Skip to main content

PHP

24703 CVEs product

Monthly

CVE-2026-52847 CRITICAL PATCH Act Now

Reflected cross-site scripting in MantisBT's /admin/install.php (versions 2.28.3 and earlier) lets remote attackers inject HTML through six unescaped, user-supplied parameters echoed by print_test_result(). Although the page's Content-Security-Policy (script-src 'self') blocks inline JavaScript, the missing form-action directive permits credential-phishing form injection, <meta>-based open redirects, and CSS overlay attacks against the trusted admin origin. The advisory states no authentication is required; there is no public exploit identified at time of analysis and it is not listed in CISA KEV.

Open Redirect PHP XSS
NVD GitHub
CVE-2026-54494 MEDIUM PATCH This Month

Full-read SSRF in Koel's podcast subscription feature allows any authenticated user to coerce the server into fetching internal HTTP endpoints - including cloud instance metadata services - and receive the full response. The vulnerability exists because PHP's `filter_var` with `FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE` does not unwrap NAT64 (`64:ff9b::/96`) or 6to4 (`2002::/16`) IPv6 transition addresses, both of which deterministically embed a private IPv4 that the OS kernel routes internally. This affects all Koel deployments through v9.7.0 on NAT64 or dual-stack networks (the default for IPv6-only AWS and GCP subnets); a detailed proof-of-concept with verbatim server output is published in the advisory. No public exploit code is in KEV at time of analysis, but the PoC substantially lowers the exploitation barrier.

Microsoft SSRF PHP
NVD GitHub
CVE-2026-54491 HIGH PATCH GHSA This Week

Server-side request forgery in Koel (self-hosted PHP music-streaming server, all releases up to and including 9.7.0) lets any authenticated low-privilege user coerce the server into requesting arbitrary internal or cloud-metadata endpoints. The flaw is an incomplete fix for CVE-2026-47260: the initial isSafeUrl() check was added to several podcast/radio fetchers, but per-redirect-hop re-validation was wired into only one path (EpisodePlayable), leaving every sibling fetcher bypassable via an attacker-controlled host that returns an HTTP 302 to an internal address, and all paths bypassable via DNS rebinding. A researcher mechanism PoC confirms exploitation; not listed in CISA KEV and no evidence of active exploitation.

Microsoft SSRF PHP
NVD GitHub
CVSS 3.1
7.1
CVE-2026-54493 HIGH PATCH GHSA This Week

{id}. Publicly available exploit code exists (a working PoC is published in the GHSA advisory), but it is not in CISA KEV and no active exploitation is identified.

Docker SSRF PHP
NVD GitHub
CVSS 3.1
7.7
CVE-2026-54492 MEDIUM PATCH GHSA This Month

Authenticated blind SSRF in Koel v9.6.0 allows any logged-in user to trigger server-side HTTP requests to private, loopback, and RFC1918 destinations by exploiting a missing SafeUrl validation guard on the Subsonic-compatible createPodcastChannel.view route. The main podcast API correctly rejects private URLs with a 422 error, but the Subsonic compatibility layer omits the same SafeUrl rule, and the attacker-supplied URL is fetched synchronously during channel creation via Poddle::fromUrl() - no separate step required. No public exploit identified at time of analysis per KEV status, but a fully documented public PoC with step-by-step curl commands is available in GHSA-w79m-f3jx-779v, validated against the official phanan/koel:9.6.0 Docker image.

Docker SSRF PHP
NVD GitHub
CVSS 3.1
4.3
CVE-2026-49280 MEDIUM PATCH GHSA This Month

MantisBT's REST and SOAP APIs fail to enforce the $g_set_status_threshold authorization gate, allowing any authenticated user holding the UPDATER role (the default update permission) to change an issue's workflow status to values that should require DEVELOPER-level access or higher. The vulnerability is confirmed patched in release 2.28.4 with no public exploit or KEV listing. Because UPDATER is the default role for ordinary authenticated contributors, this flaw is broadly reachable on any MantisBT instance where the API is accessible without further hardening of role assignments.

Authentication Bypass PHP
NVD GitHub
CVE-2026-49273 HIGH PATCH GHSA This Week

Authenticated remote code execution in MantisBT versions 1.3.0 through 2.28.3 allows an administrator to run arbitrary PHP as the web server user (www-data) via the 'Manage Configuration' page (adm_config_set.php). When a config value is stored with a non-string type, the ConfigParser/Tokenizer path calls eval() on attacker-controlled code guarded only by a 'return;' prefix; because PHP hoists class and function declarations at compile time regardless of the return, an attacker can plant a class that later hijacks the autoloader. There is no public exploit identified at time of analysis and it is not listed in CISA KEV; the flaw was reported privately by watchTowr and fixed in 2.28.4.

PHP RCE Code Injection
NVD GitHub
CVE-2026-47156 CRITICAL PATCH GHSA Act Now

Privilege escalation to administrator in MantisBT 2.28.3 and earlier lets a low-privileged or self-registered user impersonate any account, including the administrator, through the SOAP API's flawed mci_check_login() function. Because the function accepts any valid cookie_string without checking that it belongs to the supplied username, an attacker who knows a target username (e.g. 'administrator') and possesses their own MANTIS_STRING_COOKIE can authenticate as that user without a password. With self-registration enabled by default ($g_allow_signup = ON), this is exploitable from zero prior access, granting full read/write and destructive control over all projects, issues, and user data. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the underlying bug is trivially reliable.

Authentication Bypass PHP
NVD GitHub
CVE-2026-47142 HIGH PATCH GHSA This Week

SQL injection in MantisBT 2.28.3 and earlier (fixed in 2.28.4) lets an administrator poison the history_order configuration value, which core/history_api.php concatenates unsanitized into an ORDER BY clause; the injected SQL then fires whenever any authenticated user views a bug that has history entries. This converts an administrator's config-write into database-wide data theft (password hashes, cookie_strings, API tokens, private issues) and, where the MySQL account holds the FILE privilege, remote code execution via INTO OUTFILE dropping a PHP webshell in the web root. No public exploit identified at time of analysis; reported by McCaulay Hudson of watchTowr and tracked as GitHub advisory GHSA-mw6p-33vw-46cc.

SQLi PHP Information Disclosure
NVD GitHub
CVE-2026-61873 HIGH PATCH This Week

Authenticated arbitrary file write in the Grav CMS Form plugin (versions before 9.1.8) allows attackers to plant PHP webshells in the web root by abusing the process.save.filename parameter. The filename is checked for path traversal before Twig rendering but never re-validated afterward, so traversal sequences reconstructed during template evaluation bypass the guard. No public exploit has been identified at time of analysis, and it is not listed in CISA KEV; the flaw was disclosed by VulnCheck via a coordinated GitHub security advisory.

PHP Path Traversal Grav
NVD GitHub VulDB
CVSS 4.0
7.2
CVE-2026-61457 MEDIUM PATCH This Month

Remote code execution in the Grav API plugin (getgrav/grav-plugin-api) before 1.0.3 is achievable by authenticated API users holding the api.media.write permission via a double-extension file upload bypass. The HandlesMediaUploads::validateFileExtension() method uses PHP's pathinfo() to inspect only the final file extension, meaning a file named shell.php.jpg passes the dangerous-extension blocklist while retaining a .php segment that certain web server configurations will execute as PHP. No public exploit code or CISA KEV listing has been identified at time of analysis, but the technique is well-understood and exploitation is low-complexity once permission prerequisites are met.

File Upload PHP RCE Grav
NVD GitHub VulDB
CVSS 4.0
5.3
CVE-2026-59235 HIGH PATCH This Week

Broken function-level authorization in Prospero Flow CRM before 5.5.3 lets any authenticated low-privileged user (e.g. the standard 'User'/'Usuario' role) read every bank account record belonging to their company via GET /api/bank-account. The API route is guarded only by auth:api with no permission gate — unlike the web equivalent, which enforces can('read bank') — so any valid bearer token returns sensitive banking data (IBAN, SWIFT/BIC, account identifiers). A vendor patch exists (5.5.3) and the fixing commit is public; there is no public exploit identified at time of analysis and the flaw is not in CISA KEV.

Authentication Bypass PHP Prospero Flow Crm
NVD GitHub
CVSS 4.0
8.7
CVE-2026-54087 PHP HIGH PATCH GHSA This Week

Stored cross-site scripting in EasyAdminBundle (Symfony admin generator) versions 5.0.0 through 5.0.12 allows a lower-privileged user with access to a form using FileField or ImageField to upload a browser-executable .html or .svg file that EasyAdmin then links to inline, executing attacker-controlled JavaScript in a viewing administrator's authenticated session. Impact includes session/CSRF-token theft and privilege escalation; it is explicitly NOT remote code execution because filenames come from Symfony's guessExtension(). There is no public exploit identified at time of analysis and it is not in CISA KEV; a vendor patch is available in 5.0.13.

XSS Privilege Escalation PHP CSRF RCE
NVD GitHub
CVSS 3.1
7.6
CVE-2026-50006 Go CRITICAL GHSA Act Now

Arbitrary file write in Anyquery Server Mode (versions < 0.4.5) allows unauthenticated remote attackers to write files to any path the process can access by abusing SQLite's native ATTACH DATABASE command exposed over the MySQL-compatible listener. Because the server blindly proxies SQL to the underlying SQLite engine, an attacker can create files such as cron jobs, PHP web shells, or SSH authorized_keys and escalate the file write into remote code execution or denial of service. A working step-by-step proof-of-concept is published in the vendor's GitHub Security Advisory (GHSA-xrcf-6jh3-ggvx); there is no CISA KEV entry and no confirmed in-the-wild exploitation at time of analysis.

RCE Denial Of Service Path Traversal PHP
NVD GitHub
CVSS 3.1
9.1
CVE-2026-15715 LOW POC Monitor

A vulnerability was identified in SourceCodester Class and Exam Timetabling System 1.0. Affected by this vulnerability is an unknown functionality of the file /exam.php. Such manipulation of the argument day leads to cross site scripting. It is possible to launch the attack remotely. The exploit is publicly available and might be used.

PHP XSS Class And Exam Timetabling System
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.4%
CVE-2026-45710 PHP LOW GHSA Monitor

{ $items = []; foreach ($this->variantes() as $item) { $match = $item->{$this->match}; $description = Tools::textBreak($item->description(), 300); ... $items[] = '<tr class="clickableRow" onclick="widgetVarianteSelect(\'' . $this->id . '\', \'' . $match . '\');">' . '<td class="text-center">' ... ``` `$this->match` defaults to `'referencia'` (`WidgetVariante::__construct`, line 42). `$item->referencia` was sanitised at write time by `Variante::test()` (`Core/Model/Variante.php:392`) which calls `Tools::noHtml($this->referencia)`. `Tools::noHtml` (`Core/Tools.php:499-504`) replaces `'`, `"`, `<`, `>` with `&#39;`, `&quot;`, `&lt;`, `&gt;`. The defender therefore expects that any apostrophe a user typed becomes `&#39;` in the database, which renders inside the `onclick` attribute as `&#39;` and cannot break out of the surrounding `'...'` JS string literal. `Core/Lib/Widget/WidgetSubcuenta.php:290-305` has the identical shape: ```php foreach ($this->subcuentas() as $item) { $match = $item->{$this->match}; ... $items[] = '<tr class="clickableRow" onclick="widgetSubaccountSelect(\'' . $this->id . '\', \'' . $match . '\');">' . '<td class="text-center">' . '<a href="' . $item->url() . '" target="_blank" onclick="event.stopPropagation();">' ... ``` `$this->match` defaults to `'codsubcuenta'`; the value is `Tools::noHtml`-encoded by `Subcuenta::test()` (`Core/Model/Subcuenta.php:213`). Per the HTML5 spec (and what every browser actually does), the value of an HTML attribute is processed by the **character reference state** of the tokenizer before any consumer sees it. By the time the `onclick` attribute value reaches the script engine, the bytes inside are the *decoded* string. Concretely, the HTML the browser receives is: ```html <tr onclick="widgetVarianteSelect('id', '1&#39;,alert(1),&#39;2');"> ``` After the tokenizer decodes `&#39;` to `'`, the JavaScript fragment passed to the script engine is: ```javascript widgetVarianteSelect('id', '1',alert(1),'2'); ``` `alert(1)` runs as a third positional argument that JavaScript happily evaluates while building the call. The `widgetVarianteSelect` function ends up being called with four arguments and the side-effect of `alert(1)` (or any payload) has already occurred. The recent `40bc701` AccountingModalHTML and `8586b97` SalesModalHTML / PurchasesModalHTML fix recognised this. Both replaced the `onclick="...('"+ value +"')"` pattern with: ```php $tbody .= '<tr ... data-subaccount="' . $code . '" onclick="$(...).modal(\'hide\');' . ' return newLineAction(this.dataset.subaccount);">' ``` Where `$code = static::html($subaccount->codsubcuenta)` and `static::html` is `htmlspecialchars(html_entity_decode($text, ENT_QUOTES | ENT_HTML5, 'UTF-8'), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')`. The HTML5 entity decode is deliberate: it normalises any double-encoded data so that the subsequent `htmlspecialchars` produces stable single-encoded output. The JavaScript then reads the value from `this.dataset.*`, which is the post-decoded attribute value, where the original quote is now literally inside a string property and cannot break out of any quote context. `WidgetSubcuenta` and `WidgetVariante` were not migrated to this pattern. `Variante::test()` (`Core/Model/Variante.php:389-401`) accepts up to 30 characters in `referencia`. The minimum payload is 13 bytes (`1',alert(1),'2`), comfortably under the limit. The `Tools::noHtml` pass during `test()` produces the stored form `1&#39;,alert(1),&#39;2`, which is 22 bytes. Three plant primitives are practical: 1. **Direct create** via `EditProducto?action=save` with the attacker-controlled `referencia` field. Because `EditProducto` is exposed to any user with the `EditProducto` permission (which roles like *sales agent* and *warehouse manager* commonly carry), this is a within-tenant primitive: a low-privilege salesperson plants the payload, an admin opens any sales document and clicks the variant picker. 2. **DB write** by anyone with raw SQL access (DBA or shared-hosting admin). `INSERT INTO variantes (referencia, ...) VALUES ('1\',alert(1),\'2', ...)`. This is what I used for the live test; the plant is permanent until the row is deleted. 3. **Plugin / API import.** `ApiAttachedFiles` and the various import endpoints allow a low-privilege API key to land arbitrary `referencia` values that bypass the `EditProducto` `permissions->onlyOwnerData` filter. For `WidgetSubcuenta`, the `codsubcuenta` field is constrained to the exercise's `longsubcuenta` length (10 by default), and the regex-free `Tools::noHtml` pass turns one apostrophe into 5 bytes (`&#39;`), so the post-noHtml string must equal the configured length exactly. A 5-byte payload (`1','` is 4) plus padding is workable for compact bypass payloads such as `'+x+'` (where `x` is a previously-loaded global). DB-write planting (primitive 2) bypasses the length check entirely. The fix wave centred on the `Lib/AjaxForms/*ModalHTML.php` files. Both audited widgets live in `Lib/Widget/` and look superficially safe to a reviewer because every value is `Tools::noHtml`-escaped at storage. The actual decoding step happens inside the browser, not the PHP code, so the defect is not visible in a `grep`-based review of the PHP source unless the reviewer specifically looks for `onclick="...('+ $field +')'` shapes that put a `Tools::noHtml`-escaped value in a JavaScript string position inside an HTML attribute. > **Live PoC verified 2026-05-01** against `http://127.0.0.1:8081/` running facturascripts at commit `24281ca`. A `Variante.referencia` value of `1',alert(1),'2` (planted via raw DB write below) renders inside `widgetVarianteSelect('0', '1&#39;,alert(1),&#39;2');` in the modal grid; opening the variant-picker modal in any user's browser (low-priv or admin) fires `alert(1)` from the host page's realm. Setup: the admin session at `http://127.0.0.1:8081/` is at `/tmp/fs-cookie2`. Step 1 - plant the payload (any of the three primitives works). DB-write primitive: ```bash mysql -h127.0.0.1 -ufs -pfs facturascripts <<'SQL' INSERT INTO productos (referencia, descripcion, codimpuesto, sevende, secompra, bloqueado, nostock, publico, stockfis, ventasinstock, observaciones) VALUES ('XSSPRD', 'XSS via WidgetVariante', 'IVA21', 1, 1, 0, 1, 0, 0, 1, ''); INSERT INTO variantes (referencia, idproducto, precio, coste, margen, stockfis, codbarras) SELECT "1',alert('XSS-WidgetVariante'),'2", idproducto, 0, 0, 0, 0, '' FROM productos WHERE referencia='XSSPRD'; SQL ``` After the insert, `Variante::test()` did not run (the row was created via SQL), so the literal `'` survives. Even via the EditProducto UI primitive, the round trip through `Tools::noHtml` produces the encoded form `1&#39;,alert(...),&#39;2` which decodes back to the working payload at render time. Step 2 - open any controller that uses WidgetVariante with the default `match` (or any third-party plugin form that does so). Core ships two views (`Core/XMLView/EditAgente.xml`, `Core/XMLView/ListAgente.xml`) but both override `match="idproducto"`, so they are not exposed in stock core. Any plugin form that uses `<widget type="variante" .../>` without an explicit `match` attribute opts into the vulnerable code path. Trigger the variant-picker modal: ```bash $ curl -s -b /tmp/fs-cookie2 "http://127.0.0.1:8081/EditAgente?code=1" \ | grep -oE 'widgetVarianteSelect[^<>]{1,200}' | head -3 ``` When the modal renders `match=referencia`, the row in the response contains: ```html <tr class="clickableRow" onclick="widgetVarianteSelect('0', '1&#39;,alert(&#39;XSS-WidgetVariante&#39;),&#39;2');"> ``` The browser HTML-decodes the attribute value before passing it to the script engine, yielding the actual JavaScript `widgetVarianteSelect('0', '1',alert('XSS-WidgetVariante'),'2');`. The `alert` fires the moment the attribute is parsed for execution (i.e., when the user clicks the row, or when an automation script triggers the click programmatically), and the host realm's session, cookies, and CSRF tokens are exposed to the payload. For `WidgetSubcuenta`, the payload trigger is identical: any controller with `<widget type="subcuenta" fieldname="codsubcuentaXxx"/>` (`Core/XMLView/EditProducto.xml`, `EditCuentaBanco.xml`, `EditFamilia.xml`, `EditImpuesto.xml`, `EditRetencion.xml` are the in-tree consumers) renders the modal with `widgetSubaccountSelect('id', '<HTML-decoded codsubcuenta>')`. A `codsubcuenta` row planted with one apostrophe and five bytes of payload escapes the JS string and runs in the host page. * **Stored XSS in any user's browser the moment they open a product or subaccount picker.** The execution context is the host page, with full access to the viewer's session, CSRF tokens, and the running application. From an admin viewer's perspective the payload achieves admin compromise (install plugins, change passwords); from a normal user's perspective it can be used to exfiltrate the user's data and pivot. * **Within-tenant escalation primitive.** `EditProducto` is a routinely granted role permission. A salesperson, warehouse user, or a plugin-supplied controller without `admin` rights can plant a payload that fires in admin's browser the next time admin opens any sales document and clicks the variant picker. * **Sister vulnerability to the `40bc701` / `8586b97` fix wave.** The maintainers already understand and have fixed the same anti-pattern in three sister classes; these two were missed and remain exploitable. CVSS reasoning: `AV:N`, `AC:L` (one DB or one form POST plant), `PR:H` (the planter must be authenticated and have either `EditProducto` or DB write or import-API access; with weaker roles the payload is also reachable), `UI:R` (the victim opens a form that renders the modal and triggers a click), `S:U` (the impact stays within the application), `C:L I:L A:N` (the viewer's session and CSRF token are exposed; integrity loss bounded by viewer's role). Score 4.8. Mirror the `40bc701` and `8586b97` fix exactly. In both `Core/Lib/Widget/WidgetVariante.php:321` and `Core/Lib/Widget/WidgetSubcuenta.php:296`, replace: ```php $items[] = '<tr class="clickableRow" onclick="widgetVarianteSelect(\'' . $this->id . '\', \'' . $match . '\');">' ``` with the data-attribute pattern that the modal helpers now use: ```php $encMatch = htmlspecialchars( html_entity_decode((string)$match, ENT_QUOTES | ENT_HTML5, 'UTF-8'), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' ); $items[] = '<tr class="clickableRow" data-match="' . $encMatch . '"' . ' onclick="widgetVarianteSelect(\'' . $this->id . '\', this.dataset.match);">' ``` (and the analogous change for `widgetSubaccountSelect`). The same approach should be applied to: * `WidgetSubcuenta::renderExerciseFilter` (`Core/Lib/Widget/WidgetSubcuenta.php:251-255`) where `$item->codejercicio` is interpolated into `<option value="...">`. Codes are short and predictable but the same escaping consideration applies for defence in depth. * `WidgetVariante::renderManufacturerFilter` (line 213) and `renderFamilyFilter` (line 197). Long term, the `BaseWidget::onclickHtml` and `inputHtml` builders (`Core/Lib/Widget/BaseWidget.php:163-167`, `234-239`, `273-283`) likewise concatenate `$this->value` into HTML attributes without context-aware escaping. Migrating them to use Twig (or at least `htmlspecialchars` with `ENT_QUOTES`) closes a class of bugs that today rely on every model's `test()` to be defensive. A regression test should plant a `Variante.referencia` of `1',alert(1),'2`, render the page through the live HTTP stack, and assert that no JavaScript dialog fires (e.g. via Playwright `page.on('dialog', ...)`).

PHP CSRF XSS
NVD GitHub
CVSS 3.1
3.5
CVE-2026-45263 PHP HIGH GHSA This Week

Stored CSV formula injection in FacturaScripts (all versions through 2026.1) lets an authenticated low-privilege user plant spreadsheet formula payloads in ordinary text fields (customer/supplier/product names, contacts) that execute when an administrator opens a routine list export. Because Core/Lib/Export/CSVExport.php::writeData() wraps values without neutralising leading =,+,-,@,tab, or carriage-return characters, and Tools::noHtml() only strips HTML metacharacters, the payload reaches the CSV verbatim and Excel/LibreOffice run it (including DDE process spawning) in the admin's OS context. A live PoC was verified on 2026-04-30, so publicly available exploit code exists, though there is no active exploitation confirmed (not in CISA KEV).

PHP CSRF Microsoft Canonical RCE
NVD GitHub
CVSS 3.1
8.0
CVE-2026-45693 PHP HIGH GHSA This Week

Unauthenticated arbitrary file read in FacturaScripts (all versions through v2026.2) lets remote attackers retrieve protected documents by abusing the static file controllers Files.php and Myfiles.php, which authorize requests on the raw URL prefix rather than the resolved filesystem path. A request such as /Plugins/../MyFiles/Private/invoice.pdf passes the prefix allow-list yet resolves to a private file, leaking customer/supplier invoices, attachments, and .sql database backups. A detailed, reproducible exploit is publicly available in the GitHub Security Advisory; there is no vendor-released patch identified at time of analysis and no evidence of active exploitation.

Apache PHP Canonical Path Traversal RCE
NVD GitHub
CVSS 3.1
7.5
CVE-2026-45262 PHP CRITICAL GHSA Act Now

Cross-resource SQL injection in the FacturaScripts REST API (all versions through 2026.1) lets a low-privileged, scoped ApiKey read or modify arbitrary database tables via the `filter` query parameter, enabling full admin account takeover. A single GET request with a parenthesized filter key leaks the admin's bcrypt password hash and `logkey` session token, which are then replayed as the `fsLogkey` cookie to reach admin-only endpoints like `/AdminPlugins`. A live end-to-end PoC was verified on 2026-04-30, so publicly available exploit code exists, though there is no public exploit identified as being used in active attacks (not in CISA KEV).

Oracle SQLi PHP CSRF RCE
NVD GitHub
CVSS 3.1
9.9
CVE-2026-15703 MEDIUM POC This Month

A vulnerability was detected in SourceCodester Simple and Nice Shopping Cart Script 1.0. This vulnerability affects unknown code of the file /admin/userproductdeletequery.php. Performing a manipulation of the argument user_id results in sql injection. It is possible to initiate the attack remotely. The exploit is now public and may be used.

SQLi PHP Simple And Nice Shopping Cart Script
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.3%
CVE-2026-15700 LOW POC Monitor

Path traversal in DedeCMS 5.7.118's Album Publishing Feature allows remote attackers with administrative credentials to read or write files outside the intended extraction directory by manipulating the `filename` argument passed to the `ExtractFile` function in `include/zip.class.php`. A public proof-of-concept exploit has been released on GitHub, lowering the skill bar for exploitation, though no active exploitation has been confirmed in the CISA KEV catalog. The CVSS 4.0 score of 5.1 with PR:H reflects the high privilege requirement, which materially limits the exposed attack surface to authenticated admin-level sessions.

Path Traversal PHP Dedecms
NVD VulDB GitHub
CVSS 4.0
2.0
EPSS
0.4%
CVE-2026-52841 LOW PATCH Monitor

OAuth provider rebinding in Easy!Appointments prior to version 1.6.0 allows any authenticated backend user - including low-privilege secretary and provider roles - to silently hijack a peer provider's Google Calendar integration by supplying an arbitrary provider_id to the OAuth initiation endpoint. The attacker completes a legitimate Google OAuth flow with their own Google account, which the application then binds to the victim provider's database row without verifying ownership. From that point forward, every appointment on the victim's schedule syncs to the attacker's Google Calendar, leaking customer names and email addresses as attendee data. No public exploit has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.

Google Authentication Bypass PHP Easyappointments
NVD GitHub
CVSS 3.1
3.1
EPSS
0.1%
CVE-2026-52840 LOW PATCH Monitor

Server-side request forgery in Easy!Appointments prior to 1.6.0 allows authenticated backend users - admins, providers, or secretaries - to probe internal network hosts by supplying arbitrary URLs to the CalDAV synchronization endpoint. The Guzzle HTTP client in `Caldav.php:60` forwards a REPORT request to the caller-supplied `caldav_url` without validating the scheme or destination host, enabling access to loopback, RFC1918, and link-local addresses on the deployment network. The SSRF is semi-blind, returning up to approximately 120 bytes of upstream response body through the exception path; no public exploit has been identified, exploitation requires an active backend account, and version 1.6.0 resolves the issue.

SSRF PHP Easyappointments
NVD GitHub
CVSS 3.1
2.7
EPSS
0.2%
CVE-2026-52837 MEDIUM PATCH This Month

The reschedule endpoint in Easy!Appointments 1.5.2 and earlier exposes the complete customer database record to any party holding the 12-character appointment hash, with no authentication check and no field whitelisting on the ea_users row. These hashes are deliberately distributed to customers in reschedule emails, embedded in confirmation page URLs, and visible in operator calendar links, which means the effective attacker pool is anyone who has ever received or forwarded a booking email. The fix is available in version 1.6.0 per the GitHub security advisory; no public exploit code and no CISA KEV listing have been identified at time of analysis.

PHP Information Disclosure Easyappointments
NVD GitHub
CVSS 4.0
6.9
EPSS
0.4%
CVE-2026-15678 LOW POC Monitor

Cross-site scripting in code-projects Online Job Portal 1.0 allows a remote, low-privileged attacker to inject malicious JavaScript via the /Admin/DetailJob.php endpoint, which executes in the browser of any user who views the affected page. The CVSS 4.0 vector (PR:L/UI:P) confirms that exploitation requires an authenticated session and passive victim interaction, constraining but not eliminating real-world risk. A public proof-of-concept has been disclosed on GitHub; no patch from the vendor has been identified at time of analysis.

PHP XSS Online Job Portal
NVD VulDB GitHub
CVSS 4.0
2.0
EPSS
0.2%
CVE-2026-15677 MEDIUM POC This Month

Unrestricted file upload in code-projects Online Job Portal 1.0 exposes unauthenticated remote attackers to arbitrary file upload via the txtFile parameter in /JobSeekerInsert.php, enabling likely webshell deployment and subsequent server-side code execution. A public proof-of-concept exploit exists (no KEV listing), substantially lowering the exploitation barrier for any internet-exposed instance. The CVSS 4.0 impact metrics are conservatively rated Low across C/I/A, which understates the realistic post-exploitation potential of an unrestricted PHP file upload - successful webshell placement typically yields full OS command execution in the web server process context.

PHP File Upload Online Job Portal
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.3%
CVE-2026-15676 MEDIUM POC This Month

SQL injection in code-projects Online Job Portal 1.0 exposes the /Admin/DeleteUser.php endpoint to unauthenticated remote database manipulation. An attacker can craft HTTP requests that inject arbitrary SQL, enabling data extraction, modification, or deletion from the underlying database. A public proof-of-concept exploit exists (GitHub: shihuizhang-dazhi/MY-CVE/issues/4), lowering the bar for exploitation; this vulnerability is not currently listed in CISA KEV.

SQLi PHP Online Job Portal
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.3%
CVE-2026-12583 HIGH POC PATCH This Week

Unauthenticated PHP object injection in the Newsletters WordPress plugin before 4.15 lets remote attackers deserialize attacker-controlled data submitted through a public-facing form, then leverage a property-oriented gadget chain bundled inside the plugin itself to write arbitrary files and achieve remote code execution on the host. Publicly available exploit code exists (published via WPScan), though there is no public exploit identified as being used in active attacks and the flaw is not listed in CISA KEV. The self-contained gadget chain removes the usual dependency on third-party gadgets, making reliable exploitation notably more achievable than typical POI bugs.

PHP WordPress Deserialization Newsletters
NVD WPScan
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-11563 CRITICAL POC Act Now

Arbitrary file deletion in the Word Count and Social Shares WordPress plugin (versions through 1.0) lets any authenticated low-privilege user, including a Subscriber, delete any file the web server can reach because the plugin neither validates the supplied file path nor enforces authorization or CSRF protection. Deleting critical files such as wp-config.php can trigger WordPress's setup/installation flow and enable a full site takeover. Publicly available exploit code exists (reported by WPScan); there is no public exploit identified as actively used, and the issue is not on the CISA KEV list.

PHP CSRF WordPress Word Count And Social Shares
NVD WPScan
CVSS 3.1
9.6
EPSS
0.1%
CVE-2026-15675 MEDIUM POC This Month

SQL injection in code-projects Online Job Portal 1.0 exposes the /Admin/EditUser.php endpoint to remote database manipulation via the unsanitized UserId parameter. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) classifies this as remotely exploitable with no authentication or interaction required, though the Admin path location raises questions about actual auth gating in practice. A public exploit exists (E:P confirmed in CVSS 4.0 and via GitHub issue), lowering the skill bar for exploitation considerably; this CVE is not currently listed in CISA KEV.

SQLi PHP Online Job Portal
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.3%
CVE-2026-15672 LOW POC Monitor

SQL injection in itsourcecode Electronic Judging System 1.0 exposes the admin panel endpoint /intrams/admin/add_judges.php to database manipulation via the unsanitized `fname` parameter. Authenticated remote attackers can craft malicious input to read, alter, or potentially enumerate backend database contents. A publicly available proof-of-concept exploit exists on GitHub, though the vulnerability is not listed in CISA KEV and carries a CVSS 4.0 base score of 2.1 (Low), reflecting the authenticated access prerequisite and limited-scope CIA impact.

SQLi PHP Electronic Judging System
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.2%
CVE-2026-52828 PHP MEDIUM PATCH GHSA This Month

Privilege escalation in Kimai time-tracking software (<=2.57.0) allows authenticated TEAMLEAD users to create and modify global export templates that are intended to be administrator-only resources. The web controller routes `createExportTemplate` and `editExportTemplate` in `ExportController` inherit only the class-level `create_export` permission - granted to ROLE_TEAMLEAD - while the API endpoints and UI correctly enforce the stricter `create_export_template` permission restricted to ROLE_ADMIN and ROLE_SUPER_ADMIN. Because ExportTemplate entities have no per-user or per-team scoping, a TEAMLEAD can silently alter organization-wide export configurations affecting all users including administrators. No public exploit is confirmed at time of analysis, though a private PoC was submitted to the vendor and subsequently removed.

PHP Authentication Bypass
NVD GitHub
CVE-2026-52825 PHP MEDIUM PATCH GHSA This Month

Improper authorization in Kimai's Team API endpoints allows an authenticated Teamlead to add users and activities to their team that fall outside their intended management scope, bypassing the access boundaries enforced by the frontend. Affected versions are Kimai <= 2.57.0 (composer package kimai/kimai). A proof-of-concept was reportedly created but withheld; no public exploit code is currently available and this vulnerability is not listed in CISA KEV. Once a Teamlead writes an out-of-scope team relation, downstream authorization logic may treat those relations as legitimate, silently expanding access to time entries, project visibility, and reporting for the affected users and activities.

PHP Authentication Bypass
NVD GitHub
CVE-2026-52823 PHP MEDIUM PATCH GHSA This Month

Cross-site request forgery in Kimai's timesheet API allows an unauthenticated attacker to trigger unauthorized state changes against any logged-in victim by embedding malicious GET requests in attacker-controlled pages. Kimai versions up to and including 2.57.0 expose the `stop` and `restart` timesheet operations as HTTP GET routes, which browsers will follow automatically using the victim's active session cookie - no CSRF token is required. Impact is limited to timesheet data integrity and availability (corrupted time records, unauthorized entries, billing distortion), not system compromise; no public exploit is confirmed at time of analysis, and no active exploitation has been reported by CISA KEV.

PHP CSRF
NVD GitHub
CVE-2026-52822 PHP MEDIUM PATCH GHSA This Month

Permission revocation bypass in Kimai's timesheet restart and duplicate workflows allows authenticated users to create new database-persisted time entries under projects they no longer have access to. Affecting Kimai up to and including version 2.57.0, the flaw exists because `TimesheetVoter.php` evaluates the `*_own_timesheet` ownership branch before team-based access checks, meaning a historical timesheet entry acts as a durable capability token that survives administrative revocation. No public exploit is available - a PoC was reportedly submitted to the project and then redacted - and this vulnerability is not listed in CISA KEV.

PHP Authentication Bypass
NVD GitHub
CVE-2026-52821 PHP MEDIUM PATCH GHSA This Month

Improper object-level authorization in Kimai 2.56.0 allows any authenticated user holding the generic `create_activity` permission to inject Activity records into projects outside their authorized scope by directly invoking the preset-project creation routes with an arbitrary project ID. The controllers in `ActivityController.php` and `ProjectController.php` validate only the global capability (can the user create activities at all?) without performing a secondary check that the user also has edit rights on the specific target project. No public exploit exists at time of analysis, though a PoC was privately shared with the vendor and subsequently removed; the vendor has released a fix in version 2.57.0.

PHP Authentication Bypass
NVD GitHub
CVE-2026-52820 PHP MEDIUM PATCH GHSA This Month

Broken object-level authorization in Kimai's Timesheet API (versions <= 2.56.0) allows any authenticated user with the default ROLE_USER permission to reassign their own timesheet entries to arbitrary project IDs in the database - including projects belonging to teams or customers they have no membership in. The root cause is an unconditional OR branch in the Symfony EntityType query_builder that matches any submitted project ID before team-ACL predicates are evaluated; the TimesheetVoter further compounds this by checking only timesheet ownership, never the destination project's access controls. A proof-of-concept was disclosed with the advisory (later redacted); no active exploitation has been confirmed via CISA KEV.

PHP Authentication Bypass
NVD GitHub
CVE-2026-52819 PHP MEDIUM PATCH GHSA This Month

{id}` correctly enforces teamlead validation through `TimesheetVoter`, but the collection endpoint `GET /api/timesheets?user=<id>` omits this check entirely, creating an inconsistent authorization model (CWE-863) that allows horizontal privilege escalation within the application. A private proof-of-concept was confirmed during responsible disclosure but has not been made public; the vendor-released fix is Kimai 2.57.0.

PHP Authentication Bypass
NVD GitHub
CVE-2026-47677 PHP CRITICAL POC PATCH GHSA Act Now

Complete account takeover in FacturaScripts (<= 2026.2) lets an unauthenticated network attacker hijack any 2FA-enabled account, including admins, by brute-forcing the /login?action=two-factor-validation endpoint. The handler issues a full session cookie on a matching TOTP without verifying the password, requiring a CSRF token, or enforcing any rate limit, and an over-wide verification window keeps ~17 codes valid at once. Publicly available exploit code exists (a working Python PoC in the GitHub advisory GHSA-c67f-gmxw-mj93); no active exploitation has been reported in CISA KEV.

PHP Python Authentication Bypass CSRF
NVD GitHub
CVE-2026-57856 HIGH PATCH This Week

Path-traversal privilege escalation in Cockpit CMS Bucket file storage API (before 2.14.0) lets an authenticated low-privileged user bypass per-bucket isolation by supplying a '../' bucket name, granting cross-bucket read, upload, and delete over all files regardless of owner or role. The flaw stems from an incomplete sanitization regex that strips dangerous characters but preserves dot sequences, which Flysystem then normalizes down to the storage root. No public exploit is identified at time of analysis, though a proof-of-concept gist is referenced; the issue was reported by VulnCheck and a vendor patch is available.

PHP Path Traversal Cockpit Cms
NVD GitHub VulDB
CVSS 4.0
8.7
EPSS
0.4%
CVE-2026-57855 HIGH PATCH This Week

Broken access control in Cockpit CMS's Bucket file storage API (/system/buckets/api) lets any authenticated user, regardless of assigned role, execute all bucket file operations (list, upload, delete, rename, create folder) against any named bucket - including admin-only buckets. VulnCheck reported the flaw and publicly available exploit code exists (proof-of-concept gist), but there is no evidence of active exploitation. With a CVSS 4.0 score of 8.7 and full confidentiality/integrity/availability impact on stored files, it enables privilege escalation of file-storage capabilities across tenant boundaries within the CMS.

PHP Authentication Bypass Cockpit Cms
NVD GitHub
CVSS 4.0
8.7
EPSS
0.3%
CVE-2026-15597 MEDIUM POC This Month

SQL injection in SourceCodester Class and Exam Timetabling System 1.0 exposes the `/edit_exam2.php` endpoint to remote unauthenticated database manipulation via the unsanitized `ID` parameter. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms exploitation requires no authentication, no user interaction, and no special preconditions, making this trivially exploitable over the network. A public exploit has been released on GitHub (no public exploit identified at time of analysis for KEV, but publicly available exploit code exists per POC data), and while the vulnerability is not listed in the CISA KEV catalog, the zero-friction attack path elevates real-world risk above what the moderate 5.5 CVSS score might suggest.

SQLi PHP Class And Exam Timetabling System
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.3%
CVE-2026-15596 LOW POC Monitor

Cross-site scripting in SourceCodester Class and Exam Timetabling System 1.0 exposes users to script injection via the unvalidated `subject` parameter in `/subject.php`, exploitable remotely by unauthenticated attackers. A publicly available proof-of-concept exists on GitHub, confirming practical exploitability with minimal attacker skill. No CISA KEV listing is present; the CVSS 4.0 score of 5.3 reflects limited integrity impact constrained by required user interaction, though POC availability meaningfully elevates real-world risk above the raw score suggests.

PHP XSS Class And Exam Timetabling System
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.3%
CVE-2026-58411 HIGH This Week

Reflected Cross-Site Scripting in ChurchCRM before 7.4.0 lets remote attackers inject JavaScript through unsanitized request parameter names and values reflected into JavaScript-string and HTML-attribute contexts on endpoints such as /FamilyCustomFieldsEditor.php, /PaddleNumList.php, and /admin/system/church-info. When a victim (especially an administrator) follows a crafted link, the payload executes in their session, enabling session-token theft, account takeover, and exposure of church member data. No public exploit identified at time of analysis, and the CVSS 4.0 vector (PR:N/UI:A) indicates unauthenticated triggering but requires victim interaction.

PHP Privilege Escalation XSS Crm
NVD GitHub
CVSS 4.0
7.0
EPSS
0.3%
CVE-2026-15595 LOW POC Monitor

Reflected cross-site scripting in SourceCodester Class and Exam Timetabling System 1.0 allows remote unauthenticated attackers to inject arbitrary JavaScript via the unsanitized `subject` parameter in `/forsubject.php`. A victim user must interact with a crafted URL for the payload to execute in their browser. A public proof-of-concept exploit is available on GitHub, increasing the likelihood of opportunistic exploitation against deployed instances.

PHP XSS Class And Exam Timetabling System
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.3%
CVE-2026-58409 CRITICAL Act Now

Remote code execution in ChurchCRM before 7.4.0 lets an authenticated administrator run arbitrary PHP on the server by installing a plugin ZIP that contains a webshell. Because 'php' is explicitly whitelisted in ALLOWED_EXTENSIONS and the DENIED_EXTENSIONS denylist fails to catch standard .php files, any PHP file inside the archive is extracted directly under the web root and becomes immediately executable over HTTP without the plugin ever being enabled. The /plugins/install-url route additionally allows the archive to be sourced from any attacker-controlled HTTPS URL, validated only against an attacker-supplied SHA-256 hash. No public exploit identified at time of analysis and it is not on CISA KEV.

PHP File Upload RCE Crm
NVD GitHub
CVSS 3.1
9.1
EPSS
0.5%
CVE-2026-58408 MEDIUM This Month

Authorization bypass in ChurchCRM prior to version 7.4.0 exposes the full congregation member directory to any low-privileged authenticated user via the unprotected POST /CSVCreateFile.php endpoint. The endpoint streams a CSV containing complete PII for every Person and Family record in the database without performing a dedicated function-level authorization check, relying instead on a legacy coarse gate that any single non-admin permission flag satisfies. No public exploit has been identified at time of analysis, but the trivially low exploitation barrier - any valid low-privilege account - makes this a high-priority remediation for organizations managing sensitive congregation data.

PHP Authentication Bypass Crm
NVD GitHub
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-12385 MEDIUM This Month

Sensitive information exposure in the Smart Slider 3 WordPress plugin (all versions up to and including 3.5.1.37) allows authenticated Contributor-level users to extract titles and full content excerpts of private, draft, pending, trashed, and auto-draft posts belonging to any user on the site - including Administrators and Editors - via the unsecured 'keyword' Ajax parameter. The attack barrier is further lowered because the required nonce is automatically emitted on /wp-admin/post-new.php, a page accessible to any Contributor by default through the edit_posts capability, making nonce acquisition trivial. No public exploit code and no confirmed active exploitation (CISA KEV) have been identified at time of analysis.

PHP Information Disclosure WordPress Smart Slider 3
NVD
CVSS 3.1
4.3
EPSS
0.2%
CVE-2026-49972 HIGH PATCH This Week

Remote code execution in the plank/laravel-mediable package before 7.0.0 lets attackers upload a double-extension file such as shell.php.jpg that passes all MIME, extension, and aggregate-type validation because of the trailing .jpg, yet retains an inner .php in its stored basename. On Apache/nginx servers misconfigured to execute any filename containing .php, the stored artifact runs as PHP. Reported by VulnCheck with a vendor patch in 7.0.0; there is no public exploit identified at time of analysis and it is not listed in CISA KEV.

PHP Nginx RCE File Upload Apache +1
NVD GitHub
CVSS 4.0
7.7
EPSS
0.8%
CVE-2026-55372 PHP HIGH POC PATCH GHSA This Week

Server-side request forgery in NukeViet CMS before 4.6.00 lets a remote unauthenticated attacker coerce the server into issuing outbound HTTP requests to an arbitrary host by spoofing the X-Forwarded-Host and X-Forwarded-Proto headers, which flow unvalidated into the cURL URL built by server_info_update(). Because the __serverInfoUpdate=1 POST handler in includes/ini.php runs before authentication, no credentials are needed. The flaw is blind, HEAD-only and uses a fixed request path, so its practical value is internal host/port discovery and poisoning of the cached server_headers rather than data exfiltration; no public exploit beyond the advisory PoC is identified and it is not in CISA KEV.

Canonical PHP SSRF
NVD GitHub
CVSS 3.1
7.2
CVE-2026-54065 PHP HIGH PATCH GHSA This Week

Arbitrary file deletion in NukeViet CMS (versions before 4.6.00) allows an authenticated administrator to permanently delete any file within the web application root via a path-traversal payload in the comment Edit function. By padding the POST 'attach' parameter with exactly 26 filler characters followed by '../../<target>', an attacker survives the naive substr() prefix-stripping and stores a traversal path in the database; deleting the comment then removes the referenced file (e.g. config.php), forcing the site into the install wizard and causing a full outage. No public exploit identified at time of analysis, though the GitHub Security Advisory (GHSA-c9xg-64p9-f2jj) includes a full working reproduction.

PHP Path Traversal
NVD GitHub
CVSS 3.1
8.7
CVE-2026-54064 PHP HIGH POC PATCH GHSA This Week

Stored cross-site scripting in the NukeViet CMS News module (versions before 4.6.00) lets any authenticated user with news-posting permission persist arbitrary JavaScript that runs in the browser of every visitor, including administrators. Two independent filter bypasses defeat the built-in anti-XSS routines in NukeViet\Core\Request: a Form Feed (\x0C) prefix slips event-handler attributes past the /^on/ check, and a decimal HTML-entity tab (&#9;) smuggles a javascript: URI past the keyword filter. Publicly available exploit payloads exist in the vendor advisory; there is no evidence of active exploitation and no EPSS figure was supplied.

PHP Privilege Escalation XSS
NVD GitHub
CVSS 3.1
8.7
CVE-2026-49259 PHP HIGH POC PATCH GHSA This Week

Stored cross-site scripting in NukeViet CMS 4.x through 4.5.08 lets a low-privileged authenticated member embed a JavaScript payload in their profile display name (first_name/last_name), which then executes when any visitor - including administrators - clicks the Reply/Answer link on that member's comment. The flaw stems from HTML-entity encoding being applied where JavaScript-string escaping is required, so the payload runs in the victim's session context and can drive admin session actions, credential phishing, and data exfiltration. Publicly available exploit code exists (a working PoC is published in the GHSA advisory), though there is no public exploit identified as actively used in the wild.

PHP Privilege Escalation XSS
NVD GitHub
CVSS 3.1
8.7
CVE-2026-48118 PHP HIGH PATCH GHSA This Week

Reflected cross-site scripting in the Comment module of NukeViet CMS (versions before 4.5.09) lets remote unauthenticated attackers execute arbitrary JavaScript in a victim's browser via a crafted URL. The status_comment parameter carries base64-encoded HTML that is decoded server-side and rendered unescaped, while a second flaw makes the checkss anti-forgery token static and site-wide, removing the only barrier to URL-based delivery. No public exploit identified at time of analysis, though the advisory documents a confirmed proof-of-concept credential-phishing overlay.

PHP XSS
NVD GitHub
CVSS 3.1
8.2
CVE-2026-6847 CRITICAL Act Now

Remote code execution in ThemisNETPanel (vendor 4real) allows unauthenticated network attackers to fully compromise the underlying server by abusing a file-upload endpoint that lacks any authentication check. An attacker submits a base64-encoded PHP payload, writes it as an arbitrary PHP file, and executes it in the web application's context. Reported by CERT-PL with a CVSS 4.0 base score of 9.3; no public exploit identified at time of analysis and it is not listed in CISA KEV.

Authentication Bypass File Upload RCE PHP Themisnetpanel
NVD
CVSS 4.0
9.3
EPSS
0.6%
CVE-2026-61498 CRITICAL POC Act Now

Remote OS command execution in Vitec Flamingo 4.12.2 lets unauthenticated attackers run arbitrary commands as root through the admin/ajax/gen_graphs.php graph-generation endpoint. The start, end, key, and format GET parameters are passed unsanitized into a PHP passthru() shell call, and because the web server runs with passwordless sudo the impact escalates to full root compromise. Publicly available exploit code exists (VulnCheck), though there is no CISA KEV listing, so this is a high-priority, easily weaponizable flaw.

Command Injection PHP Flamingo
NVD
CVSS 4.0
9.3
EPSS
2.2%
CVE-2026-60121 CRITICAL POC Act Now

Unauthenticated OS command injection in Vitec Flamingo 4.12.2 (IPTV distribution) lets remote attackers run arbitrary commands as root through the admin/ajax/ping.php endpoint. The flaw stems from a double-evaluation bug where a system wrapper re-uses the decoded, un-escaped host value in a second shell call executed via passwordless sudo. Publicly available exploit code exists (VulnCheck); no active exploitation is confirmed in CISA KEV at time of analysis.

Command Injection PHP Flamingo
NVD
CVSS 4.0
9.3
EPSS
1.4%
CVE-2026-15559 LOW POC Monitor

SQL injection in CodeAstro Simple Online Leave Management System 1.0 exposes the admin accept handler to database manipulation by low-privilege authenticated remote attackers via the `appid` POST parameter in `/SimpleOnlineLeave/admin/accept.php`. The CVSS 4.0 vector (PR:L, VC:L/VI:L/VA:L) indicates constrained but real impact against the vulnerable system's database, with confidentiality, integrity, and availability all partially compromised. A public exploit is available on GitHub and the E:P evidence tag in the CVSS 4.0 vector corroborates this - however, no CISA KEV listing exists, meaning active exploitation at scale is not confirmed at time of analysis.

SQLi PHP Simple Online Leave Management System
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.2%
CVE-2026-15558 LOW POC Monitor

SQL injection in CodeAstro Simple Online Leave Management System 1.0 allows authenticated remote attackers to manipulate backend database queries via the 'ID' parameter in /SimpleOnlineLeave/admin/deletemp.php. The CVSS 4.0 vector (PR:L) indicates low-privilege authenticated access is sufficient to trigger the flaw, and a public proof-of-concept exploit has been disclosed on GitHub. Impact is assessed as low across confidentiality, integrity, and availability, consistent with the CVSS 4.0 score of 2.1, though the underlying SQL injection primitive could theoretically be chained to extract or corrupt database content.

SQLi PHP Simple Online Leave Management System
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.2%
CVE-2026-57805 HIGH This Week

Local File Inclusion in the Select-Themes "Tonda" WordPress theme (all versions through 2.5) lets an authenticated attacker with low privileges coerce a PHP include/require statement into loading arbitrary local files on the server. Tracked as CVE-2026-57805 (CWE-98) and reported by Patchstack, it carries a CVSS 7.5 rating and enables disclosure of sensitive files such as wp-config.php, with potential escalation to code execution via log/session poisoning. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.

Information Disclosure LFI PHP Tonda
NVD
CVSS 3.1
7.5
EPSS
0.5%
CVE-2026-57804 HIGH This Week

Local File Inclusion in the CodexThemes TheGem Theme Elements (for Elementor) WordPress plugin (versions up to and including 5.11.1) lets an authenticated low-privileged attacker coerce the application into including arbitrary local PHP files, exposing sensitive files and potentially executing attacker-influenced code within the site context. Classified as CWE-98 (PHP Remote/Local File Inclusion) and reported by Patchstack, the flaw carries a CVSS 3.1 base score of 7.5 with high impact across confidentiality, integrity, and availability. There is no public exploit identified at time of analysis and no active exploitation on record.

Information Disclosure LFI PHP Thegem Theme Elements For Elementor
NVD
CVSS 3.1
7.5
EPSS
0.5%
CVE-2026-57803 HIGH This Week

Local File Inclusion in the Select-Themes Struktur Core WordPress plugin (all versions up to and including 2.5.1) lets an authenticated low-privileged user coerce a PHP include/require statement into loading arbitrary local files, exposing sensitive server-side content such as wp-config.php credentials. Reported by Patchstack and classified under CWE-98 (PHP Remote File Inclusion), the flaw carries a CVSS 3.1 score of 7.5; no public exploit identified at time of analysis and it is not listed in CISA KEV. Depending on server configuration, LFI of attacker-influenced content (e.g., poisoned logs or uploaded files) can escalate to PHP code execution.

Information Disclosure LFI PHP Struktur Core
NVD
CVSS 3.1
7.5
EPSS
0.5%
CVE-2026-57802 HIGH This Week

Local File Inclusion in the Select-Themes "Struktur" WordPress theme (all versions up to and including 2.5.1) lets an authenticated attacker coerce a PHP include/require statement into loading arbitrary local files on the server, exposing sensitive content such as wp-config.php credentials and, under the right conditions, escalating to code execution. Tracked as CVE-2026-57802 (CWE-98) and reported by Patchstack, it carries a CVSS 7.5 rating; there is no public exploit identified at time of analysis and it is not on CISA KEV. The CVSS vector's PR:L indicates authentication is required and AC:H reflects non-trivial exploitation preconditions.

Information Disclosure LFI PHP Struktur
NVD
CVSS 3.1
7.5
EPSS
0.5%
CVE-2026-57801 HIGH This Week

PHP Local File Inclusion in the Select-Themes SetSail WordPress theme (versions up to and including 2.1) allows an authenticated attacker to coerce the application into including local files via improper control of a filename in an include/require statement. Successful exploitation can disclose sensitive files (e.g., wp-config.php) and, depending on server conditions, escalate to code execution through log poisoning or PHP wrapper abuse. This is a Patchstack-reported issue with no public exploit identified at time of analysis and no CISA KEV listing.

Information Disclosure LFI PHP Setsail
NVD
CVSS 3.1
7.5
EPSS
0.5%
CVE-2026-57800 HIGH This Week

Local File Inclusion in the Edge-Themes 'Overworld' WordPress theme (versions up to and including 1.5) lets an authenticated attacker coerce a PHP include/require statement into loading arbitrary server-side files, disclosing sensitive data such as wp-config.php credentials and potentially escalating to code execution via log/session poisoning. The flaw was reported by Patchstack and is classified as CWE-98 (PHP Remote File Inclusion). No public exploit identified at time of analysis, and it is not listed in CISA KEV; EPSS was not provided.

Information Disclosure LFI PHP Overworld
NVD
CVSS 3.1
7.5
EPSS
0.5%
CVE-2026-57799 HIGH This Week

Local file inclusion in the uxper Nuss WordPress theme (versions up to and including 1.3.6) lets an authenticated attacker with low-privilege access coerce the theme into including arbitrary PHP-parsable files from the server via improperly controlled include/require paths (CWE-98). Successful exploitation can disclose sensitive files and, depending on what can be included, lead to code execution, with high confidentiality, integrity, and availability impact per the CVSS 7.5 rating. No public exploit identified at time of analysis; the flaw was reported through Patchstack.

Information Disclosure LFI PHP Nuss
NVD
CVSS 3.1
7.5
EPSS
0.5%
CVE-2026-57798 HIGH This Week

Local File Inclusion in the NewsPlus Shortcodes WordPress plugin (versions up to and including 4.2.0) allows an authenticated attacker to coerce the plugin into including arbitrary PHP-processable files from the server, enabling disclosure of sensitive files and potential code execution. The flaw stems from improper control of a filename passed to a PHP include/require statement (CWE-98). No public exploit was identified at the time of analysis, and it is not listed in CISA KEV; risk is moderated by high attack complexity and a required privilege level.

Information Disclosure LFI PHP Newsplus Shortcodes
NVD
CVSS 3.1
7.5
EPSS
0.5%
CVE-2026-57796 HIGH This Week

Local File Inclusion in the VLThemes Leedo WordPress theme (versions up to and including 3.0.0) allows authenticated attackers to include and execute arbitrary local files on the server via improper control of a filename passed to a PHP include/require statement. Although classified under PHP Remote File Inclusion (CWE-98), Patchstack characterizes the practical impact as Local File Inclusion, enabling disclosure of sensitive files and potential code execution from locally accessible content. No public exploit identified at time of analysis, and it is not listed in CISA KEV; the CVSS 3.1 base score is 7.5 with high attack complexity.

Information Disclosure LFI PHP Leedo
NVD
CVSS 3.1
7.5
EPSS
0.5%
CVE-2026-57795 HIGH This Week

Local File Inclusion in the Kitchor WordPress theme by themelexus (versions up to and including 1.4.3) allows an authenticated attacker to coerce a PHP include/require statement into loading arbitrary local files from the server. Because the theme fails to constrain the filename passed to an include path (CWE-98), an attacker with at least low-level authenticated access can read sensitive files such as wp-config.php and, under the right conditions, escalate to PHP code execution via log poisoning or inclusion of attacker-influenced content. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV; the CVSS 3.1 base score is 7.5.

Information Disclosure LFI PHP Kitchor
NVD
CVSS 3.1
7.5
EPSS
0.5%
CVE-2026-57794 HIGH This Week

Local file inclusion in the uxper Golo Framework WordPress plugin (versions up to and including 1.7.3) lets an authenticated attacker abuse an improperly validated include/require path to read arbitrary server-side files and potentially execute embedded PHP. The CVSS 3.1 vector (AV:N/AC:H/PR:L/UI:N) indicates network-reachable exploitation requiring low-level authentication and elevated attack complexity, with high impact to confidentiality, integrity, and availability. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV.

Information Disclosure LFI PHP Golo Framework
NVD
CVSS 3.1
7.5
EPSS
0.5%
CVE-2026-57793 HIGH This Week

Local File Inclusion in the Elated-Themes 'Flow' WordPress theme (all versions up to and including 1.8) lets an authenticated attacker abuse an improperly controlled include/require path to read local files and potentially execute PHP. The CVSS 3.1 vector (AV:N/AC:H/PR:L) indicates a network-reachable but low-privilege, high-complexity flaw. No public exploit identified at time of analysis, and it is not listed in CISA KEV; disclosure comes from Patchstack.

Information Disclosure LFI PHP Flow
NVD
CVSS 3.1
7.5
EPSS
0.5%
CVE-2026-57792 HIGH This Week

Local file inclusion in the Mikado-Themes "Dor" WordPress theme (all versions through 2.4.1) lets an authenticated attacker with low privileges supply a crafted filename to a PHP include/require statement, causing the server to include and execute arbitrary local files. Patchstack attributes it to improper control of a filename passed to a PHP include path (CWE-98), enabling disclosure of sensitive files and potential code execution. No public exploit identified at time of analysis and it is not listed in CISA KEV, but the high CVSS (7.5) reflects the full-impact potential once the low-privilege prerequisite is met.

Information Disclosure LFI PHP D R
NVD
CVSS 3.1
7.5
EPSS
0.5%
CVE-2026-57791 HIGH This Week

Local file inclusion in the ThemeMove Brook WordPress theme (versions up to and including 2.9.0) lets authenticated attackers coerce a PHP include/require statement into loading arbitrary local files on the server, exposing sensitive data such as wp-config.php credentials and potentially escalating to code execution. The flaw was disclosed by Patchstack and carries a CVSS 3.1 score of 7.5, but exploitation is rated high-complexity (AC:H) and requires at least low-level authentication (PR:L). There is no public exploit identified at time of analysis and it is not listed in CISA KEV.

Information Disclosure LFI PHP Brook
NVD VulDB
CVSS 3.1
7.5
EPSS
0.5%
CVE-2026-57789 HIGH This Week

Local File Inclusion in the jwsthemes Aqua WordPress theme (versions up to and including 5.1.2) lets an authenticated attacker coerce a PHP include/require statement into loading arbitrary local files, exposing sensitive data and potentially achieving code execution. Reported by Patchstack under CWE-98, the flaw carries CVSS 7.5 but requires low-level privileges and high attack complexity. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.

Information Disclosure LFI PHP Aqua
NVD VulDB
CVSS 3.1
7.5
EPSS
0.5%
CVE-2026-57790 HIGH This Week

Local File Inclusion in the ThemeMove 'Billey' premium WordPress theme (versions up to and including 2.1.8) lets an authenticated attacker with low privileges control a filename used in a PHP include/require statement, exposing sensitive server-side files such as wp-config.php. Classified by Patchstack under CWE-98 (PHP Remote File Inclusion) but resolving to Local File Inclusion in practice, the flaw carries a CVSS 7.5 rating and no public exploit identified at time of analysis. Under specific conditions PHP file inclusion can escalate from information disclosure toward code execution via techniques such as log poisoning.

Information Disclosure LFI PHP Billey
NVD VulDB
CVSS 3.1
7.5
EPSS
0.5%
CVE-2026-57788 HIGH This Week

Local File Inclusion in the Edge-Themes "Aalto" WordPress theme (all versions up to and including 1.8) lets an authenticated attacker control a filename passed to a PHP include/require statement, exposing local files and potentially executing PHP. The flaw was reported by Patchstack and carries CVSS 7.5; there is no public exploit identified at time of analysis and it is not listed in CISA KEV. Despite the CWE-98 "Remote File Inclusion" classification, the described impact is Local File Inclusion.

Information Disclosure LFI PHP Aalto
NVD VulDB
CVSS 3.1
7.5
EPSS
0.5%
CVE-2026-57743 HIGH This Week

PHP Local File Inclusion in the WordPress RT-Theme 18 | Extensions plugin (rt18-extensions) by stmcan lets remote attackers coerce the plugin into including attacker-influenced local file paths in an include/require statement, exposing sensitive files and potentially achieving code execution if a suitable includable file exists. All versions from an unspecified start through 2.5 are affected. No public exploit identified at time of analysis and it is not on CISA KEV, but the CVSS 3.1 base score is 8.1 (high) and the flaw is reachable without authentication.

Information Disclosure LFI PHP Rt Theme 18 Extensions
NVD VulDB
CVSS 3.1
8.1
EPSS
0.6%
CVE-2026-15540 LOW POC Monitor

Local File Inclusion (LFI) in SourceCodester Online Book Store System 1.0 allows authenticated remote attackers to read arbitrary files on the server by manipulating the `page` parameter in `/admin/index.php`, leading to source code and sensitive file disclosure. The vulnerability stems from unsanitized user input passed directly to PHP's include/require statement (CWE-98), with a publicly available proof-of-concept exploit documented on Medium. No patch has been identified; CVSS 4.0 scores this 2.1, reflecting the limited impact scope and authenticated precondition.

Information Disclosure LFI PHP Online Book Store System
NVD VulDB
CVSS 4.0
2.1
EPSS
0.2%
CVE-2026-15539 LOW POC Monitor

Unrestricted file upload in SourceCodester Online Book Store System 1.0 allows authenticated remote attackers with administrative access to upload arbitrary PHP files via the Book Image Upload feature at /admin/index.php?page=books, enabling remote code execution on the host server. A public exploit proof-of-concept has been disclosed on Medium under the title 'Critical Authenticated Remote Code Execution via Unrestricted File Upload,' confirming practical exploitability. While PR:H limits exposure to actors holding admin credentials, successful exploitation yields full server-side code execution, making this a high-impact finding within its threat model.

PHP File Upload Online Book Store System
NVD VulDB
CVSS 4.0
2.0
EPSS
0.2%
CVE-2026-12081 MEDIUM POC PATCH This Month

PHP object injection in the 'Database for Contact Form 7, WPforms, Elementor forms' WordPress plugin (all versions before 1.5.2) permits unauthenticated attackers to embed malicious serialized PHP objects via the entry-editor file-field path, which are instantiated server-side when an administrator views the stored form entry. This is an incomplete remediation of two prior CVEs (CVE-2025-7384 and CVE-2026-2599) - earlier patches hardened other deserialization paths within the same plugin while this specific code route was overlooked. A publicly available exploit exists; no active exploitation is confirmed by CISA KEV at time of analysis.

PHP Deserialization WordPress Database For Contact Form 7 Wpforms Elementor Forms
NVD WPScan
CVSS 3.1
5.0
EPSS
0.2%
CVE-2026-15537 MEDIUM POC This Month

SQL injection in SourceCodester Online Book Store System 1.0 exposes the admin authentication panel to remote, unauthenticated exploitation via the Username parameter in admin/login.php. A publicly available proof-of-concept - explicitly titled 'SQL Injection Leading to Authentication Bypass' - demonstrates that an attacker can bypass admin login entirely without valid credentials. No active exploitation is confirmed by CISA KEV, but the combination of a publicly released exploit and a trivially low attack complexity significantly elevates real-world risk above what the base CVSS 4.0 score of 6.9 suggests.

SQLi PHP Online Book Store System
NVD VulDB
CVSS 4.0
5.5
EPSS
0.3%
CVE-2026-15536 LOW POC Monitor

SQL injection in itsourcecode Hospital Management System 1.0 exposes patient prescription data to remote authenticated attackers via the `delid` parameter in `/patviewprescription.php`. Low-privilege access is sufficient to exploit this CWE-89 flaw, enabling database read, write, and partial disruption. No public KEV listing exists, but a proof-of-concept exploit is publicly available on GitHub, materially lowering the barrier to exploitation beyond what the CVSS 4.0 score of 5.3 alone implies.

SQLi PHP Hospital Management System
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.2%
CVE-2026-15533 LOW POC Monitor

Code injection in DedeCMS 5.7.118 exposes high-privileged remote attackers to arbitrary PHP code execution via the Column Name parameter in the Column Management component of `/plus/search.php`. The exploit document on GitHub describes a cache file writing mechanism through which attacker-supplied input is persisted to disk and subsequently executed by the PHP runtime. A public proof-of-concept exists; no active exploitation is confirmed in the CISA KEV catalog.

Code Injection PHP RCE Dedecms
NVD VulDB GitHub
CVSS 4.0
2.0
EPSS
0.2%
CVE-2026-15530 MEDIUM POC This Month

Information disclosure in WuzhiCMS up to version 4.1.0 exposes sensitive server-side data through the Attachment API's `config/listimage` function, reachable at `/index.php?m=attachment&f=index&v=upload`. Remote unauthenticated attackers can exploit this endpoint without any privileges or user interaction, as confirmed by a publicly available proof-of-concept published via a GitHub issue report. The vendor has not responded to the disclosure, leaving no patch available and all deployments exposed.

PHP Information Disclosure Wuzhicms
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.3%
CVE-2026-15523 LOW POC Monitor

SQL injection in CodeAstro Simple Online Leave Management System 1.0 allows authenticated remote attackers to manipulate the Name parameter within /SimpleOnlineLeave/admin/dashboard.php to inject arbitrary SQL commands against the backend database. A public proof-of-concept exploit is confirmed via a GitHub issue reference, elevating real-world risk above the moderate CVSS 4.0 base score of 5.3. The CVE is not currently listed in the CISA KEV catalog, indicating no confirmed widespread active exploitation, but the low attack complexity combined with an available POC makes this a credible near-term threat for any internet-exposed deployment.

SQLi PHP Simple Online Leave Management System
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.2%
CVE-2026-15518 LOW POC Monitor

Unrestricted file upload in AREA 17 Twill CMS (versions up to 3.6.0) allows authenticated admin users to upload arbitrary file types via the `qqfilename` parameter in the Media Library Insert Page, creating a direct path to remote code execution on the underlying server. A public proof-of-concept documenting the full exploitation chain from file upload to RCE has been published by Bytium. No vendor patch exists - the vendor was contacted during responsible disclosure and did not respond, leaving all installations on affected versions without an official remediation path.

PHP File Upload Twill Cms
NVD VulDB
CVSS 4.0
2.0
EPSS
0.2%
CVE-2026-15516 LOW POC PATCH Monitor

Authorization bypass in MacCMS Pro's installation module allows remote attackers to circumvent access controls via the `step5` function in the installation controller, affecting all versions through 2022.1000.3005. Exploitation is rated high-complexity (AC:H), limiting opportunistic mass exploitation, though a public proof-of-concept is available on GitHub. No CISA KEV listing at time of analysis; EPSS data was not included in the available intelligence, but POC availability elevates the practical risk above the raw CVSS score alone might suggest.

Authentication Bypass PHP Maccms Pro
NVD VulDB GitHub
CVSS 4.0
2.9
EPSS
0.3%
CVE-2026-15502 MEDIUM This Month

SQL injection in AojiaoZero Antaris 1.0 exposes the application database through the PayPal IPN payment callback endpoint, where the `_rewardPurchase` function fails to sanitize the `item_number` parameter before incorporating it into SQL queries. An authenticated remote attacker who can send a crafted POST request to `/ipn.php` can manipulate the underlying database query, potentially reading sensitive records, modifying data, or degrading availability. No public exploit code has been identified at time of analysis, and the vendor did not respond to disclosure, leaving the vulnerability unpatched.

SQLi PHP Antaris
NVD VulDB
CVSS 4.0
5.3
EPSS
0.2%
CVE-2026-15498 MEDIUM This Month

SQL injection in SmartHomeAdatum's users.php Login component exposes the backend database to unauthenticated remote manipulation via a crafted Login argument. All commits up to cf495353d81b680675eb8d9aa14a318aa45ce12c of this PHP-based smart home application are affected, with no patch available and a vendor that did not respond to disclosure. No public exploit code or CISA KEV listing exists at time of analysis, though the CVSS 4.0 vector confirms low-complexity unauthenticated network exploitation.

SQLi PHP Smarthomeadatum
NVD VulDB
CVSS 4.0
6.9
EPSS
0.3%
CVE-2026-15494 LOW POC Monitor

SQL injection in AMTT Hotel Broadband Operation System 1.0 exposes the `manager/network/switch_status.php` endpoint to database manipulation via an unsanitized `ID` parameter, exploitable by authenticated remote attackers. A public proof-of-concept exploit exists (GitHub issue referenced in VulDB entry), though the vulnerability is not listed in CISA KEV. The CVSS 4.0 score of 2.0 reflects the high-privilege authentication barrier (PR:H) that significantly constrains real-world attack surface, limiting this primarily to insider threat or post-compromise escalation scenarios within hotel network management environments.

SQLi PHP Hotel Broadband Operation System
NVD VulDB GitHub
CVSS 4.0
2.0
EPSS
0.2%
CRITICAL PATCH Act Now

Reflected cross-site scripting in MantisBT's /admin/install.php (versions 2.28.3 and earlier) lets remote attackers inject HTML through six unescaped, user-supplied parameters echoed by print_test_result(). Although the page's Content-Security-Policy (script-src 'self') blocks inline JavaScript, the missing form-action directive permits credential-phishing form injection, <meta>-based open redirects, and CSS overlay attacks against the trusted admin origin. The advisory states no authentication is required; there is no public exploit identified at time of analysis and it is not listed in CISA KEV.

Open Redirect PHP XSS
NVD GitHub
MEDIUM PATCH This Month

Full-read SSRF in Koel's podcast subscription feature allows any authenticated user to coerce the server into fetching internal HTTP endpoints - including cloud instance metadata services - and receive the full response. The vulnerability exists because PHP's `filter_var` with `FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE` does not unwrap NAT64 (`64:ff9b::/96`) or 6to4 (`2002::/16`) IPv6 transition addresses, both of which deterministically embed a private IPv4 that the OS kernel routes internally. This affects all Koel deployments through v9.7.0 on NAT64 or dual-stack networks (the default for IPv6-only AWS and GCP subnets); a detailed proof-of-concept with verbatim server output is published in the advisory. No public exploit code is in KEV at time of analysis, but the PoC substantially lowers the exploitation barrier.

Microsoft SSRF PHP
NVD GitHub
CVSS 7.1
HIGH PATCH This Week

Server-side request forgery in Koel (self-hosted PHP music-streaming server, all releases up to and including 9.7.0) lets any authenticated low-privilege user coerce the server into requesting arbitrary internal or cloud-metadata endpoints. The flaw is an incomplete fix for CVE-2026-47260: the initial isSafeUrl() check was added to several podcast/radio fetchers, but per-redirect-hop re-validation was wired into only one path (EpisodePlayable), leaving every sibling fetcher bypassable via an attacker-controlled host that returns an HTTP 302 to an internal address, and all paths bypassable via DNS rebinding. A researcher mechanism PoC confirms exploitation; not listed in CISA KEV and no evidence of active exploitation.

Microsoft SSRF PHP
NVD GitHub
CVSS 7.7
HIGH PATCH This Week

{id}. Publicly available exploit code exists (a working PoC is published in the GHSA advisory), but it is not in CISA KEV and no active exploitation is identified.

Docker SSRF PHP
NVD GitHub
CVSS 4.3
MEDIUM PATCH This Month

Authenticated blind SSRF in Koel v9.6.0 allows any logged-in user to trigger server-side HTTP requests to private, loopback, and RFC1918 destinations by exploiting a missing SafeUrl validation guard on the Subsonic-compatible createPodcastChannel.view route. The main podcast API correctly rejects private URLs with a 422 error, but the Subsonic compatibility layer omits the same SafeUrl rule, and the attacker-supplied URL is fetched synchronously during channel creation via Poddle::fromUrl() - no separate step required. No public exploit identified at time of analysis per KEV status, but a fully documented public PoC with step-by-step curl commands is available in GHSA-w79m-f3jx-779v, validated against the official phanan/koel:9.6.0 Docker image.

Docker SSRF PHP
NVD GitHub
MEDIUM PATCH This Month

MantisBT's REST and SOAP APIs fail to enforce the $g_set_status_threshold authorization gate, allowing any authenticated user holding the UPDATER role (the default update permission) to change an issue's workflow status to values that should require DEVELOPER-level access or higher. The vulnerability is confirmed patched in release 2.28.4 with no public exploit or KEV listing. Because UPDATER is the default role for ordinary authenticated contributors, this flaw is broadly reachable on any MantisBT instance where the API is accessible without further hardening of role assignments.

Authentication Bypass PHP
NVD GitHub
HIGH PATCH This Week

Authenticated remote code execution in MantisBT versions 1.3.0 through 2.28.3 allows an administrator to run arbitrary PHP as the web server user (www-data) via the 'Manage Configuration' page (adm_config_set.php). When a config value is stored with a non-string type, the ConfigParser/Tokenizer path calls eval() on attacker-controlled code guarded only by a 'return;' prefix; because PHP hoists class and function declarations at compile time regardless of the return, an attacker can plant a class that later hijacks the autoloader. There is no public exploit identified at time of analysis and it is not listed in CISA KEV; the flaw was reported privately by watchTowr and fixed in 2.28.4.

PHP RCE Code Injection
NVD GitHub
CRITICAL PATCH Act Now

Privilege escalation to administrator in MantisBT 2.28.3 and earlier lets a low-privileged or self-registered user impersonate any account, including the administrator, through the SOAP API's flawed mci_check_login() function. Because the function accepts any valid cookie_string without checking that it belongs to the supplied username, an attacker who knows a target username (e.g. 'administrator') and possesses their own MANTIS_STRING_COOKIE can authenticate as that user without a password. With self-registration enabled by default ($g_allow_signup = ON), this is exploitable from zero prior access, granting full read/write and destructive control over all projects, issues, and user data. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the underlying bug is trivially reliable.

Authentication Bypass PHP
NVD GitHub
HIGH PATCH This Week

SQL injection in MantisBT 2.28.3 and earlier (fixed in 2.28.4) lets an administrator poison the history_order configuration value, which core/history_api.php concatenates unsanitized into an ORDER BY clause; the injected SQL then fires whenever any authenticated user views a bug that has history entries. This converts an administrator's config-write into database-wide data theft (password hashes, cookie_strings, API tokens, private issues) and, where the MySQL account holds the FILE privilege, remote code execution via INTO OUTFILE dropping a PHP webshell in the web root. No public exploit identified at time of analysis; reported by McCaulay Hudson of watchTowr and tracked as GitHub advisory GHSA-mw6p-33vw-46cc.

SQLi PHP Information Disclosure
NVD GitHub
CVSS 7.2
HIGH PATCH This Week

Authenticated arbitrary file write in the Grav CMS Form plugin (versions before 9.1.8) allows attackers to plant PHP webshells in the web root by abusing the process.save.filename parameter. The filename is checked for path traversal before Twig rendering but never re-validated afterward, so traversal sequences reconstructed during template evaluation bypass the guard. No public exploit has been identified at time of analysis, and it is not listed in CISA KEV; the flaw was disclosed by VulnCheck via a coordinated GitHub security advisory.

PHP Path Traversal Grav
NVD GitHub VulDB
CVSS 5.3
MEDIUM PATCH This Month

Remote code execution in the Grav API plugin (getgrav/grav-plugin-api) before 1.0.3 is achievable by authenticated API users holding the api.media.write permission via a double-extension file upload bypass. The HandlesMediaUploads::validateFileExtension() method uses PHP's pathinfo() to inspect only the final file extension, meaning a file named shell.php.jpg passes the dangerous-extension blocklist while retaining a .php segment that certain web server configurations will execute as PHP. No public exploit code or CISA KEV listing has been identified at time of analysis, but the technique is well-understood and exploitation is low-complexity once permission prerequisites are met.

File Upload PHP RCE +1
NVD GitHub VulDB
CVSS 8.7
HIGH PATCH This Week

Broken function-level authorization in Prospero Flow CRM before 5.5.3 lets any authenticated low-privileged user (e.g. the standard 'User'/'Usuario' role) read every bank account record belonging to their company via GET /api/bank-account. The API route is guarded only by auth:api with no permission gate — unlike the web equivalent, which enforces can('read bank') — so any valid bearer token returns sensitive banking data (IBAN, SWIFT/BIC, account identifiers). A vendor patch exists (5.5.3) and the fixing commit is public; there is no public exploit identified at time of analysis and the flaw is not in CISA KEV.

Authentication Bypass PHP Prospero Flow Crm
NVD GitHub
CVSS 7.6
HIGH PATCH This Week

Stored cross-site scripting in EasyAdminBundle (Symfony admin generator) versions 5.0.0 through 5.0.12 allows a lower-privileged user with access to a form using FileField or ImageField to upload a browser-executable .html or .svg file that EasyAdmin then links to inline, executing attacker-controlled JavaScript in a viewing administrator's authenticated session. Impact includes session/CSRF-token theft and privilege escalation; it is explicitly NOT remote code execution because filenames come from Symfony's guessExtension(). There is no public exploit identified at time of analysis and it is not in CISA KEV; a vendor patch is available in 5.0.13.

XSS Privilege Escalation PHP +2
NVD GitHub
CVSS 9.1
CRITICAL Act Now

Arbitrary file write in Anyquery Server Mode (versions < 0.4.5) allows unauthenticated remote attackers to write files to any path the process can access by abusing SQLite's native ATTACH DATABASE command exposed over the MySQL-compatible listener. Because the server blindly proxies SQL to the underlying SQLite engine, an attacker can create files such as cron jobs, PHP web shells, or SSH authorized_keys and escalate the file write into remote code execution or denial of service. A working step-by-step proof-of-concept is published in the vendor's GitHub Security Advisory (GHSA-xrcf-6jh3-ggvx); there is no CISA KEV entry and no confirmed in-the-wild exploitation at time of analysis.

RCE Denial Of Service Path Traversal +1
NVD GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

A vulnerability was identified in SourceCodester Class and Exam Timetabling System 1.0. Affected by this vulnerability is an unknown functionality of the file /exam.php. Such manipulation of the argument day leads to cross site scripting. It is possible to launch the attack remotely. The exploit is publicly available and might be used.

PHP XSS Class And Exam Timetabling System
NVD VulDB GitHub
CVSS 3.5
LOW Monitor

{ $items = []; foreach ($this->variantes() as $item) { $match = $item->{$this->match}; $description = Tools::textBreak($item->description(), 300); ... $items[] = '<tr class="clickableRow" onclick="widgetVarianteSelect(\'' . $this->id . '\', \'' . $match . '\');">' . '<td class="text-center">' ... ``` `$this->match` defaults to `'referencia'` (`WidgetVariante::__construct`, line 42). `$item->referencia` was sanitised at write time by `Variante::test()` (`Core/Model/Variante.php:392`) which calls `Tools::noHtml($this->referencia)`. `Tools::noHtml` (`Core/Tools.php:499-504`) replaces `'`, `"`, `<`, `>` with `&#39;`, `&quot;`, `&lt;`, `&gt;`. The defender therefore expects that any apostrophe a user typed becomes `&#39;` in the database, which renders inside the `onclick` attribute as `&#39;` and cannot break out of the surrounding `'...'` JS string literal. `Core/Lib/Widget/WidgetSubcuenta.php:290-305` has the identical shape: ```php foreach ($this->subcuentas() as $item) { $match = $item->{$this->match}; ... $items[] = '<tr class="clickableRow" onclick="widgetSubaccountSelect(\'' . $this->id . '\', \'' . $match . '\');">' . '<td class="text-center">' . '<a href="' . $item->url() . '" target="_blank" onclick="event.stopPropagation();">' ... ``` `$this->match` defaults to `'codsubcuenta'`; the value is `Tools::noHtml`-encoded by `Subcuenta::test()` (`Core/Model/Subcuenta.php:213`). Per the HTML5 spec (and what every browser actually does), the value of an HTML attribute is processed by the **character reference state** of the tokenizer before any consumer sees it. By the time the `onclick` attribute value reaches the script engine, the bytes inside are the *decoded* string. Concretely, the HTML the browser receives is: ```html <tr onclick="widgetVarianteSelect('id', '1&#39;,alert(1),&#39;2');"> ``` After the tokenizer decodes `&#39;` to `'`, the JavaScript fragment passed to the script engine is: ```javascript widgetVarianteSelect('id', '1',alert(1),'2'); ``` `alert(1)` runs as a third positional argument that JavaScript happily evaluates while building the call. The `widgetVarianteSelect` function ends up being called with four arguments and the side-effect of `alert(1)` (or any payload) has already occurred. The recent `40bc701` AccountingModalHTML and `8586b97` SalesModalHTML / PurchasesModalHTML fix recognised this. Both replaced the `onclick="...('"+ value +"')"` pattern with: ```php $tbody .= '<tr ... data-subaccount="' . $code . '" onclick="$(...).modal(\'hide\');' . ' return newLineAction(this.dataset.subaccount);">' ``` Where `$code = static::html($subaccount->codsubcuenta)` and `static::html` is `htmlspecialchars(html_entity_decode($text, ENT_QUOTES | ENT_HTML5, 'UTF-8'), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')`. The HTML5 entity decode is deliberate: it normalises any double-encoded data so that the subsequent `htmlspecialchars` produces stable single-encoded output. The JavaScript then reads the value from `this.dataset.*`, which is the post-decoded attribute value, where the original quote is now literally inside a string property and cannot break out of any quote context. `WidgetSubcuenta` and `WidgetVariante` were not migrated to this pattern. `Variante::test()` (`Core/Model/Variante.php:389-401`) accepts up to 30 characters in `referencia`. The minimum payload is 13 bytes (`1',alert(1),'2`), comfortably under the limit. The `Tools::noHtml` pass during `test()` produces the stored form `1&#39;,alert(1),&#39;2`, which is 22 bytes. Three plant primitives are practical: 1. **Direct create** via `EditProducto?action=save` with the attacker-controlled `referencia` field. Because `EditProducto` is exposed to any user with the `EditProducto` permission (which roles like *sales agent* and *warehouse manager* commonly carry), this is a within-tenant primitive: a low-privilege salesperson plants the payload, an admin opens any sales document and clicks the variant picker. 2. **DB write** by anyone with raw SQL access (DBA or shared-hosting admin). `INSERT INTO variantes (referencia, ...) VALUES ('1\',alert(1),\'2', ...)`. This is what I used for the live test; the plant is permanent until the row is deleted. 3. **Plugin / API import.** `ApiAttachedFiles` and the various import endpoints allow a low-privilege API key to land arbitrary `referencia` values that bypass the `EditProducto` `permissions->onlyOwnerData` filter. For `WidgetSubcuenta`, the `codsubcuenta` field is constrained to the exercise's `longsubcuenta` length (10 by default), and the regex-free `Tools::noHtml` pass turns one apostrophe into 5 bytes (`&#39;`), so the post-noHtml string must equal the configured length exactly. A 5-byte payload (`1','` is 4) plus padding is workable for compact bypass payloads such as `'+x+'` (where `x` is a previously-loaded global). DB-write planting (primitive 2) bypasses the length check entirely. The fix wave centred on the `Lib/AjaxForms/*ModalHTML.php` files. Both audited widgets live in `Lib/Widget/` and look superficially safe to a reviewer because every value is `Tools::noHtml`-escaped at storage. The actual decoding step happens inside the browser, not the PHP code, so the defect is not visible in a `grep`-based review of the PHP source unless the reviewer specifically looks for `onclick="...('+ $field +')'` shapes that put a `Tools::noHtml`-escaped value in a JavaScript string position inside an HTML attribute. > **Live PoC verified 2026-05-01** against `http://127.0.0.1:8081/` running facturascripts at commit `24281ca`. A `Variante.referencia` value of `1',alert(1),'2` (planted via raw DB write below) renders inside `widgetVarianteSelect('0', '1&#39;,alert(1),&#39;2');` in the modal grid; opening the variant-picker modal in any user's browser (low-priv or admin) fires `alert(1)` from the host page's realm. Setup: the admin session at `http://127.0.0.1:8081/` is at `/tmp/fs-cookie2`. Step 1 - plant the payload (any of the three primitives works). DB-write primitive: ```bash mysql -h127.0.0.1 -ufs -pfs facturascripts <<'SQL' INSERT INTO productos (referencia, descripcion, codimpuesto, sevende, secompra, bloqueado, nostock, publico, stockfis, ventasinstock, observaciones) VALUES ('XSSPRD', 'XSS via WidgetVariante', 'IVA21', 1, 1, 0, 1, 0, 0, 1, ''); INSERT INTO variantes (referencia, idproducto, precio, coste, margen, stockfis, codbarras) SELECT "1',alert('XSS-WidgetVariante'),'2", idproducto, 0, 0, 0, 0, '' FROM productos WHERE referencia='XSSPRD'; SQL ``` After the insert, `Variante::test()` did not run (the row was created via SQL), so the literal `'` survives. Even via the EditProducto UI primitive, the round trip through `Tools::noHtml` produces the encoded form `1&#39;,alert(...),&#39;2` which decodes back to the working payload at render time. Step 2 - open any controller that uses WidgetVariante with the default `match` (or any third-party plugin form that does so). Core ships two views (`Core/XMLView/EditAgente.xml`, `Core/XMLView/ListAgente.xml`) but both override `match="idproducto"`, so they are not exposed in stock core. Any plugin form that uses `<widget type="variante" .../>` without an explicit `match` attribute opts into the vulnerable code path. Trigger the variant-picker modal: ```bash $ curl -s -b /tmp/fs-cookie2 "http://127.0.0.1:8081/EditAgente?code=1" \ | grep -oE 'widgetVarianteSelect[^<>]{1,200}' | head -3 ``` When the modal renders `match=referencia`, the row in the response contains: ```html <tr class="clickableRow" onclick="widgetVarianteSelect('0', '1&#39;,alert(&#39;XSS-WidgetVariante&#39;),&#39;2');"> ``` The browser HTML-decodes the attribute value before passing it to the script engine, yielding the actual JavaScript `widgetVarianteSelect('0', '1',alert('XSS-WidgetVariante'),'2');`. The `alert` fires the moment the attribute is parsed for execution (i.e., when the user clicks the row, or when an automation script triggers the click programmatically), and the host realm's session, cookies, and CSRF tokens are exposed to the payload. For `WidgetSubcuenta`, the payload trigger is identical: any controller with `<widget type="subcuenta" fieldname="codsubcuentaXxx"/>` (`Core/XMLView/EditProducto.xml`, `EditCuentaBanco.xml`, `EditFamilia.xml`, `EditImpuesto.xml`, `EditRetencion.xml` are the in-tree consumers) renders the modal with `widgetSubaccountSelect('id', '<HTML-decoded codsubcuenta>')`. A `codsubcuenta` row planted with one apostrophe and five bytes of payload escapes the JS string and runs in the host page. * **Stored XSS in any user's browser the moment they open a product or subaccount picker.** The execution context is the host page, with full access to the viewer's session, CSRF tokens, and the running application. From an admin viewer's perspective the payload achieves admin compromise (install plugins, change passwords); from a normal user's perspective it can be used to exfiltrate the user's data and pivot. * **Within-tenant escalation primitive.** `EditProducto` is a routinely granted role permission. A salesperson, warehouse user, or a plugin-supplied controller without `admin` rights can plant a payload that fires in admin's browser the next time admin opens any sales document and clicks the variant picker. * **Sister vulnerability to the `40bc701` / `8586b97` fix wave.** The maintainers already understand and have fixed the same anti-pattern in three sister classes; these two were missed and remain exploitable. CVSS reasoning: `AV:N`, `AC:L` (one DB or one form POST plant), `PR:H` (the planter must be authenticated and have either `EditProducto` or DB write or import-API access; with weaker roles the payload is also reachable), `UI:R` (the victim opens a form that renders the modal and triggers a click), `S:U` (the impact stays within the application), `C:L I:L A:N` (the viewer's session and CSRF token are exposed; integrity loss bounded by viewer's role). Score 4.8. Mirror the `40bc701` and `8586b97` fix exactly. In both `Core/Lib/Widget/WidgetVariante.php:321` and `Core/Lib/Widget/WidgetSubcuenta.php:296`, replace: ```php $items[] = '<tr class="clickableRow" onclick="widgetVarianteSelect(\'' . $this->id . '\', \'' . $match . '\');">' ``` with the data-attribute pattern that the modal helpers now use: ```php $encMatch = htmlspecialchars( html_entity_decode((string)$match, ENT_QUOTES | ENT_HTML5, 'UTF-8'), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' ); $items[] = '<tr class="clickableRow" data-match="' . $encMatch . '"' . ' onclick="widgetVarianteSelect(\'' . $this->id . '\', this.dataset.match);">' ``` (and the analogous change for `widgetSubaccountSelect`). The same approach should be applied to: * `WidgetSubcuenta::renderExerciseFilter` (`Core/Lib/Widget/WidgetSubcuenta.php:251-255`) where `$item->codejercicio` is interpolated into `<option value="...">`. Codes are short and predictable but the same escaping consideration applies for defence in depth. * `WidgetVariante::renderManufacturerFilter` (line 213) and `renderFamilyFilter` (line 197). Long term, the `BaseWidget::onclickHtml` and `inputHtml` builders (`Core/Lib/Widget/BaseWidget.php:163-167`, `234-239`, `273-283`) likewise concatenate `$this->value` into HTML attributes without context-aware escaping. Migrating them to use Twig (or at least `htmlspecialchars` with `ENT_QUOTES`) closes a class of bugs that today rely on every model's `test()` to be defensive. A regression test should plant a `Variante.referencia` of `1',alert(1),'2`, render the page through the live HTTP stack, and assert that no JavaScript dialog fires (e.g. via Playwright `page.on('dialog', ...)`).

PHP CSRF XSS
NVD GitHub
CVSS 8.0
HIGH This Week

Stored CSV formula injection in FacturaScripts (all versions through 2026.1) lets an authenticated low-privilege user plant spreadsheet formula payloads in ordinary text fields (customer/supplier/product names, contacts) that execute when an administrator opens a routine list export. Because Core/Lib/Export/CSVExport.php::writeData() wraps values without neutralising leading =,+,-,@,tab, or carriage-return characters, and Tools::noHtml() only strips HTML metacharacters, the payload reaches the CSV verbatim and Excel/LibreOffice run it (including DDE process spawning) in the admin's OS context. A live PoC was verified on 2026-04-30, so publicly available exploit code exists, though there is no active exploitation confirmed (not in CISA KEV).

PHP CSRF Microsoft +2
NVD GitHub
CVSS 7.5
HIGH This Week

Unauthenticated arbitrary file read in FacturaScripts (all versions through v2026.2) lets remote attackers retrieve protected documents by abusing the static file controllers Files.php and Myfiles.php, which authorize requests on the raw URL prefix rather than the resolved filesystem path. A request such as /Plugins/../MyFiles/Private/invoice.pdf passes the prefix allow-list yet resolves to a private file, leaking customer/supplier invoices, attachments, and .sql database backups. A detailed, reproducible exploit is publicly available in the GitHub Security Advisory; there is no vendor-released patch identified at time of analysis and no evidence of active exploitation.

Apache PHP Canonical +2
NVD GitHub
CVSS 9.9
CRITICAL Act Now

Cross-resource SQL injection in the FacturaScripts REST API (all versions through 2026.1) lets a low-privileged, scoped ApiKey read or modify arbitrary database tables via the `filter` query parameter, enabling full admin account takeover. A single GET request with a parenthesized filter key leaks the admin's bcrypt password hash and `logkey` session token, which are then replayed as the `fsLogkey` cookie to reach admin-only endpoints like `/AdminPlugins`. A live end-to-end PoC was verified on 2026-04-30, so publicly available exploit code exists, though there is no public exploit identified as being used in active attacks (not in CISA KEV).

Oracle SQLi PHP +2
NVD GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

A vulnerability was detected in SourceCodester Simple and Nice Shopping Cart Script 1.0. This vulnerability affects unknown code of the file /admin/userproductdeletequery.php. Performing a manipulation of the argument user_id results in sql injection. It is possible to initiate the attack remotely. The exploit is now public and may be used.

SQLi PHP Simple And Nice Shopping Cart Script
NVD VulDB GitHub
EPSS 0% CVSS 2.0
LOW POC Monitor

Path traversal in DedeCMS 5.7.118's Album Publishing Feature allows remote attackers with administrative credentials to read or write files outside the intended extraction directory by manipulating the `filename` argument passed to the `ExtractFile` function in `include/zip.class.php`. A public proof-of-concept exploit has been released on GitHub, lowering the skill bar for exploitation, though no active exploitation has been confirmed in the CISA KEV catalog. The CVSS 4.0 score of 5.1 with PR:H reflects the high privilege requirement, which materially limits the exposed attack surface to authenticated admin-level sessions.

Path Traversal PHP Dedecms
NVD VulDB GitHub
EPSS 0% CVSS 3.1
LOW PATCH Monitor

OAuth provider rebinding in Easy!Appointments prior to version 1.6.0 allows any authenticated backend user - including low-privilege secretary and provider roles - to silently hijack a peer provider's Google Calendar integration by supplying an arbitrary provider_id to the OAuth initiation endpoint. The attacker completes a legitimate Google OAuth flow with their own Google account, which the application then binds to the victim provider's database row without verifying ownership. From that point forward, every appointment on the victim's schedule syncs to the attacker's Google Calendar, leaking customer names and email addresses as attendee data. No public exploit has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.

Google Authentication Bypass PHP +1
NVD GitHub
EPSS 0% CVSS 2.7
LOW PATCH Monitor

Server-side request forgery in Easy!Appointments prior to 1.6.0 allows authenticated backend users - admins, providers, or secretaries - to probe internal network hosts by supplying arbitrary URLs to the CalDAV synchronization endpoint. The Guzzle HTTP client in `Caldav.php:60` forwards a REPORT request to the caller-supplied `caldav_url` without validating the scheme or destination host, enabling access to loopback, RFC1918, and link-local addresses on the deployment network. The SSRF is semi-blind, returning up to approximately 120 bytes of upstream response body through the exception path; no public exploit has been identified, exploitation requires an active backend account, and version 1.6.0 resolves the issue.

SSRF PHP Easyappointments
NVD GitHub
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

The reschedule endpoint in Easy!Appointments 1.5.2 and earlier exposes the complete customer database record to any party holding the 12-character appointment hash, with no authentication check and no field whitelisting on the ea_users row. These hashes are deliberately distributed to customers in reschedule emails, embedded in confirmation page URLs, and visible in operator calendar links, which means the effective attacker pool is anyone who has ever received or forwarded a booking email. The fix is available in version 1.6.0 per the GitHub security advisory; no public exploit code and no CISA KEV listing have been identified at time of analysis.

PHP Information Disclosure Easyappointments
NVD GitHub
EPSS 0% CVSS 2.0
LOW POC Monitor

Cross-site scripting in code-projects Online Job Portal 1.0 allows a remote, low-privileged attacker to inject malicious JavaScript via the /Admin/DetailJob.php endpoint, which executes in the browser of any user who views the affected page. The CVSS 4.0 vector (PR:L/UI:P) confirms that exploitation requires an authenticated session and passive victim interaction, constraining but not eliminating real-world risk. A public proof-of-concept has been disclosed on GitHub; no patch from the vendor has been identified at time of analysis.

PHP XSS Online Job Portal
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

Unrestricted file upload in code-projects Online Job Portal 1.0 exposes unauthenticated remote attackers to arbitrary file upload via the txtFile parameter in /JobSeekerInsert.php, enabling likely webshell deployment and subsequent server-side code execution. A public proof-of-concept exploit exists (no KEV listing), substantially lowering the exploitation barrier for any internet-exposed instance. The CVSS 4.0 impact metrics are conservatively rated Low across C/I/A, which understates the realistic post-exploitation potential of an unrestricted PHP file upload - successful webshell placement typically yields full OS command execution in the web server process context.

PHP File Upload Online Job Portal
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in code-projects Online Job Portal 1.0 exposes the /Admin/DeleteUser.php endpoint to unauthenticated remote database manipulation. An attacker can craft HTTP requests that inject arbitrary SQL, enabling data extraction, modification, or deletion from the underlying database. A public proof-of-concept exploit exists (GitHub: shihuizhang-dazhi/MY-CVE/issues/4), lowering the bar for exploitation; this vulnerability is not currently listed in CISA KEV.

SQLi PHP Online Job Portal
NVD VulDB GitHub
EPSS 0% CVSS 8.1
HIGH POC PATCH This Week

Unauthenticated PHP object injection in the Newsletters WordPress plugin before 4.15 lets remote attackers deserialize attacker-controlled data submitted through a public-facing form, then leverage a property-oriented gadget chain bundled inside the plugin itself to write arbitrary files and achieve remote code execution on the host. Publicly available exploit code exists (published via WPScan), though there is no public exploit identified as being used in active attacks and the flaw is not listed in CISA KEV. The self-contained gadget chain removes the usual dependency on third-party gadgets, making reliable exploitation notably more achievable than typical POI bugs.

PHP WordPress Deserialization +1
NVD WPScan
EPSS 0% CVSS 9.6
CRITICAL POC Act Now

Arbitrary file deletion in the Word Count and Social Shares WordPress plugin (versions through 1.0) lets any authenticated low-privilege user, including a Subscriber, delete any file the web server can reach because the plugin neither validates the supplied file path nor enforces authorization or CSRF protection. Deleting critical files such as wp-config.php can trigger WordPress's setup/installation flow and enable a full site takeover. Publicly available exploit code exists (reported by WPScan); there is no public exploit identified as actively used, and the issue is not on the CISA KEV list.

PHP CSRF WordPress +1
NVD WPScan
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in code-projects Online Job Portal 1.0 exposes the /Admin/EditUser.php endpoint to remote database manipulation via the unsanitized UserId parameter. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) classifies this as remotely exploitable with no authentication or interaction required, though the Admin path location raises questions about actual auth gating in practice. A public exploit exists (E:P confirmed in CVSS 4.0 and via GitHub issue), lowering the skill bar for exploitation considerably; this CVE is not currently listed in CISA KEV.

SQLi PHP Online Job Portal
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

SQL injection in itsourcecode Electronic Judging System 1.0 exposes the admin panel endpoint /intrams/admin/add_judges.php to database manipulation via the unsanitized `fname` parameter. Authenticated remote attackers can craft malicious input to read, alter, or potentially enumerate backend database contents. A publicly available proof-of-concept exploit exists on GitHub, though the vulnerability is not listed in CISA KEV and carries a CVSS 4.0 base score of 2.1 (Low), reflecting the authenticated access prerequisite and limited-scope CIA impact.

SQLi PHP Electronic Judging System
NVD VulDB GitHub
MEDIUM PATCH This Month

Privilege escalation in Kimai time-tracking software (<=2.57.0) allows authenticated TEAMLEAD users to create and modify global export templates that are intended to be administrator-only resources. The web controller routes `createExportTemplate` and `editExportTemplate` in `ExportController` inherit only the class-level `create_export` permission - granted to ROLE_TEAMLEAD - while the API endpoints and UI correctly enforce the stricter `create_export_template` permission restricted to ROLE_ADMIN and ROLE_SUPER_ADMIN. Because ExportTemplate entities have no per-user or per-team scoping, a TEAMLEAD can silently alter organization-wide export configurations affecting all users including administrators. No public exploit is confirmed at time of analysis, though a private PoC was submitted to the vendor and subsequently removed.

PHP Authentication Bypass
NVD GitHub
MEDIUM PATCH This Month

Improper authorization in Kimai's Team API endpoints allows an authenticated Teamlead to add users and activities to their team that fall outside their intended management scope, bypassing the access boundaries enforced by the frontend. Affected versions are Kimai <= 2.57.0 (composer package kimai/kimai). A proof-of-concept was reportedly created but withheld; no public exploit code is currently available and this vulnerability is not listed in CISA KEV. Once a Teamlead writes an out-of-scope team relation, downstream authorization logic may treat those relations as legitimate, silently expanding access to time entries, project visibility, and reporting for the affected users and activities.

PHP Authentication Bypass
NVD GitHub
MEDIUM PATCH This Month

Cross-site request forgery in Kimai's timesheet API allows an unauthenticated attacker to trigger unauthorized state changes against any logged-in victim by embedding malicious GET requests in attacker-controlled pages. Kimai versions up to and including 2.57.0 expose the `stop` and `restart` timesheet operations as HTTP GET routes, which browsers will follow automatically using the victim's active session cookie - no CSRF token is required. Impact is limited to timesheet data integrity and availability (corrupted time records, unauthorized entries, billing distortion), not system compromise; no public exploit is confirmed at time of analysis, and no active exploitation has been reported by CISA KEV.

PHP CSRF
NVD GitHub
MEDIUM PATCH This Month

Permission revocation bypass in Kimai's timesheet restart and duplicate workflows allows authenticated users to create new database-persisted time entries under projects they no longer have access to. Affecting Kimai up to and including version 2.57.0, the flaw exists because `TimesheetVoter.php` evaluates the `*_own_timesheet` ownership branch before team-based access checks, meaning a historical timesheet entry acts as a durable capability token that survives administrative revocation. No public exploit is available - a PoC was reportedly submitted to the project and then redacted - and this vulnerability is not listed in CISA KEV.

PHP Authentication Bypass
NVD GitHub
MEDIUM PATCH This Month

Improper object-level authorization in Kimai 2.56.0 allows any authenticated user holding the generic `create_activity` permission to inject Activity records into projects outside their authorized scope by directly invoking the preset-project creation routes with an arbitrary project ID. The controllers in `ActivityController.php` and `ProjectController.php` validate only the global capability (can the user create activities at all?) without performing a secondary check that the user also has edit rights on the specific target project. No public exploit exists at time of analysis, though a PoC was privately shared with the vendor and subsequently removed; the vendor has released a fix in version 2.57.0.

PHP Authentication Bypass
NVD GitHub
MEDIUM PATCH This Month

Broken object-level authorization in Kimai's Timesheet API (versions <= 2.56.0) allows any authenticated user with the default ROLE_USER permission to reassign their own timesheet entries to arbitrary project IDs in the database - including projects belonging to teams or customers they have no membership in. The root cause is an unconditional OR branch in the Symfony EntityType query_builder that matches any submitted project ID before team-ACL predicates are evaluated; the TimesheetVoter further compounds this by checking only timesheet ownership, never the destination project's access controls. A proof-of-concept was disclosed with the advisory (later redacted); no active exploitation has been confirmed via CISA KEV.

PHP Authentication Bypass
NVD GitHub
MEDIUM PATCH This Month

{id}` correctly enforces teamlead validation through `TimesheetVoter`, but the collection endpoint `GET /api/timesheets?user=<id>` omits this check entirely, creating an inconsistent authorization model (CWE-863) that allows horizontal privilege escalation within the application. A private proof-of-concept was confirmed during responsible disclosure but has not been made public; the vendor-released fix is Kimai 2.57.0.

PHP Authentication Bypass
NVD GitHub
CRITICAL POC PATCH Act Now

Complete account takeover in FacturaScripts (<= 2026.2) lets an unauthenticated network attacker hijack any 2FA-enabled account, including admins, by brute-forcing the /login?action=two-factor-validation endpoint. The handler issues a full session cookie on a matching TOTP without verifying the password, requiring a CSRF token, or enforcing any rate limit, and an over-wide verification window keeps ~17 codes valid at once. Publicly available exploit code exists (a working Python PoC in the GitHub advisory GHSA-c67f-gmxw-mj93); no active exploitation has been reported in CISA KEV.

PHP Python Authentication Bypass +1
NVD GitHub
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Path-traversal privilege escalation in Cockpit CMS Bucket file storage API (before 2.14.0) lets an authenticated low-privileged user bypass per-bucket isolation by supplying a '../' bucket name, granting cross-bucket read, upload, and delete over all files regardless of owner or role. The flaw stems from an incomplete sanitization regex that strips dangerous characters but preserves dot sequences, which Flysystem then normalizes down to the storage root. No public exploit is identified at time of analysis, though a proof-of-concept gist is referenced; the issue was reported by VulnCheck and a vendor patch is available.

PHP Path Traversal Cockpit Cms
NVD GitHub VulDB
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Broken access control in Cockpit CMS's Bucket file storage API (/system/buckets/api) lets any authenticated user, regardless of assigned role, execute all bucket file operations (list, upload, delete, rename, create folder) against any named bucket - including admin-only buckets. VulnCheck reported the flaw and publicly available exploit code exists (proof-of-concept gist), but there is no evidence of active exploitation. With a CVSS 4.0 score of 8.7 and full confidentiality/integrity/availability impact on stored files, it enables privilege escalation of file-storage capabilities across tenant boundaries within the CMS.

PHP Authentication Bypass Cockpit Cms
NVD GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in SourceCodester Class and Exam Timetabling System 1.0 exposes the `/edit_exam2.php` endpoint to remote unauthenticated database manipulation via the unsanitized `ID` parameter. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms exploitation requires no authentication, no user interaction, and no special preconditions, making this trivially exploitable over the network. A public exploit has been released on GitHub (no public exploit identified at time of analysis for KEV, but publicly available exploit code exists per POC data), and while the vulnerability is not listed in the CISA KEV catalog, the zero-friction attack path elevates real-world risk above what the moderate 5.5 CVSS score might suggest.

SQLi PHP Class And Exam Timetabling System
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

Cross-site scripting in SourceCodester Class and Exam Timetabling System 1.0 exposes users to script injection via the unvalidated `subject` parameter in `/subject.php`, exploitable remotely by unauthenticated attackers. A publicly available proof-of-concept exists on GitHub, confirming practical exploitability with minimal attacker skill. No CISA KEV listing is present; the CVSS 4.0 score of 5.3 reflects limited integrity impact constrained by required user interaction, though POC availability meaningfully elevates real-world risk above the raw score suggests.

PHP XSS Class And Exam Timetabling System
NVD VulDB GitHub
EPSS 0% CVSS 7.0
HIGH This Week

Reflected Cross-Site Scripting in ChurchCRM before 7.4.0 lets remote attackers inject JavaScript through unsanitized request parameter names and values reflected into JavaScript-string and HTML-attribute contexts on endpoints such as /FamilyCustomFieldsEditor.php, /PaddleNumList.php, and /admin/system/church-info. When a victim (especially an administrator) follows a crafted link, the payload executes in their session, enabling session-token theft, account takeover, and exposure of church member data. No public exploit identified at time of analysis, and the CVSS 4.0 vector (PR:N/UI:A) indicates unauthenticated triggering but requires victim interaction.

PHP Privilege Escalation XSS +1
NVD GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

Reflected cross-site scripting in SourceCodester Class and Exam Timetabling System 1.0 allows remote unauthenticated attackers to inject arbitrary JavaScript via the unsanitized `subject` parameter in `/forsubject.php`. A victim user must interact with a crafted URL for the payload to execute in their browser. A public proof-of-concept exploit is available on GitHub, increasing the likelihood of opportunistic exploitation against deployed instances.

PHP XSS Class And Exam Timetabling System
NVD VulDB GitHub
EPSS 0% CVSS 9.1
CRITICAL Act Now

Remote code execution in ChurchCRM before 7.4.0 lets an authenticated administrator run arbitrary PHP on the server by installing a plugin ZIP that contains a webshell. Because 'php' is explicitly whitelisted in ALLOWED_EXTENSIONS and the DENIED_EXTENSIONS denylist fails to catch standard .php files, any PHP file inside the archive is extracted directly under the web root and becomes immediately executable over HTTP without the plugin ever being enabled. The /plugins/install-url route additionally allows the archive to be sourced from any attacker-controlled HTTPS URL, validated only against an attacker-supplied SHA-256 hash. No public exploit identified at time of analysis and it is not on CISA KEV.

PHP File Upload RCE +1
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM This Month

Authorization bypass in ChurchCRM prior to version 7.4.0 exposes the full congregation member directory to any low-privileged authenticated user via the unprotected POST /CSVCreateFile.php endpoint. The endpoint streams a CSV containing complete PII for every Person and Family record in the database without performing a dedicated function-level authorization check, relying instead on a legacy coarse gate that any single non-admin permission flag satisfies. No public exploit has been identified at time of analysis, but the trivially low exploitation barrier - any valid low-privilege account - makes this a high-priority remediation for organizations managing sensitive congregation data.

PHP Authentication Bypass Crm
NVD GitHub
EPSS 0% CVSS 4.3
MEDIUM This Month

Sensitive information exposure in the Smart Slider 3 WordPress plugin (all versions up to and including 3.5.1.37) allows authenticated Contributor-level users to extract titles and full content excerpts of private, draft, pending, trashed, and auto-draft posts belonging to any user on the site - including Administrators and Editors - via the unsecured 'keyword' Ajax parameter. The attack barrier is further lowered because the required nonce is automatically emitted on /wp-admin/post-new.php, a page accessible to any Contributor by default through the edit_posts capability, making nonce acquisition trivial. No public exploit code and no confirmed active exploitation (CISA KEV) have been identified at time of analysis.

PHP Information Disclosure WordPress +1
NVD
EPSS 1% CVSS 7.7
HIGH PATCH This Week

Remote code execution in the plank/laravel-mediable package before 7.0.0 lets attackers upload a double-extension file such as shell.php.jpg that passes all MIME, extension, and aggregate-type validation because of the trailing .jpg, yet retains an inner .php in its stored basename. On Apache/nginx servers misconfigured to execute any filename containing .php, the stored artifact runs as PHP. Reported by VulnCheck with a vendor patch in 7.0.0; there is no public exploit identified at time of analysis and it is not listed in CISA KEV.

PHP Nginx RCE +3
NVD GitHub
CVSS 7.2
HIGH POC PATCH This Week

Server-side request forgery in NukeViet CMS before 4.6.00 lets a remote unauthenticated attacker coerce the server into issuing outbound HTTP requests to an arbitrary host by spoofing the X-Forwarded-Host and X-Forwarded-Proto headers, which flow unvalidated into the cURL URL built by server_info_update(). Because the __serverInfoUpdate=1 POST handler in includes/ini.php runs before authentication, no credentials are needed. The flaw is blind, HEAD-only and uses a fixed request path, so its practical value is internal host/port discovery and poisoning of the cached server_headers rather than data exfiltration; no public exploit beyond the advisory PoC is identified and it is not in CISA KEV.

Canonical PHP SSRF
NVD GitHub
CVSS 8.7
HIGH PATCH This Week

Arbitrary file deletion in NukeViet CMS (versions before 4.6.00) allows an authenticated administrator to permanently delete any file within the web application root via a path-traversal payload in the comment Edit function. By padding the POST 'attach' parameter with exactly 26 filler characters followed by '../../<target>', an attacker survives the naive substr() prefix-stripping and stores a traversal path in the database; deleting the comment then removes the referenced file (e.g. config.php), forcing the site into the install wizard and causing a full outage. No public exploit identified at time of analysis, though the GitHub Security Advisory (GHSA-c9xg-64p9-f2jj) includes a full working reproduction.

PHP Path Traversal
NVD GitHub
CVSS 8.7
HIGH POC PATCH This Week

Stored cross-site scripting in the NukeViet CMS News module (versions before 4.6.00) lets any authenticated user with news-posting permission persist arbitrary JavaScript that runs in the browser of every visitor, including administrators. Two independent filter bypasses defeat the built-in anti-XSS routines in NukeViet\Core\Request: a Form Feed (\x0C) prefix slips event-handler attributes past the /^on/ check, and a decimal HTML-entity tab (&#9;) smuggles a javascript: URI past the keyword filter. Publicly available exploit payloads exist in the vendor advisory; there is no evidence of active exploitation and no EPSS figure was supplied.

PHP Privilege Escalation XSS
NVD GitHub
CVSS 8.7
HIGH POC PATCH This Week

Stored cross-site scripting in NukeViet CMS 4.x through 4.5.08 lets a low-privileged authenticated member embed a JavaScript payload in their profile display name (first_name/last_name), which then executes when any visitor - including administrators - clicks the Reply/Answer link on that member's comment. The flaw stems from HTML-entity encoding being applied where JavaScript-string escaping is required, so the payload runs in the victim's session context and can drive admin session actions, credential phishing, and data exfiltration. Publicly available exploit code exists (a working PoC is published in the GHSA advisory), though there is no public exploit identified as actively used in the wild.

PHP Privilege Escalation XSS
NVD GitHub
CVSS 8.2
HIGH PATCH This Week

Reflected cross-site scripting in the Comment module of NukeViet CMS (versions before 4.5.09) lets remote unauthenticated attackers execute arbitrary JavaScript in a victim's browser via a crafted URL. The status_comment parameter carries base64-encoded HTML that is decoded server-side and rendered unescaped, while a second flaw makes the checkss anti-forgery token static and site-wide, removing the only barrier to URL-based delivery. No public exploit identified at time of analysis, though the advisory documents a confirmed proof-of-concept credential-phishing overlay.

PHP XSS
NVD GitHub
EPSS 1% CVSS 9.3
CRITICAL Act Now

Remote code execution in ThemisNETPanel (vendor 4real) allows unauthenticated network attackers to fully compromise the underlying server by abusing a file-upload endpoint that lacks any authentication check. An attacker submits a base64-encoded PHP payload, writes it as an arbitrary PHP file, and executes it in the web application's context. Reported by CERT-PL with a CVSS 4.0 base score of 9.3; no public exploit identified at time of analysis and it is not listed in CISA KEV.

Authentication Bypass File Upload RCE +2
NVD
EPSS 2% CVSS 9.3
CRITICAL POC Act Now

Remote OS command execution in Vitec Flamingo 4.12.2 lets unauthenticated attackers run arbitrary commands as root through the admin/ajax/gen_graphs.php graph-generation endpoint. The start, end, key, and format GET parameters are passed unsanitized into a PHP passthru() shell call, and because the web server runs with passwordless sudo the impact escalates to full root compromise. Publicly available exploit code exists (VulnCheck), though there is no CISA KEV listing, so this is a high-priority, easily weaponizable flaw.

Command Injection PHP Flamingo
NVD
EPSS 1% CVSS 9.3
CRITICAL POC Act Now

Unauthenticated OS command injection in Vitec Flamingo 4.12.2 (IPTV distribution) lets remote attackers run arbitrary commands as root through the admin/ajax/ping.php endpoint. The flaw stems from a double-evaluation bug where a system wrapper re-uses the decoded, un-escaped host value in a second shell call executed via passwordless sudo. Publicly available exploit code exists (VulnCheck); no active exploitation is confirmed in CISA KEV at time of analysis.

Command Injection PHP Flamingo
NVD
EPSS 0% CVSS 2.1
LOW POC Monitor

SQL injection in CodeAstro Simple Online Leave Management System 1.0 exposes the admin accept handler to database manipulation by low-privilege authenticated remote attackers via the `appid` POST parameter in `/SimpleOnlineLeave/admin/accept.php`. The CVSS 4.0 vector (PR:L, VC:L/VI:L/VA:L) indicates constrained but real impact against the vulnerable system's database, with confidentiality, integrity, and availability all partially compromised. A public exploit is available on GitHub and the E:P evidence tag in the CVSS 4.0 vector corroborates this - however, no CISA KEV listing exists, meaning active exploitation at scale is not confirmed at time of analysis.

SQLi PHP Simple Online Leave Management System
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

SQL injection in CodeAstro Simple Online Leave Management System 1.0 allows authenticated remote attackers to manipulate backend database queries via the 'ID' parameter in /SimpleOnlineLeave/admin/deletemp.php. The CVSS 4.0 vector (PR:L) indicates low-privilege authenticated access is sufficient to trigger the flaw, and a public proof-of-concept exploit has been disclosed on GitHub. Impact is assessed as low across confidentiality, integrity, and availability, consistent with the CVSS 4.0 score of 2.1, though the underlying SQL injection primitive could theoretically be chained to extract or corrupt database content.

SQLi PHP Simple Online Leave Management System
NVD VulDB GitHub
EPSS 0% CVSS 7.5
HIGH This Week

Local File Inclusion in the Select-Themes "Tonda" WordPress theme (all versions through 2.5) lets an authenticated attacker with low privileges coerce a PHP include/require statement into loading arbitrary local files on the server. Tracked as CVE-2026-57805 (CWE-98) and reported by Patchstack, it carries a CVSS 7.5 rating and enables disclosure of sensitive files such as wp-config.php, with potential escalation to code execution via log/session poisoning. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.

Information Disclosure LFI PHP +1
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Local File Inclusion in the CodexThemes TheGem Theme Elements (for Elementor) WordPress plugin (versions up to and including 5.11.1) lets an authenticated low-privileged attacker coerce the application into including arbitrary local PHP files, exposing sensitive files and potentially executing attacker-influenced code within the site context. Classified as CWE-98 (PHP Remote/Local File Inclusion) and reported by Patchstack, the flaw carries a CVSS 3.1 base score of 7.5 with high impact across confidentiality, integrity, and availability. There is no public exploit identified at time of analysis and no active exploitation on record.

Information Disclosure LFI PHP +1
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Local File Inclusion in the Select-Themes Struktur Core WordPress plugin (all versions up to and including 2.5.1) lets an authenticated low-privileged user coerce a PHP include/require statement into loading arbitrary local files, exposing sensitive server-side content such as wp-config.php credentials. Reported by Patchstack and classified under CWE-98 (PHP Remote File Inclusion), the flaw carries a CVSS 3.1 score of 7.5; no public exploit identified at time of analysis and it is not listed in CISA KEV. Depending on server configuration, LFI of attacker-influenced content (e.g., poisoned logs or uploaded files) can escalate to PHP code execution.

Information Disclosure LFI PHP +1
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Local File Inclusion in the Select-Themes "Struktur" WordPress theme (all versions up to and including 2.5.1) lets an authenticated attacker coerce a PHP include/require statement into loading arbitrary local files on the server, exposing sensitive content such as wp-config.php credentials and, under the right conditions, escalating to code execution. Tracked as CVE-2026-57802 (CWE-98) and reported by Patchstack, it carries a CVSS 7.5 rating; there is no public exploit identified at time of analysis and it is not on CISA KEV. The CVSS vector's PR:L indicates authentication is required and AC:H reflects non-trivial exploitation preconditions.

Information Disclosure LFI PHP +1
NVD
EPSS 0% CVSS 7.5
HIGH This Week

PHP Local File Inclusion in the Select-Themes SetSail WordPress theme (versions up to and including 2.1) allows an authenticated attacker to coerce the application into including local files via improper control of a filename in an include/require statement. Successful exploitation can disclose sensitive files (e.g., wp-config.php) and, depending on server conditions, escalate to code execution through log poisoning or PHP wrapper abuse. This is a Patchstack-reported issue with no public exploit identified at time of analysis and no CISA KEV listing.

Information Disclosure LFI PHP +1
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Local File Inclusion in the Edge-Themes 'Overworld' WordPress theme (versions up to and including 1.5) lets an authenticated attacker coerce a PHP include/require statement into loading arbitrary server-side files, disclosing sensitive data such as wp-config.php credentials and potentially escalating to code execution via log/session poisoning. The flaw was reported by Patchstack and is classified as CWE-98 (PHP Remote File Inclusion). No public exploit identified at time of analysis, and it is not listed in CISA KEV; EPSS was not provided.

Information Disclosure LFI PHP +1
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Local file inclusion in the uxper Nuss WordPress theme (versions up to and including 1.3.6) lets an authenticated attacker with low-privilege access coerce the theme into including arbitrary PHP-parsable files from the server via improperly controlled include/require paths (CWE-98). Successful exploitation can disclose sensitive files and, depending on what can be included, lead to code execution, with high confidentiality, integrity, and availability impact per the CVSS 7.5 rating. No public exploit identified at time of analysis; the flaw was reported through Patchstack.

Information Disclosure LFI PHP +1
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Local File Inclusion in the NewsPlus Shortcodes WordPress plugin (versions up to and including 4.2.0) allows an authenticated attacker to coerce the plugin into including arbitrary PHP-processable files from the server, enabling disclosure of sensitive files and potential code execution. The flaw stems from improper control of a filename passed to a PHP include/require statement (CWE-98). No public exploit was identified at the time of analysis, and it is not listed in CISA KEV; risk is moderated by high attack complexity and a required privilege level.

Information Disclosure LFI PHP +1
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Local File Inclusion in the VLThemes Leedo WordPress theme (versions up to and including 3.0.0) allows authenticated attackers to include and execute arbitrary local files on the server via improper control of a filename passed to a PHP include/require statement. Although classified under PHP Remote File Inclusion (CWE-98), Patchstack characterizes the practical impact as Local File Inclusion, enabling disclosure of sensitive files and potential code execution from locally accessible content. No public exploit identified at time of analysis, and it is not listed in CISA KEV; the CVSS 3.1 base score is 7.5 with high attack complexity.

Information Disclosure LFI PHP +1
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Local File Inclusion in the Kitchor WordPress theme by themelexus (versions up to and including 1.4.3) allows an authenticated attacker to coerce a PHP include/require statement into loading arbitrary local files from the server. Because the theme fails to constrain the filename passed to an include path (CWE-98), an attacker with at least low-level authenticated access can read sensitive files such as wp-config.php and, under the right conditions, escalate to PHP code execution via log poisoning or inclusion of attacker-influenced content. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV; the CVSS 3.1 base score is 7.5.

Information Disclosure LFI PHP +1
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Local file inclusion in the uxper Golo Framework WordPress plugin (versions up to and including 1.7.3) lets an authenticated attacker abuse an improperly validated include/require path to read arbitrary server-side files and potentially execute embedded PHP. The CVSS 3.1 vector (AV:N/AC:H/PR:L/UI:N) indicates network-reachable exploitation requiring low-level authentication and elevated attack complexity, with high impact to confidentiality, integrity, and availability. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV.

Information Disclosure LFI PHP +1
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Local File Inclusion in the Elated-Themes 'Flow' WordPress theme (all versions up to and including 1.8) lets an authenticated attacker abuse an improperly controlled include/require path to read local files and potentially execute PHP. The CVSS 3.1 vector (AV:N/AC:H/PR:L) indicates a network-reachable but low-privilege, high-complexity flaw. No public exploit identified at time of analysis, and it is not listed in CISA KEV; disclosure comes from Patchstack.

Information Disclosure LFI PHP +1
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Local file inclusion in the Mikado-Themes "Dor" WordPress theme (all versions through 2.4.1) lets an authenticated attacker with low privileges supply a crafted filename to a PHP include/require statement, causing the server to include and execute arbitrary local files. Patchstack attributes it to improper control of a filename passed to a PHP include path (CWE-98), enabling disclosure of sensitive files and potential code execution. No public exploit identified at time of analysis and it is not listed in CISA KEV, but the high CVSS (7.5) reflects the full-impact potential once the low-privilege prerequisite is met.

Information Disclosure LFI PHP +1
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Local file inclusion in the ThemeMove Brook WordPress theme (versions up to and including 2.9.0) lets authenticated attackers coerce a PHP include/require statement into loading arbitrary local files on the server, exposing sensitive data such as wp-config.php credentials and potentially escalating to code execution. The flaw was disclosed by Patchstack and carries a CVSS 3.1 score of 7.5, but exploitation is rated high-complexity (AC:H) and requires at least low-level authentication (PR:L). There is no public exploit identified at time of analysis and it is not listed in CISA KEV.

Information Disclosure LFI PHP +1
NVD VulDB
EPSS 0% CVSS 7.5
HIGH This Week

Local File Inclusion in the jwsthemes Aqua WordPress theme (versions up to and including 5.1.2) lets an authenticated attacker coerce a PHP include/require statement into loading arbitrary local files, exposing sensitive data and potentially achieving code execution. Reported by Patchstack under CWE-98, the flaw carries CVSS 7.5 but requires low-level privileges and high attack complexity. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.

Information Disclosure LFI PHP +1
NVD VulDB
EPSS 0% CVSS 7.5
HIGH This Week

Local File Inclusion in the ThemeMove 'Billey' premium WordPress theme (versions up to and including 2.1.8) lets an authenticated attacker with low privileges control a filename used in a PHP include/require statement, exposing sensitive server-side files such as wp-config.php. Classified by Patchstack under CWE-98 (PHP Remote File Inclusion) but resolving to Local File Inclusion in practice, the flaw carries a CVSS 7.5 rating and no public exploit identified at time of analysis. Under specific conditions PHP file inclusion can escalate from information disclosure toward code execution via techniques such as log poisoning.

Information Disclosure LFI PHP +1
NVD VulDB
EPSS 0% CVSS 7.5
HIGH This Week

Local File Inclusion in the Edge-Themes "Aalto" WordPress theme (all versions up to and including 1.8) lets an authenticated attacker control a filename passed to a PHP include/require statement, exposing local files and potentially executing PHP. The flaw was reported by Patchstack and carries CVSS 7.5; there is no public exploit identified at time of analysis and it is not listed in CISA KEV. Despite the CWE-98 "Remote File Inclusion" classification, the described impact is Local File Inclusion.

Information Disclosure LFI PHP +1
NVD VulDB
EPSS 1% CVSS 8.1
HIGH This Week

PHP Local File Inclusion in the WordPress RT-Theme 18 | Extensions plugin (rt18-extensions) by stmcan lets remote attackers coerce the plugin into including attacker-influenced local file paths in an include/require statement, exposing sensitive files and potentially achieving code execution if a suitable includable file exists. All versions from an unspecified start through 2.5 are affected. No public exploit identified at time of analysis and it is not on CISA KEV, but the CVSS 3.1 base score is 8.1 (high) and the flaw is reachable without authentication.

Information Disclosure LFI PHP +1
NVD VulDB
EPSS 0% CVSS 2.1
LOW POC Monitor

Local File Inclusion (LFI) in SourceCodester Online Book Store System 1.0 allows authenticated remote attackers to read arbitrary files on the server by manipulating the `page` parameter in `/admin/index.php`, leading to source code and sensitive file disclosure. The vulnerability stems from unsanitized user input passed directly to PHP's include/require statement (CWE-98), with a publicly available proof-of-concept exploit documented on Medium. No patch has been identified; CVSS 4.0 scores this 2.1, reflecting the limited impact scope and authenticated precondition.

Information Disclosure LFI PHP +1
NVD VulDB
EPSS 0% CVSS 2.0
LOW POC Monitor

Unrestricted file upload in SourceCodester Online Book Store System 1.0 allows authenticated remote attackers with administrative access to upload arbitrary PHP files via the Book Image Upload feature at /admin/index.php?page=books, enabling remote code execution on the host server. A public exploit proof-of-concept has been disclosed on Medium under the title 'Critical Authenticated Remote Code Execution via Unrestricted File Upload,' confirming practical exploitability. While PR:H limits exposure to actors holding admin credentials, successful exploitation yields full server-side code execution, making this a high-impact finding within its threat model.

PHP File Upload Online Book Store System
NVD VulDB
EPSS 0% CVSS 5.0
MEDIUM POC PATCH This Month

PHP object injection in the 'Database for Contact Form 7, WPforms, Elementor forms' WordPress plugin (all versions before 1.5.2) permits unauthenticated attackers to embed malicious serialized PHP objects via the entry-editor file-field path, which are instantiated server-side when an administrator views the stored form entry. This is an incomplete remediation of two prior CVEs (CVE-2025-7384 and CVE-2026-2599) - earlier patches hardened other deserialization paths within the same plugin while this specific code route was overlooked. A publicly available exploit exists; no active exploitation is confirmed by CISA KEV at time of analysis.

PHP Deserialization WordPress +1
NVD WPScan
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in SourceCodester Online Book Store System 1.0 exposes the admin authentication panel to remote, unauthenticated exploitation via the Username parameter in admin/login.php. A publicly available proof-of-concept - explicitly titled 'SQL Injection Leading to Authentication Bypass' - demonstrates that an attacker can bypass admin login entirely without valid credentials. No active exploitation is confirmed by CISA KEV, but the combination of a publicly released exploit and a trivially low attack complexity significantly elevates real-world risk above what the base CVSS 4.0 score of 6.9 suggests.

SQLi PHP Online Book Store System
NVD VulDB
EPSS 0% CVSS 2.1
LOW POC Monitor

SQL injection in itsourcecode Hospital Management System 1.0 exposes patient prescription data to remote authenticated attackers via the `delid` parameter in `/patviewprescription.php`. Low-privilege access is sufficient to exploit this CWE-89 flaw, enabling database read, write, and partial disruption. No public KEV listing exists, but a proof-of-concept exploit is publicly available on GitHub, materially lowering the barrier to exploitation beyond what the CVSS 4.0 score of 5.3 alone implies.

SQLi PHP Hospital Management System
NVD VulDB GitHub
EPSS 0% CVSS 2.0
LOW POC Monitor

Code injection in DedeCMS 5.7.118 exposes high-privileged remote attackers to arbitrary PHP code execution via the Column Name parameter in the Column Management component of `/plus/search.php`. The exploit document on GitHub describes a cache file writing mechanism through which attacker-supplied input is persisted to disk and subsequently executed by the PHP runtime. A public proof-of-concept exists; no active exploitation is confirmed in the CISA KEV catalog.

Code Injection PHP RCE +1
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

Information disclosure in WuzhiCMS up to version 4.1.0 exposes sensitive server-side data through the Attachment API's `config/listimage` function, reachable at `/index.php?m=attachment&f=index&v=upload`. Remote unauthenticated attackers can exploit this endpoint without any privileges or user interaction, as confirmed by a publicly available proof-of-concept published via a GitHub issue report. The vendor has not responded to the disclosure, leaving no patch available and all deployments exposed.

PHP Information Disclosure Wuzhicms
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

SQL injection in CodeAstro Simple Online Leave Management System 1.0 allows authenticated remote attackers to manipulate the Name parameter within /SimpleOnlineLeave/admin/dashboard.php to inject arbitrary SQL commands against the backend database. A public proof-of-concept exploit is confirmed via a GitHub issue reference, elevating real-world risk above the moderate CVSS 4.0 base score of 5.3. The CVE is not currently listed in the CISA KEV catalog, indicating no confirmed widespread active exploitation, but the low attack complexity combined with an available POC makes this a credible near-term threat for any internet-exposed deployment.

SQLi PHP Simple Online Leave Management System
NVD VulDB GitHub
EPSS 0% CVSS 2.0
LOW POC Monitor

Unrestricted file upload in AREA 17 Twill CMS (versions up to 3.6.0) allows authenticated admin users to upload arbitrary file types via the `qqfilename` parameter in the Media Library Insert Page, creating a direct path to remote code execution on the underlying server. A public proof-of-concept documenting the full exploitation chain from file upload to RCE has been published by Bytium. No vendor patch exists - the vendor was contacted during responsible disclosure and did not respond, leaving all installations on affected versions without an official remediation path.

PHP File Upload Twill Cms
NVD VulDB
EPSS 0% CVSS 2.9
LOW POC PATCH Monitor

Authorization bypass in MacCMS Pro's installation module allows remote attackers to circumvent access controls via the `step5` function in the installation controller, affecting all versions through 2022.1000.3005. Exploitation is rated high-complexity (AC:H), limiting opportunistic mass exploitation, though a public proof-of-concept is available on GitHub. No CISA KEV listing at time of analysis; EPSS data was not included in the available intelligence, but POC availability elevates the practical risk above the raw CVSS score alone might suggest.

Authentication Bypass PHP Maccms Pro
NVD VulDB GitHub
EPSS 0% CVSS 5.3
MEDIUM This Month

SQL injection in AojiaoZero Antaris 1.0 exposes the application database through the PayPal IPN payment callback endpoint, where the `_rewardPurchase` function fails to sanitize the `item_number` parameter before incorporating it into SQL queries. An authenticated remote attacker who can send a crafted POST request to `/ipn.php` can manipulate the underlying database query, potentially reading sensitive records, modifying data, or degrading availability. No public exploit code has been identified at time of analysis, and the vendor did not respond to disclosure, leaving the vulnerability unpatched.

SQLi PHP Antaris
NVD VulDB
EPSS 0% CVSS 6.9
MEDIUM This Month

SQL injection in SmartHomeAdatum's users.php Login component exposes the backend database to unauthenticated remote manipulation via a crafted Login argument. All commits up to cf495353d81b680675eb8d9aa14a318aa45ce12c of this PHP-based smart home application are affected, with no patch available and a vendor that did not respond to disclosure. No public exploit code or CISA KEV listing exists at time of analysis, though the CVSS 4.0 vector confirms low-complexity unauthenticated network exploitation.

SQLi PHP Smarthomeadatum
NVD VulDB
EPSS 0% CVSS 2.0
LOW POC Monitor

SQL injection in AMTT Hotel Broadband Operation System 1.0 exposes the `manager/network/switch_status.php` endpoint to database manipulation via an unsanitized `ID` parameter, exploitable by authenticated remote attackers. A public proof-of-concept exploit exists (GitHub issue referenced in VulDB entry), though the vulnerability is not listed in CISA KEV. The CVSS 4.0 score of 2.0 reflects the high-privilege authentication barrier (PR:H) that significantly constrains real-world attack surface, limiting this primarily to insider threat or post-compromise escalation scenarios within hotel network management environments.

SQLi PHP Hotel Broadband Operation System
NVD VulDB GitHub
Page 1 of 275 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy