PHP
Monthly
Zenar Content Management System contains a cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by manipulating form parameters in POST requests. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
WordPress Plugin WP with Spritz 1.0 contains a remote file inclusion vulnerability that allows unauthenticated attackers to read arbitrary files by injecting file paths into the url parameter. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Google Drive for WordPress 2.2 contains a path traversal vulnerability that allows unauthenticated attackers to read arbitrary files by injecting directory traversal sequences in the file_name. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Woocommerce CSV Importer 3.3.6 contains a path traversal vulnerability that allows any registered user to delete arbitrary files by submitting unescaped filenames through the delete_export_file AJAX. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Simple Fields 0.2 through 0.3.5 WordPress Plugin contains a local file inclusion vulnerability that allows unauthenticated attackers to read arbitrary files by injecting null bytes into the. Rated medium severity (CVSS 6.9), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Redaxo CMS Addon MyEvents 2.2.1 contains an SQL injection vulnerability that allows authenticated attackers to manipulate database queries by injecting SQL code through the myevents_id parameter. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
Remote command injection in Kodbox fileThumb plugin (versions up to 1.64) allows authenticated attackers to execute arbitrary system commands by manipulating the ffmpegBin parameter in video processing functions. Publicly available exploit code increases immediate risk. EPSS data not available, but CVSS temporal metrics indicate confirmed proof-of-concept exploitation (E:P). Vendor has not responded to disclosure, leaving patch status uncertain.
Improper authorization in Z-BlogPHP 1.7.4.3430 allows authenticated attackers to bypass comment approval controls via the CheckComment function in c_system_event.php. Remote exploitation requires low-complexity attacks with low-privilege credentials and no user interaction (CVSS AV:N/AC:L/PR:L/UI:N). Public exploit code is available (VulDB 364334), enabling attackers to read, modify, or disrupt comment moderation workflows with low confidentiality, integrity, and availability impact. No vendor patch information identified at time of analysis; EPSS and KEV data not provided.
ProcessMaker 3.5.4 contains a local file inclusion vulnerability that allows unauthenticated attackers to read arbitrary files by exploiting improper path traversal validation. Rated medium severity (CVSS 6.9), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
WordPress Plugin Anti-Malware Security and Bruteforce Firewall 4.20.59 contains a directory traversal vulnerability that allows unauthenticated attackers to read arbitrary files by manipulating the. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Quick.CMS 6.7 contains a cross-site scripting vulnerability in the sliders form that allows authenticated attackers to inject malicious scripts by submitting XSS payloads through the sDescription. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
WordPress Plugin Backup and Restore 1.0.3 contains an arbitrary file deletion vulnerability that allows authenticated attackers to delete files by manipulating parameters in AJAX requests. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
TextPattern CMS 4.9.0-dev contains a remote code execution vulnerability that allows authenticated attackers to upload arbitrary PHP files by exploiting the plugin upload functionality. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
EgavilanMedia PHPCRUD 1.0 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the firstname parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
CouchCMS 2.2.1 contains a cross-site scripting vulnerability that allows authenticated attackers to execute arbitrary JavaScript by uploading malicious SVG files through the file upload. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
LayerBB 1.1.4 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the search_query parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
MyBB Timeline Plugin 1.0 contains cross-site scripting vulnerabilities that allow attackers to inject malicious scripts through thread titles, post content, and user profile fields like Location and. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Supsystic Backup 2.3.9 contains a local file inclusion vulnerability that allows unauthenticated attackers to read and delete arbitrary files by manipulating the download path parameter. Rated medium severity (CVSS 6.9), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
HS Brand Logo Slider 2.1 contains an unrestricted file upload vulnerability that allows authenticated users to bypass client-side file extension validation by uploading arbitrary files. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
Stored cross-site scripting in phpMyFAQ before 4.1.2 lets FAQ editors persist HTML-entity-encoded JavaScript that survives sanitization and executes in every visitor's browser, including administrators. The flaw stems from Twig's `| raw` filter being applied to `result.question` and `result.answerPreview` in `search.twig`, combined with a `html_entity_decode(strip_tags())` round-trip in SearchController.php that resurrects encoded tags. Publicly available exploit code exists (POC per SSVC), though EPSS is 0.01% and the issue is not on the CISA KEV list.
Insufficient authorization in phpMyFAQ 4.1.1 and earlier allows any authenticated user to enumerate sensitive system configuration metadata through 12 admin API endpoints. The ConfigurationTabController improperly uses userIsAuthenticated() instead of userHasPermission(CONFIGURATION_EDIT), enabling low-privilege users to query /admin/api/configuration endpoints and discover the permission model, active template, cache backend, mail provider, translation settings, and other deployment details that should require administrative access. This information disclosure violates least privilege principles and aids reconnaissance for subsequent attacks. EPSS data not available; no active exploitation confirmed at time of analysis. Vendor-released patch available in version 4.1.2.
PHP Timeclock 1.04 contains multiple cross-site scripting vulnerabilities that allow unauthenticated attackers to inject arbitrary JavaScript by manipulating URL paths and POST parameters. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
PHP Timeclock 1.04 contains time-based and boolean-based blind SQL injection vulnerabilities in the login_userid parameter of login.php that allows unauthenticated attackers to extract database. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Schlix CMS 2.2.6-6 contains a remote code execution vulnerability that allows authenticated attackers to execute arbitrary PHP code by uploading malicious extension packages through the block. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
CouchCMS 2.2.1 contains a server-side request forgery vulnerability that allows authenticated attackers to make arbitrary HTTP requests by uploading malicious SVG files. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
Time-of-check-time-of-use DNS rebinding in AVideo <= 29.0 allows remote unauthenticated attackers to bypass Server-Side Request Forgery (SSRF) protections and exfiltrate sensitive data from internal networks. The partial fix for CVE-2026-43884 in commit 603e7bf addressed only two call sites but left six or more locations discarding the DNS-pinning mechanism via CURLOPT_RESOLVE, enabling attackers to race DNS resolution between validation and HTTP request execution. No vendor-released patch identified at time of analysis. EPSS data not available for this CVE.
Cross-site request forgery in AVideo's LoginControl plugin allows remote attackers to disable two-factor authentication for authenticated victims through a single malicious HTTP request. The vulnerability exists in plugin/LoginControl/set.json.php which accepts POST requests to toggle 2FA without CSRF token validation, origin verification, or re-authentication. Attackers deliver a weaponized webpage containing a hidden form that auto-submits to the vulnerable endpoint; when a logged-in AVideo administrator visits this page, their 2FA protection is silently stripped, enabling subsequent credential-based account takeover. The flaw is confirmed through GitHub security advisory GHSA-3mv2-vmwh-rwfx with source code evidence showing the endpoint performs only session authentication (User::isLogged()) while omitting the forbidIfIsUntrustedRequest() protection used throughout the rest of the codebase. No public exploit code identified at time of analysis, though the attack is trivial to weaponize given the detailed advisory.
Stored cross-site scripting in AVideo's Live plugin allows authenticated streamers to inject malicious JavaScript into live stream pages, executing in any visitor's browser context. The vulnerability exists in modeYoutubeLive.php where stream keys are rendered unescaped into HTML class attributes. Attackers with canStream privileges can persist event handlers via crafted stream keys that trigger when victims view the live page, enabling session hijacking, CSRF token theft, and potential admin account compromise. CVSS 5.4 reflects network-accessible exploitation requiring only low-privilege authentication and user interaction, with scope change indicating cross-user impact. No patch is currently available per GitHub advisory GHSA-m5j4-7r85-2cj2.
Remote code execution in AVideo streaming platform allows authenticated users with streaming privileges to execute arbitrary OS commands through shell metacharacter injection in the Live plugin. The vulnerability exists in the on_publish.php webhook endpoint which builds shell commands using unsafe string concatenation instead of proper escaping, allowing attackers to inject commands via specially crafted stream keys containing single quotes. While the CVSS indicates low privileges required (authenticated users with canStream permission), the impact is severe as it grants full web server user access.
Path traversal in SimpleSAMLphp's CAS server module allows unauthenticated remote attackers to read and deserialize arbitrary files outside the ticket directory via crafted ticket parameters. When using FileSystemTicketStore, attackers can inject '../' sequences into CAS validation endpoints to escape the configured directory, potentially deleting files that contain serialized PHP data compatible with array types. The vulnerability has a CVSS score of 8.6 with no public exploits identified at time of analysis.
Path traversal vulnerability in FrankenPHP allows remote code execution through Unicode handling flaws in CGI path splitting. The splitPos() function in cgi.go incorrectly processes non-ASCII bytes in request paths, allowing attackers to trick FrankenPHP into executing arbitrary non-.php files as PHP scripts by crafting URLs with Unicode lookalike characters or specific non-ASCII byte sequences. Successfully exploited in environments where attackers can upload or control file content, leading to remote code execution with CVSS 8.1 (High).
Stored Cross-Site Scripting (XSS) in NukeViet CMS versions up to 4.5.07 allows unauthenticated attackers to inject malicious HTML/JavaScript through any module using the Request class for HTML input. The vulnerability stems from insufficient server-side sanitization that relies on client-side filtering, which attackers can bypass using proxy tools like Burp Suite. While not currently listed in CISA KEV and lacking public exploit code, the issue poses significant risk as it requires no authentication and affects administrative users viewing user-submitted content.
Open redirect in SimpleSAMLphp casserver module allows remote attackers to redirect authenticated users to arbitrary external domains after logout. Versions prior to 6.3.1 and 7.0.0-rc1 through 7.0.0-rc2 are affected. The logout endpoint accepts an unchecked 'url' query parameter without validating it against configured service URLs, enabling phishing attacks that leverage the trusted SimpleSAML domain. Public exploit code exists (POC: YES). EPSS data not available, but exploitation requires only user interaction (no authentication), making this readily exploitable in phishing campaigns targeting SSO users.
Privilege escalation in Frontend Admin by DynamiApps plugin allows authenticated attackers with editor-level access to elevate privileges to administrator. The vulnerability exists due to insufficient authorization checks when configuring user role options in edit_user forms combined with overly permissive capabilities on the admin_form post type. Attackers can bypass UI restrictions by directly manipulating POST data to include 'administrator' in role_options, then use the crafted form to assign themselves administrator privileges. CVSS 8.8 reflects network-accessible, low-complexity exploitation requiring only low privileges (editor account). No public exploit code identified at time of analysis, though the attack chain is straightforward for authenticated users. EPSS data not provided, but the technical barrier is minimal once editor access is obtained.
Authenticated remote code execution in ORSEE 3.1.0 allows low-privileged users to execute arbitrary PHP code on the server by submitting participant profile field values prefixed with 'func:', which are passed unsanitized into eval() calls within tagsets/participant.php and tagsets/options.php. Only version 3.1.0 is confirmed affected; ORSEE is a niche academic tool used in economic research labs, limiting broad attack surface but making unpatched deployments attractive targets for insider threat or compromised-credential scenarios. No public exploit identified at time of analysis beyond a published proof-of-concept writeup on Medium, and EPSS sits at 0.06% (18th percentile), reflecting the narrow deployment footprint.
Stack exhaustion in MongoDB PHP driver allows remote denial of service when processing deeply nested BSON documents from untrusted sources. Unauthenticated attackers can crash applications by sending maliciously crafted BSON payloads with excessive nesting levels, affecting all versions of the PHP driver that parse BSON without depth limits. The vulnerability requires high attack complexity but results in complete availability loss.
Remote code execution in HRConvert2 self-hosted file conversion server allows unauthenticated attackers to execute arbitrary commands via shell metacharacters in filenames. The sanitizeString() function in convertCore.php fails to filter backticks and tab characters before passing user input to shell_exec(), enabling command injection that executes in the web server context (www-data). According to the vendor, exploitation can achieve complete server takeover through two methods: backtick-based command injection or tab-based file dropping. Fixed in version 3.3.8 released May 2026. EPSS data unavailable; no confirmed active exploitation (not in CISA KEV), but the vendor confirms the vulnerability is exploitable and rates severity as critical.
SQL injection in ClipBucket v5's admin panel allows authenticated administrators to exfiltrate database contents via the action_logs.php endpoint. The type parameter is directly concatenated into SQL queries without parameterization, enabling UNION-based attacks to extract sensitive data including user credentials, video metadata, and system configuration. Affects all versions prior to 5.5.3 - #122. No active exploitation confirmed (not in CISA KEV), but the technical barrier is low given the straightforward injection point and admin access requirement.
Remote code execution in Vvveb CMS before 1.0.8.3 allows authenticated super_admin users to upload malicious plugin ZIP files containing arbitrary PHP code. Once uploaded, the code executes with web server privileges via unauthenticated HTTP requests to the plugin's public directory, enabling privilege escalation from authenticated admin to system-level code execution. CVSS 8.6 (High) with network attack vector but requires high privileges (PR:H). No active exploitation confirmed at time of analysis, but attack chain is straightforward with publicly documented technique.
Infinite recursion in Vvveb admin controller exhausts PHP memory through repeated permission checks when low-privilege users access forbidden admin URLs. Sustained requests deplete worker memory causing site-wide denial of service. Fixed in version 1.0.8.3 via commit c766e84b which removes Base class inheritance from Error403 controller to break the dispatch cycle. No evidence of active exploitation but trivial to reproduce with authenticated low-privilege account.
Remote code execution in CoreShop's GitHub Actions CI/CD pipeline allows unauthenticated attackers to compromise the build infrastructure and exfiltrate repository secrets by submitting a malicious pull request. The vulnerability stems from the dangerous combination of pull_request_target trigger with unverified code checkout, enabling attackers to execute arbitrary commands (bin/console) on GitHub-hosted runners with access to sensitive credentials including PIMCORE_SECRET and PIMCORE_PRODUCT_KEY. This 'Pwn Request' attack pattern (CWE-94: Code Injection) affects version 5.0.0 with no vendor patch currently released. The attack requires zero authentication (PR:N) and low complexity (AC:L), representing a critical supply chain security risk for organizations using CoreShop.
Authorization bypass in Database Backup for WordPress plugin (≤2.5.2) enables unauthenticated attackers to redirect scheduled backup files to publicly accessible directories and retrieve them before cleanup. By poisoning the wp_db_temp_dir parameter via wp-cron.php, attackers can intercept database backups containing credentials, password hashes, and PII. Backup filenames follow predictable patterns (database name, table prefix, date, Swatch Internet Time), making interception reliable. Exploitation requires administrator-configured scheduled backups but no authentication or user interaction (CVSS AV:N/AC:L/PR:N/UI:N). EPSS and KEV data not provided; Wordfence-reported vulnerability with publicly accessible source code references enabling attack reproduction.
Authenticated remote code execution in OPNsense firewall versions prior to 26.1.8 allows a user with user-management privileges to execute arbitrary commands as root by smuggling shell payloads inside an email-address-formatted field processed by the local user synchronization script. Publicly available exploit code exists per SSVC, though EPSS scoring (0.13%) indicates low predicted mass exploitation; SSVC classifies technical impact as total but automation as no. No active exploitation has been confirmed in CISA KEV at time of analysis.
Authenticated remote code execution in CubeCart v6 prior to 6.7.3 allows an admin with documents-edit permission to embed raw PHP into the Invoice Editor template, which is later written to a predictable files/print.<md5>.php path that the bundled .htaccess explicitly exposes to unauthenticated visitors. SSVC rates technical impact as total and a POC exists, though EPSS remains very low (0.04%) and the issue is not on CISA KEV - no public exploit identified at time of analysis beyond researcher disclosure.
Account and store takeover in CubeCart 6.6.x through 6.7.1 is possible because the CC_STORE_URL constant is derived from the unvalidated Host header at bootstrap and embedded into password-reset emails. A remote unauthenticated attacker who knows a victim's email address can trigger a host-header poisoning attack that emails the user a reset link pointing at attacker-controlled infrastructure, capturing a valid 3,600-second token on click. SSVC reports a public POC and total technical impact, while EPSS remains low (0.03%) and no public exploit is identified as in-the-wild.
SQL injection in CubeCart v6 prior to 6.7.0 allows an authenticated administrator to execute arbitrary SQL against the store database via the unsanitized ORDER BY clause on the admin transactions listing page. The admin.php orders-transactions endpoint passes attacker-controlled GET parameters directly into a raw SQL fragment, bypassing the platform's sqlSafe() function which only escapes quote characters - none of which are required for ORDER BY injection. An attacker with at minimum CC_PERM_READ permission on orders can leverage time-based blind SQL injection to extract admin password hashes, customer PII, and integrated payment-gateway credentials. No public exploit identified at time of analysis, though SSVC data indicates POC code exists; the EPSS score of 0.03% (9th percentile) reflects limited observed exploitation interest.
Remote code execution in CubeCart v6 prior to 6.7.0 allows API key holders with files:rw permission to upload PHP webshells via the POST /api/v1/files REST endpoint. A path-traversal flaw in the filepath parameter lets attackers write executable files anywhere the webserver can write, including the document root, achieving full server takeover. No public exploit identified at time of analysis, though SSVC notes a POC and EPSS sits at 0.19% (40th percentile).
Reflected XSS in CubeCart v6 (prior to 6.7.0) enables unauthenticated remote attackers to execute arbitrary JavaScript in a victim's browser by delivering a crafted search URL that triggers a specific single-result code path in the search feature. The flaw exists in classes/catalogue.class.php where the searchCatalogue() method reflects the raw $_REQUEST['search']['keywords'] parameter in a notification message without sanitization - but only when the search returns exactly one product, bypassing all other input filters. A working exploit is publicly available on Exploit-DB (52588), though no public exploit identified at time of analysis places this in CISA KEV, and EPSS remains low at 0.03%.
Authenticated server-side template injection in CubeCart v6 before 6.7.0 lets administrators escape the Smarty template sandbox and invoke native PHP functions through modules such as Email Templates and Documents. Attackers can call readgzfile() to exfiltrate configuration secrets and error_log() with message_type=3 to drop a PHP webshell, yielding full remote code execution. No public exploit identified at time of analysis, but a SSVC 'poc' status and an upstream commit hardening the Smarty allowlist indicate the technique is documented.
Powie's WHOIS Domain Check 0.9.31 contains a persistent cross-site scripting vulnerability that allows authenticated attackers to inject arbitrary JavaScript by exploiting unsanitized input fields in. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
Kuicms Php EE 2.0 contains a persistent cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by submitting crafted content through the bbs reply. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
Joomla com_hdwplayer 4.2 contains an SQL injection vulnerability in the search.php file that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Easy2Pilot 7 contains a cross-site request forgery vulnerability that allows attackers to add unauthorized user accounts by tricking authenticated administrators into visiting malicious pages. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
WordPress Plugin ultimate-member 2.1.3 contains a local file inclusion vulnerability that allows authenticated attackers to include arbitrary files by manipulating the pack parameter in. Rated medium severity (CVSS 6.8), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.
Local File Inclusion vulnerability in RTMKit Addons for Elementor plugin versions up to 2.0.2 allows authenticated attackers with Author-level privileges to include and execute arbitrary PHP files via the 'path' parameter in the 'get_content' AJAX action, enabling remote code execution. The vulnerability requires low-privilege WordPress account access (Author role or higher) and has a CVSS score of 8.8, indicating high impact across confidentiality, integrity, and availability. EPSS data not available, but exploitation requires specific WordPress role assignment, limiting attack surface to sites where untrusted users have Author-level access. No active exploitation confirmed by CISA KEV at time of analysis.
PHP Object Injection vulnerability in coreActivity activity logging plugin through version 3.0 allows remote attackers to trigger persistent Denial of Service blocking administrator access to log pages. Unauthenticated attackers inject crafted PHP serialized payloads via User-Agent headers during any logged event (e.g., failed login). When administrators view the Logs page, the plugin deserializes untrusted data and passes it to DeviceDetector::setUserAgent(), causing Fatal TypeError. Vendor-released patch version 3.1 available (released May 6, 2026). EPSS exploitation probability not available; no CISA KEV listing at time of analysis. CVSS 8.1 reflects high complexity attack requiring precise payload crafting despite no authentication requirement.
ChurchCRM is an open-source church management system. Prior to 7.3.2, top-level cross-site GET navigation from an attacker-controlled page to FundRaiserDelete.php, PropertyTypeDelete.php, or NoteDelete.php causes a logged-in ChurchCRM user with the relevant role to silently delete records, including cascaded property and record-to-property assignments. This vulnerability is fixed in 7.3.2.
ChurchCRM is an open-source church management system. From 7.2.0 to 7.2.2, The fix for CVE-2026-4058 is incomplete. The hardening commit was merged and then silently stripped from src/api/routes/public/public-user.php by an unrelated PR before any 7.2.x tag was cut. Every shipped 7.2.x release therefore remains exploitable by the PoC published with the original advisory. This vulnerability is fixed in 7.3.1.
ChurchCRM is an open-source church management system. Prior to 7.3.2, UserEditor.php processes user account creation and permission updates entirely through $_POST parameters with no CSRF token validation. An unauthenticated attacker can craft a malicious HTML page that, when visited by an authenticated administrator, silently elevates any low-privilege user to full administrator or creates a new admin backdoor account without the victim's knowledge This vulnerability is fixed in 7.3.2.
Insufficient ownership checks in `clientarea.php` allow an authenticated client area user to submit requests using another user’s `addonId` without any ownership validation leading to unauthorized access to the victim's resources and their cPanel account.
Cross-Site Request Forgery in WooCommerce Minimum Weight plugin for WordPress up to version 3.0.1 allows unauthenticated attackers to modify minimum order weight settings by tricking site administrators into clicking malicious links or visiting attacker-controlled pages. The vulnerability stems from missing nonce verification in the settings update handler, enabling forged POST requests to alter critical e-commerce configuration without admin consent. No public exploit code or active exploitation has been identified at time of analysis.
Cross-Site Request Forgery in the Zawgyi Embed WordPress plugin versions up to 2.1.1 allows unauthenticated attackers to modify the plugin's zawgyi_forceCSS setting by tricking a site administrator into clicking a malicious link. The vulnerability stems from missing nonce validation in the zawgyi_adminpage function, enabling attackers to submit forged POST requests to the plugin's settings page without the administrator's knowledge.
Unauthenticated remote code execution in GWD Connect WordPress plugin versions up to 2.9 allows attackers to execute arbitrary PHP code on unregistered installations via the update_agent action in standalone agent endpoints (gwd-backup.php and gwd-logs.php) when the API key is not configured. The vulnerability exploits a missing authorization check that occurs only when the authentication key has not been set up, affecting default installations. No public exploit code or active exploitation has been confirmed at this time.
An arbitrary file upload vulnerability in MK-Auth 23.01K4.9 allows attackers to execute arbitrary code via uploading a crafted PHP file. Rated high severity (CVSS 8.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Using *show_inline=1* parameter and a valid *file_show_inline_token* CSRF token on file_download.php, an attacker can execute code by uploading a crafted XHTML attachment referencing a JavaScript attachment. ### Impact Cross-site scripting ### Patches - 26647b2e68ba30b9d7987d4e03d7a16416684bc2 ### Workarounds None ### Credits Thanks to siunam (Tang Cheuk Hei) for discovering and responsibly reporting the issue.
Lack of validation of filter_target parameter on return_dynamic_filters.php (normally used as an AJAX in View Issues Page) allows an attacker to inject arbitrary HTML if the target is a TEXTAREA custom field. ### Impact Cross-site scripting (XSS) ### Patches - c885af13f0b8596714ffe11df757c09f35fbd8f4 ### Workarounds None ### Credits Thanks to siunam (Tang Cheuk Hei) for discovering and responsibly reporting the issue.
Given any pre-existing XSS / HTML injection vulnerability, an attacker can bypass the Content Security Policy's _script-src_ directive by uploading a crafted attachment to any issue that, when accessed via the _file_download.php_ link, will be downloaded with a valid JavaScript MIME type resulting in script execution. The uploaded payload must be sniffed as a valid JavaScript MIME type by PHP finfo (see file_create_finfo() API function). Non-JavaScript MIME types will not get imported in a `<script>` tag by the browser, due to response header X-Content-Type-Options being set to _nosniff_, which requires all imported JavaScript files to be a valid JavaScript MIME type. ### Impact Cross-site scripting ### Patches - 9e3bee2e7b909f4e3596985892b8bc8bee9e0bfe ### Workarounds None ### Credits Thanks to siunam (Tang Cheuk Hei) for discovering and responsibly reporting the issue.
Improper escaping of a textarea custom field's contents in the Update Issue page (bug_update_page.php) allows an attacker to inject HTML and, if CSP settings permit, execute arbitrary JavaScript when the page is loaded. ### Impact Session theft leading to admin account takeover, full project data access. - Precondition: A textarea-type custom field must be configured for the project - Attacker: Authenticated user with bug report permission (low privilege) - Victim: Any user viewing the bug edit form, including administrators ### Patches - 5fec0f448b7a7d7d539a6adb6dccceac4e4e4ab7 ### Workarounds The default Content-Security Policy will block script execution. ### References - https://mantisbt.org/bugs/view.php?id=37003 - This is related to [CVE-2024-34081](https://github.com/advisories/GHSA-wgx7-jp56-65mq). ### Credits Thanks to the following security researchers for independently discovering and responsibly reporting the issue, and providing a patch to fix it. - Thanks to Nozomu Sasaki (Paul) (@morimori-dev) - Tristan Madani (@TristanInSec) from Talence Security
The core view rendering method `View::renderPhpFile()` calls `extract($_params_, EXTR_OVERWRITE)` before the `require` statement that includes the view file. A caller-controlled parameter named `_file_` in the `$params` array overwrites the internal local variable that specifies which file is included - enabling a Local File Inclusion primitive. ### Impact - Local File Inclusion (arbitrary file read via non-PHP files) - Potential RCE if attacker can write PHP files via a separate primitive - Information disclosure ### Patches 2.0.55 ### Workarounds No.
Using a crafted POST request to bug_monitor_add.php, a user with project-level access can add themselves as a monitor for a private issue they do not have access to. Despite displaying an Access Denied error, the application accepts the request and creates a monitor relationship for the private issue. ### Impact Direct access to the private issue remains blocked, but the user will receive email notifications for updates, leading to disclosure of the private issue's metadata and content. ### Patches - 0a93267deba445fb9d15250c16e6fdb1246ffa65 ### Workarounds None ### Credits Thanks to Vishal Shukla for discovering and responsibly reporting the issue.
Stored HTML injection and cross-site scripting in MantisBT versions 2.28.1 and earlier allows a privileged user (manager or administrator) to inject HTML through a Project's name field, which is later rendered unescaped on the issue clone form (bug_report_page.php) when cloning issues across projects. The flaw is mitigated by MantisBT's default Content Security Policy, which blocks inline script execution, and no public exploit identified at time of analysis. The CVSS 4.0 score of 8.6 reflects high confidentiality, integrity, and availability impacts on the vulnerable component despite requiring high privileges.
Insufficient access control checks in _ProjectUsersAddCommand_ (used in *manage_proj_user_add.php* and REST API endpoint `PUT /project/{id}/users`) allows users having *manage_project_threshold* access level (*manager* by default) to grant project-level *administrator* access to any user (including themselves) in any Project they have *manager* rights in. The normal project-user add form does restrict the selectable access levels to the actor's own project role or below. However, the backend handler still accepts a forged higher access_level value and writes it. ### Impact Privilege escalation. The consequences of the privilege escalation are not as bad as it may sound, because having *administrator* access at Project level is effectively not very different from being *manager*, it does not actually give administrator privileges on the whole MantisBT instance. In particular, it does not let the upgraded user delete the Project or grant them any access to global administrative functions such as managing Users, Projects, Plugins, Custom Fields, etc. ### Patches - 69e0180f180ed5acf48a8d281a73683a7bf32461 ### Workarounds None ### Credits Thanks to the following security researchers for independently discovering and responsibly reporting the issue: - [Dracosec Research Limited](https://dracosec.tech/) (Siu Nam Tang, Chris Chan, Krecendo Hui, William Lam) - Vishal Shukla
Stored Cross-Site Scripting in WeGIA versions prior to 3.7.3 allows authenticated high-privilege users to inject malicious JavaScript into the Processo de Aceitação page that executes when any user accesses the vulnerable endpoint, enabling session hijacking and account takeover. The vulnerability is confined to high-privilege authenticated access (PR:H) with no user interaction required on the victim side, though scope is changed (S:C) indicating cross-context impact. No public exploit code or active exploitation has been identified.
Stored cross-site scripting (XSS) in WeGIA versions prior to 3.7.3 allows authenticated high-privilege users to inject malicious JavaScript into the Etapas de um Processo page, which executes when other users access the page, enabling session hijacking and account takeover. The vulnerability requires high-privilege authentication (PR:H) but affects all users who subsequently visit the injected page, with no public exploit identified at time of analysis.
Information disclosure in WeGIA versions prior to 3.6.10 allows authenticated remote attackers to obtain sensitive technical details through overly descriptive error messages in the file upload endpoint (funcionario/docdependente_upload.php), expanding the attack surface for subsequent exploitation attempts.
Reflected cross-site scripting (XSS) in WeGIA versions before 3.7.0 allows unauthenticated remote attackers to inject arbitrary JavaScript via the id_processo parameter in lista_arquivos_etapa.php, enabling session hijacking, credential theft, or malicious actions in victim browsers. User interaction (clicking a crafted link) is required. The vulnerability is fixed in version 3.7.0.
WeGIA is a web manager for charitable institutions. In versions prior to 3.7.0, a Stored Cross-Site Scripting (XSS) flaw was identified at the following endpoint: funcionario/profile_funcionario.php?id_funcionario=2. By injecting a malicious payload into the 'Description' (Descrição) field and saving the profile, the script becomes persistently stored. The payload is subsequently executed whenever the profile page is accessed. This vulnerability is fixed in 3.7.0.
WeGIA is a web manager for charitable institutions. In versions prior to 3.7.0, atendido/familiar_docfamiliar.php displays an overly descriptive error message, including database-related details. This verbosity leads to information disclosure, which could assist a potential attacker in mapping the backend infrastructure and expanding the attack surface. This vulnerability is fixed in 3.7.0.
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Wikimedia Foundation Echo. This vulnerability is associated with program files includes/Api/ApiEchoNotifications.Php. This issue affects Echo: from * before 1.43.7, 1.44.4, 1.45.2.
Vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/Actions/ActionEntryPoint.Php, includes/Request/FauxResponse.Php. This issue affects MediaWiki: from * before 1.43.7, 1.44.4, 1.45.2.
Vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/Page/Article.Php. This issue affects MediaWiki: from * before 1.43.7, 1.44.4, 1.45.2.
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/Specials/SpecialUserRights.Php. This issue affects MediaWiki: from * before 1.43.7, 1.44.4, 1.45.2.
MediaWiki versions before 1.43.7, 1.44.4, and 1.45.2 expose sensitive information to unauthorized actors through improper handling in the Skin.php component. The vulnerability requires authenticated user access and user interaction (CVSS:4.0/AV:N/AC:H/PR:L/UI:P), resulting in low confidentiality impact. With an EPSS score of 2.1 and no evidence of active exploitation, this poses limited real-world risk but should be patched as part of routine maintenance.
Reflected XSS in ATutor's /install/install.php endpoint allows unauthenticated remote attackers to execute arbitrary JavaScript in a victim's browser by crafting a malicious URL. Version 2.2.4 is confirmed vulnerable; the product is no longer actively maintained and vendor response to disclosure was unsuccessful, leaving no official patch available.
Reflected XSS in ATutor's /install/upgrade.php endpoint allows unauthenticated remote attackers to execute arbitrary JavaScript in a victim's browser via a specially crafted URL. The vulnerability affects at least version 2.2.4 and potentially other versions; the product is no longer actively maintained and vendors did not respond with details about the full vulnerable version range. While CVSS 5.1 indicates low severity, the attack requires user interaction (clicking a malicious link) and has limited scope impact.
Remote code execution in the Custom css-js-php WordPress plugin versions up to 2.0.7 allows unauthenticated attackers to execute arbitrary PHP code on the server through SQL injection chained with PHP eval(). The plugin fails to sanitize user input before passing it to SQL queries, with query results subsequently executed via eval(). EPSS score of 0.02% (5th percentile) suggests low observed exploitation activity, and no public exploit code has been identified at time of analysis, though the technical barrier is low (CVSS AC:L/PR:N).
Reflected cross-site scripting (XSS) in GmbH Mercury Managed Print Services docuForm v11.11c allows unauthenticated remote attackers to execute arbitrary JavaScript in a victim's browser by injecting a malicious payload into an unfiltered variable in the dfm-menu_departments.php component. The vulnerability requires user interaction (clicking a crafted link) and affects confidentiality and integrity with limited scope. No public exploit code has been independently confirmed at this time, though the detailed nature of the component reference suggests proof-of-concept research exists.
docuFORM Managed Print Service Client 11.11c allows authenticated remote attackers to upload arbitrary files via the pmupdate.php endpoint, enabling potential remote code execution or system compromise. The vulnerability requires valid user credentials (PR:L per CVSS) but no user interaction, and affects confidentiality, integrity, and availability. No public exploit code or active exploitation has been confirmed at time of analysis.
SQL Injection in MuuCMF T6 v1.9.4.20260115 allows an unauthenticated attacker to compromise the entire database, achieve unauthorized administrative access, and potentially gain remote code execution by writing malicious files to the server's file system via the keyword parameter in the /index/controller/Search.php endpoint.
Reflected XSS in docuForm v11.11c allows unauthenticated remote attackers to execute arbitrary JavaScript in a victim's browser by injecting malicious payloads into the acc-menu_papers.php component. The vulnerability requires user interaction (clicking a crafted link) and has limited scope (session-based impact), with a CVSS score of 6.1. No public exploit code availability or CISA KEV listing confirmed at time of analysis, though a reference repository exists.
Zenar Content Management System contains a cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by manipulating form parameters in POST requests. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
WordPress Plugin WP with Spritz 1.0 contains a remote file inclusion vulnerability that allows unauthenticated attackers to read arbitrary files by injecting file paths into the url parameter. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Google Drive for WordPress 2.2 contains a path traversal vulnerability that allows unauthenticated attackers to read arbitrary files by injecting directory traversal sequences in the file_name. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Woocommerce CSV Importer 3.3.6 contains a path traversal vulnerability that allows any registered user to delete arbitrary files by submitting unescaped filenames through the delete_export_file AJAX. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Simple Fields 0.2 through 0.3.5 WordPress Plugin contains a local file inclusion vulnerability that allows unauthenticated attackers to read arbitrary files by injecting null bytes into the. Rated medium severity (CVSS 6.9), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Redaxo CMS Addon MyEvents 2.2.1 contains an SQL injection vulnerability that allows authenticated attackers to manipulate database queries by injecting SQL code through the myevents_id parameter. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
Remote command injection in Kodbox fileThumb plugin (versions up to 1.64) allows authenticated attackers to execute arbitrary system commands by manipulating the ffmpegBin parameter in video processing functions. Publicly available exploit code increases immediate risk. EPSS data not available, but CVSS temporal metrics indicate confirmed proof-of-concept exploitation (E:P). Vendor has not responded to disclosure, leaving patch status uncertain.
Improper authorization in Z-BlogPHP 1.7.4.3430 allows authenticated attackers to bypass comment approval controls via the CheckComment function in c_system_event.php. Remote exploitation requires low-complexity attacks with low-privilege credentials and no user interaction (CVSS AV:N/AC:L/PR:L/UI:N). Public exploit code is available (VulDB 364334), enabling attackers to read, modify, or disrupt comment moderation workflows with low confidentiality, integrity, and availability impact. No vendor patch information identified at time of analysis; EPSS and KEV data not provided.
ProcessMaker 3.5.4 contains a local file inclusion vulnerability that allows unauthenticated attackers to read arbitrary files by exploiting improper path traversal validation. Rated medium severity (CVSS 6.9), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
WordPress Plugin Anti-Malware Security and Bruteforce Firewall 4.20.59 contains a directory traversal vulnerability that allows unauthenticated attackers to read arbitrary files by manipulating the. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Quick.CMS 6.7 contains a cross-site scripting vulnerability in the sliders form that allows authenticated attackers to inject malicious scripts by submitting XSS payloads through the sDescription. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
WordPress Plugin Backup and Restore 1.0.3 contains an arbitrary file deletion vulnerability that allows authenticated attackers to delete files by manipulating parameters in AJAX requests. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
TextPattern CMS 4.9.0-dev contains a remote code execution vulnerability that allows authenticated attackers to upload arbitrary PHP files by exploiting the plugin upload functionality. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
EgavilanMedia PHPCRUD 1.0 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the firstname parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
CouchCMS 2.2.1 contains a cross-site scripting vulnerability that allows authenticated attackers to execute arbitrary JavaScript by uploading malicious SVG files through the file upload. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
LayerBB 1.1.4 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the search_query parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
MyBB Timeline Plugin 1.0 contains cross-site scripting vulnerabilities that allow attackers to inject malicious scripts through thread titles, post content, and user profile fields like Location and. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Supsystic Backup 2.3.9 contains a local file inclusion vulnerability that allows unauthenticated attackers to read and delete arbitrary files by manipulating the download path parameter. Rated medium severity (CVSS 6.9), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
HS Brand Logo Slider 2.1 contains an unrestricted file upload vulnerability that allows authenticated users to bypass client-side file extension validation by uploading arbitrary files. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
Stored cross-site scripting in phpMyFAQ before 4.1.2 lets FAQ editors persist HTML-entity-encoded JavaScript that survives sanitization and executes in every visitor's browser, including administrators. The flaw stems from Twig's `| raw` filter being applied to `result.question` and `result.answerPreview` in `search.twig`, combined with a `html_entity_decode(strip_tags())` round-trip in SearchController.php that resurrects encoded tags. Publicly available exploit code exists (POC per SSVC), though EPSS is 0.01% and the issue is not on the CISA KEV list.
Insufficient authorization in phpMyFAQ 4.1.1 and earlier allows any authenticated user to enumerate sensitive system configuration metadata through 12 admin API endpoints. The ConfigurationTabController improperly uses userIsAuthenticated() instead of userHasPermission(CONFIGURATION_EDIT), enabling low-privilege users to query /admin/api/configuration endpoints and discover the permission model, active template, cache backend, mail provider, translation settings, and other deployment details that should require administrative access. This information disclosure violates least privilege principles and aids reconnaissance for subsequent attacks. EPSS data not available; no active exploitation confirmed at time of analysis. Vendor-released patch available in version 4.1.2.
PHP Timeclock 1.04 contains multiple cross-site scripting vulnerabilities that allow unauthenticated attackers to inject arbitrary JavaScript by manipulating URL paths and POST parameters. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
PHP Timeclock 1.04 contains time-based and boolean-based blind SQL injection vulnerabilities in the login_userid parameter of login.php that allows unauthenticated attackers to extract database. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Schlix CMS 2.2.6-6 contains a remote code execution vulnerability that allows authenticated attackers to execute arbitrary PHP code by uploading malicious extension packages through the block. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
CouchCMS 2.2.1 contains a server-side request forgery vulnerability that allows authenticated attackers to make arbitrary HTTP requests by uploading malicious SVG files. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
Time-of-check-time-of-use DNS rebinding in AVideo <= 29.0 allows remote unauthenticated attackers to bypass Server-Side Request Forgery (SSRF) protections and exfiltrate sensitive data from internal networks. The partial fix for CVE-2026-43884 in commit 603e7bf addressed only two call sites but left six or more locations discarding the DNS-pinning mechanism via CURLOPT_RESOLVE, enabling attackers to race DNS resolution between validation and HTTP request execution. No vendor-released patch identified at time of analysis. EPSS data not available for this CVE.
Cross-site request forgery in AVideo's LoginControl plugin allows remote attackers to disable two-factor authentication for authenticated victims through a single malicious HTTP request. The vulnerability exists in plugin/LoginControl/set.json.php which accepts POST requests to toggle 2FA without CSRF token validation, origin verification, or re-authentication. Attackers deliver a weaponized webpage containing a hidden form that auto-submits to the vulnerable endpoint; when a logged-in AVideo administrator visits this page, their 2FA protection is silently stripped, enabling subsequent credential-based account takeover. The flaw is confirmed through GitHub security advisory GHSA-3mv2-vmwh-rwfx with source code evidence showing the endpoint performs only session authentication (User::isLogged()) while omitting the forbidIfIsUntrustedRequest() protection used throughout the rest of the codebase. No public exploit code identified at time of analysis, though the attack is trivial to weaponize given the detailed advisory.
Stored cross-site scripting in AVideo's Live plugin allows authenticated streamers to inject malicious JavaScript into live stream pages, executing in any visitor's browser context. The vulnerability exists in modeYoutubeLive.php where stream keys are rendered unescaped into HTML class attributes. Attackers with canStream privileges can persist event handlers via crafted stream keys that trigger when victims view the live page, enabling session hijacking, CSRF token theft, and potential admin account compromise. CVSS 5.4 reflects network-accessible exploitation requiring only low-privilege authentication and user interaction, with scope change indicating cross-user impact. No patch is currently available per GitHub advisory GHSA-m5j4-7r85-2cj2.
Remote code execution in AVideo streaming platform allows authenticated users with streaming privileges to execute arbitrary OS commands through shell metacharacter injection in the Live plugin. The vulnerability exists in the on_publish.php webhook endpoint which builds shell commands using unsafe string concatenation instead of proper escaping, allowing attackers to inject commands via specially crafted stream keys containing single quotes. While the CVSS indicates low privileges required (authenticated users with canStream permission), the impact is severe as it grants full web server user access.
Path traversal in SimpleSAMLphp's CAS server module allows unauthenticated remote attackers to read and deserialize arbitrary files outside the ticket directory via crafted ticket parameters. When using FileSystemTicketStore, attackers can inject '../' sequences into CAS validation endpoints to escape the configured directory, potentially deleting files that contain serialized PHP data compatible with array types. The vulnerability has a CVSS score of 8.6 with no public exploits identified at time of analysis.
Path traversal vulnerability in FrankenPHP allows remote code execution through Unicode handling flaws in CGI path splitting. The splitPos() function in cgi.go incorrectly processes non-ASCII bytes in request paths, allowing attackers to trick FrankenPHP into executing arbitrary non-.php files as PHP scripts by crafting URLs with Unicode lookalike characters or specific non-ASCII byte sequences. Successfully exploited in environments where attackers can upload or control file content, leading to remote code execution with CVSS 8.1 (High).
Stored Cross-Site Scripting (XSS) in NukeViet CMS versions up to 4.5.07 allows unauthenticated attackers to inject malicious HTML/JavaScript through any module using the Request class for HTML input. The vulnerability stems from insufficient server-side sanitization that relies on client-side filtering, which attackers can bypass using proxy tools like Burp Suite. While not currently listed in CISA KEV and lacking public exploit code, the issue poses significant risk as it requires no authentication and affects administrative users viewing user-submitted content.
Open redirect in SimpleSAMLphp casserver module allows remote attackers to redirect authenticated users to arbitrary external domains after logout. Versions prior to 6.3.1 and 7.0.0-rc1 through 7.0.0-rc2 are affected. The logout endpoint accepts an unchecked 'url' query parameter without validating it against configured service URLs, enabling phishing attacks that leverage the trusted SimpleSAML domain. Public exploit code exists (POC: YES). EPSS data not available, but exploitation requires only user interaction (no authentication), making this readily exploitable in phishing campaigns targeting SSO users.
Privilege escalation in Frontend Admin by DynamiApps plugin allows authenticated attackers with editor-level access to elevate privileges to administrator. The vulnerability exists due to insufficient authorization checks when configuring user role options in edit_user forms combined with overly permissive capabilities on the admin_form post type. Attackers can bypass UI restrictions by directly manipulating POST data to include 'administrator' in role_options, then use the crafted form to assign themselves administrator privileges. CVSS 8.8 reflects network-accessible, low-complexity exploitation requiring only low privileges (editor account). No public exploit code identified at time of analysis, though the attack chain is straightforward for authenticated users. EPSS data not provided, but the technical barrier is minimal once editor access is obtained.
Authenticated remote code execution in ORSEE 3.1.0 allows low-privileged users to execute arbitrary PHP code on the server by submitting participant profile field values prefixed with 'func:', which are passed unsanitized into eval() calls within tagsets/participant.php and tagsets/options.php. Only version 3.1.0 is confirmed affected; ORSEE is a niche academic tool used in economic research labs, limiting broad attack surface but making unpatched deployments attractive targets for insider threat or compromised-credential scenarios. No public exploit identified at time of analysis beyond a published proof-of-concept writeup on Medium, and EPSS sits at 0.06% (18th percentile), reflecting the narrow deployment footprint.
Stack exhaustion in MongoDB PHP driver allows remote denial of service when processing deeply nested BSON documents from untrusted sources. Unauthenticated attackers can crash applications by sending maliciously crafted BSON payloads with excessive nesting levels, affecting all versions of the PHP driver that parse BSON without depth limits. The vulnerability requires high attack complexity but results in complete availability loss.
Remote code execution in HRConvert2 self-hosted file conversion server allows unauthenticated attackers to execute arbitrary commands via shell metacharacters in filenames. The sanitizeString() function in convertCore.php fails to filter backticks and tab characters before passing user input to shell_exec(), enabling command injection that executes in the web server context (www-data). According to the vendor, exploitation can achieve complete server takeover through two methods: backtick-based command injection or tab-based file dropping. Fixed in version 3.3.8 released May 2026. EPSS data unavailable; no confirmed active exploitation (not in CISA KEV), but the vendor confirms the vulnerability is exploitable and rates severity as critical.
SQL injection in ClipBucket v5's admin panel allows authenticated administrators to exfiltrate database contents via the action_logs.php endpoint. The type parameter is directly concatenated into SQL queries without parameterization, enabling UNION-based attacks to extract sensitive data including user credentials, video metadata, and system configuration. Affects all versions prior to 5.5.3 - #122. No active exploitation confirmed (not in CISA KEV), but the technical barrier is low given the straightforward injection point and admin access requirement.
Remote code execution in Vvveb CMS before 1.0.8.3 allows authenticated super_admin users to upload malicious plugin ZIP files containing arbitrary PHP code. Once uploaded, the code executes with web server privileges via unauthenticated HTTP requests to the plugin's public directory, enabling privilege escalation from authenticated admin to system-level code execution. CVSS 8.6 (High) with network attack vector but requires high privileges (PR:H). No active exploitation confirmed at time of analysis, but attack chain is straightforward with publicly documented technique.
Infinite recursion in Vvveb admin controller exhausts PHP memory through repeated permission checks when low-privilege users access forbidden admin URLs. Sustained requests deplete worker memory causing site-wide denial of service. Fixed in version 1.0.8.3 via commit c766e84b which removes Base class inheritance from Error403 controller to break the dispatch cycle. No evidence of active exploitation but trivial to reproduce with authenticated low-privilege account.
Remote code execution in CoreShop's GitHub Actions CI/CD pipeline allows unauthenticated attackers to compromise the build infrastructure and exfiltrate repository secrets by submitting a malicious pull request. The vulnerability stems from the dangerous combination of pull_request_target trigger with unverified code checkout, enabling attackers to execute arbitrary commands (bin/console) on GitHub-hosted runners with access to sensitive credentials including PIMCORE_SECRET and PIMCORE_PRODUCT_KEY. This 'Pwn Request' attack pattern (CWE-94: Code Injection) affects version 5.0.0 with no vendor patch currently released. The attack requires zero authentication (PR:N) and low complexity (AC:L), representing a critical supply chain security risk for organizations using CoreShop.
Authorization bypass in Database Backup for WordPress plugin (≤2.5.2) enables unauthenticated attackers to redirect scheduled backup files to publicly accessible directories and retrieve them before cleanup. By poisoning the wp_db_temp_dir parameter via wp-cron.php, attackers can intercept database backups containing credentials, password hashes, and PII. Backup filenames follow predictable patterns (database name, table prefix, date, Swatch Internet Time), making interception reliable. Exploitation requires administrator-configured scheduled backups but no authentication or user interaction (CVSS AV:N/AC:L/PR:N/UI:N). EPSS and KEV data not provided; Wordfence-reported vulnerability with publicly accessible source code references enabling attack reproduction.
Authenticated remote code execution in OPNsense firewall versions prior to 26.1.8 allows a user with user-management privileges to execute arbitrary commands as root by smuggling shell payloads inside an email-address-formatted field processed by the local user synchronization script. Publicly available exploit code exists per SSVC, though EPSS scoring (0.13%) indicates low predicted mass exploitation; SSVC classifies technical impact as total but automation as no. No active exploitation has been confirmed in CISA KEV at time of analysis.
Authenticated remote code execution in CubeCart v6 prior to 6.7.3 allows an admin with documents-edit permission to embed raw PHP into the Invoice Editor template, which is later written to a predictable files/print.<md5>.php path that the bundled .htaccess explicitly exposes to unauthenticated visitors. SSVC rates technical impact as total and a POC exists, though EPSS remains very low (0.04%) and the issue is not on CISA KEV - no public exploit identified at time of analysis beyond researcher disclosure.
Account and store takeover in CubeCart 6.6.x through 6.7.1 is possible because the CC_STORE_URL constant is derived from the unvalidated Host header at bootstrap and embedded into password-reset emails. A remote unauthenticated attacker who knows a victim's email address can trigger a host-header poisoning attack that emails the user a reset link pointing at attacker-controlled infrastructure, capturing a valid 3,600-second token on click. SSVC reports a public POC and total technical impact, while EPSS remains low (0.03%) and no public exploit is identified as in-the-wild.
SQL injection in CubeCart v6 prior to 6.7.0 allows an authenticated administrator to execute arbitrary SQL against the store database via the unsanitized ORDER BY clause on the admin transactions listing page. The admin.php orders-transactions endpoint passes attacker-controlled GET parameters directly into a raw SQL fragment, bypassing the platform's sqlSafe() function which only escapes quote characters - none of which are required for ORDER BY injection. An attacker with at minimum CC_PERM_READ permission on orders can leverage time-based blind SQL injection to extract admin password hashes, customer PII, and integrated payment-gateway credentials. No public exploit identified at time of analysis, though SSVC data indicates POC code exists; the EPSS score of 0.03% (9th percentile) reflects limited observed exploitation interest.
Remote code execution in CubeCart v6 prior to 6.7.0 allows API key holders with files:rw permission to upload PHP webshells via the POST /api/v1/files REST endpoint. A path-traversal flaw in the filepath parameter lets attackers write executable files anywhere the webserver can write, including the document root, achieving full server takeover. No public exploit identified at time of analysis, though SSVC notes a POC and EPSS sits at 0.19% (40th percentile).
Reflected XSS in CubeCart v6 (prior to 6.7.0) enables unauthenticated remote attackers to execute arbitrary JavaScript in a victim's browser by delivering a crafted search URL that triggers a specific single-result code path in the search feature. The flaw exists in classes/catalogue.class.php where the searchCatalogue() method reflects the raw $_REQUEST['search']['keywords'] parameter in a notification message without sanitization - but only when the search returns exactly one product, bypassing all other input filters. A working exploit is publicly available on Exploit-DB (52588), though no public exploit identified at time of analysis places this in CISA KEV, and EPSS remains low at 0.03%.
Authenticated server-side template injection in CubeCart v6 before 6.7.0 lets administrators escape the Smarty template sandbox and invoke native PHP functions through modules such as Email Templates and Documents. Attackers can call readgzfile() to exfiltrate configuration secrets and error_log() with message_type=3 to drop a PHP webshell, yielding full remote code execution. No public exploit identified at time of analysis, but a SSVC 'poc' status and an upstream commit hardening the Smarty allowlist indicate the technique is documented.
Powie's WHOIS Domain Check 0.9.31 contains a persistent cross-site scripting vulnerability that allows authenticated attackers to inject arbitrary JavaScript by exploiting unsanitized input fields in. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
Kuicms Php EE 2.0 contains a persistent cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by submitting crafted content through the bbs reply. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
Joomla com_hdwplayer 4.2 contains an SQL injection vulnerability in the search.php file that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Easy2Pilot 7 contains a cross-site request forgery vulnerability that allows attackers to add unauthorized user accounts by tricking authenticated administrators into visiting malicious pages. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
WordPress Plugin ultimate-member 2.1.3 contains a local file inclusion vulnerability that allows authenticated attackers to include arbitrary files by manipulating the pack parameter in. Rated medium severity (CVSS 6.8), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.
Local File Inclusion vulnerability in RTMKit Addons for Elementor plugin versions up to 2.0.2 allows authenticated attackers with Author-level privileges to include and execute arbitrary PHP files via the 'path' parameter in the 'get_content' AJAX action, enabling remote code execution. The vulnerability requires low-privilege WordPress account access (Author role or higher) and has a CVSS score of 8.8, indicating high impact across confidentiality, integrity, and availability. EPSS data not available, but exploitation requires specific WordPress role assignment, limiting attack surface to sites where untrusted users have Author-level access. No active exploitation confirmed by CISA KEV at time of analysis.
PHP Object Injection vulnerability in coreActivity activity logging plugin through version 3.0 allows remote attackers to trigger persistent Denial of Service blocking administrator access to log pages. Unauthenticated attackers inject crafted PHP serialized payloads via User-Agent headers during any logged event (e.g., failed login). When administrators view the Logs page, the plugin deserializes untrusted data and passes it to DeviceDetector::setUserAgent(), causing Fatal TypeError. Vendor-released patch version 3.1 available (released May 6, 2026). EPSS exploitation probability not available; no CISA KEV listing at time of analysis. CVSS 8.1 reflects high complexity attack requiring precise payload crafting despite no authentication requirement.
ChurchCRM is an open-source church management system. Prior to 7.3.2, top-level cross-site GET navigation from an attacker-controlled page to FundRaiserDelete.php, PropertyTypeDelete.php, or NoteDelete.php causes a logged-in ChurchCRM user with the relevant role to silently delete records, including cascaded property and record-to-property assignments. This vulnerability is fixed in 7.3.2.
ChurchCRM is an open-source church management system. From 7.2.0 to 7.2.2, The fix for CVE-2026-4058 is incomplete. The hardening commit was merged and then silently stripped from src/api/routes/public/public-user.php by an unrelated PR before any 7.2.x tag was cut. Every shipped 7.2.x release therefore remains exploitable by the PoC published with the original advisory. This vulnerability is fixed in 7.3.1.
ChurchCRM is an open-source church management system. Prior to 7.3.2, UserEditor.php processes user account creation and permission updates entirely through $_POST parameters with no CSRF token validation. An unauthenticated attacker can craft a malicious HTML page that, when visited by an authenticated administrator, silently elevates any low-privilege user to full administrator or creates a new admin backdoor account without the victim's knowledge This vulnerability is fixed in 7.3.2.
Insufficient ownership checks in `clientarea.php` allow an authenticated client area user to submit requests using another user’s `addonId` without any ownership validation leading to unauthorized access to the victim's resources and their cPanel account.
Cross-Site Request Forgery in WooCommerce Minimum Weight plugin for WordPress up to version 3.0.1 allows unauthenticated attackers to modify minimum order weight settings by tricking site administrators into clicking malicious links or visiting attacker-controlled pages. The vulnerability stems from missing nonce verification in the settings update handler, enabling forged POST requests to alter critical e-commerce configuration without admin consent. No public exploit code or active exploitation has been identified at time of analysis.
Cross-Site Request Forgery in the Zawgyi Embed WordPress plugin versions up to 2.1.1 allows unauthenticated attackers to modify the plugin's zawgyi_forceCSS setting by tricking a site administrator into clicking a malicious link. The vulnerability stems from missing nonce validation in the zawgyi_adminpage function, enabling attackers to submit forged POST requests to the plugin's settings page without the administrator's knowledge.
Unauthenticated remote code execution in GWD Connect WordPress plugin versions up to 2.9 allows attackers to execute arbitrary PHP code on unregistered installations via the update_agent action in standalone agent endpoints (gwd-backup.php and gwd-logs.php) when the API key is not configured. The vulnerability exploits a missing authorization check that occurs only when the authentication key has not been set up, affecting default installations. No public exploit code or active exploitation has been confirmed at this time.
An arbitrary file upload vulnerability in MK-Auth 23.01K4.9 allows attackers to execute arbitrary code via uploading a crafted PHP file. Rated high severity (CVSS 8.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Using *show_inline=1* parameter and a valid *file_show_inline_token* CSRF token on file_download.php, an attacker can execute code by uploading a crafted XHTML attachment referencing a JavaScript attachment. ### Impact Cross-site scripting ### Patches - 26647b2e68ba30b9d7987d4e03d7a16416684bc2 ### Workarounds None ### Credits Thanks to siunam (Tang Cheuk Hei) for discovering and responsibly reporting the issue.
Lack of validation of filter_target parameter on return_dynamic_filters.php (normally used as an AJAX in View Issues Page) allows an attacker to inject arbitrary HTML if the target is a TEXTAREA custom field. ### Impact Cross-site scripting (XSS) ### Patches - c885af13f0b8596714ffe11df757c09f35fbd8f4 ### Workarounds None ### Credits Thanks to siunam (Tang Cheuk Hei) for discovering and responsibly reporting the issue.
Given any pre-existing XSS / HTML injection vulnerability, an attacker can bypass the Content Security Policy's _script-src_ directive by uploading a crafted attachment to any issue that, when accessed via the _file_download.php_ link, will be downloaded with a valid JavaScript MIME type resulting in script execution. The uploaded payload must be sniffed as a valid JavaScript MIME type by PHP finfo (see file_create_finfo() API function). Non-JavaScript MIME types will not get imported in a `<script>` tag by the browser, due to response header X-Content-Type-Options being set to _nosniff_, which requires all imported JavaScript files to be a valid JavaScript MIME type. ### Impact Cross-site scripting ### Patches - 9e3bee2e7b909f4e3596985892b8bc8bee9e0bfe ### Workarounds None ### Credits Thanks to siunam (Tang Cheuk Hei) for discovering and responsibly reporting the issue.
Improper escaping of a textarea custom field's contents in the Update Issue page (bug_update_page.php) allows an attacker to inject HTML and, if CSP settings permit, execute arbitrary JavaScript when the page is loaded. ### Impact Session theft leading to admin account takeover, full project data access. - Precondition: A textarea-type custom field must be configured for the project - Attacker: Authenticated user with bug report permission (low privilege) - Victim: Any user viewing the bug edit form, including administrators ### Patches - 5fec0f448b7a7d7d539a6adb6dccceac4e4e4ab7 ### Workarounds The default Content-Security Policy will block script execution. ### References - https://mantisbt.org/bugs/view.php?id=37003 - This is related to [CVE-2024-34081](https://github.com/advisories/GHSA-wgx7-jp56-65mq). ### Credits Thanks to the following security researchers for independently discovering and responsibly reporting the issue, and providing a patch to fix it. - Thanks to Nozomu Sasaki (Paul) (@morimori-dev) - Tristan Madani (@TristanInSec) from Talence Security
The core view rendering method `View::renderPhpFile()` calls `extract($_params_, EXTR_OVERWRITE)` before the `require` statement that includes the view file. A caller-controlled parameter named `_file_` in the `$params` array overwrites the internal local variable that specifies which file is included - enabling a Local File Inclusion primitive. ### Impact - Local File Inclusion (arbitrary file read via non-PHP files) - Potential RCE if attacker can write PHP files via a separate primitive - Information disclosure ### Patches 2.0.55 ### Workarounds No.
Using a crafted POST request to bug_monitor_add.php, a user with project-level access can add themselves as a monitor for a private issue they do not have access to. Despite displaying an Access Denied error, the application accepts the request and creates a monitor relationship for the private issue. ### Impact Direct access to the private issue remains blocked, but the user will receive email notifications for updates, leading to disclosure of the private issue's metadata and content. ### Patches - 0a93267deba445fb9d15250c16e6fdb1246ffa65 ### Workarounds None ### Credits Thanks to Vishal Shukla for discovering and responsibly reporting the issue.
Stored HTML injection and cross-site scripting in MantisBT versions 2.28.1 and earlier allows a privileged user (manager or administrator) to inject HTML through a Project's name field, which is later rendered unescaped on the issue clone form (bug_report_page.php) when cloning issues across projects. The flaw is mitigated by MantisBT's default Content Security Policy, which blocks inline script execution, and no public exploit identified at time of analysis. The CVSS 4.0 score of 8.6 reflects high confidentiality, integrity, and availability impacts on the vulnerable component despite requiring high privileges.
Insufficient access control checks in _ProjectUsersAddCommand_ (used in *manage_proj_user_add.php* and REST API endpoint `PUT /project/{id}/users`) allows users having *manage_project_threshold* access level (*manager* by default) to grant project-level *administrator* access to any user (including themselves) in any Project they have *manager* rights in. The normal project-user add form does restrict the selectable access levels to the actor's own project role or below. However, the backend handler still accepts a forged higher access_level value and writes it. ### Impact Privilege escalation. The consequences of the privilege escalation are not as bad as it may sound, because having *administrator* access at Project level is effectively not very different from being *manager*, it does not actually give administrator privileges on the whole MantisBT instance. In particular, it does not let the upgraded user delete the Project or grant them any access to global administrative functions such as managing Users, Projects, Plugins, Custom Fields, etc. ### Patches - 69e0180f180ed5acf48a8d281a73683a7bf32461 ### Workarounds None ### Credits Thanks to the following security researchers for independently discovering and responsibly reporting the issue: - [Dracosec Research Limited](https://dracosec.tech/) (Siu Nam Tang, Chris Chan, Krecendo Hui, William Lam) - Vishal Shukla
Stored Cross-Site Scripting in WeGIA versions prior to 3.7.3 allows authenticated high-privilege users to inject malicious JavaScript into the Processo de Aceitação page that executes when any user accesses the vulnerable endpoint, enabling session hijacking and account takeover. The vulnerability is confined to high-privilege authenticated access (PR:H) with no user interaction required on the victim side, though scope is changed (S:C) indicating cross-context impact. No public exploit code or active exploitation has been identified.
Stored cross-site scripting (XSS) in WeGIA versions prior to 3.7.3 allows authenticated high-privilege users to inject malicious JavaScript into the Etapas de um Processo page, which executes when other users access the page, enabling session hijacking and account takeover. The vulnerability requires high-privilege authentication (PR:H) but affects all users who subsequently visit the injected page, with no public exploit identified at time of analysis.
Information disclosure in WeGIA versions prior to 3.6.10 allows authenticated remote attackers to obtain sensitive technical details through overly descriptive error messages in the file upload endpoint (funcionario/docdependente_upload.php), expanding the attack surface for subsequent exploitation attempts.
Reflected cross-site scripting (XSS) in WeGIA versions before 3.7.0 allows unauthenticated remote attackers to inject arbitrary JavaScript via the id_processo parameter in lista_arquivos_etapa.php, enabling session hijacking, credential theft, or malicious actions in victim browsers. User interaction (clicking a crafted link) is required. The vulnerability is fixed in version 3.7.0.
WeGIA is a web manager for charitable institutions. In versions prior to 3.7.0, a Stored Cross-Site Scripting (XSS) flaw was identified at the following endpoint: funcionario/profile_funcionario.php?id_funcionario=2. By injecting a malicious payload into the 'Description' (Descrição) field and saving the profile, the script becomes persistently stored. The payload is subsequently executed whenever the profile page is accessed. This vulnerability is fixed in 3.7.0.
WeGIA is a web manager for charitable institutions. In versions prior to 3.7.0, atendido/familiar_docfamiliar.php displays an overly descriptive error message, including database-related details. This verbosity leads to information disclosure, which could assist a potential attacker in mapping the backend infrastructure and expanding the attack surface. This vulnerability is fixed in 3.7.0.
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Wikimedia Foundation Echo. This vulnerability is associated with program files includes/Api/ApiEchoNotifications.Php. This issue affects Echo: from * before 1.43.7, 1.44.4, 1.45.2.
Vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/Actions/ActionEntryPoint.Php, includes/Request/FauxResponse.Php. This issue affects MediaWiki: from * before 1.43.7, 1.44.4, 1.45.2.
Vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/Page/Article.Php. This issue affects MediaWiki: from * before 1.43.7, 1.44.4, 1.45.2.
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/Specials/SpecialUserRights.Php. This issue affects MediaWiki: from * before 1.43.7, 1.44.4, 1.45.2.
MediaWiki versions before 1.43.7, 1.44.4, and 1.45.2 expose sensitive information to unauthorized actors through improper handling in the Skin.php component. The vulnerability requires authenticated user access and user interaction (CVSS:4.0/AV:N/AC:H/PR:L/UI:P), resulting in low confidentiality impact. With an EPSS score of 2.1 and no evidence of active exploitation, this poses limited real-world risk but should be patched as part of routine maintenance.
Reflected XSS in ATutor's /install/install.php endpoint allows unauthenticated remote attackers to execute arbitrary JavaScript in a victim's browser by crafting a malicious URL. Version 2.2.4 is confirmed vulnerable; the product is no longer actively maintained and vendor response to disclosure was unsuccessful, leaving no official patch available.
Reflected XSS in ATutor's /install/upgrade.php endpoint allows unauthenticated remote attackers to execute arbitrary JavaScript in a victim's browser via a specially crafted URL. The vulnerability affects at least version 2.2.4 and potentially other versions; the product is no longer actively maintained and vendors did not respond with details about the full vulnerable version range. While CVSS 5.1 indicates low severity, the attack requires user interaction (clicking a malicious link) and has limited scope impact.
Remote code execution in the Custom css-js-php WordPress plugin versions up to 2.0.7 allows unauthenticated attackers to execute arbitrary PHP code on the server through SQL injection chained with PHP eval(). The plugin fails to sanitize user input before passing it to SQL queries, with query results subsequently executed via eval(). EPSS score of 0.02% (5th percentile) suggests low observed exploitation activity, and no public exploit code has been identified at time of analysis, though the technical barrier is low (CVSS AC:L/PR:N).
Reflected cross-site scripting (XSS) in GmbH Mercury Managed Print Services docuForm v11.11c allows unauthenticated remote attackers to execute arbitrary JavaScript in a victim's browser by injecting a malicious payload into an unfiltered variable in the dfm-menu_departments.php component. The vulnerability requires user interaction (clicking a crafted link) and affects confidentiality and integrity with limited scope. No public exploit code has been independently confirmed at this time, though the detailed nature of the component reference suggests proof-of-concept research exists.
docuFORM Managed Print Service Client 11.11c allows authenticated remote attackers to upload arbitrary files via the pmupdate.php endpoint, enabling potential remote code execution or system compromise. The vulnerability requires valid user credentials (PR:L per CVSS) but no user interaction, and affects confidentiality, integrity, and availability. No public exploit code or active exploitation has been confirmed at time of analysis.
SQL Injection in MuuCMF T6 v1.9.4.20260115 allows an unauthenticated attacker to compromise the entire database, achieve unauthorized administrative access, and potentially gain remote code execution by writing malicious files to the server's file system via the keyword parameter in the /index/controller/Search.php endpoint.
Reflected XSS in docuForm v11.11c allows unauthenticated remote attackers to execute arbitrary JavaScript in a victim's browser by injecting malicious payloads into the acc-menu_papers.php component. The vulnerability requires user interaction (clicking a crafted link) and has limited scope (session-based impact), with a CVSS score of 6.1. No public exploit code availability or CISA KEV listing confirmed at time of analysis, though a reference repository exists.