenticated account takeover in phpMyFAQ before 4.1.3 allows remote attackers to forcibly reset any user's password by sending a PUT request to the /api/index.php/user/password/update endpoint with a valid username and email pair. The endpoint also leaks valid credentials through response code differentials (200 vs 409), enabling username/email enumeration before the reset. No public exploit identified at time of analysis, though a detailed PoC is published in the GHSA advisory.

Arbitrary file deletion in the WP Contact Form 7 DB Handler WordPress plugin (versions up to and including 3.0) can be achieved by chaining CSRF, UNION-based SQL injection, and PHP object deserialization. A remote unauthenticated attacker who lures a logged-in administrator to a malicious page can delete arbitrary server files, including wp-config.php, which typically forces the site into a re-installation state and enables full site takeover. No public exploit identified at time of analysis, though Wordfence's detailed write-up effectively documents the exploit chain.

Stored cross-site scripting in the a3 Lazy Load WordPress plugin (all versions through 2.7.6) allows authenticated Contributor-level users to inject persistent JavaScript into posts via a deliberately crafted <video> tag. Two compounding flaws drive the vulnerability: a regex bug in the _filter_videos() method that mishandles HTML attribute quoting, and unescaped output in the admin/views/form-data.php template. When any user - including a site administrator - views an affected post, the injected event-handler attributes (autofocus, onfocus) execute in the viewer's browser, enabling session hijacking or unauthorized privileged actions. No public exploit has been identified at time of analysis, and the vulnerability is not listed in CISA KEV.

Arbitrary file upload leading to remote code execution affects the GutenBee – Gutenberg Blocks WordPress plugin in all versions through 2.20.1, enabling authenticated users with Author role or higher to upload PHP files disguised with double extensions such as shell.json.php. The flaw stems from a permissive strpos() substring check in gutenbee_file_and_ext_json that allows attackers to bypass WordPress filetype validation and execute arbitrary PHP on the server. No public exploit is identified at time of analysis, and the issue is not listed in CISA KEV.

Remote code execution in the Crawlomatic Multipage Scraper Post Generator plugin for WordPress (versions up to and including 2.7.2) allows authenticated users with author-level privileges to execute arbitrary PHP code on the server by abusing the 'callback_raw' or 'callback' shortcode attributes processed by the filter_content function. The flaw stems from passing attacker-controlled input directly to call_user_func() guarded only by is_callable(), which still permits dangerous PHP built-ins like system, shell_exec, exec, passthru, and assert. No public exploit identified at time of analysis, but Wordfence has published a detailed advisory and the shortcode sink is trivially reachable for any author-level account.

Stored cross-site scripting in the Login No Captcha reCAPTCHA WordPress plugin (versions up to and including 1.8.0) allows unauthenticated remote attackers to inject arbitrary JavaScript that executes in an administrator's browser session. The flaw, reported by Wordfence, stems from unsanitized handling of the PHP_SELF superglobal during failed logins via non-standard endpoints such as xmlrpc.php, with no public exploit identified at time of analysis and no CISA KEV listing.

Authorization bypass in FOX - Currency Switcher Professional for WooCommerce (all versions through 1.4.6) allows authenticated attackers with Subscriber-level access to impersonate higher-privileged roles - such as wholesale customers or administrators - to obtain discounted or otherwise role-restricted product pricing. The flaw stems from the plugin's fixed user-role pricing engine blindly trusting a client-supplied HTTP request parameter over the server-side session object when resolving a user's role for price calculation. No public exploit is identified at time of analysis, and real-world impact is bounded by a non-default configuration requirement, keeping the CVSS base score at 4.3.

An arbitrary file upload vulnerability in the pages/admin.uploadmapimg.php component of SourceBans Material Admin v1.1.6 allows attackers to execute arbitrary code via uploading a crafted image file.

Broken access control in Pimcore's CustomReports bundle (composer package pimcore/pimcore, versions ≤ 12.3.5) lets an authenticated low-privileged backend user who holds only the generic `reports` permission read the full configuration of custom reports they were never granted access to. The report detail endpoint (`getAction`) validates only coarse `reports`/`reports_config` permissions, whereas the listing endpoint enforces per-report sharing rules through `loadForGivenUser()`; consequently a report hidden from a user's visible list can still be retrieved directly by name. A working proof-of-concept is published in the vendor's GitHub Security Advisory (GHSA-jwcc-gv4m-93x6), so publicly available exploit code exists, but there is no public evidence of active exploitation.

WordExportBundle in Pimcore CMS enforces only feature-level permission (`word_export`) at export initiation but performs no object-level authorization check against the target document element, constituting a broken object-level authorization (BOLA) flaw. Authenticated low-privileged backend users holding the `word_export` permission can supply arbitrary `type/id` parameters to `wordExportAction()` to export full content - including titles, descriptions, and body - from pages, snippets, emails, or objects they are explicitly denied `view` access to. A publicly available proof-of-concept script is included in the GitHub security advisory GHSA-332x-r494-54fq confirming practical exploitability; the vulnerability is not currently listed in CISA KEV.

Unbounded recursion in Symfony's YAML component (`symfony/yaml`) crashes PHP worker processes when parsing attacker-controlled documents containing deeply nested mappings or sequences. Both the block-level parser (`Parser::parseBlock()`) and inline parsers (`Inline::parseSequence()`, `Inline::parseMapping()`) recurse without a depth ceiling, allowing a single crafted YAML document to exhaust the PHP call stack and kill the worker. All applications that pass untrusted input to `Yaml::parse()` or `Yaml::parseFile()` across symfony/yaml 5.4.x through 7.x are affected; no public exploit is identified at time of analysis, and this vulnerability is not listed in CISA KEV.

Unauthenticated PHP object deserialization affects Symfony's Monolog Bridge through the development-time `server:log` console command, which by default binds a TCP listener to 0.0.0.0:9911 and runs `unserialize(base64_decode())` on every received frame with no class allowlist, authentication, or integrity check. Any host that can reach port 9911 on a machine running `server:log` can submit attacker-controlled serialized payloads, producing at minimum an unauthenticated denial of service (a non-array value triggers a fatal type error) and potentially object injection or full remote code execution where usable gadget chains exist in the target's autoloaded classes. Affected versions are symfony/symfony and symfony/monolog-bridge below 5.4.52, 6.x below 6.4.40, and 7.x below 7.4.12; there is no public exploit identified at time of analysis and no CVSS, EPSS, or CISA KEV data is available.

Stored XSS in Symfony's WebProfiler `CodeExtension::fileExcerpt()` allows JavaScript execution in a developer's browser when the profiler renders non-PHP files containing attacker-controlled content. Affected are symfony/symfony 6.4.24-6.4.39, 7.2.9-7.4.11, and 8.0.0-8.0.11, along with symfony/twig-bridge 6.4.24-6.4.39. The attack requires a separate write primitive to any file under the project root - log poisoning via `var/log/dev.log` is the canonical vector - after which exploitation is reliable and requires only developer interaction with the profiler. No public exploit has been identified at time of analysis, and the vulnerability is scoped to development environments only.

Unauthenticated SQL injection in Pi.Alert (a WiFi/LAN intruder detection and web-service monitoring tool by leiweibau) lets remote attackers manipulate backend database queries through the public devices.php endpoint. The flaw affects builds from 2024-06-29 up to the 2026-05-07 fix, and the CVSS 4.0 vector (AV:N/AC:L/PR:N/UI:N) confirms it is trivially reachable over the network with no authentication or user interaction, while the high-confidentiality / no-integrity / no-availability impact (VC:H/VI:N/VA:N) indicates the primary risk is database disclosure. There is no public exploit identified at time of analysis and it is not listed in CISA KEV; no EPSS score was provided in the source data.

Two-factor authentication bypass via TOTP secret disclosure affects FileRise self-hosted file manager before 3.12.0, where the /api/totp_setup.php endpoint can be reached from the intermediate 'pending_login_user' session state that exists after a correct password but before the TOTP check. For accounts that already have TOTP enabled, the endpoint decrypts and returns the existing TOTP secret inside the enrollment QR PNG rather than refusing, so an attacker who already holds the victim's password can extract the seed, compute a valid one-time code, and complete login without the victim's authenticator. No public exploit has been identified at time of analysis and no EPSS score is provided, but the issue fully defeats the second authentication factor.

{path}` endpoint. The WebDAV controller never attaches an authentication plugin, and `Tree::move()` deletes the source asset before resolving the current user or checking any per-asset permission, so even an unauthenticated request that errors out later still destroys the source file. A working proof-of-concept request is published in the GitHub Security Advisory (GHSA-wc7j-g8wx-m2qx); there is no CISA KEV listing and no EPSS score in the provided data, so this is not confirmed as actively exploited.

Open redirect in WeGIA before version 3.7.3 enables authenticated attackers to weaponize the trusted WeGIA domain for phishing, credential harvesting, and malware distribution by manipulating the unvalidated `nextPage` parameter at the `/WeGIA/controle/control.php` endpoint. Affected deployments include any WeGIA instance running versions prior to 3.7.3 where the control endpoint is accessible to low-privileged authenticated users. No public exploit code and no CISA KEV listing have been identified at time of analysis, but the social engineering abuse potential against users who trust the institution's domain is the primary real-world risk.

Unsalted SHA-256 password hashing in WeGIA exposes all stored credentials to rainbow table attacks in versions prior to 3.7.3. Both the login flow (html/login.php) and the password-change flow (controle/FuncionarioControle.php) use PHP's hash() with SHA-256 and no per-user salt, meaning identical passwords always produce identical digests and a single precomputed table can compromise the entire credential database at once. No public exploit has been identified at time of analysis and no KEV listing exists, but exploitability is high once hash data is obtained - the attack requires only standard rainbow table tooling and no cryptographic skill.

Stored cross-site scripting in creatorsofcode's simplephp admin panel allows authenticated low-privileged users to inject persistent malicious scripts via the /admin/config-module.php configuration endpoint. When an administrator or privileged user subsequently views the affected page, the stored payload executes in their browser context, enabling session hijacking, credential theft, or unauthorized administrative actions. A proof-of-concept exists per SSVC intelligence; this CVE is not currently listed in CISA KEV.

Authentication bypass via SQL injection in OpenRapid RapidCMS v1.3.1 allows unauthenticated remote attackers to manipulate the application's authentication logic by injecting crafted SQL payloads into the `name` cookie parameter processed by the `/template/default/menu.php` component. The CVSS 6.5 (AV:N/AC:L/PR:N/UI:N) score reflects trivial remote exploitability with no prior authentication required, though the confidentiality and integrity impacts are rated Low and availability is unaffected. A public researcher writeup is linked in references, suggesting exploit techniques are documented, but no confirmed active exploitation (CISA KEV) has been recorded and EPSS sits at 0.03% (11th percentile), indicating low observed exploitation activity at time of analysis.

PHP object injection in Pimcore (packages pimcore/pimcore and admin-ui-classic-bundle) up to and including version 12.3.6 arises from six code paths calling unserialize() without the allowed_classes restriction on values read from database columns and filesystem files. An attacker who can already write to one of those sources - for example through SQL injection into the tmp_store, sites, or custom_layouts tables, or a file write to the WebDAV delete log - can plant a serialized PHP gadget chain that executes arbitrary code with web-server privileges once the data is deserialized. No public exploit identified at time of analysis (the vendor advisory documents only a conceptual PoC procedure), the CVE is not in CISA KEV, and EPSS is not provided; the issue is fixed in 12.3.7 and rated CVSS 8.0, with the High attack-complexity reflecting its dependence on a separate write primitive and a working gadget chain.

Remote code execution in Dolibarr ERP/CRM versions 22.0.0 through 22.0.4 and 24.0.0-alpha allows network-based attackers to execute arbitrary PHP code via the commonobject.class.php component. The CVSS 7.3 (AV:N/AC:L/PR:N/UI:N) vector indicates no authentication or user interaction is required, though impact metrics are rated Low across CIA. No public exploit identified at time of analysis, and EPSS scoring is very low at 0.06% (18th percentile) despite the unauthenticated network attack surface.

Remote code execution in Dolibarr ERP/CRM versions 22.0.0 through 22.0.4 and 24.0.0-alpha stems from unsafe use of PHP's call_user_func_array() within the cron job class, enabling attackers to execute arbitrary PHP code on the application server. The vulnerability carries CVSS 7.3 with CWE-94 (Code Injection) classification, and while no public exploit is identified at time of analysis, a security researcher writeup referenced from NVD discusses a five-year history of related dol_eval issues in Dolibarr suggesting recurring weaknesses in this code area. EPSS probability is very low at 0.06% and SSVC reports no observed exploitation, but the issue is rated automatable with partial technical impact.

Code injection in Dolibarr ERP/CRM versions 22.0.0 through 22.0.4 and 24.0.0-alpha allows a remote, unauthenticated attacker to execute attacker-controlled PHP through the htdocs/core/actions_addupdatedelete.inc.php request handler (CWE-94). The CVSS vector (AV:N/AC:L/PR:N/UI:N) indicates a low-effort, network-reachable, no-authentication attack, though all impact metrics are rated Low (C:L/I:L/A:L), suggesting the executable surface is constrained rather than full system takeover. There is no public exploit code confirmed in the provided data and the issue is not in CISA KEV (no observed exploitation per SSVC), but a referenced research write-up and a GitHub Security Advisory exist, and SSVC rates the flaw as automatable.

Cross-Site Request Forgery in Jason2605 AdminPanel 4.0 exposes the delete.php endpoint to forged requests, allowing an unauthenticated remote attacker to perform unauthorized deletion operations by tricking an authenticated administrator into triggering the request. The CVSS vector (AV:N/AC:L/PR:N/UI:R) confirms the attack is network-reachable with no required attacker privileges, though victim interaction is mandatory. A publicly available proof-of-concept exists per SSVC classification, though no active exploitation (CISA KEV) has been confirmed at time of analysis.

Local File Inclusion in the SeedProd Pro WordPress plugin (all versions before 6.19.5) lets an authenticated, low-privileged user coerce a PHP include/require statement into loading attacker-influenced local files, leading to disclosure of sensitive server-side files and potential code execution if a controllable file (e.g. an uploaded payload or log) can be included. The flaw, reported by Patchstack and classified CWE-98, carries a CVSS 3.1 base score of 7.5 with high attack complexity. There is no public exploit identified at time of analysis, and CISA SSVC rates exploitation as 'none', indicating this is currently a patch-and-move-on item rather than an emergency.

SQL injection in the saveDashboardLayout function of dash_layout.php in MB connect line's mbCONNECT24, mymbCONNECT24, myREX24V2 and myREX24V2.virtual remote-access platforms (all versions up to and including 2.20.0) lets a low-privileged remote attacker manipulate a SQL INSERT statement to read the entire backend database and write rows into a non-critical table. The flaw, reported by CERT@VDE (VDE-2026-044, EUVD-2026-32133), yields total loss of confidentiality and partial loss of integrity but no availability impact. EPSS is very low (0.03%, 11th percentile) and there is no public exploit identified at time of analysis, so this is a serious data-exposure bug rather than a mass-exploitation threat.

SQL injection in the saveDashboardLayout function of dash.php affects the mbCONNECT24, myREX24V2, mymbCONNECT24, and myREX24V2.virtual industrial remote-maintenance platforms in versions up to and including 2.20.0. Because user-supplied input is improperly neutralized inside a SQL INSERT statement, a remote attacker can read the entire backend database and write rows into a non-critical table, yielding full loss of confidentiality and partial loss of integrity. There is no public exploit identified at time of analysis and EPSS exploitation probability is very low (0.03%, 11th percentile).

SQL injection in the UpdateParam function of admin.mbnetj.php in MB connect line's mbCONNECT24, mymbCONNECT24, myREX24V2 and myREX24V2.virtual remote-maintenance portals (versions up to and including 2.20.0) lets a high-privileged remote attacker tamper with a SQL UPDATE command, reading the entire database and modifying values in a non-critical table. The flaw was reported by CERT@VDE (advisory VDE-2026-044) and carries CVSS 4.0 base 7.0. There is no public exploit identified at time of analysis, EPSS is very low (0.03%, 10th percentile), and CISA SSVC rates exploitation as 'none' - indicating low immediate real-world urgency despite the high impact ceiling.

SQL injection in the UpdateParam function of view.html.php affects MB connect line remote-access portals (mbCONNECT24, myREX24V2, mymbCONNECT24, and myREX24V2.virtual) in versions up to and including 2.20.0, letting an attacker inject into a SQL UPDATE statement to read the entire backend database and alter values in a non-critical table. The CVSS 4.0 vector (PR:H) indicates a high-privileged account is required, even though the advisory text labels the flaw 'unauthenticated' - a discrepancy defenders should resolve with the vendor. There is no public exploit identified at time of analysis, EPSS is very low (0.03%), and CISA SSVC rates exploitation as 'none'.

Remote code execution in the WPCode WordPress plugin (versions through 2.3.5) lets authenticated author-level users run arbitrary PHP on the server. Because the plugin registers its 'wpcode' custom post type without a dedicated capability_type, WordPress falls back to standard post capabilities, so any author can create and publish PHP snippet posts via the XML-RPC wp.newPost method, which are later passed to eval() when rendered through the [wpcode] shortcode. EPSS is modest at 0.44% (63rd percentile) and there is no public exploit identified at time of analysis, but the low privilege bar and full CIA impact make this a high-priority patch for any multi-author site.

Remote code execution in the affiliate-toolkit WordPress plugin ("Multi-Network Affiliate & Amazon Product Display") affects versions up to and including 3.8.5, letting authenticated users with Editor-level access or higher run arbitrary PHP on the host. The flaw stems from the bundled BladeOne template engine's runString() method, which compiles attacker-supplied template content into PHP and executes it through eval() with no sanitization or sandboxing. There is no public exploit identified at time of analysis and EPSS sits at a low 0.24%, but the technical impact is total because a successful injection yields full server-side code execution.

SQL injection in MB connect line's mbCONNECT24, mymbCONNECT24, and myREX24V2 remote-maintenance portals (all versions up to and including 2.20.0) lets an unauthenticated remote attacker inject crafted SQL through the _mb24confi_getTagAlarm function in mb24alarm.php, resulting in a total loss of database confidentiality. The CVSS 4.0 base score of 8.7 reflects network reach with no authentication or user interaction (AV:N/AC:L/PR:N/UI:N), but impact is scoped to confidentiality only (VC:H, VI:N, VA:N) - an attacker can read data but cannot directly alter or disrupt the system through this flaw. No public exploit identified at time of analysis, and the EPSS score is very low (0.05%, 15th percentile), indicating no observed broad exploitation activity despite the high base score.

SQL injection in MB connect line's mbCONNECT24 remote-maintenance platform (and the related myREX24V2, mymbCONNECT24 and myREX24V2.virtual products through version 2.20.0) lets unauthenticated remote attackers read arbitrary database contents. The flaw lives in the _mb24confi_getTagAlarm function of dataapi.php, where attacker-controlled input is concatenated into a SQL SELECT statement, yielding a total loss of confidentiality. There is no public exploit identified at time of analysis, the EPSS probability is very low (0.05%), and the issue is not on CISA KEV; it was reported by CERT@VDE (advisory VDE-2026-044).

Reflected Cross-Site Scripting in the Gutenverse plugin for WordPress (all versions through 3.4.6) allows unauthenticated remote attackers to inject and execute arbitrary JavaScript in a victim's browser by crafting a malicious search URL. The vulnerability arises from the plugin's search-result-title block outputting the raw search query string directly into page HTML without sanitization. Exploitation requires user interaction (victim must click a crafted link) and the gutenverse/search-result-title block must be present on the site's search results template. No public exploit code has been identified at time of analysis, and CISA KEV confirmation of active exploitation is absent.

Local File Inclusion in the Query Shortcode plugin for WordPress (all versions through 0.2.1) lets authenticated users with contributor-level access or higher coerce the shortcode handler into including and executing arbitrary .php files already present on the server. Because included files are run by the PHP interpreter, this can leak sensitive data, bypass access controls, and escalate to full remote code execution where an attacker can also place a .php file (e.g. via an upload feature). EPSS rates near-term exploitation probability very low (0.07%, 21st percentile) and there is no public exploit identified at time of analysis.

Cross-Site Request Forgery in the Search Simple Fields WordPress plugin (versions ≤ 0.2) enables unauthenticated remote attackers to modify plugin configuration by tricking an authenticated site administrator into clicking a crafted link. The root cause is absent or incorrect nonce validation in the `search_simple_fields_options()` function within `functions_admin.php`, allowing forged HTTP requests to alter settings such as post types, custom fields, media fields, and the custom media function name. No active exploitation is confirmed (no CISA KEV listing, EPSS at 0.01%, SSVC exploitation status: none), making this a low-urgency but straightforward finding on affected WordPress installations.

Stored Cross-Site Scripting in the Single Mailchimp WordPress plugin (all versions through 1.4) allows authenticated attackers with contributor-level access to inject persistent JavaScript into WordPress pages via unsanitized shortcode attributes. The six affected attributes - autocomplete, label, placeholder, btn_text, success_msg, and error_msg - are concatenated directly into HTML output by the single_mailchimp() function in shortcodes.php without sanitization or output escaping. No public exploit code exists and EPSS places exploitation probability at 0.03% (9th percentile), indicating low real-world exploitation pressure at this time.

Weak password recovery in QianFox FoxCMS versions 1.2.0 through 1.2.6 exposes the admin panel's account recovery flow to abuse by authenticated administrators via a remotely accessible network vector. Publicly available exploit code exists (CVSS E:P), though the requirement for high privileges (PR:H) substantially constrains real-world impact, corroborated by an EPSS score of just 0.03% (11th percentile) and no CISA KEV listing. The vendor was notified via a GitHub issue report but has not responded, leaving all affected versions unpatched at time of analysis.

Uncontrolled resource consumption in the Simply Schedule Appointments WordPress plugin (all versions ≤ 1.6.11.5) enables unauthenticated remote attackers to exhaust PHP-FPM or mod_php worker processes, effectively rendering the WordPress site unavailable to legitimate users. The attack surface is a publicly accessible REST endpoint (/wp-json/ssa/v1/async) that directly passes a caller-controlled delay parameter into PHP's native sleep() function with no rate limiting or input sanitization. No public exploit code has been identified at time of analysis and EPSS is very low (0.05%, 15th percentile), suggesting limited opportunistic interest so far, though the trivially low attack complexity means any actor can attempt this with no tooling.

Upload filename allowlist bypass in the @hapi/content npm header parser (versions < 6.0.2) lets remote attackers smuggle malicious parameters past upstream validation. The library's Content.disposition() retained the last occurrence of a duplicated parameter while Content.type() retained the first occurrence of charset/boundary, so when a WAF, reverse proxy, or security filter resolves the same duplicate the opposite way, the two layers disagree on values such as the upload filename. No public exploit code or active exploitation has been identified; the GitHub Security Advisory (GHSA-36hh-x5p5-jgc8) documents the exact smuggling header but no CVSS score or EPSS data is provided.

SQL injection in Pimcore's admin-ui-classic-bundle (versions <= 2.3.5) allows an authenticated user holding only the translations-view permission to read arbitrary database contents by injecting into the translation grid's date filter. The user-controlled 'property' field of the filter JSON is interpolated directly into a UNIX_TIMESTAMP(DATE(FROM_UNIXTIME(...))) expression at the POST /admin/translation/translations endpoint, behind only a trivially bypassable str_replace('--','') filter. A working proof-of-concept and publicly available exploit code exist; the reporter notes it can be chained with an unsafe-unserialize flaw (GM-249) to reach remote code execution. No EPSS score or CISA KEV listing was supplied.

SQL injection in Pimcore's CustomReportsBundle (versions ≤ 12.3.5) lets an authenticated user holding the reports_config permission inject arbitrary SQL through the custom-report column-config endpoint, which concatenates user-supplied 'sql', 'from', and 'where' fields directly into a query executed via Doctrine's fetchAssociative(). Because the controller returns raw database error messages in its JSON response, attackers can perform error-based extraction (e.g. EXTRACTVALUE) to read credentials and arbitrary tables, and can bypass the keyword denylist using inline /**/ comments to reach UPDATE/INSERT/DELETE - compromising confidentiality and integrity. Publicly available exploit code exists (a full PoC is published in the GitHub advisory); no CISA KEV listing or EPSS score is present in the provided data.

Arbitrary file creation outside the intended temporary directory affects the tmp npm package in all versions prior to 0.2.6, where attacker-controlled data flowing into the prefix, postfix, or dir options can break out of the temp base path. Because the library composes paths with path.join() and never validates that the result stays within the configured tmpDir, traversal sequences (../) or absolute paths let a caller write files to arbitrary locations with the process's privileges. Publicly available exploit code exists in the GitHub advisory (GHSA-ph9p-34f9-6g65); there is no evidence of active exploitation (not in CISA KEV) and no EPSS score was provided.

SQL injection in itsourcecode Courier Management System 1.0 allows low-privileged authenticated remote attackers to manipulate backend database queries via the unsanitized 's' parameter in /parcel_list.php. A proof-of-concept exploit is publicly available on GitHub, meaningfully lowering the barrier to exploitation despite the low CVSS 4.0 score of 2.1. No vendor patch has been identified at time of analysis, leaving deployments reliant on compensating controls.

Pre-authentication path traversal in Kirby CMS versions 5.3.0 through 5.4.0 lets remote attackers manipulate the user ID used during account lookup to escape the site/accounts directory, enabling inclusion of arbitrary PHP files named index.php (such as plugin entrypoints) and probing for the existence of arbitrary server directories. The flaw is reachable through the unauthenticated authentication API and affects all Kirby sites on these versions regardless of configuration. The vendor rates it high (CVSS 8.8); there is no public exploit identified at time of analysis and it is not listed in CISA KEV.

SQL injection in itsourcecode Courier Management System 1.0 lets remote attackers manipulate the 'ID' parameter of /manage_user.php to inject arbitrary SQL into backend database queries. Per the CVSS vector (PR:N) no authentication is required, and publicly available exploit code exists, though the flaw is not listed in CISA KEV and carries only low (C:L/I:L/A:L) per-impact ratings.

Missing authorization in SourceCodester eDoc Doctor Appointment System 1.0 exposes the /admin/delete-session.php endpoint to unauthenticated remote attackers who can manipulate the ID parameter to delete arbitrary appointment sessions without any credential or privilege. The CVSS 4.0 vector confirms network-accessible, zero-complexity exploitation with no authentication required (PR:N), though impact is bounded to low integrity and availability degradation with no confidentiality loss. A publicly available exploit script (poc.sh) on GitHub confirms practical exploitability, though the vulnerability is not currently listed in CISA KEV.

Information exposure via verbose SQL error messages in SourceCodester CET Automated Grading System with AI Predictive Analytics 1.0 enables authenticated remote attackers to harvest internal database details by manipulating the /index.php SQL Handler endpoint. The application returns raw SQL error output rather than sanitized application-level messages, leaking schema structure, table names, or query internals. A public proof-of-concept exploit is available on GitHub; this CVE is not listed in the CISA KEV catalog, and the CVSS 4.0 score of 2.1 reflects the low-severity, confidentiality-only impact.

SQL injection in code-projects Project Management System 1.0 allows remote unauthenticated attackers to manipulate database queries through the login handler (chk.php). The flaw stems from unsanitized input being passed into a SQL statement, enabling authentication-context query tampering and data disclosure. Publicly available exploit code exists, though the vulnerability is not listed in CISA KEV and no active exploitation is confirmed.

OS command injection in FastNetMon Community Edition (through 1.2.9) lets attacker-controlled input reach an unescaped exec() call inside the Juniper router integration plugin, enabling arbitrary shell command execution on the host. The flaw lives in the _log() function of src/juniper_plugin/fastnetmon_juniper.php, where the $msg argument (built from argv[1]-argv[3]: attack IP, direction, power) is concatenated directly into a shell command. Although rated CVSS 9.8, practical exploitation is gated: FastNetMon's C++ core currently feeds IPs through inet_ntoa(), which only yields safe dotted-decimal strings, so injection requires the script to be driven directly or by a third-party orchestrator. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.

SQL injection in Online Art Gallery Shop 1.0 allows unauthenticated remote attackers to manipulate database queries through the social_linked parameter in /admin/adminHome.php. The vulnerability has publicly available exploit code and a CVSS score of 7.3, indicating high severity with the ability to impact confidentiality, integrity, and availability of the application.

SQL injection in SourceCodester Hospitals Patient Records Management System 1.0 enables remote unauthenticated attackers to manipulate database queries through the ID parameter in /admin/patients/manage_history.php. Public exploit code exists (GitHub), though not listed in CISA KEV. The vulnerability carries moderate risk with CVSS 7.3 reflecting potential for data theft and manipulation of patient records.

SQL injection in SourceCodester Hospitals Patient Records Management System 1.0 allows remote attackers to compromise patient data without authentication via manipulated ID parameter in /classes/Master.php?f=save_patient_history. The vulnerability has publicly available exploit code (GitHub) and enables unauthorized database access with potential to read, modify, or delete patient records. CVSS 7.3 indicates moderate severity with no exploitation prerequisites.

SQL injection in SourceCodester Hospitals Patient Records Management System 1.0 allows authenticated attackers to extract, modify, or delete database records via the ID parameter in /admin/patients/view_history.php. The vulnerability requires low-privilege authenticated access (PR:L) but has low attack complexity (AC:L) and can be exploited remotely. Publicly available exploit code exists on GitHub (referenced in VulDB entry), enabling immediate weaponization by threat actors. EPSS data not available, and the vulnerability is not currently listed in CISA KEV, indicating exploitation may be limited or targeted rather than widespread. The CVSS 6.3 (Medium) rating reflects partial impact across confidentiality, integrity, and availability (C:L/I:L/A:L).

Remote code injection in vps-inventory-monitoring allows authenticated attackers to execute arbitrary PHP code through the VpsTest console command. The vulnerability exists in the eval() function within VpsTest.php, exploitable by manipulating the 'vf' parameter with low attack complexity. Publicly available exploit code exists (GitHub POC published), and the maintainer has not responded to early disclosure attempts. CVSS 6.3 reflects moderate impact across confidentiality, integrity, and availability, with EPSS data unavailable but risk elevated by confirmed POC and unresponsive vendor.

Unauthenticated SQL injection in YesWiki's Bazar form-import path allows any remote visitor to inject arbitrary SQL into an INSERT statement and exfiltrate the entire database, including yeswiki_users.password hashes. Affects YesWiki 4.6.1, 4.6.2, and the doryphore-dev branch prior to 4.6.4. Publicly available exploit code exists (a working Python PoC is published in the GHSA advisory), though no public exploit identified in CISA KEV at time of analysis.

Cross-Site Request Forgery in the Widget Context WordPress plugin (all versions ≤ 1.3.3) allows unauthenticated attackers to modify widget visibility context settings stored in the WordPress options table by forging a POST request to /wp-admin/widgets.php. The root cause is missing or incorrect nonce validation in the save_widget_context_settings function, confirmed by Wordfence and corroborated by source code references at WidgetContext.php lines 91, 282, and 311. Exploitation requires social engineering a logged-in administrator into clicking an attacker-controlled link; no public exploit identified at time of analysis and the vulnerability is not listed in CISA KEV.

Arbitrary PHP code execution in Twig templating engine versions 3.15.0 through 3.25.x allows attackers who control template source to inject raw PHP into the compiled template via the `_self.(<string>)` dynamic-attribute macro-reference path, fully bypassing the SandboxExtension. The flaw executes injected code at template-load time, before any SecurityPolicy check runs, rendering even a globally-enabled empty allowlist sandbox ineffective. No public exploit identified at time of analysis, but the vendor advisory describes the bypass mechanism in enough detail that PoC development is straightforward.

{% do %} tag is permitted. No public exploit identified at time of analysis, but the issue was responsibly disclosed with vendor-confirmed root cause and an upstream patch.

Twig's sandbox security policy is bypassed via the `column` filter when processing arrays of PHP objects, allowing an untrusted template author to read any public or magic property of any object reachable in the render context - completely circumventing the `SecurityPolicy`'s `allowedProperties` restrictions. All twig/twig versions prior to 3.26.0 are affected when sandbox mode is active and untrusted authors have `column` in their `allowedFilters`. This is a structural variant of CVE-2024-51755 that the prior ArrayAccess-focused fix left uncovered; no public exploit has been identified at time of analysis, and the fix is confirmed in Twig 3.26.0.

{% use %}` tags to break out of compiled cache file string literals and execute arbitrary PHP code. The flaw bypasses the Twig sandbox entirely because `SecurityPolicy` unconditionally permits `{% use %}` regardless of `allowedTags` configuration. No public exploit identified at time of analysis, but the GitHub Security Advisory (GHSA-7p85-w9px-jpjp) discloses the full exploitation primitive.

Cross-site request forgery in Concrete CMS 9.5.0 and earlier allows remote attackers to coerce an authenticated administrator's browser into triggering a core CMS upgrade to an attacker-chosen version. The dashboard's do_update() controller emits a CSRF token in the rendered POST form but never calls $this->token->validate('do_update'), leaving the update workflow effectively unauthenticated against forged cross-origin requests. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Remote code execution in Concrete CMS 9.5.0 and earlier is achievable through a CSRF flaw in the /dashboard/extend/update/prepare_remote_upgrade/<remoteMPID> endpoint, which fails to validate anti-CSRF tokens. An attacker who controls a marketplace package matching an item ID already installed on the victim site can overwrite package PHP files and trigger the upgrade() method via a single navigation by a privileged admin, resulting in code execution as the web server user. No public exploit identified at time of analysis, though the vendor (Concrete CMS security team) has acknowledged and rated the issue at CVSS 4.0 7.5.

Cross-site request forgery in Concrete CMS 9.5.0 and earlier allows remote attackers to coerce an authenticated administrator with canInstallPackages permission into installing an attacker-controlled package, resulting in remote code execution as the web server user. The flaw resides in the install_package() method of the dashboard's extend/install.php controller, which lacks CSRF token validation. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Privilege escalation in Concrete CMS 9.5.0 and earlier allows authenticated users with access to the bulk user assignment dashboard to add arbitrary accounts to the Administrators group and remove existing admins, effectively hijacking site control. The flaw stems from missing authorization checks in bulk_user_assignment.php and was disclosed with a vendor-assigned CVSS v4.0 score of 7.5. No public exploit identified at time of analysis, and the issue is not present in CISA KEV.

Stored cross-site scripting in Concrete CMS 9.5.0 and earlier allows a high-privileged admin to inject arbitrary HTML/JavaScript into the OAuth authorize template via the integration name field. The flaw arises because the integration name is wrapped in <strong> tags by PHP string interpolation before being passed to the t() translation helper, causing the resulting raw HTML to be rendered when end users view the OAuth consent screen. No public exploit identified at time of analysis, but a rogue or compromised admin could potentially harvest OAuth login submissions from victims.

Cross-site request forgery in Concrete CMS 9.5.0 and earlier allows remote attackers to coerce authenticated administrators into downloading arbitrary marketplace packages to the server's DIR_PACKAGES directory by luring them to a crafted page that triggers the unprotected /dashboard/extend/install/download/<remoteId> GET endpoint. The vendor assigned CVSS 4.0 of 7.5 reflecting high impact on confidentiality, integrity, and availability, though no public exploit identified at time of analysis and the flaw is not listed in CISA KEV.

Unauthorized file download in Concrete CMS 9.5.0 and below exposes permission-restricted files via a broken authorization check in the file download controller. The submit_password() method in download_file.php processes file access without enforcing the view_file permission gate, producing two exploitable paths: any unauthenticated network actor can retrieve files that carry no password protection, and any actor who possesses a file's password can retrieve that file regardless of whether their account holds view_file permission. No public exploit has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog.

Command injection in KnpLabs Snappy PHP library (versions <= 1.7.0) allows attackers to execute arbitrary OS commands as the PHP process when the wkhtmltopdf/wkhtmltoimage binary path passed to the constructor is influenced by attacker-controlled input. An inverted is_executable() check renders the intended escapeshellarg() protection dead code, so the binary path string is concatenated raw into the shell command. A proof-of-concept is published in the GHSA advisory; no public exploit identified in the wild and the vulnerability is not in CISA KEV at time of analysis.

Server-Side Request Forgery (SSRF) and local file read in KnpLabs Snappy (composer package knplabs/knp-snappy <= 1.6.0) allows remote attackers to exfiltrate sensitive server files by injecting a file:// URI into the xsl-style-sheet PDF generation option. When applications pass unsanitized user input directly to the Snappy library's generate() method, wkhtmltopdf processes attacker-controlled URIs including file:// scheme paths, enabling reads of files such as /etc/passwd. No public exploit has been identified at time of analysis, and this is not listed in CISA KEV, but the attack pattern is straightforward and exploitability is high in vulnerable deployments where PHP runs as root outside a container.

Cross-site request forgery in Concrete CMS 9.5.0 and earlier allows remote attackers to coerce an authenticated administrator into triggering arbitrary package upgrades by luring them to a malicious page that issues a single GET to /dashboard/extend/update/do_update/<pkgHandle>. The do_update() handler only checks the canInstallPackages() permission and omits CSRF token validation on this state-changing route, so a cross-site navigation is sufficient to invoke upgradeCoreData() and the package controller's upgrade() routine. No public exploit identified at time of analysis and no CISA KEV listing; EPSS not provided.

Remote code execution in Concrete CMS versions 5.0 through 9.5.0 allows a high-privileged administrator to bypass the platform's `_fromCIF` deserialization guard by submitting malicious payloads through the REST API instead of standard form POST requests. The flaw resides in the ExpressEntryList block controller (CWE-502) and stores a serialized PHP gadget in the `filterFields` database column, which is unmarshalled when another administrator subsequently views or edits the block, leading to full server takeover. No public exploit identified at time of analysis, and the issue is not present in CISA KEV.

Authenticated remote code execution in Concrete CMS 9.5.0 and earlier allows an administrator with composer form editing privileges to chain a path traversal flaw in the ptComposerFormLayoutSetControlCustomTemplate field with the platform's permissive file uploader to execute arbitrary PHP on the server. The vendor scored this 9.4 (CVSS v4.0) reflecting high confidentiality, integrity, and availability impact across both the vulnerable component and downstream subsequent systems. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.

Missing TLS certificate verification in Open ISES Tickets before 3.44.2 allows network-positioned attackers to intercept and tamper with outbound HTTPS traffic from the mobile (RouteMate) login flow, exposing API keys and session-bearing data. The flaw stems from rm/incs/mobile_login.inc.php disabling CURLOPT_SSL_VERIFYPEER and omitting CURLOPT_SSL_VERIFYHOST. No public exploit identified at time of analysis, and the issue is one of 88 security fixes shipped in the v3.44.2 release.

Man-in-the-middle interception of authentication traffic in Open ISES Tickets before 3.44.2 is possible because the application's login flow in incs/login.inc.php disables TLS certificate verification on outbound HTTPS requests. Network-positioned attackers can present forged certificates to capture or modify API keys and session-bearing data exchanged during login. No public exploit identified at time of analysis, though the fix is bundled into a broader critical security release that also addresses 69 XSS and 19 SQL injection issues.

Man-in-the-middle exposure in Open ISES Tickets before 3.44.2 stems from the shared helper functions in incs/functions.inc.php disabling TLS certificate verification (CURLOPT_SSL_VERIFYPEER=false) on outbound HTTPS calls, letting network-positioned attackers intercept or modify traffic carrying API keys and session data. No public exploit identified at time of analysis and the vulnerability is not listed in CISA KEV, but the vendor's v3.44.2 release notes describe it as a critical security update that also bundles fixes for 88 other issues including XSS and SQL injection.

TLS certificate verification bypass in Open ISES Tickets before 3.44.2 allows network-positioned attackers to intercept HTTPS traffic between the application server and Google Maps Directions API during incident report generation. The flaw stems from ajax/reports.php explicitly setting CURLOPT_SSL_VERIFYPEER to false without configuring CURLOPT_SSL_VERIFYHOST, exposing Google API keys and any session-bearing data carried in outbound requests. No public exploit identified at time of analysis, and SSVC reports no observed exploitation, but a vendor patch is available in v3.44.2.

Open ISES Tickets exposes a hardcoded Google Maps API key committed directly to its public GitHub source repository in tables.php, affecting all versions before 3.44.2. Any party with read access to the repository - effectively the entire internet - can extract the key and authenticate to Google Maps Platform as the application owner, generating API usage billed against the victim's Google Cloud project. No public exploit has been identified at time of analysis, but the SSVC framework rates this as automatable with partial technical impact, and the v3.44.2 release notes confirm the key is one of five hardcoded secrets removed in a batch of 88 security fixes.

Hardcoded Google Maps API key exposure in Open ISES Tickets before v3.44.2 enables any party with read access to the public GitHub repository to extract a valid API credential from settings.inc.php and issue arbitrary Google Maps Platform requests billed against the victim organization's Google Cloud project. All versions from the initial release up to (but not including) 3.44.2 are affected per CPE cpe:2.3:a:open_ises:tickets:*:*:*:*:*:*:*:*. No public exploit code has been identified at time of analysis and the vulnerability is not listed in CISA KEV, but exploitation requires only the ability to read a publicly hosted source file - effectively zero technical barrier for any motivated actor.

Open ISES Tickets before v3.44.2 exposes a hardcoded WhitePages reverse-phone API key committed directly into the public source file wp1.php, making it trivially accessible to any actor who can read the repository. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) reflects that no authentication or special conditions are required - extraction is as simple as reading a publicly hosted source file. Impact is bounded to third-party API abuse: an attacker can use the stolen key to make WhitePages lookups billed to or rate-capped against the legitimate owner's account. No public exploit identified at time of analysis, and this CVE is not listed in CISA KEV, though the passive nature of the exposure means any observer of the repository may already possess the key.

Credential exposure in Open ISES Tickets versions prior to 3.44.2 allows remote attackers to obtain valid MySQL database connection parameters (host, username, password, database name) hardcoded in import_mdb.php and committed to the public source repository. Any attacker who can read the public GitHub source can extract these credentials and attempt to authenticate against deployed installations that retained the default values, with no public exploit identified at time of analysis.

Hardcoded MySQL credentials in Open ISES Tickets before 3.44.2 expose database username, password, and database name through a public-facing loader.php utility that was committed to the source repository. Any user able to read the source tree on GitHub or fetch the file from a deployed installation can connect to the backing database if reachable, leading to full read/write access. No public exploit identified at time of analysis, but the credentials are trivially recoverable from the source tree.

SQL injection in Open ISES Tickets before 3.44.2 lets authenticated users tamper with backend database queries through the ajax/statistics.php endpoint by injecting payloads into the tick_id and f_tick_id POST parameters. The CVSS 4.0 score of 7.1 reflects high confidentiality impact with lower integrity impact, and while no public exploit is identified at time of analysis, this flaw is one of 19 SQL injection issues bundled into a single critical security release that the vendor urges all users to install immediately.

SQL injection in Open ISES Tickets before 3.44.2 lets authenticated users tamper with the incidents summary report query via the tick_id POST parameter in ajax/reports.php, enabling arbitrary read, modification, or destruction of database contents. The v3.44.2 release notes confirm the fix was part of a broader security overhaul addressing 19 SQL injection flaws and 69 XSS issues. No public exploit identified at time of analysis, and SSVC classifies exploitation status as 'none' with partial technical impact.

SQL injection in Open ISES Tickets before 3.44.2 allows authenticated attackers to manipulate database queries via the unsanitized `id` GET parameter in `ajax/mobile_main.php`. The flaw permits arbitrary read, modification, or destruction of database contents, and is part of a broader batch of 19 SQL injection fixes shipped in v3.44.2. No public exploit identified at time of analysis, but the vendor explicitly classifies v3.44.2 as a 'Critical Security Update' urging immediate upgrade.