Skip to main content

PHP

24727 CVEs product

Monthly

CVE-2026-48247 HIGH PATCH This Week

Man-in-the-middle exposure in Open ISES Tickets before 3.44.2 stems from the shared helper functions in incs/functions.inc.php disabling TLS certificate verification (CURLOPT_SSL_VERIFYPEER=false) on outbound HTTPS calls, letting network-positioned attackers intercept or modify traffic carrying API keys and session data. No public exploit identified at time of analysis and the vulnerability is not listed in CISA KEV, but the vendor's v3.44.2 release notes describe it as a critical security update that also bundles fixes for 88 other issues including XSS and SQL injection.

Information Disclosure PHP
NVD GitHub VulDB
CVSS 4.0
8.2
EPSS
0.0%
CVE-2026-48246 HIGH PATCH This Week

TLS certificate verification bypass in Open ISES Tickets before 3.44.2 allows network-positioned attackers to intercept HTTPS traffic between the application server and Google Maps Directions API during incident report generation. The flaw stems from ajax/reports.php explicitly setting CURLOPT_SSL_VERIFYPEER to false without configuring CURLOPT_SSL_VERIFYHOST, exposing Google API keys and any session-bearing data carried in outbound requests. No public exploit identified at time of analysis, and SSVC reports no observed exploitation, but a vendor patch is available in v3.44.2.

Information Disclosure PHP Google
NVD GitHub VulDB
CVSS 4.0
8.2
EPSS
0.0%
CVE-2026-48245 MEDIUM PATCH This Month

Open ISES Tickets exposes a hardcoded Google Maps API key committed directly to its public GitHub source repository in tables.php, affecting all versions before 3.44.2. Any party with read access to the repository - effectively the entire internet - can extract the key and authenticate to Google Maps Platform as the application owner, generating API usage billed against the victim's Google Cloud project. No public exploit has been identified at time of analysis, but the SSVC framework rates this as automatable with partial technical impact, and the v3.44.2 release notes confirm the key is one of five hardcoded secrets removed in a batch of 88 security fixes.

PHP Google Authentication Bypass
NVD GitHub
CVSS 4.0
6.9
EPSS
0.0%
CVE-2026-48244 MEDIUM PATCH This Month

Hardcoded Google Maps API key exposure in Open ISES Tickets before v3.44.2 enables any party with read access to the public GitHub repository to extract a valid API credential from settings.inc.php and issue arbitrary Google Maps Platform requests billed against the victim organization's Google Cloud project. All versions from the initial release up to (but not including) 3.44.2 are affected per CPE cpe:2.3:a:open_ises:tickets:*:*:*:*:*:*:*:*. No public exploit code has been identified at time of analysis and the vulnerability is not listed in CISA KEV, but exploitation requires only the ability to read a publicly hosted source file - effectively zero technical barrier for any motivated actor.

PHP Google Authentication Bypass
NVD GitHub VulDB
CVSS 4.0
6.9
EPSS
0.0%
CVE-2026-48243 MEDIUM PATCH This Month

Open ISES Tickets before v3.44.2 exposes a hardcoded WhitePages reverse-phone API key committed directly into the public source file wp1.php, making it trivially accessible to any actor who can read the repository. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) reflects that no authentication or special conditions are required - extraction is as simple as reading a publicly hosted source file. Impact is bounded to third-party API abuse: an attacker can use the stolen key to make WhitePages lookups billed to or rate-capped against the legitimate owner's account. No public exploit identified at time of analysis, and this CVE is not listed in CISA KEV, though the passive nature of the exposure means any observer of the repository may already possess the key.

PHP Authentication Bypass
NVD GitHub VulDB
CVSS 4.0
6.9
EPSS
0.0%
CVE-2026-48242 CRITICAL PATCH Act Now

Credential exposure in Open ISES Tickets versions prior to 3.44.2 allows remote attackers to obtain valid MySQL database connection parameters (host, username, password, database name) hardcoded in import_mdb.php and committed to the public source repository. Any attacker who can read the public GitHub source can extract these credentials and attempt to authenticate against deployed installations that retained the default values, with no public exploit identified at time of analysis.

PHP Authentication Bypass
NVD GitHub VulDB
CVSS 4.0
9.2
EPSS
0.0%
CVE-2026-48241 CRITICAL PATCH Act Now

Hardcoded MySQL credentials in Open ISES Tickets before 3.44.2 expose database username, password, and database name through a public-facing loader.php utility that was committed to the source repository. Any user able to read the source tree on GitHub or fetch the file from a deployed installation can connect to the backing database if reachable, leading to full read/write access. No public exploit identified at time of analysis, but the credentials are trivially recoverable from the source tree.

PHP Authentication Bypass
NVD GitHub VulDB
CVSS 4.0
9.2
EPSS
0.1%
CVE-2026-48240 HIGH PATCH This Week

SQL injection in Open ISES Tickets before 3.44.2 lets authenticated users tamper with backend database queries through the ajax/statistics.php endpoint by injecting payloads into the tick_id and f_tick_id POST parameters. The CVSS 4.0 score of 7.1 reflects high confidentiality impact with lower integrity impact, and while no public exploit is identified at time of analysis, this flaw is one of 19 SQL injection issues bundled into a single critical security release that the vendor urges all users to install immediately.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
7.1
EPSS
0.0%
CVE-2026-48239 HIGH PATCH This Week

SQL injection in Open ISES Tickets before 3.44.2 lets authenticated users tamper with the incidents summary report query via the tick_id POST parameter in ajax/reports.php, enabling arbitrary read, modification, or destruction of database contents. The v3.44.2 release notes confirm the fix was part of a broader security overhaul addressing 19 SQL injection flaws and 69 XSS issues. No public exploit identified at time of analysis, and SSVC classifies exploitation status as 'none' with partial technical impact.

PHP SQLi
NVD GitHub
CVSS 4.0
7.1
EPSS
0.0%
CVE-2026-48238 HIGH PATCH This Week

SQL injection in Open ISES Tickets before 3.44.2 allows authenticated attackers to manipulate database queries via the unsanitized `id` GET parameter in `ajax/mobile_main.php`. The flaw permits arbitrary read, modification, or destruction of database contents, and is part of a broader batch of 19 SQL injection fixes shipped in v3.44.2. No public exploit identified at time of analysis, but the vendor explicitly classifies v3.44.2 as a 'Critical Security Update' urging immediate upgrade.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
7.1
EPSS
0.0%
CVE-2026-48237 HIGH PATCH This Week

SQL injection in Open ISES Tickets before 3.44.2 allows authenticated attackers to manipulate backend database queries via the message.php endpoint, enabling unauthorized read, modification, or destruction of database contents. The flaw stems from unsanitized concatenation of the frm_ticket_id and frm_resp_id POST parameters into SELECT and UPDATE statements. No public exploit identified at time of analysis, though VulnCheck has published a dedicated advisory and the vendor's 3.44.2 release bundles fixes for 19 SQL injection issues across the codebase.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
7.1
EPSS
0.0%
CVE-2026-48236 HIGH PATCH This Week

SQL injection in Open ISES Tickets before 3.44.2 allows authenticated attackers to manipulate database queries via unsanitized POST parameters (ticketsdb, ticketshost, ticketsuser, ticketspassword) in db_loader.php, enabling read, modification, or destruction of database contents. The vendor confirms this is one of 19 SQL injection flaws patched in v3.44.2, reported by VulnCheck. No public exploit identified at time of analysis, and the vulnerability requires low-privilege authentication (PR:L per CVSS 4.0 vector).

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
7.1
EPSS
0.0%
CVE-2026-48235 HIGH PATCH This Week

SQL injection in Open ISES Tickets before 3.44.2 allows attackers controlling or impersonating an InstaMapper or Google Latitude GPS tracking endpoint to inject malicious SQL via unsanitized latitude, longitude, callsign, mph, altitude, and timestamp values parsed by incs/remotes.inc.php. The CVSS 4.0 base score of 8.8 reflects unauthenticated network exploitation with high confidentiality impact, and no public exploit is identified at time of analysis. The flaw was disclosed by VulnCheck and is one of 19 SQL injection issues patched in the v3.44.2 release.

PHP Google SQLi
NVD GitHub VulDB
CVSS 4.0
8.8
EPSS
0.0%
CVE-2026-48234 HIGH PATCH This Week

SQL injection in Open ISES Tickets versions prior to 3.44.2 allows authenticated attackers to manipulate ORDER BY clauses via the sort and dir GET parameters in portal/ajax/list_requests.php, enabling unauthorized read, modification, or destruction of database contents. The CVSS 4.0 score of 7.1 reflects network-reachable exploitation with low privileges and no user interaction required. No public exploit identified at time of analysis, but the vendor's own release notes describe this as part of a critical security update patching 19 SQL injection flaws across 11 files.

PHP SQLi
NVD GitHub
CVSS 4.0
7.1
EPSS
0.0%
CVE-2026-48233 HIGH PATCH This Week

SQL injection in Open ISES Tickets prior to 3.44.2 allows authenticated attackers to manipulate database queries via the unsanitized 'offset' GET parameter in ajax/sit_incidents.php, which is concatenated directly into a LIMIT clause. Successful exploitation enables reading, modifying, or destroying database contents. No public exploit identified at time of analysis, though the underlying flaw is one of 19 SQL injection issues patched in the same release, indicating broad code-level weakness.

PHP SQLi
NVD GitHub
CVSS 4.0
7.1
EPSS
0.0%
CVE-2026-48232 HIGH PATCH This Week

SQL injection in Open ISES Tickets versions prior to 3.44.2 allows authenticated attackers to manipulate database queries through the unsanitized offset parameter in ajax/fullsit_incidents.php. The flaw enables reading, modifying, or destroying database contents and is part of a broader v3.44.2 security release that patched 19 SQL injection issues. No public exploit identified at time of analysis, but the vendor classifies the update as critical and urges immediate upgrade.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
7.1
EPSS
0.0%
CVE-2026-48231 HIGH PATCH This Week

SQL injection in Open ISES Tickets prior to 3.44.2 lets authenticated users tamper with database contents by abusing unsanitized POST parameters (tablename, indexname, sortby) in tables.php that are concatenated directly into SELECT, UPDATE, and DELETE identifier positions. The flaw is one of 19 SQLi issues fixed in the v3.44.2 release; no public exploit identified at time of analysis, but the vendor labels the release a Critical Security Update and urges immediate upgrade.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
7.1
EPSS
0.0%
CVE-2026-48230 MEDIUM PATCH This Month

Reflected cross-site scripting in Open ISES Tickets before version 3.44.2 allows JavaScript injection via ten unsanitized POST parameters in ticketsmdb_import.php, with payloads executing in the victim's browser upon response rendering. The vendor-released patch v3.44.2 addresses this as part of a critical security update that simultaneously fixed 88 vulnerabilities including 69 XSS and 19 SQL injection issues across the codebase, suggesting systemic input sanitization failures rather than an isolated defect. No public exploit code has been identified at time of analysis, and this CVE is not listed in the CISA KEV catalog.

PHP XSS
NVD GitHub VulDB
CVSS 4.0
5.1
EPSS
0.0%
CVE-2026-48229 MEDIUM PATCH This Month

Reflected XSS in Open ISES Tickets (all versions before 3.44.2) allows injection of arbitrary JavaScript via the unsanitized ticket_id GET parameter in routes_i.php, rendered directly into HTML form hidden input value attributes. When a victim visits or is redirected to a crafted URL, the payload executes in their browser within the application's security context. No public exploit or CISA KEV listing exists at time of analysis, but the patch release (v3.44.2) simultaneously fixes 88 vulnerabilities - 69 of them XSS - indicating systemic input sanitization failures throughout the codebase that substantially elevate the overall risk posture of this application.

PHP XSS
NVD GitHub VulDB
CVSS 4.0
5.1
EPSS
0.0%
CVE-2026-48228 MEDIUM PATCH This Month

Reflected cross-site scripting in Open ISES Tickets (all versions before 3.44.2) allows attackers to inject arbitrary JavaScript through unsanitized id and ticket_id GET parameters in patient_w.php, which are written directly into an HTML form action URL without output encoding. Successful exploitation requires the victim to actively click a crafted link, after which the payload executes in the victim's browser under the application's origin, enabling session hijacking or unauthorized actions. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog; however, the scale of the v3.44.2 release - patching 69 XSS and 19 SQL injection issues simultaneously - suggests the codebase has historically received minimal security review.

PHP XSS
NVD GitHub
CVSS 4.0
5.1
EPSS
0.0%
CVE-2026-48227 MEDIUM PATCH This Month

Reflected XSS in Open ISES Tickets before 3.44.2 exposes authenticated users to arbitrary JavaScript execution via unsanitized GET parameters in patient.php. The vulnerability exists in the id and ticket_id parameters, whose values are written directly into an HTML form action URL without output encoding, enabling an attacker to craft a malicious link that executes script in the victim's browser upon rendering. No public exploit or active exploitation has been identified at time of analysis; however, the vendor's v3.44.2 release confirms this is one of 69 XSS vulnerabilities patched simultaneously, indicating systemic input-handling failures across the application.

PHP XSS
NVD GitHub
CVSS 4.0
5.1
EPSS
0.0%
CVE-2026-48226 MEDIUM PATCH This Month

Reflected XSS in Open ISES Tickets (all versions before 3.44.2) allows JavaScript injection via the unsanitized `ref` and `mode_orig` POST parameters in `os_watch.php`, which are written verbatim into HTML form hidden input value attributes without output encoding. An attacker who can trick a user into submitting a crafted POST request will have arbitrary JavaScript execute in that user's browser session, enabling session theft, credential harvesting, or UI redress attacks. No public exploit code or CISA KEV listing has been identified at time of analysis; however, the patch release simultaneously addressed 88 vulnerabilities - including 19 SQL injection issues - suggesting this application carried significant accumulated security debt that amplifies organizational risk beyond this single CVE.

PHP XSS
NVD GitHub VulDB
CVSS 4.0
5.1
EPSS
0.0%
CVE-2026-48225 MEDIUM PATCH This Month

Reflected cross-site scripting in Open ISES Tickets before version 3.44.2 allows an attacker to inject arbitrary JavaScript via the unsanitized _type POST parameter in landb.php, which is echoed directly into an HTML form hidden input value attribute without encoding. When a victim renders the crafted response, the injected script executes in their browser context, enabling session hijacking, credential theft, or forced action on behalf of the victim. This CVE is one of 69 XSS vulnerabilities addressed in the v3.44.2 critical security update; no public exploit has been identified at time of analysis and it is not listed in CISA KEV.

PHP XSS
NVD GitHub VulDB
CVSS 4.0
5.1
EPSS
0.0%
CVE-2026-48224 MEDIUM PATCH This Month

Reflected cross-site scripting in Open ISES Tickets before v3.44.2 enables JavaScript injection via the frm_add_str POST parameter in ics214.php, which reflects the unsanitized value directly into an HTML form hidden input value attribute. When a victim renders the crafted response, the payload executes in their browser session, enabling session hijacking or action-on-behalf-of-user attacks. No public exploit has been identified and this CVE is not listed in CISA KEV, though the v3.44.2 release addresses 88 total vulnerabilities - including SQL injection and hardcoded credentials - making upgrade broadly critical regardless of this specific finding.

PHP XSS
NVD GitHub VulDB
CVSS 4.0
5.1
EPSS
0.0%
CVE-2026-48223 MEDIUM PATCH This Month

Reflected cross-site scripting in Open ISES Tickets before 3.44.2 allows a malicious actor to inject arbitrary JavaScript into a victim's browser session via the unsanitized frm_add_str POST parameter in ics213rr.php, where the value is written directly into an HTML form hidden input attribute without escaping. The CVSS 4.0 vector scores this at 5.1 with scope change to subsequent systems (SC:L/SI:L), meaning successful exploitation affects data beyond the immediately vulnerable component. No public exploit code or CISA KEV listing exists at time of analysis; a vendor-released patch (v3.44.2) is confirmed available and also resolves 87 additional vulnerabilities including SQL injection, hardcoded credentials, and SSL validation failures.

PHP XSS
NVD GitHub
CVSS 4.0
5.1
EPSS
0.0%
CVE-2026-48222 MEDIUM PATCH This Month

Reflected cross-site scripting in Open ISES Tickets before v3.44.2 allows injection of arbitrary JavaScript through the frm_add_str POST parameter in ics213.php, which is rendered unsanitized inside an HTML hidden input value attribute. The CVSS 4.0 vector (PR:N/UI:A) indicates no privileges are required on the attacker side, but victim interaction is mandatory - a user must submit or be tricked into triggering the crafted request. This CVE is one of 69 XSS vulnerabilities patched in the v3.44.2 critical security release, signaling systemic input sanitization failures across the codebase. No public exploit code has been identified at time of analysis, and this CVE does not appear in the CISA KEV catalog.

PHP XSS
NVD GitHub
CVSS 4.0
5.1
EPSS
0.0%
CVE-2026-48221 MEDIUM PATCH This Month

Reflected cross-site scripting in Open ISES Tickets before version 3.44.2 allows injection of arbitrary JavaScript via the unsanitized frm_add_str POST parameter in ics205a.php, which is rendered verbatim inside an HTML form hidden input value attribute in the victim's browser. This CVE is one of 69 XSS vulnerabilities patched in the v3.44.2 release - a 'Critical Security Update' that also addressed 19 SQL injection issues and 5 hardcoded secrets, revealing systemic input handling failures across the codebase. No public exploit identified at time of analysis and no CISA KEV listing; however, the broader security debt in this application makes upgrading urgent beyond this single CVE.

PHP XSS
NVD GitHub
CVSS 4.0
5.1
EPSS
0.0%
CVE-2026-48220 MEDIUM PATCH This Month

Reflected cross-site scripting in Open ISES Tickets (all versions before 3.44.2) allows injection of arbitrary JavaScript through the frm_add_str POST parameter in ics205.php, which is rendered unsanitized inside an HTML form hidden input value attribute. The attacker must induce an authenticated victim to submit a crafted request (UI:A), limiting opportunistic exploitation but enabling session hijacking, credential theft, or further browser-based attacks against logged-in users. This CVE is one of 69 XSS vulnerabilities patched in v3.44.2, which also addressed 19 SQL injection issues and hardcoded credentials - indicating systemic input-handling deficiencies across the PHP codebase. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.

PHP XSS
NVD GitHub VulDB
CVSS 4.0
5.1
EPSS
0.0%
CVE-2026-48219 MEDIUM PATCH This Month

Reflected cross-site scripting in Open ISES Tickets before version 3.44.2 enables JavaScript injection via the frm_add_str POST parameter in ics202.php, where the unsanitized value is written directly into an HTML form hidden input value attribute. The CVSS 4.0 vector (PR:N/UI:A) indicates no attacker privilege is required, but victim interaction is mandatory - meaning an attacker must deceive a user into submitting a crafted POST request to trigger execution. This CVE is one of 69 XSS vulnerabilities patched in the v3.44.2 release alongside 19 SQL injection flaws and 5 hardcoded secrets, signaling a systemic insecurity posture in the codebase prior to this release. No public exploit identified at time of analysis; no CISA KEV listing.

PHP XSS
NVD GitHub VulDB
CVSS 4.0
5.1
EPSS
0.0%
CVE-2026-48218 MEDIUM PATCH This Month

Reflected cross-site scripting in Open ISES Tickets (all versions before 3.44.2) exposes the icons/buttons/landb.php endpoint to arbitrary JavaScript injection via unsanitized frm_name and frm_id POST parameters, which are rendered directly into both HTML content and inline JavaScript without encoding or sanitization. An attacker who can socially engineer an authenticated user into triggering a crafted POST request can execute arbitrary JavaScript within that user's browser session, enabling session hijacking, credential theft, or malicious UI manipulation. No public exploit has been identified at time of analysis; a vendor-released patch (v3.44.2) is available and all users are urged to upgrade immediately per the vendor's own release advisory.

PHP XSS
NVD GitHub VulDB
CVSS 4.0
5.1
EPSS
0.0%
CVE-2026-48217 MEDIUM PATCH This Month

Reflected XSS in Open ISES Tickets before 3.44.2 allows JavaScript injection via unsanitized POST parameters (module_choice, flag, confirmation) in delete_module.php, executing attacker-supplied code in the browser of a victim who interacts with a crafted request. The CVSS 4.0 vector (PR:N/UI:A) indicates the attacker requires no privileges but depends on active victim interaction - consistent with a POST-based reflected XSS delivered via a cross-site auto-submitting form targeting an authenticated session. No public exploit has been identified at time of analysis, and vendor-released patch v3.44.2 is available, a landmark release that simultaneously addressed 88 vulnerabilities including 19 SQL injections and 68 additional XSS issues across the same codebase.

PHP XSS
NVD GitHub
CVSS 4.0
5.1
EPSS
0.0%
CVE-2026-48216 MEDIUM PATCH This Month

Reflected XSS in Open ISES Tickets before v3.44.2 allows JavaScript injection via six unsanitized POST parameters in db_loader.php (ticketshost, ticketsdb, ticketsuser, ticketspassword, ticketsprefix, db_schema), each reflected verbatim into HTML form input value attributes. An attacker who can deliver a crafted POST request to a victim's browser can execute arbitrary JavaScript in the victim's session context, enabling session hijacking or credential theft. The vendor-confirmed fix (v3.44.2) was released as a critical security update resolving 88 total vulnerabilities; no public exploit or CISA KEV listing is identified at time of analysis.

PHP XSS
NVD GitHub
CVSS 4.0
5.1
EPSS
0.0%
CVE-2026-48215 MEDIUM PATCH This Month

Reflected XSS in Open ISES Tickets (versions before 3.44.2) allows network-based attackers to inject arbitrary JavaScript through the frm_id POST parameter in circle.php, requiring victim interaction with a crafted link or form. The vulnerability executes malicious scripts in the victim's browser context with low-scope impact to confidentiality and integrity. No public exploit code or active exploitation has been identified at time of analysis. VulnCheck reported this as one of 69 XSS vulnerabilities patched in the v3.44.2 security release, which addressed 88 total security issues including SQL injection and hardcoded credentials.

PHP XSS
NVD GitHub VulDB
CVSS 4.0
5.1
EPSS
0.0%
CVE-2026-48214 MEDIUM PATCH This Month

Reflected XSS in Open ISES Tickets before v3.44.2 enables JavaScript injection through the unsanitized ticket_id POST parameter in add_nm.php, which is embedded without encoding into both an HTML form input value attribute and an inline JavaScript string literal - two distinct injection contexts. When a victim renders the malicious response, attacker-controlled script executes in their browser with potential to steal session tokens or perform actions under their identity. No public exploit exists and the vulnerability is not in CISA KEV, but the v3.44.2 release notes reveal 88 co-patched security defects (including 19 SQL injection issues and hardcoded secrets), meaning any unpatched deployment faces compounded, systemic risk far beyond this single CVE.

PHP XSS
NVD GitHub VulDB
CVSS 4.0
5.1
EPSS
0.0%
CVE-2026-48213 MEDIUM PATCH This Month

Reflected cross-site scripting in Open ISES Tickets before 3.44.2 allows injection of arbitrary JavaScript via the ticket_id POST parameter in add.php, which is echoed unsanitized into an HTML form input value attribute. The CVSS 4.0 vector scores this at 5.1 with no privileges required and active user interaction needed, though the CVE description characterizes attackers as authenticated - a discrepancy discussed in the risk section. No public exploit code or CISA KEV listing exists at time of analysis. This vulnerability is one of 69 XSS issues patched in a single v3.44.2 release that also addressed 19 SQL injection flaws and 5 hardcoded secrets, suggesting systemic insecure coding practices across the codebase.

PHP XSS
NVD GitHub VulDB
CVSS 4.0
5.1
EPSS
0.0%
CVE-2026-6279 CRITICAL Act Now

Unauthenticated remote code execution in the Avada Builder (fusion-builder) WordPress plugin versions up to and including 3.15.2 allows attackers to execute arbitrary PHP on affected sites by abusing an unsanitized call_user_func() invocation reachable through a public AJAX endpoint. Wordfence-reported issue affects any WordPress site running the Avada theme stack that exposes a Post Cards or Table of Contents element on a public page, since the protecting nonce is deterministically leaked in the page's JavaScript. No public exploit identified at time of analysis, but the CVSS 9.8 rating and trivial precondition (visiting one page that emits the nonce) make this high-priority.

WordPress PHP RCE
NVD VulDB
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-35016 MEDIUM PATCH This Month

Reflected cross-site scripting in Open ISES Tickets before v3.44.2 allows attackers to inject arbitrary JavaScript into victim browsers via the unsanitized `frm_query` POST parameter in `search.php`, which is echoed verbatim into an HTML input `VALUE` attribute. The CVSS 4.0 score of 5.1 (Medium) reflects a required active user interaction step (UI:A) that limits opportunistic exploitation - a victim must be induced to submit a crafted request. No public exploit code has been identified at time of analysis and the vulnerability is not listed in CISA KEV; however, a vendor-released patch (v3.44.2) is available and should be applied immediately, as it simultaneously addresses 88 security vulnerabilities - including 68 additional XSS flaws across 22 files - indicating systemic insecurity in all prior versions.

PHP XSS Tickets
NVD GitHub VulDB
CVSS 4.0
5.1
EPSS
0.0%
CVE-2026-35015 MEDIUM PATCH This Month

Reflected XSS in Open ISES Tickets before 3.44.2 enables injection of arbitrary JavaScript via the unsanitized `the_ticket` GET parameter in do_unit_mail.php, which is written directly into a JavaScript variable assignment without output encoding. An attacker who can deliver a crafted URL to a user of the application can execute arbitrary JavaScript in that user's browser session, enabling session hijacking, credential theft, or UI redirection. No active exploitation is confirmed (not in CISA KEV), and no public POC is identified at time of analysis, though a patch commit and vendor release are publicly available, raising the exposure window.

PHP XSS Tickets
NVD GitHub
CVSS 4.0
5.1
EPSS
0.0%
CVE-2026-35014 MEDIUM PATCH This Month

Reflected cross-site scripting in Open ISES Tickets before 3.44.2 allows injection of arbitrary JavaScript via the ticket_id GET parameter in routes_nm.php, which is unsanitized and written directly into an HTML hidden input field VALUE attribute. The CVSS 4.0 vector (PR:N) indicates no privileges are required, but the CVE description explicitly characterizes the attacker as authenticated - this discrepancy must be verified with the vendor before determining actual exploitation prerequisites. Active user interaction is required (UI:A), meaning exploitation depends on a victim clicking a crafted URL. No public exploit has been identified at time of analysis and this CVE is not listed in the CISA KEV catalog.

PHP XSS Tickets
NVD GitHub
CVSS 4.0
5.1
EPSS
0.0%
CVE-2026-35013 MEDIUM PATCH This Month

Reflected XSS in Open ISES Tickets before version 3.44.2 allows an attacker to inject arbitrary JavaScript into a victim's browser session via the thelat and thelng GET parameters in street_view.php, where values are passed unsanitized directly into JavaScript variable assignments. The attack requires user interaction - a victim must visit a crafted URL - and the CVSS 4.0 score of 5.1 reflects limited scope impact (SC:L/SI:L). Notably, this CVE is one of 69 XSS vulnerabilities patched in the v3.44.2 release, which also addressed 19 SQL injection flaws and 5 hardcoded secrets, indicating severe systemic security debt in the codebase. No public exploit identified at time of analysis, and no CISA KEV listing.

PHP XSS Tickets
NVD GitHub
CVSS 4.0
5.1
EPSS
0.0%
CVE-2026-35012 MEDIUM PATCH This Month

Reflected XSS in Open ISES Tickets before version 3.44.2 enables JavaScript injection via the ticket_id GET parameter in add_facnote.php, which is written unsanitized into a hidden HTML input field's VALUE attribute. An attacker can craft a URL containing a JavaScript payload and trick a user into visiting it, causing script execution in the victim's browser session within the application's origin. No public exploit has been identified at time of analysis, and a vendor-released patch is confirmed at v3.44.2. Notably, this CVE is one of at least 69 XSS vulnerabilities addressed in the same release, indicating systemic input sanitization failures across the codebase.

PHP XSS Tickets
NVD GitHub
CVSS 4.0
5.1
EPSS
0.0%
CVE-2026-35011 MEDIUM PATCH This Month

Reflected cross-site scripting in Open ISES Tickets before v3.44.2 allows attackers to execute arbitrary JavaScript in a victim's browser by delivering a crafted URL containing a payload in the `frm_call` GET parameter of `opena.php`, which is reflected directly into page output without sanitization. The CVSS 4.0 vector scores this at 5.1 (Medium), with impact limited to the subsequent browser context (SC:L/SI:L) rather than the server itself. No public exploit has been identified at time of analysis, and this CVE is not listed in CISA KEV - however, the v3.44.2 release patched 88 total vulnerabilities including 19 SQL injection flaws, indicating systemic security debt warranting urgent upgrade regardless of this CVE's moderate score.

PHP XSS Tickets
NVD GitHub
CVSS 4.0
5.1
EPSS
0.0%
CVE-2026-35010 MEDIUM PATCH This Month

Reflected XSS in Open ISES Tickets before 3.44.2 enables JavaScript injection via the ticket_id GET parameter in patient_JF.php, where the unsanitized value is written directly into a JavaScript variable assignment in the server response. The CVSS 4.0 vector (PR:N, UI:A) indicates no authentication is required from the attacker's side, though the CVE description contradicts this by specifying 'authenticated attackers' - this conflict should be verified with the vendor. Exploitation requires the victim to actively visit a crafted URL, limiting mass exploitation, but the broader v3.44.2 release context - which patches 88 total vulnerabilities including 19 SQL injection flaws - signals systemic input validation failures across the codebase. No public exploit code or CISA KEV listing has been identified at time of analysis.

PHP XSS Tickets
NVD GitHub
CVSS 4.0
5.1
EPSS
0.0%
CVE-2026-35009 MEDIUM PATCH This Month

Reflected XSS in Open ISES Tickets before 3.44.2 allows injection of arbitrary JavaScript via the unsanitized ticket_id GET parameter in add_note.php, with payload execution occurring in the browser of any authenticated user who visits a crafted URL. The CVSS 4.0 score of 5.1 (Medium) reflects the mandatory user interaction requirement and impact scope limited to the browser context, with no server-side confidentiality or integrity impact. No public exploit code or active exploitation has been identified at time of analysis; the vendor released v3.44.2 as a critical security update that addresses this issue alongside 87 additional vulnerabilities.

PHP XSS Tickets
NVD GitHub
CVSS 4.0
5.1
EPSS
0.0%
CVE-2026-35008 MEDIUM PATCH This Month

Reflected cross-site scripting in Open ISES Tickets before version 3.44.2 allows an attacker to inject arbitrary JavaScript via the ticket_id GET parameter in single.php, which is rendered unsanitized into an HTML attribute and executed in a victim's browser upon visiting a crafted URL. This vulnerability is one of 69 XSS issues patched in the v3.44.2 release, which also addressed 19 SQL injection flaws and hardcoded credentials - signaling systemic input handling deficiencies across the application. No public exploit code or CISA KEV listing has been identified at time of analysis, but the CVSS 4.0 score of 5.1 and mandatory user interaction (UI:A) limit automated exploitation.

PHP XSS Tickets
NVD GitHub
CVSS 4.0
5.1
EPSS
0.0%
CVE-2026-35007 MEDIUM PATCH This Month

Reflected XSS in Open ISES Tickets before version 3.44.2 allows attackers to inject arbitrary JavaScript into a victim's browser session via the unsanitized 'id' GET parameter in single_unit.php. The injected value is written directly into an HTML attribute without escaping, enabling session hijacking, credential theft, or malicious redirects when a victim visits an attacker-crafted URL. This CVE is one of 69 XSS vulnerabilities patched in the v3.44.2 security release - indicating systemic input validation failures across the application. No public exploit or CISA KEV listing has been identified at time of analysis.

PHP XSS Tickets
NVD GitHub
CVSS 4.0
5.1
EPSS
0.0%
CVE-2026-46420 MEDIUM PATCH GHSA This Month

Command injection in shivammathur/setup-php (versions 2.25.0 through 2.37.0) allows an attacker who can influence repository files to execute arbitrary commands on a GitHub Actions runner when the action resolves the PHP version from attacker-controlled content. The risk is highest in privileged workflows using pull_request_target that check out untrusted PR code before invoking setup-php, potentially exposing repository secrets and CI/CD infrastructure. No public exploit code or KEV listing exists at time of analysis, but the attack is realistic in any project using this common CI action pattern with auto-merging or cross-repo workflows.

PHP Command Injection
NVD GitHub
CVSS 3.1
5.6
EPSS
1.6%
CVE-2026-24425 PHP HIGH PATCH GHSA This Week

Sandbox bypass in Twig template engine versions 2.16.x and 3.9.0 through 3.25.x allows attackers with template rendering capabilities to execute arbitrary PHP code when the sandbox is enabled via a SourcePolicyInterface rather than globally. The runtime check on sort, filter, map, and reduce filters fails to propagate the current template source, allowing arbitrary PHP callables to be passed and executed. No public exploit identified at time of analysis and the issue is not in CISA KEV, but the RCE/PHP tagging and CVSS 4.0 score of 8.7 indicate high impact for applications offering user-editable templates.

PHP RCE Twig
NVD GitHub VulDB
CVSS 4.0
8.7
EPSS
0.1%
CVE-2026-6405 MEDIUM This Month

Stored Cross-Site Scripting via CSRF in the Anomify AI WordPress plugin (versions ≤ 0.3.6) allows unauthenticated remote attackers to inject persistent JavaScript into the WordPress admin panel by tricking a logged-in administrator into visiting an attacker-controlled page. The attack chains two flaws: a missing nonce check on the settings handler (no check_admin_referer()) that permits any cross-origin POST to modify plugin settings, and a double-quote escape bypass where the API key value is stored after sanitize_text_field() sanitization but rendered into an HTML attribute via bare echo without esc_attr(), allowing the payload to survive both sanitization and storage. No public exploit has been identified at time of analysis, and the CVE is not listed in the CISA KEV catalog.

WordPress PHP CSRF XSS
NVD VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-7522 HIGH This Week

Local File Inclusion in the Advanced Database Cleaner - Premium WordPress plugin (versions up to and including 4.1.0) allows Subscriber-level authenticated users to include and execute arbitrary .php files via the 'template' parameter. The flaw, reported by Wordfence, carries a CVSS score of 8.8 and can be escalated to full remote code execution when combined with a file upload primitive, while no public exploit identified at time of analysis.

LFI Information Disclosure RCE WordPress PHP
NVD VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-7637 CRITICAL Act Now

PHP Object Injection in the Boost plugin for WordPress (versions up to and including 2.0.3) allows unauthenticated remote attackers to inject arbitrary PHP objects via the STYXKEY-BOOST_USER_LOCATION cookie. The vulnerability stems from unsafe deserialization of attacker-controlled cookie data; while the plugin itself ships no usable POP (property-oriented programming) chain, exploitation becomes high-impact when any other installed plugin or theme provides one. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.

Deserialization PHP Information Disclosure WordPress
NVD
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-6401 MEDIUM This Month

Cross-Site Request Forgery in the Bottom Bar WordPress plugin (all versions up to and including 0.1.7) allows unauthenticated attackers to modify plugin configuration by tricking a logged-in administrator into visiting a malicious page. All three administrative settings forms - main settings, sharing services, and restore defaults - lack both wp_nonce_field() output and server-side check_admin_referer() validation in bottom-bar-admin.php, meaning any POST to those endpoints is processed without request authenticity checks. No public exploit has been identified at time of analysis, no patched version has been confirmed, and the vulnerability is not listed in CISA KEV.

WordPress PHP CSRF
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-7472 MEDIUM This Month

Time-based blind SQL injection in the Read More & Accordion WordPress plugin (slug: expand-maker) through version 3.5.7 enables authenticated administrators to exfiltrate arbitrary database contents, including administrator password hashes, by manipulating the orderby GET parameter. The flaw exists in two data-retrieval functions in ReadMoreData.php, where user input bypasses effective sanitization and is concatenated unquoted into an ORDER BY SQL clause. No public exploit code has been identified at time of analysis, and this CVE is not listed in the CISA KEV catalog, though the high-confidentiality CVSS impact (C:H) reflects genuine data-exposure potential.

WordPress PHP Information Disclosure SQLi
NVD
CVSS 3.1
4.9
EPSS
0.0%
CVE-2026-6072 MEDIUM This Month

Authentication bypass in the Oliver POS WooCommerce Point of Sale WordPress plugin (all versions through 2.4.2.6) allows unauthenticated remote attackers to gain full access to the plugin's REST API namespace by exploiting PHP type juggling in the permission callback. On fresh installations where the admin has not yet completed the connection wizard, the stored authorization token is unset (PHP false), and sending the header 'OliverAuth: 0' satisfies the loose comparison '0' == false, returning true and granting unrestricted access to all /wp-json/pos-bridge/* endpoints. Successful exploitation enables reading administrator account details, updating user profiles including email addresses, deleting non-admin users, and ultimately resetting the admin email to achieve full WordPress site takeover. No public exploit has been identified at time of analysis, and this CVE is not listed in the CISA KEV catalog.

WordPress PHP Authentication Bypass
NVD
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-6456 HIGH This Week

Privilege escalation in the BeycanPress Account Switcher WordPress plugin (versions up to and including 1.0.2) allows authenticated Subscriber-level users to hijack any account, including Administrator, by abusing a loose PHP comparison in the rememberLogin REST endpoint. No public exploit is identified at the time of analysis, but the issue is trivially reproducible from the disclosed root cause and the plugin source on WordPress.org is publicly indexable.

WordPress PHP Authentication Bypass Privilege Escalation
NVD
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-8626 MEDIUM This Month

Reflected Cross-Site Scripting in the SponsorMe plugin for WordPress (all versions through 0.5.2) allows unauthenticated attackers to execute arbitrary JavaScript in a victim's browser by tricking an authenticated user - likely a WordPress administrator - into clicking a specially crafted wp-admin/admin.php URL. The PHP_SELF superglobal is reflected unsanitized in two distinct locations within the same vulnerable function: a form action attribute (sponsorme.php:440) and an anchor href attribute (sponsorme.php:475), doubling the attack surface. No patch has been identified at time of analysis, and no public exploit or CISA KEV listing has been confirmed.

WordPress PHP XSS
NVD
CVSS 3.1
6.1
EPSS
0.1%
CVE-2026-6555 CRITICAL Act Now

Unauthenticated remote code execution in the ProSolution WP Client WordPress plugin (versions ≤ 2.0.0) allows attackers to upload malicious PHP files to a web-accessible directory by abusing an array validation mismatch in its upload handler. Because only the first file in a multi-file upload array is checked for extension and MIME type while the remaining files are processed unchecked, attackers can pair a benign first file with a PHP webshell to achieve full code execution on the host. No public exploit identified at time of analysis, but the high CVSS 9.8 score and trivially scriptable nature place this in the realistic mass-exploitation tier for WordPress plugins.

File Upload PHP WordPress RCE Prosolution Wp Client
NVD VulDB
CVSS 3.1
9.8
EPSS
0.3%
CVE-2026-34246 MEDIUM PATCH This Month

Stored XSS in CtrlPanel's admin role management interface (versions 1.1.1 and prior) allows a privileged admin to inject persistent malicious HTML into role name or color fields, which executes in the browser of every admin who subsequently loads the /admin/roles page. The attack enables session hijacking, credential harvesting via fake login prompts or keyloggers, and lateral privilege escalation by performing admin actions on behalf of victim admins - with the payload re-executing on every page load until the offending role record is manually deleted. No active exploitation is confirmed (not in CISA KEV), but a proof-of-concept payload is documented in the vendor advisory. Fixed in version 1.2.0.

PHP XSS Privilege Escalation
NVD GitHub VulDB
CVSS 3.1
4.8
EPSS
0.0%
CVE-2026-34234 CRITICAL PATCH Act Now

Unauthenticated remote code execution in CtrlPanel billing software (versions 1.1.1 and prior) allows attackers to execute arbitrary OS commands via the web-based installer endpoint, even on already-installed instances. The flaw combines a control-flow bug (install.lock gate runs after handler execution) with command injection through unsanitized user input passed into shell commands. The advisory reports active exploitation in the wild, though no CISA KEV listing is present in the supplied data.

PHP RCE Command Injection
NVD GitHub VulDB
CVSS 3.1
10.0
EPSS
0.2%
CVE-2026-34216 MEDIUM PATCH This Month

Remote code execution in CtrlPanel versions 1.1.1 and prior allows authenticated administrators to execute arbitrary PHP code by supplying a fully qualified class name to the admin settings update endpoint, which instantiates or invokes static methods on that class without allowlist validation. Any class resolvable by the Composer autoloader - including third-party dependencies - can be targeted, enabling gadget-chain exploitation through PHP magic methods such as __construct, __toString, or __wakeup. No public exploit code has been identified at time of analysis and the vulnerability is not listed in the CISA KEV catalog; however, the fix is confirmed in version 1.2.0, released April 2026.

PHP RCE
NVD GitHub VulDB
CVSS 3.1
6.6
EPSS
0.3%
CVE-2026-46337 PHP MEDIUM GHSA This Month

Unauthenticated path traversal in AVideo's `view/img/image404Raw.php` allows any remote attacker to read arbitrary image files accessible to the PHP process, bypassing all application-layer ACLs that normally gate private user photos, admin thumbnails, and encrypted-video poster frames. The vulnerability affects all versions through the current master branch (commit 0dbadbcaaa1b415c7db078a72dc4b26d9fac0485) and all releases up to and including 29.0 (pkg:composer/wwbn_avideo). No vendor-released patch is currently available, and a working proof-of-concept is publicly disclosed in GHSA-w4qq-74h6-58wq, making this immediately actionable by any unauthenticated attacker with HTTP access to the deployment.

PHP Path Traversal
NVD GitHub
CVSS 4.0
6.9
EPSS
0.2%
CVE-2026-45793 PHP HIGH PATCH GHSA This Week

Sensitive token disclosure in Composer (PHP dependency manager) versions prior to 1.10.28, 2.2.28, and 2.9.8 causes GitHub Actions GITHUB_TOKEN values to be written verbatim to stderr/CI logs whenever the token contains characters outside Composer's hardcoded validation regex. The new GitHub Actions token format (ghs_<id>_<base64url-JWT>) includes hyphens, which fail Composer's `^[.A-Za-z0-9_]+$` check and trigger an UnexpectedValueException that interpolates the raw token into its message. No public exploit identified at time of analysis, but the leak triggers automatically without unusual configuration on any pipeline using common actions like shivammathur/setup-php that auto-register GITHUB_TOKEN into Composer's auth.json.

Information Disclosure PHP
NVD GitHub
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-46511 npm HIGH PATCH GHSA This Week

Cross-tenant account takeover in HAXcms (npm package @haxtheweb/haxcms-nodejs <= 25.0.0) allows an authenticated attacker with edit access to chain a stored XSS flaw with token leakage in the /system/api/connectionSettings endpoint to hijack other tenants' sessions. The endpoint exposes the victim's JWT, user_token, site_token, and appstore_token via the window.appSettings global, letting injected JavaScript silently exfiltrate them to an attacker-controlled webhook and fully impersonate the victim. A detailed reporter-supplied PoC exists in the GitHub Security Advisory, though there is no public exploit identified at time of analysis as a packaged weapon and no CISA KEV entry.

PHP XSS
NVD GitHub
CVSS 4.0
8.7
EPSS
0.1%
CVE-2026-46395 npm CRITICAL PATCH GHSA Act Now

Private key disclosure in HAXcms Node.js backend (@haxtheweb/haxcms-nodejs <= 25.0.0) lets unauthenticated remote attackers extract the master JWT signing secret via a single GET to /system/api/connectionSettings and forge admin-level JWTs for complete site takeover. The broken hmacBase64() function appends the raw privateKey+salt to its output, exposing it through any token the server emits. Publicly available exploit code exists in the GHSA advisory PoC, and the CVSS 4.0 score of 9.3 reflects trivial network exploitation with no privileges or user interaction.

Information Disclosure PHP Node.js
NVD GitHub
CVSS 4.0
9.3
EPSS
0.0%
CVE-2026-46393 npm HIGH PATCH GHSA This Week

Server-Side Request Forgery in HAXcms (versions <= 25.0.0 of @haxtheweb/haxcms-nodejs, with PoC against v11.0.6) allows authenticated low-privileged users to coerce the server into fetching arbitrary URLs or local file paths via the createSite endpoint's build.files parameter, with responses written to a web-accessible directory. This produces arbitrary file read, internal network reconnaissance, and cloud metadata credential theft. Publicly available exploit code exists in the GHSA advisory, though no CISA KEV listing is present.

PHP CSRF SSRF
NVD GitHub
CVSS 4.0
7.1
EPSS
0.0%
CVE-2026-43633 CRITICAL PATCH Act Now

Unauthenticated root-level remote code execution affects HestiaCP versions 1.9.0 through 1.9.4 when the optional web terminal feature is enabled, stemming from a session-handling format mismatch (CWE-502) between the PHP backend and the Node.js web terminal. Remote attackers can inject crafted HTTP header data that PHP writes into session storage but Node.js parses with naive string splitting, yielding arbitrary command execution as root; no public exploit identified at time of analysis, though VulnCheck has published a technical advisory and the upstream patch is publicly diffable.

Deserialization PHP Node.js RCE Hestiacp
NVD GitHub
CVSS 4.0
9.5
EPSS
0.2%
CVE-2026-42099 HIGH This Week

Remote code execution in Sparx Systems Pro Cloud Server (versions 0 through 6.1 build 167) is achievable by authenticated repository users via a race condition in the /data_api/dl_internal_artifact.php endpoint. An attacker who controls both the filename and contents of a downloaded artifact can briefly stage a malicious PHP file in the web root and execute it before cleanup, leading to full server compromise. No public exploit identified at time of analysis, but a detailed technical write-up published by CERT-PL and sploit.tech reduces the barrier to reproduction.

PHP Race Condition RCE
NVD
CVSS 4.0
7.7
EPSS
0.2%
CVE-2026-8912 HIGH This Week

SQL injection in the Contest Gallery WordPress plugin (versions through 28.1.6) allows unauthenticated remote attackers to extract sensitive database contents by abusing the 'form_input' parameter handled by the 'post_cg_gallery_form_upload' AJAX action. The endpoint is gated only by a public nonce that is exposed in the page source of any public gallery page, effectively offering no protection against external attackers. No public exploit identified at time of analysis, but the issue was disclosed by Wordfence and affects a publicly reachable PHP endpoint.

WordPress PHP SQLi
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-46725 PHP CRITICAL POC PATCH GHSA Act Now

Remote code execution in the TYPO3 'Content Element Selector' extension allows unauthenticated attackers to execute arbitrary PHP code by sending a crafted cookie that the extension feeds directly into PHP's unserialize(). The flaw (CWE-502, CVSS 4.0 score 9.2) is exploitable only on installations where a content element is configured with 'Persistent Mode: Static'. No public exploit identified at time of analysis, though the deserialization pattern is well-understood and typically rapid to weaponize.

Deserialization PHP RCE
NVD
CVSS 4.0
9.2
EPSS
0.4%
CVE-2026-8727 PHP HIGH PATCH GHSA This Week

Remote code execution in the TYPO3 Crawler extension occurs when the X-T3Crawler-Meta response header from a crawled URL is passed unchecked to PHP's unserialize(), enabling arbitrary PHP object injection. Exploitation requires a high-privileged administrator to configure a crawler-enabled page and a Scheduler task pointing at an attacker-controlled endpoint, so while impact is full RCE on the TYPO3 host, it is gated by an unusual combination of admin access, user interaction, and externally reachable malicious URLs. No public exploit identified at time of analysis and no CISA KEV listing.

Deserialization PHP RCE
NVD
CVSS 4.0
7.1
EPSS
0.4%
CVE-2026-45731 PHP MEDIUM GHSA This Month

Authenticated arbitrary file read in WWBN/AVideo's view/update.php exposes any text file readable by the web-server process to admin-level users via path traversal. The $_POST['updateFile'] parameter is concatenated directly into a filesystem path under updatedb/ without sanitization, allowing an authenticated administrator to supply sequences like '../../../../etc/passwd' and have PHP's file() function return the contents line-by-line in the migration-runner HTML response. A proof-of-concept exploit is publicly documented in GitHub Security Advisory GHSA-3mjv-375j-6h92; no patched release has been issued for any version through 29.0 as of analysis time, and no public exploit identified at time of analysis as actively exploited by CISA KEV.

Path Traversal PHP
NVD GitHub
CVSS 4.0
6.9
EPSS
0.1%
CVE-2026-45701 PHP MEDIUM PATCH GHSA This Month

Weak cryptographic algorithm usage in Sulu CMS exposes password reset tokens and API keys to prediction or brute-force attacks, potentially enabling unauthorized account takeover or API access. The flaw resides in the SecurityBundle's User.php and ResettingController.php, affecting all Sulu 2.x releases up to 2.6.22 and all 3.x releases from the first alpha through 3.0.5. No public exploit identified at time of analysis and the vulnerability is not listed in CISA KEV, but the cryptographic weakness (CWE-327) is structurally exploitable by a motivated attacker with network access to the application.

PHP Information Disclosure
NVD GitHub
CVSS 4.0
6.9
EPSS
0.0%
CVE-2026-45270 PHP HIGH PATCH GHSA This Week

Stored cross-site scripting in the CI4MS (CodeIgniter 4 CMS/ERP) Pages module versions <= 0.31.8.0 allows authenticated content authors holding the pages.create or pages.update permission to persist arbitrary JavaScript that executes in every visitor's browser when the public Pages renderer outputs the field unescaped. Publicly available exploit code exists in the GitHub Security Advisory (GHSA-gqr2-7hcg-rchf), and because vulnerable pages can be promoted to the site home page, a single injection escalates from a low-privileged author to full administrator session takeover when an admin browses the front-end.

Privilege Escalation PHP RCE CSRF XSS
NVD GitHub
CVSS 3.1
8.7
EPSS
0.1%
CVE-2026-45139 PHP MEDIUM PATCH GHSA This Month

Destructive file operations in the CI4MS Fileeditor module (composer/ci4-cms-erp/ci4ms ≤ v0.31.8.0) allow an authenticated backend user to delete or rename arbitrary framework files - including the front controller, routing config, and authentication filter pipeline - producing a persistent denial of service that requires filesystem-level redeployment to recover. The root cause is an inconsistent application of the existing extension allowlist: while saveFile and createFile correctly gate writes through allowedFileTypes(), the deleteFileOrFolder and renameFile endpoints apply no such check to the source path, meaning any file inside ROOTPATH not named in the narrow $hiddenItems blocklist is reachable. A working curl-based proof-of-concept is publicly available via GitHub advisory GHSA-245j-xjvr-xvm5; no CISA KEV listing is present at time of analysis.

PHP CSRF Denial Of Service
NVD GitHub
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-45138 PHP MEDIUM PATCH GHSA This Month

Stored XSS in CI4MS (composer package ci4-cms-erp/ci4ms, versions up to 0.31.8.0) allows authenticated content editors holding the `blogs.create` or `blogs.update` role to persist arbitrary JavaScript that executes in every visitor's browser, including superadmins who review or preview posts. The root cause is a PHP by-reference mutation in the `html_purify` custom validation rule that CodeIgniter 4's validator silently discards - raw POST data bypasses sanitization entirely and is written unescaped to the database and rendered directly in the public template. A detailed public proof-of-concept exploit exists; vendor-released patch 0.31.9.0 was published on 2026-05-08 and is confirmed to address the issue.

PHP CSRF XSS
NVD GitHub
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-45660 PHP MEDIUM PATCH GHSA This Month

Server-Side Request Forgery in Statamic CMS's Glide image proxy allows unauthenticated remote attackers to bypass IP validation and force the server to issue HTTP requests to internal infrastructure, including loopback addresses, RFC-1918 private networks, and cloud metadata endpoints such as AWS IMDSv1 (169.254.169.254). The bypass exploits unnormalized alternative IP representations (e.g., octal, hexadecimal, decimal-encoded) that evade the public-IP allowlist check before PHP normalizes them. Only deployments running PHP below 8.3 and passing user-supplied URLs to Glide are exposed; vendor-released patches exist in versions 5.73.22 and 6.18.1. No public exploit or CISA KEV listing has been identified at time of analysis.

SSRF PHP
NVD GitHub VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-45135 Go HIGH PATCH GHSA This Week

Remote code execution in Caddy web server (versions 2.7.0 through 2.10.2) is possible when the FastCGI reverse proxy's splitPos() function mishandles non-ASCII bytes in request paths, causing non-PHP files to be routed to a FastCGI upstream like PHP-FPM as if they were scripts. Where an attacker can place file content (uploads, user-content stores, package mirrors), a single crafted URL containing Unicode lookalikes for '.php' or a non-ASCII byte after a dot yields unauthenticated RCE. Publicly available exploit code exists (detailed PoC in the GHSA advisory) and the issue inherits two bugs from FrankenPHP's adapted code; no public exploitation has been reported and EPSS data was not provided.

RCE PHP
NVD GitHub VulDB
CVSS 3.1
8.1
EPSS
0.3%
CVE-2026-45620 PHP MEDIUM GHSA This Month

User enumeration in AVideo (composer/WWBN/AVideo ≤ 29.0) exposes account metadata - names, email addresses, usernames, and channel names - to unauthenticated remote attackers through an incomplete patch for CVE-2026-43881. The original fix (commit d9cdc7024) hardened `users.json.php` but left an identical unauthenticated code path alive in `objects/mention.json.php`, which calls `User::getAllUsers()` with no `loginCheck()` or authorization gate. No public exploit is identified at time of analysis, though the trivial HTTP-based trigger and absence of authentication make this a realistic reconnaissance primitive for credential-stuffing or phishing campaigns.

Information Disclosure PHP
NVD GitHub
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-8803 MEDIUM This Month

Weak password hashing in opensourcepos Open Source Point of Sale through version 3.4.2 exposes a legacy code path in the Employee Login component (app/Models/Employee.php) that retains an older, cryptographically weak hash function. The vendor has disputed the severity of this issue, clarifying that the weak hash function persists solely to support an upgrade migration path - default-seeded passwords use the legacy hash but are migrated to a stronger algorithm upon first login, meaning actively managed accounts on updated installations face reduced practical exposure. No public exploit code has been identified at time of analysis, and the vulnerability's real-world impact is currently in question pending independent verification.

Information Disclosure PHP
NVD VulDB
CVSS 4.0
6.3
EPSS
0.0%
CVE-2026-8802 MEDIUM PATCH This Month

Path traversal in opensourcepos Open Source Point of Sale versions 3.4.0 through 3.4.2 allows authenticated remote attackers to read arbitrary image files outside the intended directory via manipulated pic_filename parameters in the getPicThumb controller function. The vulnerability has CVSS 5.3 (Medium) with low attack complexity requiring only low-privilege authentication. Vendor-released patch available via GitHub commit def0c27a0e252668df8d942fc31e16d1edfd7323. No public exploit or active exploitation confirmed at time of analysis, though the fix is publicly documented with code diff showing the vulnerable parameter handling.

Path Traversal PHP
NVD VulDB GitHub
CVSS 4.0
5.3
EPSS
0.0%
CVE-2026-8785 MEDIUM POC This Month

SQL injection in projectworlds Hospital Management System in PHP 1.0 enables unauthenticated remote attackers to extract or modify patient data through the appointment_no parameter in update_info.php. The vulnerability has publicly available exploit code and affects the getAllPatientDetail function, with the vendor notified but unresponsive.

PHP SQLi
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-29963 HIGH This Week

Unauthenticated path traversal in HSC MailInspector 5.3.3-7 allows remote attackers to read arbitrary files from the underlying operating system by manipulating the 'text' parameter of the /tap/dw.php endpoint. Public exploit details are disclosed on GitHub (sql3t0/cve-disclosures), though EPSS probability remains low (0.05%) and the issue is not currently listed in CISA KEV. The flaw enables disclosure of sensitive system files such as configuration files, credentials, and mail-related data without prior authentication.

PHP Path Traversal
NVD GitHub
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-29962 HIGH This Week

Arbitrary file disclosure in HSC MailInspector v5.3.3-7 allows unauthenticated remote attackers to read sensitive files from the host via a path traversal flaw in the exposed /vendor/phpunit/phpunit.php endpoint. The CVSS 7.5 rating reflects high confidentiality impact with no required privileges or user interaction, though EPSS remains very low at 0.05% (15th percentile) and there is no public exploit identified at time of analysis. The exposure of a PHPUnit development artifact in a production path mirrors a long-standing class of PHP supply-chain misconfigurations.

Information Disclosure PHP Path Traversal
NVD GitHub
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-29964 MEDIUM This Month

HSC MailInspector v5.3.3-7 contains a Cross-Site Scripting (XSS) vulnerability in the /tap/tap.php endpoint due to improper neutralization of user-controlled input using alternate or obfuscated JavaScript syntax. The endpoint reflects unsanitized user input in HTTP responses without adequate output encoding, allowing a remote attacker to execute arbitrary JavaScript code in the context of a victim's browser.

PHP XSS
NVD GitHub VulDB
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-39079 HIGH This Week

An issue in prestashop upsshipping all versions through at least 2.4.0 allows a remote attacker to obtain sensitive information via the /modules/upsshipping/logs/, and /modules/upsshipping/lib/UPSBaseApi.php components

PHP Information Disclosure
NVD VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-29965 MEDIUM This Month

HSC MailInspector 5.3.3-7 is vulnerable to Cross Site Scripting (XSS) in the /police/WarningUrlPage.php endpoint due to improper neutralization of user-supplied input that uses alternate or obfuscated JavaScript syntax.

PHP XSS
NVD GitHub VulDB
CVSS 3.1
6.1
EPSS
0.0%
CVE-2018-25335 CRITICAL POC Act Now

WordPress Plugin Peugeot Music 1.0 contains an arbitrary file upload vulnerability that allows unauthenticated attackers to upload malicious files by sending POST requests to the upload.php endpoint. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress PHP Authentication Bypass File Upload
NVD Exploit-DB VulDB
CVSS 4.0
9.3
EPSS
0.1%
CVE-2018-25333 HIGH POC This Week

Nordex N149/4.0-4.5 Wind Turbine Web Server 4.0 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi PHP
NVD Exploit-DB VulDB
CVSS 4.0
8.8
EPSS
0.2%
CVE-2018-25331 MEDIUM POC This Month

Zenar Content Management System contains a cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by manipulating form parameters in POST requests. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP XSS
NVD Exploit-DB VulDB
CVSS 4.0
5.1
EPSS
0.1%
CVE-2018-25329 HIGH POC This Week

WordPress Plugin WP with Spritz 1.0 contains a remote file inclusion vulnerability that allows unauthenticated attackers to read arbitrary files by injecting file paths into the url parameter. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure PHP WordPress LFI
NVD Exploit-DB VulDB
CVSS 4.0
8.7
EPSS
0.0%
EPSS 0% CVSS 8.2
HIGH PATCH This Week

Man-in-the-middle exposure in Open ISES Tickets before 3.44.2 stems from the shared helper functions in incs/functions.inc.php disabling TLS certificate verification (CURLOPT_SSL_VERIFYPEER=false) on outbound HTTPS calls, letting network-positioned attackers intercept or modify traffic carrying API keys and session data. No public exploit identified at time of analysis and the vulnerability is not listed in CISA KEV, but the vendor's v3.44.2 release notes describe it as a critical security update that also bundles fixes for 88 other issues including XSS and SQL injection.

Information Disclosure PHP
NVD GitHub VulDB
EPSS 0% CVSS 8.2
HIGH PATCH This Week

TLS certificate verification bypass in Open ISES Tickets before 3.44.2 allows network-positioned attackers to intercept HTTPS traffic between the application server and Google Maps Directions API during incident report generation. The flaw stems from ajax/reports.php explicitly setting CURLOPT_SSL_VERIFYPEER to false without configuring CURLOPT_SSL_VERIFYHOST, exposing Google API keys and any session-bearing data carried in outbound requests. No public exploit identified at time of analysis, and SSVC reports no observed exploitation, but a vendor patch is available in v3.44.2.

Information Disclosure PHP Google
NVD GitHub VulDB
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

Open ISES Tickets exposes a hardcoded Google Maps API key committed directly to its public GitHub source repository in tables.php, affecting all versions before 3.44.2. Any party with read access to the repository - effectively the entire internet - can extract the key and authenticate to Google Maps Platform as the application owner, generating API usage billed against the victim's Google Cloud project. No public exploit has been identified at time of analysis, but the SSVC framework rates this as automatable with partial technical impact, and the v3.44.2 release notes confirm the key is one of five hardcoded secrets removed in a batch of 88 security fixes.

PHP Google Authentication Bypass
NVD GitHub
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

Hardcoded Google Maps API key exposure in Open ISES Tickets before v3.44.2 enables any party with read access to the public GitHub repository to extract a valid API credential from settings.inc.php and issue arbitrary Google Maps Platform requests billed against the victim organization's Google Cloud project. All versions from the initial release up to (but not including) 3.44.2 are affected per CPE cpe:2.3:a:open_ises:tickets:*:*:*:*:*:*:*:*. No public exploit code has been identified at time of analysis and the vulnerability is not listed in CISA KEV, but exploitation requires only the ability to read a publicly hosted source file - effectively zero technical barrier for any motivated actor.

PHP Google Authentication Bypass
NVD GitHub VulDB
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

Open ISES Tickets before v3.44.2 exposes a hardcoded WhitePages reverse-phone API key committed directly into the public source file wp1.php, making it trivially accessible to any actor who can read the repository. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) reflects that no authentication or special conditions are required - extraction is as simple as reading a publicly hosted source file. Impact is bounded to third-party API abuse: an attacker can use the stolen key to make WhitePages lookups billed to or rate-capped against the legitimate owner's account. No public exploit identified at time of analysis, and this CVE is not listed in CISA KEV, though the passive nature of the exposure means any observer of the repository may already possess the key.

PHP Authentication Bypass
NVD GitHub VulDB
EPSS 0% CVSS 9.2
CRITICAL PATCH Act Now

Credential exposure in Open ISES Tickets versions prior to 3.44.2 allows remote attackers to obtain valid MySQL database connection parameters (host, username, password, database name) hardcoded in import_mdb.php and committed to the public source repository. Any attacker who can read the public GitHub source can extract these credentials and attempt to authenticate against deployed installations that retained the default values, with no public exploit identified at time of analysis.

PHP Authentication Bypass
NVD GitHub VulDB
EPSS 0% CVSS 9.2
CRITICAL PATCH Act Now

Hardcoded MySQL credentials in Open ISES Tickets before 3.44.2 expose database username, password, and database name through a public-facing loader.php utility that was committed to the source repository. Any user able to read the source tree on GitHub or fetch the file from a deployed installation can connect to the backing database if reachable, leading to full read/write access. No public exploit identified at time of analysis, but the credentials are trivially recoverable from the source tree.

PHP Authentication Bypass
NVD GitHub VulDB
EPSS 0% CVSS 7.1
HIGH PATCH This Week

SQL injection in Open ISES Tickets before 3.44.2 lets authenticated users tamper with backend database queries through the ajax/statistics.php endpoint by injecting payloads into the tick_id and f_tick_id POST parameters. The CVSS 4.0 score of 7.1 reflects high confidentiality impact with lower integrity impact, and while no public exploit is identified at time of analysis, this flaw is one of 19 SQL injection issues bundled into a single critical security release that the vendor urges all users to install immediately.

PHP SQLi
NVD GitHub VulDB
EPSS 0% CVSS 7.1
HIGH PATCH This Week

SQL injection in Open ISES Tickets before 3.44.2 lets authenticated users tamper with the incidents summary report query via the tick_id POST parameter in ajax/reports.php, enabling arbitrary read, modification, or destruction of database contents. The v3.44.2 release notes confirm the fix was part of a broader security overhaul addressing 19 SQL injection flaws and 69 XSS issues. No public exploit identified at time of analysis, and SSVC classifies exploitation status as 'none' with partial technical impact.

PHP SQLi
NVD GitHub
EPSS 0% CVSS 7.1
HIGH PATCH This Week

SQL injection in Open ISES Tickets before 3.44.2 allows authenticated attackers to manipulate database queries via the unsanitized `id` GET parameter in `ajax/mobile_main.php`. The flaw permits arbitrary read, modification, or destruction of database contents, and is part of a broader batch of 19 SQL injection fixes shipped in v3.44.2. No public exploit identified at time of analysis, but the vendor explicitly classifies v3.44.2 as a 'Critical Security Update' urging immediate upgrade.

PHP SQLi
NVD GitHub VulDB
EPSS 0% CVSS 7.1
HIGH PATCH This Week

SQL injection in Open ISES Tickets before 3.44.2 allows authenticated attackers to manipulate backend database queries via the message.php endpoint, enabling unauthorized read, modification, or destruction of database contents. The flaw stems from unsanitized concatenation of the frm_ticket_id and frm_resp_id POST parameters into SELECT and UPDATE statements. No public exploit identified at time of analysis, though VulnCheck has published a dedicated advisory and the vendor's 3.44.2 release bundles fixes for 19 SQL injection issues across the codebase.

PHP SQLi
NVD GitHub VulDB
EPSS 0% CVSS 7.1
HIGH PATCH This Week

SQL injection in Open ISES Tickets before 3.44.2 allows authenticated attackers to manipulate database queries via unsanitized POST parameters (ticketsdb, ticketshost, ticketsuser, ticketspassword) in db_loader.php, enabling read, modification, or destruction of database contents. The vendor confirms this is one of 19 SQL injection flaws patched in v3.44.2, reported by VulnCheck. No public exploit identified at time of analysis, and the vulnerability requires low-privilege authentication (PR:L per CVSS 4.0 vector).

PHP SQLi
NVD GitHub VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

SQL injection in Open ISES Tickets before 3.44.2 allows attackers controlling or impersonating an InstaMapper or Google Latitude GPS tracking endpoint to inject malicious SQL via unsanitized latitude, longitude, callsign, mph, altitude, and timestamp values parsed by incs/remotes.inc.php. The CVSS 4.0 base score of 8.8 reflects unauthenticated network exploitation with high confidentiality impact, and no public exploit is identified at time of analysis. The flaw was disclosed by VulnCheck and is one of 19 SQL injection issues patched in the v3.44.2 release.

PHP Google SQLi
NVD GitHub VulDB
EPSS 0% CVSS 7.1
HIGH PATCH This Week

SQL injection in Open ISES Tickets versions prior to 3.44.2 allows authenticated attackers to manipulate ORDER BY clauses via the sort and dir GET parameters in portal/ajax/list_requests.php, enabling unauthorized read, modification, or destruction of database contents. The CVSS 4.0 score of 7.1 reflects network-reachable exploitation with low privileges and no user interaction required. No public exploit identified at time of analysis, but the vendor's own release notes describe this as part of a critical security update patching 19 SQL injection flaws across 11 files.

PHP SQLi
NVD GitHub
EPSS 0% CVSS 7.1
HIGH PATCH This Week

SQL injection in Open ISES Tickets prior to 3.44.2 allows authenticated attackers to manipulate database queries via the unsanitized 'offset' GET parameter in ajax/sit_incidents.php, which is concatenated directly into a LIMIT clause. Successful exploitation enables reading, modifying, or destroying database contents. No public exploit identified at time of analysis, though the underlying flaw is one of 19 SQL injection issues patched in the same release, indicating broad code-level weakness.

PHP SQLi
NVD GitHub
EPSS 0% CVSS 7.1
HIGH PATCH This Week

SQL injection in Open ISES Tickets versions prior to 3.44.2 allows authenticated attackers to manipulate database queries through the unsanitized offset parameter in ajax/fullsit_incidents.php. The flaw enables reading, modifying, or destroying database contents and is part of a broader v3.44.2 security release that patched 19 SQL injection issues. No public exploit identified at time of analysis, but the vendor classifies the update as critical and urges immediate upgrade.

PHP SQLi
NVD GitHub VulDB
EPSS 0% CVSS 7.1
HIGH PATCH This Week

SQL injection in Open ISES Tickets prior to 3.44.2 lets authenticated users tamper with database contents by abusing unsanitized POST parameters (tablename, indexname, sortby) in tables.php that are concatenated directly into SELECT, UPDATE, and DELETE identifier positions. The flaw is one of 19 SQLi issues fixed in the v3.44.2 release; no public exploit identified at time of analysis, but the vendor labels the release a Critical Security Update and urges immediate upgrade.

PHP SQLi
NVD GitHub VulDB
EPSS 0% CVSS 5.1
MEDIUM PATCH This Month

Reflected cross-site scripting in Open ISES Tickets before version 3.44.2 allows JavaScript injection via ten unsanitized POST parameters in ticketsmdb_import.php, with payloads executing in the victim's browser upon response rendering. The vendor-released patch v3.44.2 addresses this as part of a critical security update that simultaneously fixed 88 vulnerabilities including 69 XSS and 19 SQL injection issues across the codebase, suggesting systemic input sanitization failures rather than an isolated defect. No public exploit code has been identified at time of analysis, and this CVE is not listed in the CISA KEV catalog.

PHP XSS
NVD GitHub VulDB
EPSS 0% CVSS 5.1
MEDIUM PATCH This Month

Reflected XSS in Open ISES Tickets (all versions before 3.44.2) allows injection of arbitrary JavaScript via the unsanitized ticket_id GET parameter in routes_i.php, rendered directly into HTML form hidden input value attributes. When a victim visits or is redirected to a crafted URL, the payload executes in their browser within the application's security context. No public exploit or CISA KEV listing exists at time of analysis, but the patch release (v3.44.2) simultaneously fixes 88 vulnerabilities - 69 of them XSS - indicating systemic input sanitization failures throughout the codebase that substantially elevate the overall risk posture of this application.

PHP XSS
NVD GitHub VulDB
EPSS 0% CVSS 5.1
MEDIUM PATCH This Month

Reflected cross-site scripting in Open ISES Tickets (all versions before 3.44.2) allows attackers to inject arbitrary JavaScript through unsanitized id and ticket_id GET parameters in patient_w.php, which are written directly into an HTML form action URL without output encoding. Successful exploitation requires the victim to actively click a crafted link, after which the payload executes in the victim's browser under the application's origin, enabling session hijacking or unauthorized actions. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog; however, the scale of the v3.44.2 release - patching 69 XSS and 19 SQL injection issues simultaneously - suggests the codebase has historically received minimal security review.

PHP XSS
NVD GitHub
EPSS 0% CVSS 5.1
MEDIUM PATCH This Month

Reflected XSS in Open ISES Tickets before 3.44.2 exposes authenticated users to arbitrary JavaScript execution via unsanitized GET parameters in patient.php. The vulnerability exists in the id and ticket_id parameters, whose values are written directly into an HTML form action URL without output encoding, enabling an attacker to craft a malicious link that executes script in the victim's browser upon rendering. No public exploit or active exploitation has been identified at time of analysis; however, the vendor's v3.44.2 release confirms this is one of 69 XSS vulnerabilities patched simultaneously, indicating systemic input-handling failures across the application.

PHP XSS
NVD GitHub
EPSS 0% CVSS 5.1
MEDIUM PATCH This Month

Reflected XSS in Open ISES Tickets (all versions before 3.44.2) allows JavaScript injection via the unsanitized `ref` and `mode_orig` POST parameters in `os_watch.php`, which are written verbatim into HTML form hidden input value attributes without output encoding. An attacker who can trick a user into submitting a crafted POST request will have arbitrary JavaScript execute in that user's browser session, enabling session theft, credential harvesting, or UI redress attacks. No public exploit code or CISA KEV listing has been identified at time of analysis; however, the patch release simultaneously addressed 88 vulnerabilities - including 19 SQL injection issues - suggesting this application carried significant accumulated security debt that amplifies organizational risk beyond this single CVE.

PHP XSS
NVD GitHub VulDB
EPSS 0% CVSS 5.1
MEDIUM PATCH This Month

Reflected cross-site scripting in Open ISES Tickets before version 3.44.2 allows an attacker to inject arbitrary JavaScript via the unsanitized _type POST parameter in landb.php, which is echoed directly into an HTML form hidden input value attribute without encoding. When a victim renders the crafted response, the injected script executes in their browser context, enabling session hijacking, credential theft, or forced action on behalf of the victim. This CVE is one of 69 XSS vulnerabilities addressed in the v3.44.2 critical security update; no public exploit has been identified at time of analysis and it is not listed in CISA KEV.

PHP XSS
NVD GitHub VulDB
EPSS 0% CVSS 5.1
MEDIUM PATCH This Month

Reflected cross-site scripting in Open ISES Tickets before v3.44.2 enables JavaScript injection via the frm_add_str POST parameter in ics214.php, which reflects the unsanitized value directly into an HTML form hidden input value attribute. When a victim renders the crafted response, the payload executes in their browser session, enabling session hijacking or action-on-behalf-of-user attacks. No public exploit has been identified and this CVE is not listed in CISA KEV, though the v3.44.2 release addresses 88 total vulnerabilities - including SQL injection and hardcoded credentials - making upgrade broadly critical regardless of this specific finding.

PHP XSS
NVD GitHub VulDB
EPSS 0% CVSS 5.1
MEDIUM PATCH This Month

Reflected cross-site scripting in Open ISES Tickets before 3.44.2 allows a malicious actor to inject arbitrary JavaScript into a victim's browser session via the unsanitized frm_add_str POST parameter in ics213rr.php, where the value is written directly into an HTML form hidden input attribute without escaping. The CVSS 4.0 vector scores this at 5.1 with scope change to subsequent systems (SC:L/SI:L), meaning successful exploitation affects data beyond the immediately vulnerable component. No public exploit code or CISA KEV listing exists at time of analysis; a vendor-released patch (v3.44.2) is confirmed available and also resolves 87 additional vulnerabilities including SQL injection, hardcoded credentials, and SSL validation failures.

PHP XSS
NVD GitHub
EPSS 0% CVSS 5.1
MEDIUM PATCH This Month

Reflected cross-site scripting in Open ISES Tickets before v3.44.2 allows injection of arbitrary JavaScript through the frm_add_str POST parameter in ics213.php, which is rendered unsanitized inside an HTML hidden input value attribute. The CVSS 4.0 vector (PR:N/UI:A) indicates no privileges are required on the attacker side, but victim interaction is mandatory - a user must submit or be tricked into triggering the crafted request. This CVE is one of 69 XSS vulnerabilities patched in the v3.44.2 critical security release, signaling systemic input sanitization failures across the codebase. No public exploit code has been identified at time of analysis, and this CVE does not appear in the CISA KEV catalog.

PHP XSS
NVD GitHub
EPSS 0% CVSS 5.1
MEDIUM PATCH This Month

Reflected cross-site scripting in Open ISES Tickets before version 3.44.2 allows injection of arbitrary JavaScript via the unsanitized frm_add_str POST parameter in ics205a.php, which is rendered verbatim inside an HTML form hidden input value attribute in the victim's browser. This CVE is one of 69 XSS vulnerabilities patched in the v3.44.2 release - a 'Critical Security Update' that also addressed 19 SQL injection issues and 5 hardcoded secrets, revealing systemic input handling failures across the codebase. No public exploit identified at time of analysis and no CISA KEV listing; however, the broader security debt in this application makes upgrading urgent beyond this single CVE.

PHP XSS
NVD GitHub
EPSS 0% CVSS 5.1
MEDIUM PATCH This Month

Reflected cross-site scripting in Open ISES Tickets (all versions before 3.44.2) allows injection of arbitrary JavaScript through the frm_add_str POST parameter in ics205.php, which is rendered unsanitized inside an HTML form hidden input value attribute. The attacker must induce an authenticated victim to submit a crafted request (UI:A), limiting opportunistic exploitation but enabling session hijacking, credential theft, or further browser-based attacks against logged-in users. This CVE is one of 69 XSS vulnerabilities patched in v3.44.2, which also addressed 19 SQL injection issues and hardcoded credentials - indicating systemic input-handling deficiencies across the PHP codebase. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.

PHP XSS
NVD GitHub VulDB
EPSS 0% CVSS 5.1
MEDIUM PATCH This Month

Reflected cross-site scripting in Open ISES Tickets before version 3.44.2 enables JavaScript injection via the frm_add_str POST parameter in ics202.php, where the unsanitized value is written directly into an HTML form hidden input value attribute. The CVSS 4.0 vector (PR:N/UI:A) indicates no attacker privilege is required, but victim interaction is mandatory - meaning an attacker must deceive a user into submitting a crafted POST request to trigger execution. This CVE is one of 69 XSS vulnerabilities patched in the v3.44.2 release alongside 19 SQL injection flaws and 5 hardcoded secrets, signaling a systemic insecurity posture in the codebase prior to this release. No public exploit identified at time of analysis; no CISA KEV listing.

PHP XSS
NVD GitHub VulDB
EPSS 0% CVSS 5.1
MEDIUM PATCH This Month

Reflected cross-site scripting in Open ISES Tickets (all versions before 3.44.2) exposes the icons/buttons/landb.php endpoint to arbitrary JavaScript injection via unsanitized frm_name and frm_id POST parameters, which are rendered directly into both HTML content and inline JavaScript without encoding or sanitization. An attacker who can socially engineer an authenticated user into triggering a crafted POST request can execute arbitrary JavaScript within that user's browser session, enabling session hijacking, credential theft, or malicious UI manipulation. No public exploit has been identified at time of analysis; a vendor-released patch (v3.44.2) is available and all users are urged to upgrade immediately per the vendor's own release advisory.

PHP XSS
NVD GitHub VulDB
EPSS 0% CVSS 5.1
MEDIUM PATCH This Month

Reflected XSS in Open ISES Tickets before 3.44.2 allows JavaScript injection via unsanitized POST parameters (module_choice, flag, confirmation) in delete_module.php, executing attacker-supplied code in the browser of a victim who interacts with a crafted request. The CVSS 4.0 vector (PR:N/UI:A) indicates the attacker requires no privileges but depends on active victim interaction - consistent with a POST-based reflected XSS delivered via a cross-site auto-submitting form targeting an authenticated session. No public exploit has been identified at time of analysis, and vendor-released patch v3.44.2 is available, a landmark release that simultaneously addressed 88 vulnerabilities including 19 SQL injections and 68 additional XSS issues across the same codebase.

PHP XSS
NVD GitHub
EPSS 0% CVSS 5.1
MEDIUM PATCH This Month

Reflected XSS in Open ISES Tickets before v3.44.2 allows JavaScript injection via six unsanitized POST parameters in db_loader.php (ticketshost, ticketsdb, ticketsuser, ticketspassword, ticketsprefix, db_schema), each reflected verbatim into HTML form input value attributes. An attacker who can deliver a crafted POST request to a victim's browser can execute arbitrary JavaScript in the victim's session context, enabling session hijacking or credential theft. The vendor-confirmed fix (v3.44.2) was released as a critical security update resolving 88 total vulnerabilities; no public exploit or CISA KEV listing is identified at time of analysis.

PHP XSS
NVD GitHub
EPSS 0% CVSS 5.1
MEDIUM PATCH This Month

Reflected XSS in Open ISES Tickets (versions before 3.44.2) allows network-based attackers to inject arbitrary JavaScript through the frm_id POST parameter in circle.php, requiring victim interaction with a crafted link or form. The vulnerability executes malicious scripts in the victim's browser context with low-scope impact to confidentiality and integrity. No public exploit code or active exploitation has been identified at time of analysis. VulnCheck reported this as one of 69 XSS vulnerabilities patched in the v3.44.2 security release, which addressed 88 total security issues including SQL injection and hardcoded credentials.

PHP XSS
NVD GitHub VulDB
EPSS 0% CVSS 5.1
MEDIUM PATCH This Month

Reflected XSS in Open ISES Tickets before v3.44.2 enables JavaScript injection through the unsanitized ticket_id POST parameter in add_nm.php, which is embedded without encoding into both an HTML form input value attribute and an inline JavaScript string literal - two distinct injection contexts. When a victim renders the malicious response, attacker-controlled script executes in their browser with potential to steal session tokens or perform actions under their identity. No public exploit exists and the vulnerability is not in CISA KEV, but the v3.44.2 release notes reveal 88 co-patched security defects (including 19 SQL injection issues and hardcoded secrets), meaning any unpatched deployment faces compounded, systemic risk far beyond this single CVE.

PHP XSS
NVD GitHub VulDB
EPSS 0% CVSS 5.1
MEDIUM PATCH This Month

Reflected cross-site scripting in Open ISES Tickets before 3.44.2 allows injection of arbitrary JavaScript via the ticket_id POST parameter in add.php, which is echoed unsanitized into an HTML form input value attribute. The CVSS 4.0 vector scores this at 5.1 with no privileges required and active user interaction needed, though the CVE description characterizes attackers as authenticated - a discrepancy discussed in the risk section. No public exploit code or CISA KEV listing exists at time of analysis. This vulnerability is one of 69 XSS issues patched in a single v3.44.2 release that also addressed 19 SQL injection flaws and 5 hardcoded secrets, suggesting systemic insecure coding practices across the codebase.

PHP XSS
NVD GitHub VulDB
EPSS 0% CVSS 9.8
CRITICAL Act Now

Unauthenticated remote code execution in the Avada Builder (fusion-builder) WordPress plugin versions up to and including 3.15.2 allows attackers to execute arbitrary PHP on affected sites by abusing an unsanitized call_user_func() invocation reachable through a public AJAX endpoint. Wordfence-reported issue affects any WordPress site running the Avada theme stack that exposes a Post Cards or Table of Contents element on a public page, since the protecting nonce is deterministically leaked in the page's JavaScript. No public exploit identified at time of analysis, but the CVSS 9.8 rating and trivial precondition (visiting one page that emits the nonce) make this high-priority.

WordPress PHP RCE
NVD VulDB
EPSS 0% CVSS 5.1
MEDIUM PATCH This Month

Reflected cross-site scripting in Open ISES Tickets before v3.44.2 allows attackers to inject arbitrary JavaScript into victim browsers via the unsanitized `frm_query` POST parameter in `search.php`, which is echoed verbatim into an HTML input `VALUE` attribute. The CVSS 4.0 score of 5.1 (Medium) reflects a required active user interaction step (UI:A) that limits opportunistic exploitation - a victim must be induced to submit a crafted request. No public exploit code has been identified at time of analysis and the vulnerability is not listed in CISA KEV; however, a vendor-released patch (v3.44.2) is available and should be applied immediately, as it simultaneously addresses 88 security vulnerabilities - including 68 additional XSS flaws across 22 files - indicating systemic insecurity in all prior versions.

PHP XSS Tickets
NVD GitHub VulDB
EPSS 0% CVSS 5.1
MEDIUM PATCH This Month

Reflected XSS in Open ISES Tickets before 3.44.2 enables injection of arbitrary JavaScript via the unsanitized `the_ticket` GET parameter in do_unit_mail.php, which is written directly into a JavaScript variable assignment without output encoding. An attacker who can deliver a crafted URL to a user of the application can execute arbitrary JavaScript in that user's browser session, enabling session hijacking, credential theft, or UI redirection. No active exploitation is confirmed (not in CISA KEV), and no public POC is identified at time of analysis, though a patch commit and vendor release are publicly available, raising the exposure window.

PHP XSS Tickets
NVD GitHub
EPSS 0% CVSS 5.1
MEDIUM PATCH This Month

Reflected cross-site scripting in Open ISES Tickets before 3.44.2 allows injection of arbitrary JavaScript via the ticket_id GET parameter in routes_nm.php, which is unsanitized and written directly into an HTML hidden input field VALUE attribute. The CVSS 4.0 vector (PR:N) indicates no privileges are required, but the CVE description explicitly characterizes the attacker as authenticated - this discrepancy must be verified with the vendor before determining actual exploitation prerequisites. Active user interaction is required (UI:A), meaning exploitation depends on a victim clicking a crafted URL. No public exploit has been identified at time of analysis and this CVE is not listed in the CISA KEV catalog.

PHP XSS Tickets
NVD GitHub
EPSS 0% CVSS 5.1
MEDIUM PATCH This Month

Reflected XSS in Open ISES Tickets before version 3.44.2 allows an attacker to inject arbitrary JavaScript into a victim's browser session via the thelat and thelng GET parameters in street_view.php, where values are passed unsanitized directly into JavaScript variable assignments. The attack requires user interaction - a victim must visit a crafted URL - and the CVSS 4.0 score of 5.1 reflects limited scope impact (SC:L/SI:L). Notably, this CVE is one of 69 XSS vulnerabilities patched in the v3.44.2 release, which also addressed 19 SQL injection flaws and 5 hardcoded secrets, indicating severe systemic security debt in the codebase. No public exploit identified at time of analysis, and no CISA KEV listing.

PHP XSS Tickets
NVD GitHub
EPSS 0% CVSS 5.1
MEDIUM PATCH This Month

Reflected XSS in Open ISES Tickets before version 3.44.2 enables JavaScript injection via the ticket_id GET parameter in add_facnote.php, which is written unsanitized into a hidden HTML input field's VALUE attribute. An attacker can craft a URL containing a JavaScript payload and trick a user into visiting it, causing script execution in the victim's browser session within the application's origin. No public exploit has been identified at time of analysis, and a vendor-released patch is confirmed at v3.44.2. Notably, this CVE is one of at least 69 XSS vulnerabilities addressed in the same release, indicating systemic input sanitization failures across the codebase.

PHP XSS Tickets
NVD GitHub
EPSS 0% CVSS 5.1
MEDIUM PATCH This Month

Reflected cross-site scripting in Open ISES Tickets before v3.44.2 allows attackers to execute arbitrary JavaScript in a victim's browser by delivering a crafted URL containing a payload in the `frm_call` GET parameter of `opena.php`, which is reflected directly into page output without sanitization. The CVSS 4.0 vector scores this at 5.1 (Medium), with impact limited to the subsequent browser context (SC:L/SI:L) rather than the server itself. No public exploit has been identified at time of analysis, and this CVE is not listed in CISA KEV - however, the v3.44.2 release patched 88 total vulnerabilities including 19 SQL injection flaws, indicating systemic security debt warranting urgent upgrade regardless of this CVE's moderate score.

PHP XSS Tickets
NVD GitHub
EPSS 0% CVSS 5.1
MEDIUM PATCH This Month

Reflected XSS in Open ISES Tickets before 3.44.2 enables JavaScript injection via the ticket_id GET parameter in patient_JF.php, where the unsanitized value is written directly into a JavaScript variable assignment in the server response. The CVSS 4.0 vector (PR:N, UI:A) indicates no authentication is required from the attacker's side, though the CVE description contradicts this by specifying 'authenticated attackers' - this conflict should be verified with the vendor. Exploitation requires the victim to actively visit a crafted URL, limiting mass exploitation, but the broader v3.44.2 release context - which patches 88 total vulnerabilities including 19 SQL injection flaws - signals systemic input validation failures across the codebase. No public exploit code or CISA KEV listing has been identified at time of analysis.

PHP XSS Tickets
NVD GitHub
EPSS 0% CVSS 5.1
MEDIUM PATCH This Month

Reflected XSS in Open ISES Tickets before 3.44.2 allows injection of arbitrary JavaScript via the unsanitized ticket_id GET parameter in add_note.php, with payload execution occurring in the browser of any authenticated user who visits a crafted URL. The CVSS 4.0 score of 5.1 (Medium) reflects the mandatory user interaction requirement and impact scope limited to the browser context, with no server-side confidentiality or integrity impact. No public exploit code or active exploitation has been identified at time of analysis; the vendor released v3.44.2 as a critical security update that addresses this issue alongside 87 additional vulnerabilities.

PHP XSS Tickets
NVD GitHub
EPSS 0% CVSS 5.1
MEDIUM PATCH This Month

Reflected cross-site scripting in Open ISES Tickets before version 3.44.2 allows an attacker to inject arbitrary JavaScript via the ticket_id GET parameter in single.php, which is rendered unsanitized into an HTML attribute and executed in a victim's browser upon visiting a crafted URL. This vulnerability is one of 69 XSS issues patched in the v3.44.2 release, which also addressed 19 SQL injection flaws and hardcoded credentials - signaling systemic input handling deficiencies across the application. No public exploit code or CISA KEV listing has been identified at time of analysis, but the CVSS 4.0 score of 5.1 and mandatory user interaction (UI:A) limit automated exploitation.

PHP XSS Tickets
NVD GitHub
EPSS 0% CVSS 5.1
MEDIUM PATCH This Month

Reflected XSS in Open ISES Tickets before version 3.44.2 allows attackers to inject arbitrary JavaScript into a victim's browser session via the unsanitized 'id' GET parameter in single_unit.php. The injected value is written directly into an HTML attribute without escaping, enabling session hijacking, credential theft, or malicious redirects when a victim visits an attacker-crafted URL. This CVE is one of 69 XSS vulnerabilities patched in the v3.44.2 security release - indicating systemic input validation failures across the application. No public exploit or CISA KEV listing has been identified at time of analysis.

PHP XSS Tickets
NVD GitHub
EPSS 2% CVSS 5.6
MEDIUM PATCH This Month

Command injection in shivammathur/setup-php (versions 2.25.0 through 2.37.0) allows an attacker who can influence repository files to execute arbitrary commands on a GitHub Actions runner when the action resolves the PHP version from attacker-controlled content. The risk is highest in privileged workflows using pull_request_target that check out untrusted PR code before invoking setup-php, potentially exposing repository secrets and CI/CD infrastructure. No public exploit code or KEV listing exists at time of analysis, but the attack is realistic in any project using this common CI action pattern with auto-merging or cross-repo workflows.

PHP Command Injection
NVD GitHub
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Sandbox bypass in Twig template engine versions 2.16.x and 3.9.0 through 3.25.x allows attackers with template rendering capabilities to execute arbitrary PHP code when the sandbox is enabled via a SourcePolicyInterface rather than globally. The runtime check on sort, filter, map, and reduce filters fails to propagate the current template source, allowing arbitrary PHP callables to be passed and executed. No public exploit identified at time of analysis and the issue is not in CISA KEV, but the RCE/PHP tagging and CVSS 4.0 score of 8.7 indicate high impact for applications offering user-editable templates.

PHP RCE Twig
NVD GitHub VulDB
EPSS 0% CVSS 4.3
MEDIUM This Month

Stored Cross-Site Scripting via CSRF in the Anomify AI WordPress plugin (versions ≤ 0.3.6) allows unauthenticated remote attackers to inject persistent JavaScript into the WordPress admin panel by tricking a logged-in administrator into visiting an attacker-controlled page. The attack chains two flaws: a missing nonce check on the settings handler (no check_admin_referer()) that permits any cross-origin POST to modify plugin settings, and a double-quote escape bypass where the API key value is stored after sanitize_text_field() sanitization but rendered into an HTML attribute via bare echo without esc_attr(), allowing the payload to survive both sanitization and storage. No public exploit has been identified at time of analysis, and the CVE is not listed in the CISA KEV catalog.

WordPress PHP CSRF +1
NVD VulDB
EPSS 0% CVSS 8.8
HIGH This Week

Local File Inclusion in the Advanced Database Cleaner - Premium WordPress plugin (versions up to and including 4.1.0) allows Subscriber-level authenticated users to include and execute arbitrary .php files via the 'template' parameter. The flaw, reported by Wordfence, carries a CVSS score of 8.8 and can be escalated to full remote code execution when combined with a file upload primitive, while no public exploit identified at time of analysis.

LFI Information Disclosure RCE +2
NVD VulDB
EPSS 0% CVSS 9.8
CRITICAL Act Now

PHP Object Injection in the Boost plugin for WordPress (versions up to and including 2.0.3) allows unauthenticated remote attackers to inject arbitrary PHP objects via the STYXKEY-BOOST_USER_LOCATION cookie. The vulnerability stems from unsafe deserialization of attacker-controlled cookie data; while the plugin itself ships no usable POP (property-oriented programming) chain, exploitation becomes high-impact when any other installed plugin or theme provides one. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.

Deserialization PHP Information Disclosure +1
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Cross-Site Request Forgery in the Bottom Bar WordPress plugin (all versions up to and including 0.1.7) allows unauthenticated attackers to modify plugin configuration by tricking a logged-in administrator into visiting a malicious page. All three administrative settings forms - main settings, sharing services, and restore defaults - lack both wp_nonce_field() output and server-side check_admin_referer() validation in bottom-bar-admin.php, meaning any POST to those endpoints is processed without request authenticity checks. No public exploit has been identified at time of analysis, no patched version has been confirmed, and the vulnerability is not listed in CISA KEV.

WordPress PHP CSRF
NVD
EPSS 0% CVSS 4.9
MEDIUM This Month

Time-based blind SQL injection in the Read More & Accordion WordPress plugin (slug: expand-maker) through version 3.5.7 enables authenticated administrators to exfiltrate arbitrary database contents, including administrator password hashes, by manipulating the orderby GET parameter. The flaw exists in two data-retrieval functions in ReadMoreData.php, where user input bypasses effective sanitization and is concatenated unquoted into an ORDER BY SQL clause. No public exploit code has been identified at time of analysis, and this CVE is not listed in the CISA KEV catalog, though the high-confidentiality CVSS impact (C:H) reflects genuine data-exposure potential.

WordPress PHP Information Disclosure +1
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Authentication bypass in the Oliver POS WooCommerce Point of Sale WordPress plugin (all versions through 2.4.2.6) allows unauthenticated remote attackers to gain full access to the plugin's REST API namespace by exploiting PHP type juggling in the permission callback. On fresh installations where the admin has not yet completed the connection wizard, the stored authorization token is unset (PHP false), and sending the header 'OliverAuth: 0' satisfies the loose comparison '0' == false, returning true and granting unrestricted access to all /wp-json/pos-bridge/* endpoints. Successful exploitation enables reading administrator account details, updating user profiles including email addresses, deleting non-admin users, and ultimately resetting the admin email to achieve full WordPress site takeover. No public exploit has been identified at time of analysis, and this CVE is not listed in the CISA KEV catalog.

WordPress PHP Authentication Bypass
NVD
EPSS 0% CVSS 8.8
HIGH This Week

Privilege escalation in the BeycanPress Account Switcher WordPress plugin (versions up to and including 1.0.2) allows authenticated Subscriber-level users to hijack any account, including Administrator, by abusing a loose PHP comparison in the rememberLogin REST endpoint. No public exploit is identified at the time of analysis, but the issue is trivially reproducible from the disclosed root cause and the plugin source on WordPress.org is publicly indexable.

WordPress PHP Authentication Bypass +1
NVD
EPSS 0% CVSS 6.1
MEDIUM This Month

Reflected Cross-Site Scripting in the SponsorMe plugin for WordPress (all versions through 0.5.2) allows unauthenticated attackers to execute arbitrary JavaScript in a victim's browser by tricking an authenticated user - likely a WordPress administrator - into clicking a specially crafted wp-admin/admin.php URL. The PHP_SELF superglobal is reflected unsanitized in two distinct locations within the same vulnerable function: a form action attribute (sponsorme.php:440) and an anchor href attribute (sponsorme.php:475), doubling the attack surface. No patch has been identified at time of analysis, and no public exploit or CISA KEV listing has been confirmed.

WordPress PHP XSS
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

Unauthenticated remote code execution in the ProSolution WP Client WordPress plugin (versions ≤ 2.0.0) allows attackers to upload malicious PHP files to a web-accessible directory by abusing an array validation mismatch in its upload handler. Because only the first file in a multi-file upload array is checked for extension and MIME type while the remaining files are processed unchecked, attackers can pair a benign first file with a PHP webshell to achieve full code execution on the host. No public exploit identified at time of analysis, but the high CVSS 9.8 score and trivially scriptable nature place this in the realistic mass-exploitation tier for WordPress plugins.

File Upload PHP WordPress +2
NVD VulDB
EPSS 0% CVSS 4.8
MEDIUM PATCH This Month

Stored XSS in CtrlPanel's admin role management interface (versions 1.1.1 and prior) allows a privileged admin to inject persistent malicious HTML into role name or color fields, which executes in the browser of every admin who subsequently loads the /admin/roles page. The attack enables session hijacking, credential harvesting via fake login prompts or keyloggers, and lateral privilege escalation by performing admin actions on behalf of victim admins - with the payload re-executing on every page load until the offending role record is manually deleted. No active exploitation is confirmed (not in CISA KEV), but a proof-of-concept payload is documented in the vendor advisory. Fixed in version 1.2.0.

PHP XSS Privilege Escalation
NVD GitHub VulDB
EPSS 0% CVSS 10.0
CRITICAL PATCH Act Now

Unauthenticated remote code execution in CtrlPanel billing software (versions 1.1.1 and prior) allows attackers to execute arbitrary OS commands via the web-based installer endpoint, even on already-installed instances. The flaw combines a control-flow bug (install.lock gate runs after handler execution) with command injection through unsanitized user input passed into shell commands. The advisory reports active exploitation in the wild, though no CISA KEV listing is present in the supplied data.

PHP RCE Command Injection
NVD GitHub VulDB
EPSS 0% CVSS 6.6
MEDIUM PATCH This Month

Remote code execution in CtrlPanel versions 1.1.1 and prior allows authenticated administrators to execute arbitrary PHP code by supplying a fully qualified class name to the admin settings update endpoint, which instantiates or invokes static methods on that class without allowlist validation. Any class resolvable by the Composer autoloader - including third-party dependencies - can be targeted, enabling gadget-chain exploitation through PHP magic methods such as __construct, __toString, or __wakeup. No public exploit code has been identified at time of analysis and the vulnerability is not listed in the CISA KEV catalog; however, the fix is confirmed in version 1.2.0, released April 2026.

PHP RCE
NVD GitHub VulDB
EPSS 0% CVSS 6.9
MEDIUM This Month

Unauthenticated path traversal in AVideo's `view/img/image404Raw.php` allows any remote attacker to read arbitrary image files accessible to the PHP process, bypassing all application-layer ACLs that normally gate private user photos, admin thumbnails, and encrypted-video poster frames. The vulnerability affects all versions through the current master branch (commit 0dbadbcaaa1b415c7db078a72dc4b26d9fac0485) and all releases up to and including 29.0 (pkg:composer/wwbn_avideo). No vendor-released patch is currently available, and a working proof-of-concept is publicly disclosed in GHSA-w4qq-74h6-58wq, making this immediately actionable by any unauthenticated attacker with HTTP access to the deployment.

PHP Path Traversal
NVD GitHub
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Sensitive token disclosure in Composer (PHP dependency manager) versions prior to 1.10.28, 2.2.28, and 2.9.8 causes GitHub Actions GITHUB_TOKEN values to be written verbatim to stderr/CI logs whenever the token contains characters outside Composer's hardcoded validation regex. The new GitHub Actions token format (ghs_<id>_<base64url-JWT>) includes hyphens, which fail Composer's `^[.A-Za-z0-9_]+$` check and trigger an UnexpectedValueException that interpolates the raw token into its message. No public exploit identified at time of analysis, but the leak triggers automatically without unusual configuration on any pipeline using common actions like shivammathur/setup-php that auto-register GITHUB_TOKEN into Composer's auth.json.

Information Disclosure PHP
NVD GitHub
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Cross-tenant account takeover in HAXcms (npm package @haxtheweb/haxcms-nodejs <= 25.0.0) allows an authenticated attacker with edit access to chain a stored XSS flaw with token leakage in the /system/api/connectionSettings endpoint to hijack other tenants' sessions. The endpoint exposes the victim's JWT, user_token, site_token, and appstore_token via the window.appSettings global, letting injected JavaScript silently exfiltrate them to an attacker-controlled webhook and fully impersonate the victim. A detailed reporter-supplied PoC exists in the GitHub Security Advisory, though there is no public exploit identified at time of analysis as a packaged weapon and no CISA KEV entry.

PHP XSS
NVD GitHub
EPSS 0% CVSS 9.3
CRITICAL PATCH Act Now

Private key disclosure in HAXcms Node.js backend (@haxtheweb/haxcms-nodejs <= 25.0.0) lets unauthenticated remote attackers extract the master JWT signing secret via a single GET to /system/api/connectionSettings and forge admin-level JWTs for complete site takeover. The broken hmacBase64() function appends the raw privateKey+salt to its output, exposing it through any token the server emits. Publicly available exploit code exists in the GHSA advisory PoC, and the CVSS 4.0 score of 9.3 reflects trivial network exploitation with no privileges or user interaction.

Information Disclosure PHP Node.js
NVD GitHub
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Server-Side Request Forgery in HAXcms (versions <= 25.0.0 of @haxtheweb/haxcms-nodejs, with PoC against v11.0.6) allows authenticated low-privileged users to coerce the server into fetching arbitrary URLs or local file paths via the createSite endpoint's build.files parameter, with responses written to a web-accessible directory. This produces arbitrary file read, internal network reconnaissance, and cloud metadata credential theft. Publicly available exploit code exists in the GHSA advisory, though no CISA KEV listing is present.

PHP CSRF SSRF
NVD GitHub
EPSS 0% CVSS 9.5
CRITICAL PATCH Act Now

Unauthenticated root-level remote code execution affects HestiaCP versions 1.9.0 through 1.9.4 when the optional web terminal feature is enabled, stemming from a session-handling format mismatch (CWE-502) between the PHP backend and the Node.js web terminal. Remote attackers can inject crafted HTTP header data that PHP writes into session storage but Node.js parses with naive string splitting, yielding arbitrary command execution as root; no public exploit identified at time of analysis, though VulnCheck has published a technical advisory and the upstream patch is publicly diffable.

Deserialization PHP Node.js +2
NVD GitHub
EPSS 0% CVSS 7.7
HIGH This Week

Remote code execution in Sparx Systems Pro Cloud Server (versions 0 through 6.1 build 167) is achievable by authenticated repository users via a race condition in the /data_api/dl_internal_artifact.php endpoint. An attacker who controls both the filename and contents of a downloaded artifact can briefly stage a malicious PHP file in the web root and execute it before cleanup, leading to full server compromise. No public exploit identified at time of analysis, but a detailed technical write-up published by CERT-PL and sploit.tech reduces the barrier to reproduction.

PHP Race Condition RCE
NVD
EPSS 0% CVSS 7.5
HIGH This Week

SQL injection in the Contest Gallery WordPress plugin (versions through 28.1.6) allows unauthenticated remote attackers to extract sensitive database contents by abusing the 'form_input' parameter handled by the 'post_cg_gallery_form_upload' AJAX action. The endpoint is gated only by a public nonce that is exposed in the page source of any public gallery page, effectively offering no protection against external attackers. No public exploit identified at time of analysis, but the issue was disclosed by Wordfence and affects a publicly reachable PHP endpoint.

WordPress PHP SQLi
NVD
EPSS 0% CVSS 9.2
CRITICAL POC PATCH Act Now

Remote code execution in the TYPO3 'Content Element Selector' extension allows unauthenticated attackers to execute arbitrary PHP code by sending a crafted cookie that the extension feeds directly into PHP's unserialize(). The flaw (CWE-502, CVSS 4.0 score 9.2) is exploitable only on installations where a content element is configured with 'Persistent Mode: Static'. No public exploit identified at time of analysis, though the deserialization pattern is well-understood and typically rapid to weaponize.

Deserialization PHP RCE
NVD
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Remote code execution in the TYPO3 Crawler extension occurs when the X-T3Crawler-Meta response header from a crawled URL is passed unchecked to PHP's unserialize(), enabling arbitrary PHP object injection. Exploitation requires a high-privileged administrator to configure a crawler-enabled page and a Scheduler task pointing at an attacker-controlled endpoint, so while impact is full RCE on the TYPO3 host, it is gated by an unusual combination of admin access, user interaction, and externally reachable malicious URLs. No public exploit identified at time of analysis and no CISA KEV listing.

Deserialization PHP RCE
NVD
EPSS 0% CVSS 6.9
MEDIUM This Month

Authenticated arbitrary file read in WWBN/AVideo's view/update.php exposes any text file readable by the web-server process to admin-level users via path traversal. The $_POST['updateFile'] parameter is concatenated directly into a filesystem path under updatedb/ without sanitization, allowing an authenticated administrator to supply sequences like '../../../../etc/passwd' and have PHP's file() function return the contents line-by-line in the migration-runner HTML response. A proof-of-concept exploit is publicly documented in GitHub Security Advisory GHSA-3mjv-375j-6h92; no patched release has been issued for any version through 29.0 as of analysis time, and no public exploit identified at time of analysis as actively exploited by CISA KEV.

Path Traversal PHP
NVD GitHub
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

Weak cryptographic algorithm usage in Sulu CMS exposes password reset tokens and API keys to prediction or brute-force attacks, potentially enabling unauthorized account takeover or API access. The flaw resides in the SecurityBundle's User.php and ResettingController.php, affecting all Sulu 2.x releases up to 2.6.22 and all 3.x releases from the first alpha through 3.0.5. No public exploit identified at time of analysis and the vulnerability is not listed in CISA KEV, but the cryptographic weakness (CWE-327) is structurally exploitable by a motivated attacker with network access to the application.

PHP Information Disclosure
NVD GitHub
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Stored cross-site scripting in the CI4MS (CodeIgniter 4 CMS/ERP) Pages module versions <= 0.31.8.0 allows authenticated content authors holding the pages.create or pages.update permission to persist arbitrary JavaScript that executes in every visitor's browser when the public Pages renderer outputs the field unescaped. Publicly available exploit code exists in the GitHub Security Advisory (GHSA-gqr2-7hcg-rchf), and because vulnerable pages can be promoted to the site home page, a single injection escalates from a low-privileged author to full administrator session takeover when an admin browses the front-end.

Privilege Escalation PHP RCE +2
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Destructive file operations in the CI4MS Fileeditor module (composer/ci4-cms-erp/ci4ms ≤ v0.31.8.0) allow an authenticated backend user to delete or rename arbitrary framework files - including the front controller, routing config, and authentication filter pipeline - producing a persistent denial of service that requires filesystem-level redeployment to recover. The root cause is an inconsistent application of the existing extension allowlist: while saveFile and createFile correctly gate writes through allowedFileTypes(), the deleteFileOrFolder and renameFile endpoints apply no such check to the source path, meaning any file inside ROOTPATH not named in the narrow $hiddenItems blocklist is reachable. A working curl-based proof-of-concept is publicly available via GitHub advisory GHSA-245j-xjvr-xvm5; no CISA KEV listing is present at time of analysis.

PHP CSRF Denial Of Service
NVD GitHub
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

Stored XSS in CI4MS (composer package ci4-cms-erp/ci4ms, versions up to 0.31.8.0) allows authenticated content editors holding the `blogs.create` or `blogs.update` role to persist arbitrary JavaScript that executes in every visitor's browser, including superadmins who review or preview posts. The root cause is a PHP by-reference mutation in the `html_purify` custom validation rule that CodeIgniter 4's validator silently discards - raw POST data bypasses sanitization entirely and is written unescaped to the database and rendered directly in the public template. A detailed public proof-of-concept exploit exists; vendor-released patch 0.31.9.0 was published on 2026-05-08 and is confirmed to address the issue.

PHP CSRF XSS
NVD GitHub
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

Server-Side Request Forgery in Statamic CMS's Glide image proxy allows unauthenticated remote attackers to bypass IP validation and force the server to issue HTTP requests to internal infrastructure, including loopback addresses, RFC-1918 private networks, and cloud metadata endpoints such as AWS IMDSv1 (169.254.169.254). The bypass exploits unnormalized alternative IP representations (e.g., octal, hexadecimal, decimal-encoded) that evade the public-IP allowlist check before PHP normalizes them. Only deployments running PHP below 8.3 and passing user-supplied URLs to Glide are exposed; vendor-released patches exist in versions 5.73.22 and 6.18.1. No public exploit or CISA KEV listing has been identified at time of analysis.

SSRF PHP
NVD GitHub VulDB
EPSS 0% CVSS 8.1
HIGH PATCH This Week

Remote code execution in Caddy web server (versions 2.7.0 through 2.10.2) is possible when the FastCGI reverse proxy's splitPos() function mishandles non-ASCII bytes in request paths, causing non-PHP files to be routed to a FastCGI upstream like PHP-FPM as if they were scripts. Where an attacker can place file content (uploads, user-content stores, package mirrors), a single crafted URL containing Unicode lookalikes for '.php' or a non-ASCII byte after a dot yields unauthenticated RCE. Publicly available exploit code exists (detailed PoC in the GHSA advisory) and the issue inherits two bugs from FrankenPHP's adapted code; no public exploitation has been reported and EPSS data was not provided.

RCE PHP
NVD GitHub VulDB
EPSS 0% CVSS 5.3
MEDIUM This Month

User enumeration in AVideo (composer/WWBN/AVideo ≤ 29.0) exposes account metadata - names, email addresses, usernames, and channel names - to unauthenticated remote attackers through an incomplete patch for CVE-2026-43881. The original fix (commit d9cdc7024) hardened `users.json.php` but left an identical unauthenticated code path alive in `objects/mention.json.php`, which calls `User::getAllUsers()` with no `loginCheck()` or authorization gate. No public exploit is identified at time of analysis, though the trivial HTTP-based trigger and absence of authentication make this a realistic reconnaissance primitive for credential-stuffing or phishing campaigns.

Information Disclosure PHP
NVD GitHub
EPSS 0% CVSS 6.3
MEDIUM This Month

Weak password hashing in opensourcepos Open Source Point of Sale through version 3.4.2 exposes a legacy code path in the Employee Login component (app/Models/Employee.php) that retains an older, cryptographically weak hash function. The vendor has disputed the severity of this issue, clarifying that the weak hash function persists solely to support an upgrade migration path - default-seeded passwords use the legacy hash but are migrated to a stronger algorithm upon first login, meaning actively managed accounts on updated installations face reduced practical exposure. No public exploit code has been identified at time of analysis, and the vulnerability's real-world impact is currently in question pending independent verification.

Information Disclosure PHP
NVD VulDB
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Path traversal in opensourcepos Open Source Point of Sale versions 3.4.0 through 3.4.2 allows authenticated remote attackers to read arbitrary image files outside the intended directory via manipulated pic_filename parameters in the getPicThumb controller function. The vulnerability has CVSS 5.3 (Medium) with low attack complexity requiring only low-privilege authentication. Vendor-released patch available via GitHub commit def0c27a0e252668df8d942fc31e16d1edfd7323. No public exploit or active exploitation confirmed at time of analysis, though the fix is publicly documented with code diff showing the vulnerable parameter handling.

Path Traversal PHP
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in projectworlds Hospital Management System in PHP 1.0 enables unauthenticated remote attackers to extract or modify patient data through the appointment_no parameter in update_info.php. The vulnerability has publicly available exploit code and affects the getAllPatientDetail function, with the vendor notified but unresponsive.

PHP SQLi
NVD VulDB GitHub
EPSS 0% CVSS 7.5
HIGH This Week

Unauthenticated path traversal in HSC MailInspector 5.3.3-7 allows remote attackers to read arbitrary files from the underlying operating system by manipulating the 'text' parameter of the /tap/dw.php endpoint. Public exploit details are disclosed on GitHub (sql3t0/cve-disclosures), though EPSS probability remains low (0.05%) and the issue is not currently listed in CISA KEV. The flaw enables disclosure of sensitive system files such as configuration files, credentials, and mail-related data without prior authentication.

PHP Path Traversal
NVD GitHub
EPSS 0% CVSS 7.5
HIGH This Week

Arbitrary file disclosure in HSC MailInspector v5.3.3-7 allows unauthenticated remote attackers to read sensitive files from the host via a path traversal flaw in the exposed /vendor/phpunit/phpunit.php endpoint. The CVSS 7.5 rating reflects high confidentiality impact with no required privileges or user interaction, though EPSS remains very low at 0.05% (15th percentile) and there is no public exploit identified at time of analysis. The exposure of a PHPUnit development artifact in a production path mirrors a long-standing class of PHP supply-chain misconfigurations.

Information Disclosure PHP Path Traversal
NVD GitHub
EPSS 0% CVSS 6.1
MEDIUM This Month

HSC MailInspector v5.3.3-7 contains a Cross-Site Scripting (XSS) vulnerability in the /tap/tap.php endpoint due to improper neutralization of user-controlled input using alternate or obfuscated JavaScript syntax. The endpoint reflects unsanitized user input in HTTP responses without adequate output encoding, allowing a remote attacker to execute arbitrary JavaScript code in the context of a victim's browser.

PHP XSS
NVD GitHub VulDB
EPSS 0% CVSS 7.5
HIGH This Week

An issue in prestashop upsshipping all versions through at least 2.4.0 allows a remote attacker to obtain sensitive information via the /modules/upsshipping/logs/, and /modules/upsshipping/lib/UPSBaseApi.php components

PHP Information Disclosure
NVD VulDB
EPSS 0% CVSS 6.1
MEDIUM This Month

HSC MailInspector 5.3.3-7 is vulnerable to Cross Site Scripting (XSS) in the /police/WarningUrlPage.php endpoint due to improper neutralization of user-supplied input that uses alternate or obfuscated JavaScript syntax.

PHP XSS
NVD GitHub VulDB
EPSS 0% CVSS 9.3
CRITICAL POC Act Now

WordPress Plugin Peugeot Music 1.0 contains an arbitrary file upload vulnerability that allows unauthenticated attackers to upload malicious files by sending POST requests to the upload.php endpoint. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress PHP Authentication Bypass +1
NVD Exploit-DB VulDB
EPSS 0% CVSS 8.8
HIGH POC This Week

Nordex N149/4.0-4.5 Wind Turbine Web Server 4.0 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi PHP
NVD Exploit-DB VulDB
EPSS 0% CVSS 5.1
MEDIUM POC This Month

Zenar Content Management System contains a cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by manipulating form parameters in POST requests. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP XSS
NVD Exploit-DB VulDB
EPSS 0% CVSS 8.7
HIGH POC This Week

WordPress Plugin WP with Spritz 1.0 contains a remote file inclusion vulnerability that allows unauthenticated attackers to read arbitrary files by injecting file paths into the url parameter. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure PHP WordPress +1
NVD Exploit-DB VulDB
Prev Page 14 of 275 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy