Skip to main content

PHP

24729 CVEs product

Monthly

CVE-2026-42550 PHP HIGH PATCH GHSA This Week

SQL injection in Flight PHP framework's SimplePdo database helpers allows privilege escalation through crafted array keys. Applications forwarding user-controlled request data shapes to insert(), update(), or delete() methods enable remote authenticated attackers to inject arbitrary SQL, create administrative accounts, modify sensitive columns, or exfiltrate data. Vendor-released patch in version 3.18.1 validates identifiers with safe-identifier regex. Publicly available proof-of-concept demonstrates privilege escalation via malicious JSON request keys. Researcher @Rootingg discovered and reported through GitHub Security Advisory GHSA-xwqr-rcqg-22mr.

Privilege Escalation PHP SQLi
NVD GitHub
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-42549 PHP MEDIUM PATCH GHSA This Month

### Summary The `make:controller` CLI command calls `mkdir(..., recursive: true)` on a path built from the user-supplied controller name, **before** Nette's class-name validation runs. The class-file write is correctly rejected by Nette when the name contains `/`, but the recursive directory creation side effect is already committed - including directories located outside the project root through `../` traversal. ### Affected code `flight/commands/ControllerCommand.php` (≈ 63-66): ```php if (is_dir(dirname($controllerPath)) === false) { $io->info('Creating directory ' . dirname($controllerPath), true); mkdir(dirname($controllerPath), 0755, true); // un-normalized, runs before validation } ``` ### Proof of concept ``` $ php vendor/flightphp/runway/runway make:controller '../../../../tmp/CONTROLLER_TRAVERSAL_TEST/pwn' Creating directory .../app/controllers/../../../../tmp/CONTROLLER_TRAVERSAL_TEST Nette\InvalidArgumentException: Value '../../../../tmp/CONTROLLER_TRAVERSAL_TEST/pwnController' is not valid class name. $ ls /home/user/tmp/CONTROLLER_TRAVERSAL_TEST (directory exists - created before the exception was thrown) ``` ### Impact - **Arbitrary directory creation outside the project root**, executable by any local actor that can run the Flight CLI (developer machine, shared CI build agent, compromised dev container). - Primes log-file planting for chained LFI exploitation (e.g. creating a directory where an attacker can later drop a `.php` file to be included via a distinct template-include weakness). - On Windows, the `\` separator opens additional traversal surface. ### Patch (fixed in `3.18.1`, commit `b8dd23a`) The controller name is now normalized with `basename()` and validated against `^[A-Za-z_][A-Za-z0-9_]*$` before any `mkdir` side effect runs. ### Credit Discovered by **@Rootingg**.

Microsoft PHP Path Traversal
NVD GitHub
CVSS 3.1
4.4
EPSS
0.0%
CVE-2026-42548 PHP HIGH PATCH GHSA This Week

Reflected cross-site scripting in Flight PHP framework's JSONP endpoint implementation allows remote attackers to execute arbitrary JavaScript in victim browsers by injecting malicious code through unvalidated callback parameters. Flight PHP versions prior to 3.18.1 concatenate user-supplied `jsonp` query parameters directly into JavaScript responses without identifier validation, enabling cookie theft and session hijacking when vulnerable endpoints are embedded via script tags. The vulnerability was patched in version 3.18.1 (commit b8dd23a) with regex validation limiting callbacks to legal JavaScript identifiers. A working proof-of-concept demonstrates cookie exfiltration via crafted callback parameters.

XSS PHP
NVD GitHub
CVSS 4.0
8.6
EPSS
0.0%
CVE-2026-42844 PHP HIGH PATCH GHSA This Week

Privilege escalation in Grav CMS 2.0.0-beta.2 allows authenticated API users with minimal media.write permissions to fabricate super-admin accounts via arbitrary YAML file upload. The /api/v1/blueprint-upload endpoint accepts attacker-controlled destination and scope parameters that, when combined with specific values (destination=self@: and scope=users/anything), write files directly into user/accounts/. Because Grav parses YAML files in this directory as authoritative user accounts and accepts plaintext passwords on first login, attackers craft a new account with api.super privileges, then authenticate as that account to gain full administrative control. Publicly available exploit code exists (detailed PoC in vendor advisory). Vendor-released patch restricts accounts directory uploads to image-only extensions and blocks config-bearing file types (YAML, JSON, Twig) across all blueprint-upload targets.

Privilege Escalation PHP RCE
NVD GitHub VulDB
CVSS 4.0
8.7
EPSS
0.0%
CVE-2026-42458 PHP MEDIUM PATCH GHSA This Month

Reflected cross-site scripting (XSS) in OpenMage Magento LTS versions up to 20.17.0 allows authenticated admin users to inject arbitrary JavaScript via the Import/Export Dataflow Profiles run interface. The vulnerability exists in the System → Import/Export → Dataflow Profiles page where unsanitized filename parameters are reflected into HTML context, enabling cookie theft and admin panel defacement. The exploitation requires admin panel access and user interaction to click a malicious link, but no network-based unauthenticated exploitation is possible.

XSS PHP
NVD GitHub
CVSS 4.0
5.3
EPSS
0.0%
CVE-2026-44262 PHP CRITICAL POC PATCH GHSA Act Now

Remote code execution in Scramble API documentation generator versions 0.13.2 through 0.13.21 allows unauthenticated attackers to execute arbitrary PHP code when documentation endpoints are publicly accessible and validation rules reference user-controlled input. Fixed in version 0.13.22. The CVSS score of 9.4 (Critical) reflects the network-accessible, low-complexity attack requiring no authentication, though exploitation requires specific configuration where documentation endpoints remain enabled and validation rules incorporate request-supplied data. No active exploitation (CISA KEV) or public POC identified at time of analysis, but the GitHub security advisory provides full technical details enabling reproduction.

PHP Code Injection RCE
NVD GitHub Exploit-DB VulDB
CVSS 3.1
9.4
EPSS
0.1%
CVE-2026-41938 HIGH PATCH This Week

Remote code execution in Vvveb CMS versions before 1.0.8.2 allows authenticated users with media-upload permissions to execute arbitrary PHP code with web server privileges via a two-stage attack: uploading a malicious .htaccess file to map .phtml extensions to the PHP handler, then uploading a .phtml file containing PHP code. Exploitation requires only low-privileged authentication (CVSS PR:L) and no user interaction (UI:N), making post-authentication compromise straightforward. Vendor-released patch available in version 1.0.8.2 per GitHub security advisory GHSA-wwmv-4g9g-p48g and commit 54a9e846. VulnCheck advisory provides detailed technical analysis of the bypass technique.

PHP RCE File Upload
NVD GitHub VulDB
CVSS 4.0
8.7
EPSS
0.1%
CVE-2026-41934 HIGH PATCH This Week

Remote code execution in Vvveb CMS versions before 1.0.8.2 enables low-privilege authenticated users (editor, author, contributor, or site_admin roles) to escalate privileges and execute arbitrary PHP code. Attackers exploit the admin code editor's insufficient file extension validation by first uploading a malicious .htaccess file that maps arbitrary extensions to the PHP handler, then uploading PHP code disguised with that extension. Once uploaded, the PHP code executes with web server privileges when accessed via HTTP, effectively bypassing authentication and achieving full system compromise. The vulnerability requires only low-privilege access (PR:L) with no attack complexity or user interaction (AC:L/UI:N), and vendor-released patch version 1.0.8.2 is confirmed available via GitHub. No public exploit code or active exploitation (KEV) confirmed at time of analysis.

PHP RCE Vvveb
NVD GitHub VulDB
CVSS 4.0
8.7
EPSS
0.4%
CVE-2026-41936 HIGH PATCH This Week

XML external entity injection in Vvveb CMS versions before 1.0.8.2 allows authenticated site_admin users to read arbitrary server files and overwrite administrator password hashes via the admin Tools/Import feature. The vulnerability resides in system/import/xml.php where LIBXML_NOENT flag enabled external entity resolution, allowing injection of file:// and php://filter protocols. Attackers with low-privilege admin accounts can escalate to full administrator access by replacing password hashes in the database. Vendor-released patch version 1.0.8.2 removes LIBXML_NOENT flag. No active exploitation confirmed by CISA KEV at time of analysis.

XXE Privilege Escalation PHP
NVD GitHub
CVSS 4.0
8.6
EPSS
0.0%
CVE-2026-44012 PHP HIGH PATCH GHSA This Week

Authenticated control-panel users in Craft CMS 5.x can enumerate asset filenames and complete folder hierarchies (volume handles, UIDs, folder names, URIs) across all volumes by sending arbitrary asset IDs to the AssetsController::actionShowInFolder endpoint, bypassing volume-level viewAssets and viewPeerAssets permission checks. The flaw stems from an incomplete February 2026 patch wave that fixed four sibling endpoints but missed this method, introduced 13 days before the patch release. No public exploit identified at time of analysis; vendor-released patch fixes 5.9.18 and later. This information disclosure vulnerability enables reconnaissance for follow-up attacks against restricted asset volumes.

Authentication Bypass PHP
NVD GitHub
CVSS 4.0
7.1
EPSS
0.0%
CVE-2026-44010 PHP HIGH POC PATCH GHSA This Week

Unauthorized PII disclosure in Craft CMS GraphQL API allows cross-scope address enumeration via missing authorization check. A GraphQL API token scoped to any single low-privilege user group can read all addresses system-wide, including PII from restricted user groups (full names, home addresses, corporate addresses, tax IDs, GPS coordinates). The Address element resolver bypasses schema scope filtering that all other element resolvers enforce. Vendor-released patch: versions 5.9.18 and 4.17.12. Publicly available exploit code exists (detailed PoC in GitHub advisory). Affects all Craft CMS Pro deployments (v4.0.0+) using headless GraphQL APIs with user group scoping-a standard deployment pattern for Next.js/Nuxt/Gatsby frontends.

Authentication Bypass Docker PHP
NVD GitHub
CVSS 4.0
7.1
EPSS
0.0%
CVE-2026-6344 MEDIUM This Month

Fluent Forms plugin for WordPress up to version 6.2.1 allows authenticated administrators to read arbitrary files readable by the web server through path traversal in the getAttachments() method of EmailNotificationActions. The vulnerability stems from insufficient validation of file-upload URLs in admin notification configurations, permitting attackers to supply traversal sequences like <upload_baseurl>/../../<target> to access sensitive files such as wp-config.php containing database credentials and authentication salts. While unauthenticated users can trigger email notifications, the exploit requires administrator-level access to configure the malicious notification attachment.

PHP WordPress Path Traversal
NVD VulDB
CVSS 3.1
4.9
EPSS
0.3%
CVE-2026-43885 PHP HIGH PATCH GHSA This Week

AVideo version 29.0 and earlier exposes API authentication secrets (APISecret) to unauthenticated remote attackers via a publicly accessible plugin configuration endpoint at objects/plugins.json.php. This vulnerability enables complete bypass of authentication controls protecting sensitive API endpoints including user enumeration (users_list) and other privileged operations. Publicly available exploit code exists (proof-of-concept demonstrated in GitHub advisory GHSA-xr49-f4rh-qcjf). Upstream fix available via commit 1c36f229 but no tagged release version has been independently confirmed at time of analysis.

Authentication Bypass PHP Information Disclosure
NVD GitHub VulDB
CVSS 4.0
7.7
EPSS
0.1%
CVE-2026-43884 PHP HIGH PATCH GHSA This Week

Server-Side Request Forgery (SSRF) in AVideo versions up to 29.0 allows authenticated attackers to exfiltrate cloud metadata credentials and access internal services via HTTP redirect bypass and DNS rebinding attacks. Two endpoints in AVideo's AI plugin and EPG parser validate user-supplied URLs using isSSRFSafeURL() but then fetch them with file_get_contents() using PHP's default automatic redirect following. An attacker supplies a URL to a controlled server returning a 302 redirect to internal resources (e.g., AWS instance metadata at 169.254.169.254), bypassing SSRF protections since only the initial URL is validated. Vendor-released patch available via GitHub commit 603e7bf7. CVSS 7.7 reflects Changed Scope due to cross-boundary access to cloud infrastructure credentials.

Python SSRF PHP
NVD GitHub
CVSS 3.1
7.7
EPSS
0.0%
CVE-2026-43883 PHP MEDIUM PATCH GHSA This Month

Insecure Direct Object Reference (IDOR) in AVideo's PayPalYPT plugin allows any authenticated user to cancel arbitrary PayPal billing agreements belonging to other users by supplying a victim's agreement ID to the `agreementCancel.json.php` endpoint. An attacker can silently suspend a victim's recurring subscription without authorization, causing revenue loss to the platform operator and service interruption to the victim. The vulnerability exists because the endpoint only checks that the user is logged in, but fails to verify ownership of the agreement being canceled, despite a sister endpoint (`PayPalAgreementCancel.json.php`) implementing the correct authorization check.

Authentication Bypass PHP CSRF
NVD GitHub
CVSS 3.1
4.2
EPSS
0.0%
CVE-2026-43882 PHP MEDIUM PATCH GHSA This Month

Unauthenticated CRLF injection in AVideo's Scheduler plugin allows remote attackers to inject arbitrary calendar events into ICS files served from the victim's trusted domain, enabling high-credibility calendar phishing attacks. The vulnerable endpoint accepts attacker-controlled parameters without sanitization, passes them through an incomplete escape function that does not neutralize carriage-return/line-feed bytes, and constructs RFC 5545-compliant ICS calendar files containing injected VEVENT blocks. Exploitation requires only that the Scheduler plugin be enabled (common default) and user interaction to import the malicious .ics file; no authentication or special configuration is needed. A vendor-released patch is available.

Microsoft PHP CSRF Mozilla Apple +1
NVD GitHub
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-43881 PHP MEDIUM PATCH GHSA This Month

Unauthenticated user enumeration in AVideo objects/users.json.php allows remote attackers to disclose all registered user accounts via an isCompany parameter that bypasses admin-only access controls, and a users_id parameter that acts as a sequential-ID existence oracle. An unauthenticated attacker can harvest the complete user directory-including display names, numeric IDs, profile URLs, photos, and active/inactive status-in a single unbounded GET request, enabling credential stuffing and phishing campaigns. The vulnerability affects AVideo through version 29.0; vendor patch available.

Authentication Bypass Oracle CSRF PHP
NVD GitHub
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-43880 PHP MEDIUM PATCH GHSA This Month

Unauthenticated arbitrary email sending via sendEmail.json.php allows remote attackers to send phishing emails from the site's legitimate sender address to arbitrary recipients by omitting the contactForm parameter, bypassing authentication and CSRF protections. The endpoint is explicitly allow-listed as a public write action and requires only a solved captcha, enabling an attacker to impersonate the site operator and send messages with forged From/Reply-To headers that pass SPF/DKIM/DMARC validation for the site's domain, ideal for targeted credential harvesting and brand impersonation attacks.

PHP CSRF
NVD GitHub
CVSS 3.1
5.3
EPSS
0.1%
CVE-2026-43879 PHP MEDIUM PATCH GHSA This Month

Blind server-side request forgery (SSRF) in AVideo's donation webhook system allows authenticated users to configure webhook URLs pointing to internal/loopback/metadata services (127.0.0.1, 169.254.169.254, RFC1918 addresses). When any user donates via the CustomizeUser plugin, the AVideo server issues an unauthenticated POST request to the attacker-supplied URL without validating it against the codebase's existing isSSRFSafeURL() helper. The vulnerability is compounded by CURLOPT_FOLLOWLOCATION being enabled without per-hop revalidation, permitting HTTP 307 redirects from attacker-controlled hosts to bypass even future URL validation. CVSS 5.4 (network-accessible, requires authentication, low complexity); no public proof-of-concept or active KEV exploitation confirmed at analysis time, but the vulnerability is trivially exploitable with two attacker-controlled accounts and the PoC is fully documented in the advisory.

Redis SSRF CSRF PHP
NVD GitHub
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-42611 PHP HIGH PATCH GHSA This Week

Stored cross-site scripting in Grav CMS allows low-privileged users with page-creation permissions to inject malicious SVG payloads that execute when administrators view the page. The vulnerability stems from regex-based XSS detection that fails to catch unquoted event handlers and omits SVG/MathML from dangerous tags. Exploitation exfiltrates the admin-nonce token from /admin/config/info, enabling CSRF bypass and chained remote code execution through scheduled tasks or plugin endpoints. GitHub advisory GHSA-w8cg-7jcj-4vv2 confirms exploit details; patch available in Grav 2.0.0-beta.2 (commit 5a12f9be8). CVSS 8.9 (High) with network attack vector, low complexity, and scope change reflecting cross-context session hijacking.

PHP CSRF XSS Mozilla RCE
NVD GitHub
CVSS 3.1
8.9
EPSS
0.0%
CVE-2026-42608 PHP HIGH PATCH GHSA This Week

Unauthenticated path traversal in Grav CMS FormFlash component allows remote attackers to create arbitrary directories and write configuration files (index.yaml) with controlled content. Confirmed actively exploited (CISA KEV). The vulnerability affects all Grav v1.7.x installations with form-enabled pages (default in standard deployments). Attack complexity is low-requires only manipulating the __form-flash-id POST parameter with traversal sequences. Vendor-released patch available in v2.0.0-beta.2 (commit d904efc33) applies strict alphanumeric sanitization to session identifiers. EPSS exploitation probability data not available, but GitHub advisory confirms zero-day status prior to patch, with public proof-of-concept demonstrating directory creation in user/config/ paths leading to configuration injection and potential DoS via inode exhaustion.

Denial Of Service PHP Path Traversal
NVD GitHub
CVSS 4.0
8.8
EPSS
0.1%
CVE-2026-42609 PHP HIGH PATCH GHSA This Week

Grav CMS Admin Panel allows authenticated users with only user-creation permissions to overwrite administrator accounts by submitting the admin's username when creating a new user. The flawed create-or-update logic replaces the existing super-admin account metadata with attacker-supplied low-privilege data, locking the legitimate administrator out and causing complete loss of management control. Vendor-released patch: fixed in 2.0.0-beta.2 (commit d904efc33). Publicly available exploit code exists (video PoC published by Grav maintainers). EPSS data not provided, but the low attack complexity and confirmed PoC make exploitation straightforward for any low-privileged user with create-user rights.

Denial Of Service Privilege Escalation PHP
NVD GitHub
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-42612 PHP HIGH PATCH GHSA This Week

Stored cross-site scripting in Grav CMS allows publisher-level authenticated users to execute arbitrary JavaScript in victim browsers by injecting unquoted HTML event handlers that bypass the detectXss() blacklist regex. The flawed pattern failed to detect on* event attributes without surrounding quotes, enabling payloads like <img src=x onerror=eval(...)> to persist in content fields and execute when administrators or other users view the compromised page. Vendor-released patch confirmed in commit 5a12f9be8 (Grav 2.0.0-beta.2), which tightens the on_events regex to flag unquoted attributes, adds dangerous XML namespace tags (svg, math) to the default blocklist, and hardens MediaObjectTrait::attribute() with strict identifier validation. Publicly available exploit code exists. EPSS and KEV data not provided; exploitation requires publisher-level account privileges.

XSS PHP
NVD GitHub
CVSS 3.1
8.5
EPSS
0.0%
CVE-2026-42610 PHP MEDIUM PATCH GHSA This Month

Sensitive information disclosure in Grav CMS v1.8.0-beta.29 allows low-privileged users with page editing permissions to bypass Twig sandbox restrictions and extract administrative password hashes and security salts via the exposed `grav['accounts']` service. A content editor can inject a Twig template with `{{ grav['accounts'].load('admin').get('hashed_password') }}` to retrieve plaintext Bcrypt hashes accessible for offline brute-force attack. Vendor-released patch available (2.0.0-beta.2 and commit c66dfeb5ff679a1667678c6335eb9ff3255dfc47); publicly available proof-of-concept exists demonstrating practical exploitation.

Authentication Bypass PHP Information Disclosure CSRF
NVD GitHub
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-42613 PHP CRITICAL PATCH GHSA Act Now

Unauthenticated privilege escalation in Grav CMS Login plugin 3.8.0 allows remote attackers to self-register with admin.super privileges via missing server-side validation of groups and access fields. When administrators configure user registration with groups or access in allowed fields (a permitted UI action), attackers inject these fields into registration POST requests to bypass config-level defaults and gain full administrative access. Vendor-released patch: Login plugin 3.8.2 / Grav 2.0.0-beta.2 (commit 3d419a0). No public exploit identified at time of analysis, but the GitHub security advisory includes detailed proof-of-concept code demonstrating the attack.

Privilege Escalation PHP
NVD GitHub
CVSS 3.1
9.4
EPSS
0.1%
CVE-2026-42842 PHP MEDIUM PATCH GHSA This Month

Stored cross-site scripting in Grav CMS Form plugin allows editor-level users to inject arbitrary JavaScript via taxonomy tag and category values that execute in administrator browsers when viewing any page in the admin panel. The vulnerability exploits unescaped Twig `|raw` filters in the select field template combined with a bypassable XSS detection regex, enabling privilege escalation through nonce theft and unauthorized admin actions. Vendor-released patch available in grav-plugin-form 9.0.1 and Grav core 2.0.0-beta.2.

XSS PHP Privilege Escalation
NVD GitHub
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-42841 PHP MEDIUM PATCH GHSA This Month

Stored cross-site scripting in Grav CMS via Markdown media attribute injection allows authenticated page editors to inject executable JavaScript event-handler attributes into rendered image HTML. An editor can craft Markdown syntax like `![alt](image.gif?attribute=onload,alert(1))` which bypasses the attribute() media method's input validation and renders as `<img onload="alert(1)">`, executing arbitrary JavaScript in the browsers of any user viewing the affected page, including administrators and reviewers in multi-user installations. Publicly available patch confirmed in version 2.0.0-beta.2.

XSS PHP
NVD GitHub
CVSS 4.0
6.9
EPSS
0.0%
CVE-2026-42607 PHP CRITICAL POC PATCH GHSA Act Now

Remote code execution in Grav CMS versions prior to 2.0.0-beta.2 allows authenticated administrators to deploy malicious PHP web shells by uploading crafted ZIP files through the Direct Install tool at /admin/tools/direct-install. The vulnerability combines insufficient ZIP archive content validation (Zip Slip primitive via path traversal) with the design-level acceptance of arbitrary plugin PHP code. Publicly available exploit code exists, demonstrating automated login, nonce extraction, malicious plugin upload, and persistent shell deployment. CVSS 9.1 (Critical) reflects network-accessible RCE with scope change, though exploitation requires high privileges (admin role). No EPSS or KEV data available at time of analysis.

Microsoft PHP CSRF Python RCE +2
NVD GitHub Exploit-DB VulDB
CVSS 3.1
9.1
EPSS
0.2%
CVE-2026-42843 PHP HIGH PATCH GHSA This Week

Privilege escalation in Grav API Plugin (versions < 1.0.0-beta.15) allows any authenticated user with basic 'api.access' permission to elevate themselves to Super Administrator by sending a crafted PATCH request to modify their own permission configuration. The vulnerability, confirmed by vendor GitHub Security Advisory GHSA-r945-h4vm-h736, stems from inadequate authorization checks in the UsersController::update method, which permits self-editing users to overwrite the 'access' field containing role definitions. Successful exploitation grants complete CMS control including the ability to edit Twig templates outside sandbox restrictions for remote code execution. A detailed proof-of-concept is publicly available, and vendor-released patch is confirmed in version 1.0.0-beta.15.

Authentication Bypass Privilege Escalation PHP
NVD GitHub
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-42267 PHP MEDIUM PATCH GHSA This Month

Formula injection in Kimai 2.27.0 through 2.53.0 allows authenticated users with ROLE_USER to create tags containing formula strings (e.g., =SUM(54+51)) via the POST /api/tags endpoint. When administrators export timesheets to XLSX format, the ArrayFormatter joins tag names without sanitization, and OpenSpout automatically promotes formula-prefixed strings to FormulaCell objects. Excel or LibreOffice Calc evaluates these formulas when the exported file is opened, enabling code execution on any workstation that imports and opens the poisoned spreadsheet. Publicly available exploit code demonstrates the attack via normal user account and admin export workflow.

PHP Code Injection
NVD GitHub
CVSS 4.0
5.4
EPSS
0.0%
CVE-2026-42207 PHP MEDIUM PATCH GHSA This Month

Open redirect vulnerability in OpenMage LTS through version 20.17.0 allows authenticated attackers to redirect logged-in customers to arbitrary external URLs via an unvalidated `uenc` parameter in the ProductAlert `stockAction()` controller. The vulnerability occurs when a non-existent product ID is supplied, bypassing the `_isUrlInternal()` validation check present in the analogous `priceAction()` method. Attackers can exploit this for credential phishing, OAuth token theft, affiliate fraud, or malware distribution by crafting a malicious link and distributing it via email, forums, or social media.

PHP Google Open Redirect
NVD GitHub
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-42194 PHP MEDIUM PATCH GHSA This Month

DNS rebinding in Admidio's SSO metadata fetch endpoint bypasses SSRF protections by validating a hostname's IP address with gethostbyname() but passing the original hostname to curl_init(), allowing attackers to redirect requests to internal services including cloud metadata endpoints. Authenticated administrators can exploit this TOCTOU window between DNS resolution check and cURL connection to access internal IP ranges, read instance metadata, or scan internal networks.

Python SSRF PHP
NVD GitHub
CVSS 3.1
6.8
EPSS
0.0%
CVE-2026-42155 PHP CRITICAL PATCH GHSA Act Now

Predictable API session token generation in OpenMage LTS (≤ 20.16.0, confirmed vulnerable through ≤ 20.17.0) allows remote unauthenticated attackers to hijack authenticated XML-RPC, SOAP, and legacy REST API sessions by brute-forcing MD5 digests derived from time-based inputs. The session ID is constructed via md5(time() . uniqid('', true) . null), leaving an attacker with predictable timestamp and microsecond components plus a constrained LCG float - yielding far less than the OWASP ASVS-mandated 64 bits of entropy. Publicly available exploit code exists in the form of a working Python PoC included with the advisory.

PHP Adobe Information Disclosure
NVD GitHub
CVSS 4.0
9.3
EPSS
0.0%
CVE-2026-43878 PHP MEDIUM PATCH GHSA This Month

Reflected XSS in AVideo's Meet plugin allows unauthenticated attackers to execute arbitrary JavaScript in a victim's browser by injecting unescaped user and pass query parameters into a JavaScript string literal. The vulnerability is reachable without authentication on any public Meet schedule with no password (the default configuration), enabling session cookie theft and account takeover of authenticated users. CVSS 6.1 (AV:N/AC:L/PR:N/UI:R/S:C) reflects network delivery requiring user interaction but changed scope due to cookie exfiltration across the AVideo application origin.

XSS PHP CSRF
NVD GitHub
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-43877 PHP MEDIUM PATCH GHSA This Month

Cross-site request forgery in AVideo's userSavePhoto.php endpoint allows unauthenticated remote attackers to overwrite any logged-in user's profile photo with arbitrary bytes by luring them to a malicious webpage. The vulnerability exploits a missing CSRF token and a default cookie policy of SameSite=None on HTTPS deployments, combined with unvalidated base64 decoding that accepts any file content. Each successful attack also triggers a global cache invalidation, enabling denial-of-service via cache thrashing.

PHP CSRF RCE
NVD GitHub
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-43876 PHP MEDIUM PATCH GHSA This Month

Stored HTML injection in AVideo's notifySubscribers endpoint allows any authenticated uploader to broadcast platform-branded phishing emails to up to 10,000 channel subscribers without sanitization, escaping, or rate limits. The attacker-supplied HTML is injected directly into the email template via str_replace and rendered by PHPMailer, arriving with the platform's official contact email address, logo, and site title, enabling credential theft and reconnaissance at scale with no visible indication that content originated from an uploader rather than the platform operator.

Canonical XSS PHP CSRF
NVD GitHub
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-43875 PHP MEDIUM PATCH GHSA This Month

Password hash exposure in AVideo's MobileManager OAuth redirect enables account takeover when unauthenticated attackers capture the redirect URL from server logs, browser history, or referrer leakage, then replay the hash via the login endpoint's encodedPass bypass. The vulnerability affects all users who authenticate through OAuth (Google, etc.) when the MobileManager plugin is enabled, including administrators, and requires only user interaction to trigger the initial OAuth flow-no active exploitation in the wild has been confirmed at analysis time, but a working proof-of-concept exists and patch has been released by the vendor.

PHP CSRF Google
NVD GitHub
CVSS 3.1
6.8
EPSS
0.0%
CVE-2026-43874 PHP HIGH PATCH GHSA This Week

Unauthenticated remote code execution in AVideo ≤29.0 allows attackers to inject and execute arbitrary JavaScript in the browsers of any logged-in users through a WebSocket message relay bypass. An attacker obtains a WebSocket token without authentication from plugin/YPTSocket/getWebSocket.json.php, connects to the WebSocket server, and sends a crafted message with autoEvalCodeOnHTML nested under the json field instead of msg. The incomplete server-side sanitization from prior fix c08694bf6 (GHSA-gph2-j4c9-vhhr) only strips autoEvalCodeOnHTML from $json['msg'], but the relay function msgToResourceId() preferentially selects $msg['json'] as the outbound message carrier. The payload bypasses sanitization, reaches the victim's browser via WebSocket relay, and executes through eval() at plugin/YPTSocket/script.js:573-575. Vendor-released patch: commit 9f3006f9a (recursive stripping across all message carriers). No public exploit identified at time of analysis, but the advisory includes functional proof-of-concept Python code.

PHP CSRF Python XSS RCE +2
NVD GitHub
CVSS 3.1
7.2
EPSS
0.1%
CVE-2026-43873 PHP HIGH PATCH GHSA This Week

Unauthenticated information disclosure in AVideo CloneSite plugin (versions ≤29.0) leaks the installation's shared secret authentication key through an error message, enabling attackers to impersonate the victim installation to its federated clone server and trigger a full database dump into a publicly accessible directory. The vulnerability chains two flaws: cloneClient.json.php echoes the local myKey credential in HTTP responses to any unauthenticated request due to incorrect $argv handling in web contexts, and the remote cloneServer.json.php then accepts this leaked key to authenticate mysqldump operations without IP restrictions or access controls on the resulting dump files. Patch available via GitHub commit e6566f56. No evidence of active exploitation (not in CISA KEV); EPSS data not provided. CVSS 7.5 (AV:N/AC:L/PR:N/UI:N) reflects high confidentiality impact from direct credential exposure plus cross-site database access in federated deployments.

PHP Information Disclosure Nginx
NVD GitHub
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-7822 LOW POC Monitor

SQL injection in itsourcecode Courier Management System 1.0 via the ids parameter in /print_pdets.php allows authenticated remote attackers to execute arbitrary SQL queries with low impact to confidentiality, integrity, and availability. The vulnerability has a publicly available proof-of-concept and is characterized by low CVSS score (2.1) due to authentication requirement and limited scope, but SQL injection itself represents a persistent threat vector if the system processes sensitive courier data.

PHP SQLi
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-5957 MEDIUM This Month

EmailKit plugin for WordPress versions up to 1.6.5 allows authenticated attackers with Author-level access to read arbitrary files from the server due to a path traversal vulnerability in the create_template() method. The vulnerability exploits a PHP 8.x type coercion flaw where realpath() returns false for non-existent directories, causing strpos() validation to incorrectly evaluate and bypass directory restrictions. Attackers can retrieve sensitive files such as wp-config.php by submitting absolute paths via the emailkit-editor-template REST API parameter. No public exploit code identified at time of analysis, though the vulnerability mechanism is trivial to weaponize once authentication is obtained.

PHP WordPress Path Traversal
NVD VulDB
CVSS 3.1
6.5
EPSS
0.1%
CVE-2026-1921 MEDIUM This Month

Loco Translate plugin for WordPress versions up to 2.8.2 allows authenticated attackers with Translator-level access to read arbitrary files outside the intended translation directory via path traversal in the `fsReference` AJAX endpoint. The vulnerability exploits insufficient validation of directory traversal sequences (`../`) in the `findSourceFile()` method, enabling disclosure of sensitive `.php`, `.js`, `.json`, and `.twig` files including wp-config.php-adjacent files. No public exploit code has been identified at time of analysis, and the attack requires administrative capability assignment (`loco_admin` capability) granted to translators by default.

PHP WordPress Path Traversal
NVD VulDB
CVSS 3.1
4.9
EPSS
0.2%
CVE-2026-6702 MEDIUM This Month

Cross-Site Request Forgery in Publish 2 Ping.fm WordPress plugin up to version 1.1 allows unauthenticated attackers to modify plugin settings and inject malicious scripts by tricking site administrators into clicking a crafted link, exploiting missing nonce validation on the admin settings page. The vulnerability requires user interaction (admin click) and affects the plugin's confidentiality and integrity but not availability. No public exploit code or active exploitation has been confirmed.

PHP CSRF WordPress
NVD VulDB
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-7783 LOW POC Monitor

SQL injection in CodeCanyon Perfex CRM up to version 3.4.1 allows authenticated remote attackers to execute arbitrary SQL queries via the Admin Kanban Endpoint's AbstractKanban::applySortQuery function. The vulnerability stems from improper sanitization of the sort query argument and can lead to unauthorized data access, modification, and potential system compromise. Publicly available exploit code exists, increasing real-world risk.

PHP SQLi
NVD VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-7782 LOW POC Monitor

Authorization bypass in CodeCanyon Perfex CRM up to 3.4.1 allows authenticated remote attackers to access projects belonging to other tenants via manipulation of the ID parameter in the Clients::project function. The vulnerability requires valid user credentials but grants access to cross-tenant data with low confidentiality, integrity, and availability impact. Publicly available exploit code exists for this flaw.

Authentication Bypass PHP
NVD VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-42606 PHP HIGH PATCH GHSA This Week

Password reset poisoning in AzuraCast versions ≤0.23.5 allows remote attackers to achieve full account takeover via client-supplied X-Forwarded-Host header injection. The ApplyXForwarded middleware lacks trusted proxy validation, enabling unauthenticated attackers to poison password reset URLs sent to victims. When victims click the poisoned link, their reset token is exfiltrated to attacker-controlled infrastructure. The attacker then redeems the token on the legitimate instance to reset the victim's password and unconditionally destroy their 2FA configuration, bypassing multi-factor authentication protections. Vendor-confirmed patch released in version 0.23.6. No public exploit identified at time of analysis. CVSS 8.1 reflects network attack vector with user interaction required (clicking email link). The vulnerability is limited to deployments using the default Docker configuration with nginx+PHP-FPM where fastcgi_pass forwards client headers unfiltered.

Docker CSRF PHP Nginx
NVD GitHub VulDB
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-42605 PHP HIGH PATCH GHSA This Week

Path traversal in AzuraCast's Flow.js media upload endpoint allows authenticated users with media management permissions to write arbitrary PHP files outside designated storage directories, achieving remote code execution. The vulnerability exists in versions ≤0.23.5 where the unsanitized `currentDirectory` parameter bypasses filename sanitization, and a `finally` block writes uploaded files before MIME validation completes. Only local filesystem storage (default configuration) is affected-remote S3/cloud backends are not vulnerable. Vendor-confirmed patch available in version 0.23.6. No public exploit or CISA KEV listing identified at time of analysis, but detailed proof-of-concept exists in GitHub advisory GHSA-vp2f-cqqp-478j demonstrating webshell upload to web root.

Privilege Escalation PHP RCE Path Traversal
NVD GitHub
CVSS 3.1
8.8
EPSS
0.2%
CVE-2026-41890 PHP MEDIUM PATCH GHSA This Month

Arbitrary database table drop in CI4MS theme deletion allows authenticated administrators with theme.delete permission to craft malicious POST requests to the `/backend/themes/delete-process/` endpoint and drop any table in the database, including critical tables such as ci4ms_users and ci4ms_auth_identities. The vulnerability exists because the deleteProcess() action accepts user-supplied table names without validating them against the theme's own migration files, violating the principle of least privilege even within the admin trust model. Vendor-released patch 0.31.8.0 implements migration-based whitelist validation to restrict deletions to declared theme tables.

PHP RCE
NVD GitHub
CVSS 4.0
6.9
EPSS
0.1%
CVE-2026-25863 HIGH PATCH This Week

Denial-of-service condition in Conditional Fields for Contact Form 7 WordPress plugin allows remote unauthenticated attackers to crash PHP processes by injecting arbitrarily large iteration values through REST API parameters. The Wpcf7cfMailParser class processes user-supplied POST data without validation, enabling attackers to trigger unbounded loops with multiple regex operations that exhaust server memory. Affects all versions through 2.6.7 with vendor patch now available. EPSS data not provided, but the network-accessible unauthenticated attack vector (AV:N/PR:N) combined with low complexity (AC:L) indicates straightforward exploitation potential against publicly accessible WordPress sites running this plugin.

Denial Of Service PHP WordPress
NVD VulDB
CVSS 4.0
8.7
EPSS
0.1%
CVE-2026-41471 HIGH POC Monitor

Unauthenticated attackers can enumerate and exfiltrate all customer order records from Easy PayPal Events & Tickets plugin for WordPress through an exposed QR code scanning endpoint. The scan_qr.php file accepts sequential WordPress post IDs without authentication, enabling complete database harvesting of payment and customer information. Publicly available exploit code exists, but no evidence of active exploitation (not in CISA KEV). The plugin was officially closed and removed from WordPress.org on 2026-03-18, leaving existing installations vulnerable with no official patch path.

Authentication Bypass WordPress Information Disclosure PHP
NVD GitHub VulDB
CVSS 4.0
8.2
EPSS
0.2%
CVE-2026-7746 LOW POC Monitor

SQL injection in SourceCodester Web-based Pharmacy Product Management System 1.0 allows authenticated remote attackers to execute arbitrary SQL queries via the ID parameter in /product_expiry/edit-admin.php, enabling unauthorized data access, modification, and deletion. The vulnerability has a publicly available exploit and CVSS 6.3 base score reflects moderate impact with low attack complexity; however, authentication is required, limiting exposure to users with valid credentials.

PHP SQLi
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-7733 PHP MEDIUM POC PATCH This Month

Unrestricted file upload in funadmin up to version 7.1.0-rc6 allows remote attackers to upload arbitrary files via the Frontend Chunked Upload Endpoint (UploadService::chunkUpload function). The vulnerability stems from insufficient validation of the File parameter and can be exploited without authentication; publicly available exploit code exists and a patch (PR #59) has been released by the vendor.

PHP File Upload
NVD VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-7732 LOW POC Monitor

Unrestricted file upload in code-projects BloodBank Managing System 1.0 via request_blood.php allows authenticated remote attackers to upload arbitrary files with limited impact. The vulnerability requires valid user credentials (PR:L per CVSS vector) but has low confidentiality, integrity, and availability impact (VC:L/VI:L/VA:L). Publicly available exploit code exists; however, the low CVSS score (2.1) and confined impact scope suggest this poses minimal risk despite public disclosure.

PHP File Upload
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-7731 LOW POC Monitor

SQL injection in code-projects BloodBank Managing System 1.0 allows authenticated remote attackers to execute arbitrary SQL queries via the G_STATE_ID parameter in get_state.php, potentially exfiltrating sensitive patient or blood bank data. The vulnerability has low confidentiality and integrity impact but carries exploitability risk (E:P in CVSS 4.0) and publicly available exploit code, making it a practical concern for deployed instances despite the low CVSS score of 2.1.

PHP SQLi
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-7716 LOW POC Monitor

SQL injection in code-projects Gym Management System in PHP allows authenticated remote attackers to manipulate the 'day' parameter in /index.php, enabling arbitrary SQL query execution with limited confidentiality and integrity impact. The vulnerability carries a CVSS score of 2.1 and requires prior authentication (PR:L); publicly available exploit code exists but active exploitation confirmation is absent from CISA KEV data.

Microsoft PHP SQLi
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-38751 PHP HIGH POC GHSA This Week

Arbitrary file upload in OpenSTAManager 2.10 and earlier allows authenticated high-privilege users to upload malicious files via the module update functionality at modules/aggiornamenti/upload_modules.php, leading to remote code execution. Publicly available exploit code exists (GitHub POC), though EPSS exploitation probability remains low (2%, 5th percentile), suggesting limited observed exploitation activity. CVSS 7.2 reflects high impact but requires high-privilege authentication (PR:H), substantially limiting attack surface to compromised admin accounts or malicious insiders.

PHP File Upload
NVD GitHub VulDB
CVSS 3.1
7.2
EPSS
0.0%
CVE-2026-31205 MEDIUM This Month

Stored cross-site scripting in Pluck CMS before v4.7.21dev allows authenticated high-privilege users to inject arbitrary JavaScript via the page editor, escalating privileges through the sanitizePageContent function in editpage.php. The vulnerability requires attacker authentication with administrative role and user interaction (UI:R), limiting spontaneous exploitation but enabling privilege escalation attacks within compromised admin accounts.

PHP XSS
NVD GitHub
CVSS 3.1
5.7
EPSS
0.0%
CVE-2026-7697 LOW POC Monitor

SQL injection in AMTT Hotel Broadband Operation System 1.0 allows authenticated remote attackers with high privileges to manipulate the ID argument in /manager/card/cardhand_submit.php, potentially extracting or modifying database contents. Publicly available exploit code exists, though the CVSS score of 4.7 reflects the requirement for authenticated administrative access, limiting real-world impact compared to unauthenticated SQL injection vulnerabilities.

PHP SQLi
NVD VulDB GitHub
CVSS 4.0
2.0
EPSS
0.0%
CVE-2026-7689 PHP LOW POC Monitor

Improper cryptographic signature verification in Dolibarr ERP CRM up to version 23.0.2 allows remote attackers to bypass signature validation in the Online Signature Module, potentially forging or manipulating signed transactions. The vulnerability affects the dol_verifyHash function and has been publicly disclosed with exploit code available, though exploitation requires high technical complexity and is not confirmed as actively exploited in production environments.

PHP Jwt Attack Information Disclosure
NVD VulDB GitHub
CVSS 4.0
2.9
EPSS
0.0%
CVE-2026-7688 PHP LOW Monitor

SQL injection in Dolibarr ERP CRM up to version 23.0.2 allows authenticated remote attackers to execute arbitrary SQL queries via the fields parameter in the Shipments API Endpoint (_checkValForAPI function). Exploitation requires high attack complexity and authenticated access, with publicly available exploit code confirmed but no active exploitation reported in CISA KEV at time of analysis.

PHP SQLi
NVD VulDB
CVSS 4.0
1.3
EPSS
0.0%
CVE-2026-7632 MEDIUM POC This Month

SQL injection in code-projects Online Hospital Management System 1.0 allows remote unauthenticated attackers to manipulate the delid parameter in /viewappointment.php, enabling database queries with limited confidentiality and integrity impact. The vulnerability is publicly disclosed with available exploit code and poses a network-accessible risk to unpatched deployments.

PHP SQLi
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-7630 MEDIUM POC PATCH This Month

InnoShop e-commerce platform versions up to 0.7.8 allow unauthenticated remote attackers to bypass authentication controls in the installation endpoint via improper authentication handling in InstallServiceProvider::boot. The vulnerability permits unauthorized access to installation functionality even after initial setup is complete, enabling attackers to achieve partial confidentiality, integrity, and availability impact. Publicly available exploit code exists (GitHub issue #314), and vendor has released patch commit 45758e4ec22451ab944ae2ae826b1e70f6450dc9.

Authentication Bypass PHP
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.1%
CVE-2026-4062 HIGH This Week

Time-based SQL injection in Geo Mashup WordPress plugin versions ≤1.13.18 allows unauthenticated remote attackers to extract sensitive database information. The vulnerability stems from ineffective sanitization in the 'object_ids' and 'exclude_object_ids' parameters-while esc_sql() is applied, it provides no protection in unquoted IN() contexts where attackers can inject parentheses and SQL keywords. The numeric sanitizer exists but only applies to AJAX paths, leaving render-map.php and template tag paths vulnerable. EPSS data not available; no CISA KEV listing or public POC identified at time of analysis, but Wordfence Threat Intelligence disclosure increases likelihood of weaponization.

PHP WordPress SQLi
NVD VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-4060 HIGH This Week

Time-based SQL injection in WordPress Geo Mashup plugin ≤1.13.18 allows unauthenticated remote attackers to extract sensitive database information. The 'sort' parameter in multiple code paths (render-map.php, template tags) lacks proper sanitization despite esc_sql() application, which is ineffective in ORDER BY contexts without quote encapsulation. Version 1.13.18 added allowlist-based sanitization but only protected the AJAX endpoint, leaving other attack vectors exploitable. EPSS and KEV data not available; vulnerability disclosed by Wordfence with public source code references confirming the flaw.

PHP WordPress SQLi
NVD VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-7612 LOW Monitor

SQL injection in itsourcecode Courier Management System 1.0 allows high-privilege remote attackers to manipulate the ID parameter in /edit_user.php, leading to unauthorized database queries with limited confidentiality and integrity impact. Exploit code has been publicly disclosed, though the CVSS 4.0 score of 2.0 and requirement for high-privilege authentication significantly constrain real-world risk.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
2.0
EPSS
0.0%
CVE-2026-5324 HIGH This Week

Unauthenticated attackers can inject stored cross-site scripting payloads into Brizy Page Builder for WordPress (versions ≤2.8.11) via form submission FileUpload fields, which execute when administrators view the form Leads page. The vulnerability chains three implementation flaws: missing nonce verification for anonymous form submissions, inadequate sanitization of FileUpload field values when no file is attached, and reversal of HTML entity encoding via html_entity_decode() before unescaped output in admin views. Publicly available exploit code exists. EPSS data not provided, but the CVSS 7.2 (High) with scope change reflects the privilege escalation from unauthenticated user to admin-context execution. Patch released in version 2.8.12 per WordPress plugin repository changeset 3502206.

PHP WordPress XSS
NVD VulDB
CVSS 3.1
7.2
EPSS
0.1%
CVE-2026-5110 HIGH This Week

Stored cross-site scripting (XSS) in Gravity Forms WordPress plugin versions ≤2.10.0 allows remote unauthenticated attackers to inject malicious JavaScript that executes when administrators view form entries. The vulnerability exploits a validation bypass in nested SingleProduct fields within Repeater fields, where product name tampering is not validated. When admins access compromised entries via wp-admin, the unsanitized payload executes in their browser session. CVSS 7.2 (AV:N/AC:L/PR:N/UI:N) indicates network-accessible exploitation without authentication or user interaction during payload delivery, though the attack requires subsequent admin interaction (viewing the entry) for payload execution. No active exploitation confirmed in CISA KEV at time of analysis.

PHP WordPress XSS
NVD VulDB
CVSS 3.1
7.2
EPSS
0.0%
CVE-2026-7647 HIGH This Week

Unauthenticated PHP object injection in Profile Builder Pro for WordPress allows remote attackers to execute arbitrary code by deserializing malicious objects through an unprotected AJAX endpoint. The vulnerability affects all versions through 3.14.5 and stems from unsafe deserialization of attacker-controlled POST data in the wppb_request_users_pins_action_callback() handler, which was registered for both authenticated and unauthenticated users without nonce verification. With CVSS 8.1 and AC:H complexity, exploitation requires chaining with a POP gadget chain, though EPSS data and KEV status are not available to confirm active exploitation.

PHP WordPress Deserialization
NVD VulDB
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-5109 HIGH This Week

Stored XSS in Gravity Forms for WordPress ≤2.10.0 allows unauthenticated remote attackers to inject malicious JavaScript through Product Option field values that execute when administrators view entry details. The flaw exploits a sanitization bypass: the plugin's state validation accepts values matching wp_kses()-cleaned legitimate options but stores the raw unsanitized input, which is then rendered without escaping in the Order Summary view (view-order-summary.php:32). EPSS data not available; no public exploit identified at time of analysis. Vendor patch status requires verification via changelog.

PHP WordPress XSS
NVD VulDB
CVSS 3.1
7.2
EPSS
0.0%
CVE-2026-7641 HIGH This Week

Authenticated privilege escalation in 'Import and export users and customers' WordPress plugin versions up to 2.0.8 allows Subscriber-level users to elevate privileges to Administrator on any subsite within a WordPress Multisite network. The vulnerability stems from an incomplete blocklist in save_extra_user_profile_fields() that restricts primary site capability meta keys (wp_capabilities) but fails to block multisite-prefixed equivalents (wp_2_capabilities, wp_3_capabilities, etc.). Exploitation requires that an administrator has previously imported a CSV with multisite-prefixed capability headers and enabled the 'Show fields in profile?' option. Patch released in changeset 3515646 per WordPress plugin repository. No EPSS or KEV data available, indicating no widespread exploitation detected at time of analysis.

Privilege Escalation WordPress PHP
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-7458 CRITICAL Act Now

Authentication bypass in User Verification by PickPlugins for WordPress allows remote unauthenticated attackers to log in as any user with a verified email - including administrators - by submitting the string 'true' as the OTP code. The vulnerability stems from a loose PHP comparison operator (==) in the OTP validation logic, which treats the boolean true as equal to any non-zero numeric OTP value. With CVSS 9.8 (AV:N/AC:L/PR:N/UI:N) and EPSS data unavailable, this represents complete system compromise risk for WordPress sites running vulnerable versions (≤2.0.46). Fixed in version 2.0.47 per Wordfence advisory and WordPress plugin repository changeset 3519113.

PHP WordPress Authentication Bypass
NVD VulDB
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-7592 MEDIUM This Month

SQL injection in itsourcecode Courier Management System 1.0 allows remote unauthenticated attackers to manipulate the ID parameter in /edit_staff.php, potentially leading to unauthorized database access and data disclosure. The vulnerability has a CVSS score of 5.5 with a publicly available exploit, indicating moderate real-world risk despite the low confidentiality impact rating.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2025-69606 MEDIUM This Month

Reflected cross-site scripting (XSS) in GSVoIP web panel version 2.0.90 allows remote attackers to inject arbitrary JavaScript via the `msg` parameter in the `/painel/gateways.php/error` endpoint. The vulnerability requires user interaction (clicking a malicious link) but can lead to session hijacking, credential theft, or malware distribution. No authentication is required, and public exploit code exists.

PHP XSS
NVD GitHub
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-3772 HIGH This Week

Cross-Site Request Forgery in WP Editor plugin through version 1.2.9.2 enables remote attackers to inject arbitrary PHP code into plugin and theme files. The vulnerability requires administrator interaction (clicking a malicious link) but no authentication for the attacker, allowing complete website compromise through file overwrite. EPSS data not available; no confirmed active exploitation at time of analysis. Patch available in changeset 3480577.

CSRF PHP WordPress
NVD
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-7578 LOW POC Monitor

Unrestricted file upload in MacCMS Pro up to version 2022.1.3 allows authenticated high-privilege administrators to upload arbitrary files via the plugin installation handler at /admin/addon/add.html, potentially enabling remote code execution. Publicly available exploit code exists, and the vendor has not responded to early disclosure despite contact.

PHP File Upload
NVD VulDB GitHub
CVSS 4.0
2.0
EPSS
0.0%
CVE-2026-7555 MEDIUM POC This Month

SQL injection in itsourcecode Electronic Judging System 1.0 allows remote attackers to manipulate the Username parameter in /intrams/login.php, leading to unauthorized data access and modification. The vulnerability requires no authentication and can be exploited over the network with low complexity. Publicly available exploit code exists, and the CVSS 4.0 vector indicates confidentiality and integrity impact on the affected application.

PHP SQLi
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-7553 LOW POC Monitor

SQL injection in code-projects Gym Management System 1.0 allows authenticated high-privilege users to manipulate the edit_exercise parameter in /admin/edit_exercises.php, enabling remote database queries with limited confidentiality, integrity, and availability impact. Publicly available exploit code exists; CVSS 4.7 reflects low real-world risk due to high-privilege requirement (PR:H), though the vulnerability remains remotely accessible without user interaction.

PHP SQLi
NVD VulDB
CVSS 4.0
2.0
EPSS
0.0%
CVE-2026-7550 MEDIUM POC This Month

SQL injection in SourceCodester Pharmacy Sales and Inventory System 1.0 allows remote unauthenticated attackers to read, modify, or delete database records via the ID parameter in /ajax.php?action=save_customer. CVSS 7.3 with low attack complexity and no authentication required. Publicly available exploit code exists (GitHub POC published), elevating immediate risk for exposed installations. EPSS data not available, but the combination of network vector, zero authentication, and public POC indicates high probability of opportunistic scanning and exploitation.

PHP SQLi
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-7549 MEDIUM POC This Month

SQL injection in SourceCodester Pharmacy Sales and Inventory System 1.0 allows remote unauthenticated attackers to extract database contents, modify records, or execute unauthorized queries via the ID parameter in /ajax.php?action=delete_customer. Publicly available exploit code exists (GitHub POC), enabling trivial exploitation against exposed instances. CVSS 7.3 reflects network-accessible attack with low complexity and no authentication requirement, though EPSS data unavailable and not currently listed in CISA KEV, suggesting limited widespread exploitation despite POC availability.

PHP SQLi
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-7545 MEDIUM POC This Month

SQL injection in SourceCodester Advanced School Management System 1.0 allows remote unauthenticated attackers to execute arbitrary SQL queries via the checkEmail endpoint in commonController.php, potentially exposing or modifying database contents. Publicly available exploit code exists and the vulnerability requires only network access with no authentication, making it a practical exploitation risk for exposed instances.

PHP SQLi
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-42471 HIGH POC This Week

Client-side remote code execution affects MixPHP Framework 2.x through 2.2.17 when sync-invoke clients connect to attacker-controlled servers. The vulnerability enables malicious servers to execute arbitrary code on connecting clients through unsafe deserialization of server responses (CWE-502). EPSS data unavailable, but SSVC indicates no confirmed exploitation and non-automatable attack complexity aligns with CVSS AC:H rating. Primary risk exists in scenarios where MixPHP clients connect to untrusted external services or where server infrastructure could be compromised.

PHP Deserialization
NVD GitHub Exploit-DB VulDB
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-42474 PHP MEDIUM This Month

SQL injection in MixPHP Framework 2.x through 2.2.17 allows unauthenticated remote attackers to read or modify database contents via a crafted data array passed to the data function in BuildHelper.php. The vulnerability has an automatable exploitation path per CISA SSVC but no public exploit code or active KEV listing identified at analysis time. CVSS 6.5 (medium) reflects network-accessible SQL injection with partial confidentiality and integrity impact but no availability impact.

PHP SQLi
NVD GitHub
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-42475 PHP MEDIUM This Month

SQL injection in MixPHP Framework versions 2.0 through 2.2.17 allows unauthenticated remote attackers to execute arbitrary SQL queries by supplying crafted array parameters to the joinOn function in BuildHelper.php. The vulnerability has a CVSS score of 6.5 with network-accessible exploitation requiring no authentication or user interaction. SSVC signals indicate exploitation is automatable, though no active exploitation in the wild has been reported at time of analysis.

PHP SQLi N A
NVD GitHub VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-37552 HIGH This Week

Arbitrary code execution in MixPHP Framework 2.x through 2.2.17 allows local attackers to execute malicious PHP closures via unauthenticated TCP connections to the sync-invoke server. The vulnerability stems from unsafe deserialization of untrusted data on localhost-bound port 127.0.0.1, where Server.php directly passes socket data to Opis\Closure\unserialize() and executes the result without authentication or signature verification. Exploitation requires local network access or SSRF capability against the application server. No public exploit code identified at time of analysis, but the attack mechanism is straightforward for attackers with PHP deserialization knowledge.

PHP Deserialization RCE N A
NVD GitHub VulDB
CVSS 3.1
8.4
EPSS
0.1%
CVE-2026-37505 MEDIUM This Month

Authenticated admin users in V2Board through version 1.7.4 can exploit unsanitized sort parameters in the user management interface to disclose sensitive database information including password hashes and authentication tokens through ORDER BY-based information disclosure. The vulnerability requires admin privileges and does not enable data modification or service disruption, but allows attackers with administrative access to extract confidential user data by analyzing sort order patterns.

PHP Information Disclosure SQLi
NVD GitHub VulDB
CVSS 3.1
4.9
EPSS
0.0%
CVE-2026-37504 MEDIUM This Month

V2Board through version 1.7.4 exposes sensitive server authentication tokens via GET parameters in the UniProxy API endpoint, causing tokens to be recorded in web server access logs, browser history, HTTP Referer headers, and intermediary proxies. An attacker who obtains access to any log source can extract the token and impersonate a proxy server node, potentially intercepting all user traffic passing through that node.

PHP Information Disclosure
NVD GitHub VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-37503 MEDIUM This Month

Stored cross-site scripting in V2Board through version 1.7.4 allows authenticated administrators to inject arbitrary JavaScript into the custom_html theme configuration field via the saveThemeConfig API, which is rendered unescaped in the dashboard.blade.php template and executed in the browsers of all site visitors, enabling cookie theft, session hijacking, and phishing attacks.

PHP XSS
NVD GitHub VulDB
CVSS 3.1
6.9
EPSS
0.0%
CVE-2026-7508 LOW Monitor

Code injection in Bootstrap CMS 0.9.0-alpha page creation handler allows authenticated remote attackers to inject arbitrary code via the body parameter in resources/views/pages/show.blade.php, with publicly available exploit code and a CVSS score of 2.1 reflecting low confidentiality/integrity impact. The vulnerability affects an unmaintained product with an inactive code repository, limiting real-world exposure but enabling opportunistic exploitation of legacy deployments.

PHP Code Injection
NVD VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-7506 MEDIUM POC This Month

SQL injection in SourceCodester Hotel Management System 1.0 allows unauthenticated remote attackers to extract, modify, or delete database contents via the room_type parameter in /index.php/reservation/check. CVSS 7.3 indicates medium-to-high severity with confidentiality, integrity, and availability impacts. Publicly available exploit code (GitHub) significantly lowers the barrier to exploitation. EPSS data unavailable, but public POC availability and remote unauthenticated attack vector suggest elevated real-world risk for internet-exposed installations of this PHP-based hotel management system.

PHP SQLi
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-7502 LOW POC PATCH Monitor

LinkStack up to version 4.8.6 contains an authorization bypass vulnerability in the saveLink function of UserController.php that allows authenticated attackers to modify links belonging to other users via insecure direct object references (IDOR). The vulnerability affects the Management Endpoint and enables remote attackers with valid credentials to manipulate or delete arbitrary user links, with publicly available exploit code and an unmerged patch awaiting acceptance.

Authentication Bypass PHP
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
EPSS 0% CVSS 8.8
HIGH PATCH This Week

SQL injection in Flight PHP framework's SimplePdo database helpers allows privilege escalation through crafted array keys. Applications forwarding user-controlled request data shapes to insert(), update(), or delete() methods enable remote authenticated attackers to inject arbitrary SQL, create administrative accounts, modify sensitive columns, or exfiltrate data. Vendor-released patch in version 3.18.1 validates identifiers with safe-identifier regex. Publicly available proof-of-concept demonstrates privilege escalation via malicious JSON request keys. Researcher @Rootingg discovered and reported through GitHub Security Advisory GHSA-xwqr-rcqg-22mr.

Privilege Escalation PHP SQLi
NVD GitHub
EPSS 0% CVSS 4.4
MEDIUM PATCH This Month

### Summary The `make:controller` CLI command calls `mkdir(..., recursive: true)` on a path built from the user-supplied controller name, **before** Nette's class-name validation runs. The class-file write is correctly rejected by Nette when the name contains `/`, but the recursive directory creation side effect is already committed - including directories located outside the project root through `../` traversal. ### Affected code `flight/commands/ControllerCommand.php` (≈ 63-66): ```php if (is_dir(dirname($controllerPath)) === false) { $io->info('Creating directory ' . dirname($controllerPath), true); mkdir(dirname($controllerPath), 0755, true); // un-normalized, runs before validation } ``` ### Proof of concept ``` $ php vendor/flightphp/runway/runway make:controller '../../../../tmp/CONTROLLER_TRAVERSAL_TEST/pwn' Creating directory .../app/controllers/../../../../tmp/CONTROLLER_TRAVERSAL_TEST Nette\InvalidArgumentException: Value '../../../../tmp/CONTROLLER_TRAVERSAL_TEST/pwnController' is not valid class name. $ ls /home/user/tmp/CONTROLLER_TRAVERSAL_TEST (directory exists - created before the exception was thrown) ``` ### Impact - **Arbitrary directory creation outside the project root**, executable by any local actor that can run the Flight CLI (developer machine, shared CI build agent, compromised dev container). - Primes log-file planting for chained LFI exploitation (e.g. creating a directory where an attacker can later drop a `.php` file to be included via a distinct template-include weakness). - On Windows, the `\` separator opens additional traversal surface. ### Patch (fixed in `3.18.1`, commit `b8dd23a`) The controller name is now normalized with `basename()` and validated against `^[A-Za-z_][A-Za-z0-9_]*$` before any `mkdir` side effect runs. ### Credit Discovered by **@Rootingg**.

Microsoft PHP Path Traversal
NVD GitHub
EPSS 0% CVSS 8.6
HIGH PATCH This Week

Reflected cross-site scripting in Flight PHP framework's JSONP endpoint implementation allows remote attackers to execute arbitrary JavaScript in victim browsers by injecting malicious code through unvalidated callback parameters. Flight PHP versions prior to 3.18.1 concatenate user-supplied `jsonp` query parameters directly into JavaScript responses without identifier validation, enabling cookie theft and session hijacking when vulnerable endpoints are embedded via script tags. The vulnerability was patched in version 3.18.1 (commit b8dd23a) with regex validation limiting callbacks to legal JavaScript identifiers. A working proof-of-concept demonstrates cookie exfiltration via crafted callback parameters.

XSS PHP
NVD GitHub
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Privilege escalation in Grav CMS 2.0.0-beta.2 allows authenticated API users with minimal media.write permissions to fabricate super-admin accounts via arbitrary YAML file upload. The /api/v1/blueprint-upload endpoint accepts attacker-controlled destination and scope parameters that, when combined with specific values (destination=self@: and scope=users/anything), write files directly into user/accounts/. Because Grav parses YAML files in this directory as authoritative user accounts and accepts plaintext passwords on first login, attackers craft a new account with api.super privileges, then authenticate as that account to gain full administrative control. Publicly available exploit code exists (detailed PoC in vendor advisory). Vendor-released patch restricts accounts directory uploads to image-only extensions and blocks config-bearing file types (YAML, JSON, Twig) across all blueprint-upload targets.

Privilege Escalation PHP RCE
NVD GitHub VulDB
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Reflected cross-site scripting (XSS) in OpenMage Magento LTS versions up to 20.17.0 allows authenticated admin users to inject arbitrary JavaScript via the Import/Export Dataflow Profiles run interface. The vulnerability exists in the System → Import/Export → Dataflow Profiles page where unsanitized filename parameters are reflected into HTML context, enabling cookie theft and admin panel defacement. The exploitation requires admin panel access and user interaction to click a malicious link, but no network-based unauthenticated exploitation is possible.

XSS PHP
NVD GitHub
EPSS 0% CVSS 9.4
CRITICAL POC PATCH Act Now

Remote code execution in Scramble API documentation generator versions 0.13.2 through 0.13.21 allows unauthenticated attackers to execute arbitrary PHP code when documentation endpoints are publicly accessible and validation rules reference user-controlled input. Fixed in version 0.13.22. The CVSS score of 9.4 (Critical) reflects the network-accessible, low-complexity attack requiring no authentication, though exploitation requires specific configuration where documentation endpoints remain enabled and validation rules incorporate request-supplied data. No active exploitation (CISA KEV) or public POC identified at time of analysis, but the GitHub security advisory provides full technical details enabling reproduction.

PHP Code Injection RCE
NVD GitHub Exploit-DB VulDB
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Remote code execution in Vvveb CMS versions before 1.0.8.2 allows authenticated users with media-upload permissions to execute arbitrary PHP code with web server privileges via a two-stage attack: uploading a malicious .htaccess file to map .phtml extensions to the PHP handler, then uploading a .phtml file containing PHP code. Exploitation requires only low-privileged authentication (CVSS PR:L) and no user interaction (UI:N), making post-authentication compromise straightforward. Vendor-released patch available in version 1.0.8.2 per GitHub security advisory GHSA-wwmv-4g9g-p48g and commit 54a9e846. VulnCheck advisory provides detailed technical analysis of the bypass technique.

PHP RCE File Upload
NVD GitHub VulDB
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Remote code execution in Vvveb CMS versions before 1.0.8.2 enables low-privilege authenticated users (editor, author, contributor, or site_admin roles) to escalate privileges and execute arbitrary PHP code. Attackers exploit the admin code editor's insufficient file extension validation by first uploading a malicious .htaccess file that maps arbitrary extensions to the PHP handler, then uploading PHP code disguised with that extension. Once uploaded, the PHP code executes with web server privileges when accessed via HTTP, effectively bypassing authentication and achieving full system compromise. The vulnerability requires only low-privilege access (PR:L) with no attack complexity or user interaction (AC:L/UI:N), and vendor-released patch version 1.0.8.2 is confirmed available via GitHub. No public exploit code or active exploitation (KEV) confirmed at time of analysis.

PHP RCE Vvveb
NVD GitHub VulDB
EPSS 0% CVSS 8.6
HIGH PATCH This Week

XML external entity injection in Vvveb CMS versions before 1.0.8.2 allows authenticated site_admin users to read arbitrary server files and overwrite administrator password hashes via the admin Tools/Import feature. The vulnerability resides in system/import/xml.php where LIBXML_NOENT flag enabled external entity resolution, allowing injection of file:// and php://filter protocols. Attackers with low-privilege admin accounts can escalate to full administrator access by replacing password hashes in the database. Vendor-released patch version 1.0.8.2 removes LIBXML_NOENT flag. No active exploitation confirmed by CISA KEV at time of analysis.

XXE Privilege Escalation PHP
NVD GitHub
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Authenticated control-panel users in Craft CMS 5.x can enumerate asset filenames and complete folder hierarchies (volume handles, UIDs, folder names, URIs) across all volumes by sending arbitrary asset IDs to the AssetsController::actionShowInFolder endpoint, bypassing volume-level viewAssets and viewPeerAssets permission checks. The flaw stems from an incomplete February 2026 patch wave that fixed four sibling endpoints but missed this method, introduced 13 days before the patch release. No public exploit identified at time of analysis; vendor-released patch fixes 5.9.18 and later. This information disclosure vulnerability enables reconnaissance for follow-up attacks against restricted asset volumes.

Authentication Bypass PHP
NVD GitHub
EPSS 0% CVSS 7.1
HIGH POC PATCH This Week

Unauthorized PII disclosure in Craft CMS GraphQL API allows cross-scope address enumeration via missing authorization check. A GraphQL API token scoped to any single low-privilege user group can read all addresses system-wide, including PII from restricted user groups (full names, home addresses, corporate addresses, tax IDs, GPS coordinates). The Address element resolver bypasses schema scope filtering that all other element resolvers enforce. Vendor-released patch: versions 5.9.18 and 4.17.12. Publicly available exploit code exists (detailed PoC in GitHub advisory). Affects all Craft CMS Pro deployments (v4.0.0+) using headless GraphQL APIs with user group scoping-a standard deployment pattern for Next.js/Nuxt/Gatsby frontends.

Authentication Bypass Docker PHP
NVD GitHub
EPSS 0% CVSS 4.9
MEDIUM This Month

Fluent Forms plugin for WordPress up to version 6.2.1 allows authenticated administrators to read arbitrary files readable by the web server through path traversal in the getAttachments() method of EmailNotificationActions. The vulnerability stems from insufficient validation of file-upload URLs in admin notification configurations, permitting attackers to supply traversal sequences like <upload_baseurl>/../../<target> to access sensitive files such as wp-config.php containing database credentials and authentication salts. While unauthenticated users can trigger email notifications, the exploit requires administrator-level access to configure the malicious notification attachment.

PHP WordPress Path Traversal
NVD VulDB
EPSS 0% CVSS 7.7
HIGH PATCH This Week

AVideo version 29.0 and earlier exposes API authentication secrets (APISecret) to unauthenticated remote attackers via a publicly accessible plugin configuration endpoint at objects/plugins.json.php. This vulnerability enables complete bypass of authentication controls protecting sensitive API endpoints including user enumeration (users_list) and other privileged operations. Publicly available exploit code exists (proof-of-concept demonstrated in GitHub advisory GHSA-xr49-f4rh-qcjf). Upstream fix available via commit 1c36f229 but no tagged release version has been independently confirmed at time of analysis.

Authentication Bypass PHP Information Disclosure
NVD GitHub VulDB
EPSS 0% CVSS 7.7
HIGH PATCH This Week

Server-Side Request Forgery (SSRF) in AVideo versions up to 29.0 allows authenticated attackers to exfiltrate cloud metadata credentials and access internal services via HTTP redirect bypass and DNS rebinding attacks. Two endpoints in AVideo's AI plugin and EPG parser validate user-supplied URLs using isSSRFSafeURL() but then fetch them with file_get_contents() using PHP's default automatic redirect following. An attacker supplies a URL to a controlled server returning a 302 redirect to internal resources (e.g., AWS instance metadata at 169.254.169.254), bypassing SSRF protections since only the initial URL is validated. Vendor-released patch available via GitHub commit 603e7bf7. CVSS 7.7 reflects Changed Scope due to cross-boundary access to cloud infrastructure credentials.

Python SSRF PHP
NVD GitHub
EPSS 0% CVSS 4.2
MEDIUM PATCH This Month

Insecure Direct Object Reference (IDOR) in AVideo's PayPalYPT plugin allows any authenticated user to cancel arbitrary PayPal billing agreements belonging to other users by supplying a victim's agreement ID to the `agreementCancel.json.php` endpoint. An attacker can silently suspend a victim's recurring subscription without authorization, causing revenue loss to the platform operator and service interruption to the victim. The vulnerability exists because the endpoint only checks that the user is logged in, but fails to verify ownership of the agreement being canceled, despite a sister endpoint (`PayPalAgreementCancel.json.php`) implementing the correct authorization check.

Authentication Bypass PHP CSRF
NVD GitHub
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Unauthenticated CRLF injection in AVideo's Scheduler plugin allows remote attackers to inject arbitrary calendar events into ICS files served from the victim's trusted domain, enabling high-credibility calendar phishing attacks. The vulnerable endpoint accepts attacker-controlled parameters without sanitization, passes them through an incomplete escape function that does not neutralize carriage-return/line-feed bytes, and constructs RFC 5545-compliant ICS calendar files containing injected VEVENT blocks. Exploitation requires only that the Scheduler plugin be enabled (common default) and user interaction to import the malicious .ics file; no authentication or special configuration is needed. A vendor-released patch is available.

Microsoft PHP CSRF +3
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Unauthenticated user enumeration in AVideo objects/users.json.php allows remote attackers to disclose all registered user accounts via an isCompany parameter that bypasses admin-only access controls, and a users_id parameter that acts as a sequential-ID existence oracle. An unauthenticated attacker can harvest the complete user directory-including display names, numeric IDs, profile URLs, photos, and active/inactive status-in a single unbounded GET request, enabling credential stuffing and phishing campaigns. The vulnerability affects AVideo through version 29.0; vendor patch available.

Authentication Bypass Oracle CSRF +1
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Unauthenticated arbitrary email sending via sendEmail.json.php allows remote attackers to send phishing emails from the site's legitimate sender address to arbitrary recipients by omitting the contactForm parameter, bypassing authentication and CSRF protections. The endpoint is explicitly allow-listed as a public write action and requires only a solved captcha, enabling an attacker to impersonate the site operator and send messages with forged From/Reply-To headers that pass SPF/DKIM/DMARC validation for the site's domain, ideal for targeted credential harvesting and brand impersonation attacks.

PHP CSRF
NVD GitHub
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

Blind server-side request forgery (SSRF) in AVideo's donation webhook system allows authenticated users to configure webhook URLs pointing to internal/loopback/metadata services (127.0.0.1, 169.254.169.254, RFC1918 addresses). When any user donates via the CustomizeUser plugin, the AVideo server issues an unauthenticated POST request to the attacker-supplied URL without validating it against the codebase's existing isSSRFSafeURL() helper. The vulnerability is compounded by CURLOPT_FOLLOWLOCATION being enabled without per-hop revalidation, permitting HTTP 307 redirects from attacker-controlled hosts to bypass even future URL validation. CVSS 5.4 (network-accessible, requires authentication, low complexity); no public proof-of-concept or active KEV exploitation confirmed at analysis time, but the vulnerability is trivially exploitable with two attacker-controlled accounts and the PoC is fully documented in the advisory.

Redis SSRF CSRF +1
NVD GitHub
EPSS 0% CVSS 8.9
HIGH PATCH This Week

Stored cross-site scripting in Grav CMS allows low-privileged users with page-creation permissions to inject malicious SVG payloads that execute when administrators view the page. The vulnerability stems from regex-based XSS detection that fails to catch unquoted event handlers and omits SVG/MathML from dangerous tags. Exploitation exfiltrates the admin-nonce token from /admin/config/info, enabling CSRF bypass and chained remote code execution through scheduled tasks or plugin endpoints. GitHub advisory GHSA-w8cg-7jcj-4vv2 confirms exploit details; patch available in Grav 2.0.0-beta.2 (commit 5a12f9be8). CVSS 8.9 (High) with network attack vector, low complexity, and scope change reflecting cross-context session hijacking.

PHP CSRF XSS +2
NVD GitHub
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Unauthenticated path traversal in Grav CMS FormFlash component allows remote attackers to create arbitrary directories and write configuration files (index.yaml) with controlled content. Confirmed actively exploited (CISA KEV). The vulnerability affects all Grav v1.7.x installations with form-enabled pages (default in standard deployments). Attack complexity is low-requires only manipulating the __form-flash-id POST parameter with traversal sequences. Vendor-released patch available in v2.0.0-beta.2 (commit d904efc33) applies strict alphanumeric sanitization to session identifiers. EPSS exploitation probability data not available, but GitHub advisory confirms zero-day status prior to patch, with public proof-of-concept demonstrating directory creation in user/config/ paths leading to configuration injection and potential DoS via inode exhaustion.

Denial Of Service PHP Path Traversal
NVD GitHub
EPSS 0% CVSS 8.1
HIGH PATCH This Week

Grav CMS Admin Panel allows authenticated users with only user-creation permissions to overwrite administrator accounts by submitting the admin's username when creating a new user. The flawed create-or-update logic replaces the existing super-admin account metadata with attacker-supplied low-privilege data, locking the legitimate administrator out and causing complete loss of management control. Vendor-released patch: fixed in 2.0.0-beta.2 (commit d904efc33). Publicly available exploit code exists (video PoC published by Grav maintainers). EPSS data not provided, but the low attack complexity and confirmed PoC make exploitation straightforward for any low-privileged user with create-user rights.

Denial Of Service Privilege Escalation PHP
NVD GitHub
EPSS 0% CVSS 8.5
HIGH PATCH This Week

Stored cross-site scripting in Grav CMS allows publisher-level authenticated users to execute arbitrary JavaScript in victim browsers by injecting unquoted HTML event handlers that bypass the detectXss() blacklist regex. The flawed pattern failed to detect on* event attributes without surrounding quotes, enabling payloads like <img src=x onerror=eval(...)> to persist in content fields and execute when administrators or other users view the compromised page. Vendor-released patch confirmed in commit 5a12f9be8 (Grav 2.0.0-beta.2), which tightens the on_events regex to flag unquoted attributes, adds dangerous XML namespace tags (svg, math) to the default blocklist, and hardens MediaObjectTrait::attribute() with strict identifier validation. Publicly available exploit code exists. EPSS and KEV data not provided; exploitation requires publisher-level account privileges.

XSS PHP
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Sensitive information disclosure in Grav CMS v1.8.0-beta.29 allows low-privileged users with page editing permissions to bypass Twig sandbox restrictions and extract administrative password hashes and security salts via the exposed `grav['accounts']` service. A content editor can inject a Twig template with `{{ grav['accounts'].load('admin').get('hashed_password') }}` to retrieve plaintext Bcrypt hashes accessible for offline brute-force attack. Vendor-released patch available (2.0.0-beta.2 and commit c66dfeb5ff679a1667678c6335eb9ff3255dfc47); publicly available proof-of-concept exists demonstrating practical exploitation.

Authentication Bypass PHP Information Disclosure +1
NVD GitHub
EPSS 0% CVSS 9.4
CRITICAL PATCH Act Now

Unauthenticated privilege escalation in Grav CMS Login plugin 3.8.0 allows remote attackers to self-register with admin.super privileges via missing server-side validation of groups and access fields. When administrators configure user registration with groups or access in allowed fields (a permitted UI action), attackers inject these fields into registration POST requests to bypass config-level defaults and gain full administrative access. Vendor-released patch: Login plugin 3.8.2 / Grav 2.0.0-beta.2 (commit 3d419a0). No public exploit identified at time of analysis, but the GitHub security advisory includes detailed proof-of-concept code demonstrating the attack.

Privilege Escalation PHP
NVD GitHub
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

Stored cross-site scripting in Grav CMS Form plugin allows editor-level users to inject arbitrary JavaScript via taxonomy tag and category values that execute in administrator browsers when viewing any page in the admin panel. The vulnerability exploits unescaped Twig `|raw` filters in the select field template combined with a bypassable XSS detection regex, enabling privilege escalation through nonce theft and unauthorized admin actions. Vendor-released patch available in grav-plugin-form 9.0.1 and Grav core 2.0.0-beta.2.

XSS PHP Privilege Escalation
NVD GitHub
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

Stored cross-site scripting in Grav CMS via Markdown media attribute injection allows authenticated page editors to inject executable JavaScript event-handler attributes into rendered image HTML. An editor can craft Markdown syntax like `![alt](image.gif?attribute=onload,alert(1))` which bypasses the attribute() media method's input validation and renders as `<img onload="alert(1)">`, executing arbitrary JavaScript in the browsers of any user viewing the affected page, including administrators and reviewers in multi-user installations. Publicly available patch confirmed in version 2.0.0-beta.2.

XSS PHP
NVD GitHub
EPSS 0% CVSS 9.1
CRITICAL POC PATCH Act Now

Remote code execution in Grav CMS versions prior to 2.0.0-beta.2 allows authenticated administrators to deploy malicious PHP web shells by uploading crafted ZIP files through the Direct Install tool at /admin/tools/direct-install. The vulnerability combines insufficient ZIP archive content validation (Zip Slip primitive via path traversal) with the design-level acceptance of arbitrary plugin PHP code. Publicly available exploit code exists, demonstrating automated login, nonce extraction, malicious plugin upload, and persistent shell deployment. CVSS 9.1 (Critical) reflects network-accessible RCE with scope change, though exploitation requires high privileges (admin role). No EPSS or KEV data available at time of analysis.

Microsoft PHP CSRF +4
NVD GitHub Exploit-DB VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Privilege escalation in Grav API Plugin (versions < 1.0.0-beta.15) allows any authenticated user with basic 'api.access' permission to elevate themselves to Super Administrator by sending a crafted PATCH request to modify their own permission configuration. The vulnerability, confirmed by vendor GitHub Security Advisory GHSA-r945-h4vm-h736, stems from inadequate authorization checks in the UsersController::update method, which permits self-editing users to overwrite the 'access' field containing role definitions. Successful exploitation grants complete CMS control including the ability to edit Twig templates outside sandbox restrictions for remote code execution. A detailed proof-of-concept is publicly available, and vendor-released patch is confirmed in version 1.0.0-beta.15.

Authentication Bypass Privilege Escalation PHP
NVD GitHub
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

Formula injection in Kimai 2.27.0 through 2.53.0 allows authenticated users with ROLE_USER to create tags containing formula strings (e.g., =SUM(54+51)) via the POST /api/tags endpoint. When administrators export timesheets to XLSX format, the ArrayFormatter joins tag names without sanitization, and OpenSpout automatically promotes formula-prefixed strings to FormulaCell objects. Excel or LibreOffice Calc evaluates these formulas when the exported file is opened, enabling code execution on any workstation that imports and opens the poisoned spreadsheet. Publicly available exploit code demonstrates the attack via normal user account and admin export workflow.

PHP Code Injection
NVD GitHub
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

Open redirect vulnerability in OpenMage LTS through version 20.17.0 allows authenticated attackers to redirect logged-in customers to arbitrary external URLs via an unvalidated `uenc` parameter in the ProductAlert `stockAction()` controller. The vulnerability occurs when a non-existent product ID is supplied, bypassing the `_isUrlInternal()` validation check present in the analogous `priceAction()` method. Attackers can exploit this for credential phishing, OAuth token theft, affiliate fraud, or malware distribution by crafting a malicious link and distributing it via email, forums, or social media.

PHP Google Open Redirect
NVD GitHub
EPSS 0% CVSS 6.8
MEDIUM PATCH This Month

DNS rebinding in Admidio's SSO metadata fetch endpoint bypasses SSRF protections by validating a hostname's IP address with gethostbyname() but passing the original hostname to curl_init(), allowing attackers to redirect requests to internal services including cloud metadata endpoints. Authenticated administrators can exploit this TOCTOU window between DNS resolution check and cURL connection to access internal IP ranges, read instance metadata, or scan internal networks.

Python SSRF PHP
NVD GitHub
EPSS 0% CVSS 9.3
CRITICAL PATCH Act Now

Predictable API session token generation in OpenMage LTS (≤ 20.16.0, confirmed vulnerable through ≤ 20.17.0) allows remote unauthenticated attackers to hijack authenticated XML-RPC, SOAP, and legacy REST API sessions by brute-forcing MD5 digests derived from time-based inputs. The session ID is constructed via md5(time() . uniqid('', true) . null), leaving an attacker with predictable timestamp and microsecond components plus a constrained LCG float - yielding far less than the OWASP ASVS-mandated 64 bits of entropy. Publicly available exploit code exists in the form of a working Python PoC included with the advisory.

PHP Adobe Information Disclosure
NVD GitHub
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

Reflected XSS in AVideo's Meet plugin allows unauthenticated attackers to execute arbitrary JavaScript in a victim's browser by injecting unescaped user and pass query parameters into a JavaScript string literal. The vulnerability is reachable without authentication on any public Meet schedule with no password (the default configuration), enabling session cookie theft and account takeover of authenticated users. CVSS 6.1 (AV:N/AC:L/PR:N/UI:R/S:C) reflects network delivery requiring user interaction but changed scope due to cookie exfiltration across the AVideo application origin.

XSS PHP CSRF
NVD GitHub
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

Cross-site request forgery in AVideo's userSavePhoto.php endpoint allows unauthenticated remote attackers to overwrite any logged-in user's profile photo with arbitrary bytes by luring them to a malicious webpage. The vulnerability exploits a missing CSRF token and a default cookie policy of SameSite=None on HTTPS deployments, combined with unvalidated base64 decoding that accepts any file content. Each successful attack also triggers a global cache invalidation, enabling denial-of-service via cache thrashing.

PHP CSRF RCE
NVD GitHub
EPSS 0% CVSS 6.4
MEDIUM PATCH This Month

Stored HTML injection in AVideo's notifySubscribers endpoint allows any authenticated uploader to broadcast platform-branded phishing emails to up to 10,000 channel subscribers without sanitization, escaping, or rate limits. The attacker-supplied HTML is injected directly into the email template via str_replace and rendered by PHPMailer, arriving with the platform's official contact email address, logo, and site title, enabling credential theft and reconnaissance at scale with no visible indication that content originated from an uploader rather than the platform operator.

Canonical XSS PHP +1
NVD GitHub
EPSS 0% CVSS 6.8
MEDIUM PATCH This Month

Password hash exposure in AVideo's MobileManager OAuth redirect enables account takeover when unauthenticated attackers capture the redirect URL from server logs, browser history, or referrer leakage, then replay the hash via the login endpoint's encodedPass bypass. The vulnerability affects all users who authenticate through OAuth (Google, etc.) when the MobileManager plugin is enabled, including administrators, and requires only user interaction to trigger the initial OAuth flow-no active exploitation in the wild has been confirmed at analysis time, but a working proof-of-concept exists and patch has been released by the vendor.

PHP CSRF Google
NVD GitHub
EPSS 0% CVSS 7.2
HIGH PATCH This Week

Unauthenticated remote code execution in AVideo ≤29.0 allows attackers to inject and execute arbitrary JavaScript in the browsers of any logged-in users through a WebSocket message relay bypass. An attacker obtains a WebSocket token without authentication from plugin/YPTSocket/getWebSocket.json.php, connects to the WebSocket server, and sends a crafted message with autoEvalCodeOnHTML nested under the json field instead of msg. The incomplete server-side sanitization from prior fix c08694bf6 (GHSA-gph2-j4c9-vhhr) only strips autoEvalCodeOnHTML from $json['msg'], but the relay function msgToResourceId() preferentially selects $msg['json'] as the outbound message carrier. The payload bypasses sanitization, reaches the victim's browser via WebSocket relay, and executes through eval() at plugin/YPTSocket/script.js:573-575. Vendor-released patch: commit 9f3006f9a (recursive stripping across all message carriers). No public exploit identified at time of analysis, but the advisory includes functional proof-of-concept Python code.

PHP CSRF Python +4
NVD GitHub
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Unauthenticated information disclosure in AVideo CloneSite plugin (versions ≤29.0) leaks the installation's shared secret authentication key through an error message, enabling attackers to impersonate the victim installation to its federated clone server and trigger a full database dump into a publicly accessible directory. The vulnerability chains two flaws: cloneClient.json.php echoes the local myKey credential in HTTP responses to any unauthenticated request due to incorrect $argv handling in web contexts, and the remote cloneServer.json.php then accepts this leaked key to authenticate mysqldump operations without IP restrictions or access controls on the resulting dump files. Patch available via GitHub commit e6566f56. No evidence of active exploitation (not in CISA KEV); EPSS data not provided. CVSS 7.5 (AV:N/AC:L/PR:N/UI:N) reflects high confidentiality impact from direct credential exposure plus cross-site database access in federated deployments.

PHP Information Disclosure Nginx
NVD GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

SQL injection in itsourcecode Courier Management System 1.0 via the ids parameter in /print_pdets.php allows authenticated remote attackers to execute arbitrary SQL queries with low impact to confidentiality, integrity, and availability. The vulnerability has a publicly available proof-of-concept and is characterized by low CVSS score (2.1) due to authentication requirement and limited scope, but SQL injection itself represents a persistent threat vector if the system processes sensitive courier data.

PHP SQLi
NVD VulDB GitHub
EPSS 0% CVSS 6.5
MEDIUM This Month

EmailKit plugin for WordPress versions up to 1.6.5 allows authenticated attackers with Author-level access to read arbitrary files from the server due to a path traversal vulnerability in the create_template() method. The vulnerability exploits a PHP 8.x type coercion flaw where realpath() returns false for non-existent directories, causing strpos() validation to incorrectly evaluate and bypass directory restrictions. Attackers can retrieve sensitive files such as wp-config.php by submitting absolute paths via the emailkit-editor-template REST API parameter. No public exploit code identified at time of analysis, though the vulnerability mechanism is trivial to weaponize once authentication is obtained.

PHP WordPress Path Traversal
NVD VulDB
EPSS 0% CVSS 4.9
MEDIUM This Month

Loco Translate plugin for WordPress versions up to 2.8.2 allows authenticated attackers with Translator-level access to read arbitrary files outside the intended translation directory via path traversal in the `fsReference` AJAX endpoint. The vulnerability exploits insufficient validation of directory traversal sequences (`../`) in the `findSourceFile()` method, enabling disclosure of sensitive `.php`, `.js`, `.json`, and `.twig` files including wp-config.php-adjacent files. No public exploit code has been identified at time of analysis, and the attack requires administrative capability assignment (`loco_admin` capability) granted to translators by default.

PHP WordPress Path Traversal
NVD VulDB
EPSS 0% CVSS 6.1
MEDIUM This Month

Cross-Site Request Forgery in Publish 2 Ping.fm WordPress plugin up to version 1.1 allows unauthenticated attackers to modify plugin settings and inject malicious scripts by tricking site administrators into clicking a crafted link, exploiting missing nonce validation on the admin settings page. The vulnerability requires user interaction (admin click) and affects the plugin's confidentiality and integrity but not availability. No public exploit code or active exploitation has been confirmed.

PHP CSRF WordPress
NVD VulDB
EPSS 0% CVSS 2.1
LOW POC Monitor

SQL injection in CodeCanyon Perfex CRM up to version 3.4.1 allows authenticated remote attackers to execute arbitrary SQL queries via the Admin Kanban Endpoint's AbstractKanban::applySortQuery function. The vulnerability stems from improper sanitization of the sort query argument and can lead to unauthorized data access, modification, and potential system compromise. Publicly available exploit code exists, increasing real-world risk.

PHP SQLi
NVD VulDB
EPSS 0% CVSS 2.1
LOW POC Monitor

Authorization bypass in CodeCanyon Perfex CRM up to 3.4.1 allows authenticated remote attackers to access projects belonging to other tenants via manipulation of the ID parameter in the Clients::project function. The vulnerability requires valid user credentials but grants access to cross-tenant data with low confidentiality, integrity, and availability impact. Publicly available exploit code exists for this flaw.

Authentication Bypass PHP
NVD VulDB
EPSS 0% CVSS 8.1
HIGH PATCH This Week

Password reset poisoning in AzuraCast versions ≤0.23.5 allows remote attackers to achieve full account takeover via client-supplied X-Forwarded-Host header injection. The ApplyXForwarded middleware lacks trusted proxy validation, enabling unauthenticated attackers to poison password reset URLs sent to victims. When victims click the poisoned link, their reset token is exfiltrated to attacker-controlled infrastructure. The attacker then redeems the token on the legitimate instance to reset the victim's password and unconditionally destroy their 2FA configuration, bypassing multi-factor authentication protections. Vendor-confirmed patch released in version 0.23.6. No public exploit identified at time of analysis. CVSS 8.1 reflects network attack vector with user interaction required (clicking email link). The vulnerability is limited to deployments using the default Docker configuration with nginx+PHP-FPM where fastcgi_pass forwards client headers unfiltered.

Docker CSRF PHP +1
NVD GitHub VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Path traversal in AzuraCast's Flow.js media upload endpoint allows authenticated users with media management permissions to write arbitrary PHP files outside designated storage directories, achieving remote code execution. The vulnerability exists in versions ≤0.23.5 where the unsanitized `currentDirectory` parameter bypasses filename sanitization, and a `finally` block writes uploaded files before MIME validation completes. Only local filesystem storage (default configuration) is affected-remote S3/cloud backends are not vulnerable. Vendor-confirmed patch available in version 0.23.6. No public exploit or CISA KEV listing identified at time of analysis, but detailed proof-of-concept exists in GitHub advisory GHSA-vp2f-cqqp-478j demonstrating webshell upload to web root.

Privilege Escalation PHP RCE +1
NVD GitHub
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

Arbitrary database table drop in CI4MS theme deletion allows authenticated administrators with theme.delete permission to craft malicious POST requests to the `/backend/themes/delete-process/` endpoint and drop any table in the database, including critical tables such as ci4ms_users and ci4ms_auth_identities. The vulnerability exists because the deleteProcess() action accepts user-supplied table names without validating them against the theme's own migration files, violating the principle of least privilege even within the admin trust model. Vendor-released patch 0.31.8.0 implements migration-based whitelist validation to restrict deletions to declared theme tables.

PHP RCE
NVD GitHub
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Denial-of-service condition in Conditional Fields for Contact Form 7 WordPress plugin allows remote unauthenticated attackers to crash PHP processes by injecting arbitrarily large iteration values through REST API parameters. The Wpcf7cfMailParser class processes user-supplied POST data without validation, enabling attackers to trigger unbounded loops with multiple regex operations that exhaust server memory. Affects all versions through 2.6.7 with vendor patch now available. EPSS data not provided, but the network-accessible unauthenticated attack vector (AV:N/PR:N) combined with low complexity (AC:L) indicates straightforward exploitation potential against publicly accessible WordPress sites running this plugin.

Denial Of Service PHP WordPress
NVD VulDB
EPSS 0% CVSS 8.2
HIGH POC Monitor

Unauthenticated attackers can enumerate and exfiltrate all customer order records from Easy PayPal Events & Tickets plugin for WordPress through an exposed QR code scanning endpoint. The scan_qr.php file accepts sequential WordPress post IDs without authentication, enabling complete database harvesting of payment and customer information. Publicly available exploit code exists, but no evidence of active exploitation (not in CISA KEV). The plugin was officially closed and removed from WordPress.org on 2026-03-18, leaving existing installations vulnerable with no official patch path.

Authentication Bypass WordPress Information Disclosure +1
NVD GitHub VulDB
EPSS 0% CVSS 2.1
LOW POC Monitor

SQL injection in SourceCodester Web-based Pharmacy Product Management System 1.0 allows authenticated remote attackers to execute arbitrary SQL queries via the ID parameter in /product_expiry/edit-admin.php, enabling unauthorized data access, modification, and deletion. The vulnerability has a publicly available exploit and CVSS 6.3 base score reflects moderate impact with low attack complexity; however, authentication is required, limiting exposure to users with valid credentials.

PHP SQLi
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM POC PATCH This Month

Unrestricted file upload in funadmin up to version 7.1.0-rc6 allows remote attackers to upload arbitrary files via the Frontend Chunked Upload Endpoint (UploadService::chunkUpload function). The vulnerability stems from insufficient validation of the File parameter and can be exploited without authentication; publicly available exploit code exists and a patch (PR #59) has been released by the vendor.

PHP File Upload
NVD VulDB
EPSS 0% CVSS 2.1
LOW POC Monitor

Unrestricted file upload in code-projects BloodBank Managing System 1.0 via request_blood.php allows authenticated remote attackers to upload arbitrary files with limited impact. The vulnerability requires valid user credentials (PR:L per CVSS vector) but has low confidentiality, integrity, and availability impact (VC:L/VI:L/VA:L). Publicly available exploit code exists; however, the low CVSS score (2.1) and confined impact scope suggest this poses minimal risk despite public disclosure.

PHP File Upload
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

SQL injection in code-projects BloodBank Managing System 1.0 allows authenticated remote attackers to execute arbitrary SQL queries via the G_STATE_ID parameter in get_state.php, potentially exfiltrating sensitive patient or blood bank data. The vulnerability has low confidentiality and integrity impact but carries exploitability risk (E:P in CVSS 4.0) and publicly available exploit code, making it a practical concern for deployed instances despite the low CVSS score of 2.1.

PHP SQLi
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

SQL injection in code-projects Gym Management System in PHP allows authenticated remote attackers to manipulate the 'day' parameter in /index.php, enabling arbitrary SQL query execution with limited confidentiality and integrity impact. The vulnerability carries a CVSS score of 2.1 and requires prior authentication (PR:L); publicly available exploit code exists but active exploitation confirmation is absent from CISA KEV data.

Microsoft PHP SQLi
NVD VulDB GitHub
EPSS 0% CVSS 7.2
HIGH POC This Week

Arbitrary file upload in OpenSTAManager 2.10 and earlier allows authenticated high-privilege users to upload malicious files via the module update functionality at modules/aggiornamenti/upload_modules.php, leading to remote code execution. Publicly available exploit code exists (GitHub POC), though EPSS exploitation probability remains low (2%, 5th percentile), suggesting limited observed exploitation activity. CVSS 7.2 reflects high impact but requires high-privilege authentication (PR:H), substantially limiting attack surface to compromised admin accounts or malicious insiders.

PHP File Upload
NVD GitHub VulDB
EPSS 0% CVSS 5.7
MEDIUM This Month

Stored cross-site scripting in Pluck CMS before v4.7.21dev allows authenticated high-privilege users to inject arbitrary JavaScript via the page editor, escalating privileges through the sanitizePageContent function in editpage.php. The vulnerability requires attacker authentication with administrative role and user interaction (UI:R), limiting spontaneous exploitation but enabling privilege escalation attacks within compromised admin accounts.

PHP XSS
NVD GitHub
EPSS 0% CVSS 2.0
LOW POC Monitor

SQL injection in AMTT Hotel Broadband Operation System 1.0 allows authenticated remote attackers with high privileges to manipulate the ID argument in /manager/card/cardhand_submit.php, potentially extracting or modifying database contents. Publicly available exploit code exists, though the CVSS score of 4.7 reflects the requirement for authenticated administrative access, limiting real-world impact compared to unauthenticated SQL injection vulnerabilities.

PHP SQLi
NVD VulDB GitHub
EPSS 0% CVSS 2.9
LOW POC Monitor

Improper cryptographic signature verification in Dolibarr ERP CRM up to version 23.0.2 allows remote attackers to bypass signature validation in the Online Signature Module, potentially forging or manipulating signed transactions. The vulnerability affects the dol_verifyHash function and has been publicly disclosed with exploit code available, though exploitation requires high technical complexity and is not confirmed as actively exploited in production environments.

PHP Jwt Attack Information Disclosure
NVD VulDB GitHub
EPSS 0% CVSS 1.3
LOW Monitor

SQL injection in Dolibarr ERP CRM up to version 23.0.2 allows authenticated remote attackers to execute arbitrary SQL queries via the fields parameter in the Shipments API Endpoint (_checkValForAPI function). Exploitation requires high attack complexity and authenticated access, with publicly available exploit code confirmed but no active exploitation reported in CISA KEV at time of analysis.

PHP SQLi
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in code-projects Online Hospital Management System 1.0 allows remote unauthenticated attackers to manipulate the delid parameter in /viewappointment.php, enabling database queries with limited confidentiality and integrity impact. The vulnerability is publicly disclosed with available exploit code and poses a network-accessible risk to unpatched deployments.

PHP SQLi
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM POC PATCH This Month

InnoShop e-commerce platform versions up to 0.7.8 allow unauthenticated remote attackers to bypass authentication controls in the installation endpoint via improper authentication handling in InstallServiceProvider::boot. The vulnerability permits unauthorized access to installation functionality even after initial setup is complete, enabling attackers to achieve partial confidentiality, integrity, and availability impact. Publicly available exploit code exists (GitHub issue #314), and vendor has released patch commit 45758e4ec22451ab944ae2ae826b1e70f6450dc9.

Authentication Bypass PHP
NVD VulDB GitHub
EPSS 0% CVSS 7.5
HIGH This Week

Time-based SQL injection in Geo Mashup WordPress plugin versions ≤1.13.18 allows unauthenticated remote attackers to extract sensitive database information. The vulnerability stems from ineffective sanitization in the 'object_ids' and 'exclude_object_ids' parameters-while esc_sql() is applied, it provides no protection in unquoted IN() contexts where attackers can inject parentheses and SQL keywords. The numeric sanitizer exists but only applies to AJAX paths, leaving render-map.php and template tag paths vulnerable. EPSS data not available; no CISA KEV listing or public POC identified at time of analysis, but Wordfence Threat Intelligence disclosure increases likelihood of weaponization.

PHP WordPress SQLi
NVD VulDB
EPSS 0% CVSS 7.5
HIGH This Week

Time-based SQL injection in WordPress Geo Mashup plugin ≤1.13.18 allows unauthenticated remote attackers to extract sensitive database information. The 'sort' parameter in multiple code paths (render-map.php, template tags) lacks proper sanitization despite esc_sql() application, which is ineffective in ORDER BY contexts without quote encapsulation. Version 1.13.18 added allowlist-based sanitization but only protected the AJAX endpoint, leaving other attack vectors exploitable. EPSS and KEV data not available; vulnerability disclosed by Wordfence with public source code references confirming the flaw.

PHP WordPress SQLi
NVD VulDB
EPSS 0% CVSS 2.0
LOW Monitor

SQL injection in itsourcecode Courier Management System 1.0 allows high-privilege remote attackers to manipulate the ID parameter in /edit_user.php, leading to unauthorized database queries with limited confidentiality and integrity impact. Exploit code has been publicly disclosed, though the CVSS 4.0 score of 2.0 and requirement for high-privilege authentication significantly constrain real-world risk.

PHP SQLi
NVD GitHub VulDB
EPSS 0% CVSS 7.2
HIGH This Week

Unauthenticated attackers can inject stored cross-site scripting payloads into Brizy Page Builder for WordPress (versions ≤2.8.11) via form submission FileUpload fields, which execute when administrators view the form Leads page. The vulnerability chains three implementation flaws: missing nonce verification for anonymous form submissions, inadequate sanitization of FileUpload field values when no file is attached, and reversal of HTML entity encoding via html_entity_decode() before unescaped output in admin views. Publicly available exploit code exists. EPSS data not provided, but the CVSS 7.2 (High) with scope change reflects the privilege escalation from unauthenticated user to admin-context execution. Patch released in version 2.8.12 per WordPress plugin repository changeset 3502206.

PHP WordPress XSS
NVD VulDB
EPSS 0% CVSS 7.2
HIGH This Week

Stored cross-site scripting (XSS) in Gravity Forms WordPress plugin versions ≤2.10.0 allows remote unauthenticated attackers to inject malicious JavaScript that executes when administrators view form entries. The vulnerability exploits a validation bypass in nested SingleProduct fields within Repeater fields, where product name tampering is not validated. When admins access compromised entries via wp-admin, the unsanitized payload executes in their browser session. CVSS 7.2 (AV:N/AC:L/PR:N/UI:N) indicates network-accessible exploitation without authentication or user interaction during payload delivery, though the attack requires subsequent admin interaction (viewing the entry) for payload execution. No active exploitation confirmed in CISA KEV at time of analysis.

PHP WordPress XSS
NVD VulDB
EPSS 0% CVSS 8.1
HIGH This Week

Unauthenticated PHP object injection in Profile Builder Pro for WordPress allows remote attackers to execute arbitrary code by deserializing malicious objects through an unprotected AJAX endpoint. The vulnerability affects all versions through 3.14.5 and stems from unsafe deserialization of attacker-controlled POST data in the wppb_request_users_pins_action_callback() handler, which was registered for both authenticated and unauthenticated users without nonce verification. With CVSS 8.1 and AC:H complexity, exploitation requires chaining with a POP gadget chain, though EPSS data and KEV status are not available to confirm active exploitation.

PHP WordPress Deserialization
NVD VulDB
EPSS 0% CVSS 7.2
HIGH This Week

Stored XSS in Gravity Forms for WordPress ≤2.10.0 allows unauthenticated remote attackers to inject malicious JavaScript through Product Option field values that execute when administrators view entry details. The flaw exploits a sanitization bypass: the plugin's state validation accepts values matching wp_kses()-cleaned legitimate options but stores the raw unsanitized input, which is then rendered without escaping in the Order Summary view (view-order-summary.php:32). EPSS data not available; no public exploit identified at time of analysis. Vendor patch status requires verification via changelog.

PHP WordPress XSS
NVD VulDB
EPSS 0% CVSS 8.8
HIGH This Week

Authenticated privilege escalation in 'Import and export users and customers' WordPress plugin versions up to 2.0.8 allows Subscriber-level users to elevate privileges to Administrator on any subsite within a WordPress Multisite network. The vulnerability stems from an incomplete blocklist in save_extra_user_profile_fields() that restricts primary site capability meta keys (wp_capabilities) but fails to block multisite-prefixed equivalents (wp_2_capabilities, wp_3_capabilities, etc.). Exploitation requires that an administrator has previously imported a CSV with multisite-prefixed capability headers and enabled the 'Show fields in profile?' option. Patch released in changeset 3515646 per WordPress plugin repository. No EPSS or KEV data available, indicating no widespread exploitation detected at time of analysis.

Privilege Escalation WordPress PHP
NVD VulDB
EPSS 0% CVSS 9.8
CRITICAL Act Now

Authentication bypass in User Verification by PickPlugins for WordPress allows remote unauthenticated attackers to log in as any user with a verified email - including administrators - by submitting the string 'true' as the OTP code. The vulnerability stems from a loose PHP comparison operator (==) in the OTP validation logic, which treats the boolean true as equal to any non-zero numeric OTP value. With CVSS 9.8 (AV:N/AC:L/PR:N/UI:N) and EPSS data unavailable, this represents complete system compromise risk for WordPress sites running vulnerable versions (≤2.0.46). Fixed in version 2.0.47 per Wordfence advisory and WordPress plugin repository changeset 3519113.

PHP WordPress Authentication Bypass
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM This Month

SQL injection in itsourcecode Courier Management System 1.0 allows remote unauthenticated attackers to manipulate the ID parameter in /edit_staff.php, potentially leading to unauthorized database access and data disclosure. The vulnerability has a CVSS score of 5.5 with a publicly available exploit, indicating moderate real-world risk despite the low confidentiality impact rating.

PHP SQLi
NVD GitHub VulDB
EPSS 0% CVSS 6.1
MEDIUM This Month

Reflected cross-site scripting (XSS) in GSVoIP web panel version 2.0.90 allows remote attackers to inject arbitrary JavaScript via the `msg` parameter in the `/painel/gateways.php/error` endpoint. The vulnerability requires user interaction (clicking a malicious link) but can lead to session hijacking, credential theft, or malware distribution. No authentication is required, and public exploit code exists.

PHP XSS
NVD GitHub
EPSS 0% CVSS 8.8
HIGH This Week

Cross-Site Request Forgery in WP Editor plugin through version 1.2.9.2 enables remote attackers to inject arbitrary PHP code into plugin and theme files. The vulnerability requires administrator interaction (clicking a malicious link) but no authentication for the attacker, allowing complete website compromise through file overwrite. EPSS data not available; no confirmed active exploitation at time of analysis. Patch available in changeset 3480577.

CSRF PHP WordPress
NVD
EPSS 0% CVSS 2.0
LOW POC Monitor

Unrestricted file upload in MacCMS Pro up to version 2022.1.3 allows authenticated high-privilege administrators to upload arbitrary files via the plugin installation handler at /admin/addon/add.html, potentially enabling remote code execution. Publicly available exploit code exists, and the vendor has not responded to early disclosure despite contact.

PHP File Upload
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in itsourcecode Electronic Judging System 1.0 allows remote attackers to manipulate the Username parameter in /intrams/login.php, leading to unauthorized data access and modification. The vulnerability requires no authentication and can be exploited over the network with low complexity. Publicly available exploit code exists, and the CVSS 4.0 vector indicates confidentiality and integrity impact on the affected application.

PHP SQLi
NVD VulDB GitHub
EPSS 0% CVSS 2.0
LOW POC Monitor

SQL injection in code-projects Gym Management System 1.0 allows authenticated high-privilege users to manipulate the edit_exercise parameter in /admin/edit_exercises.php, enabling remote database queries with limited confidentiality, integrity, and availability impact. Publicly available exploit code exists; CVSS 4.7 reflects low real-world risk due to high-privilege requirement (PR:H), though the vulnerability remains remotely accessible without user interaction.

PHP SQLi
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in SourceCodester Pharmacy Sales and Inventory System 1.0 allows remote unauthenticated attackers to read, modify, or delete database records via the ID parameter in /ajax.php?action=save_customer. CVSS 7.3 with low attack complexity and no authentication required. Publicly available exploit code exists (GitHub POC published), elevating immediate risk for exposed installations. EPSS data not available, but the combination of network vector, zero authentication, and public POC indicates high probability of opportunistic scanning and exploitation.

PHP SQLi
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in SourceCodester Pharmacy Sales and Inventory System 1.0 allows remote unauthenticated attackers to extract database contents, modify records, or execute unauthorized queries via the ID parameter in /ajax.php?action=delete_customer. Publicly available exploit code exists (GitHub POC), enabling trivial exploitation against exposed instances. CVSS 7.3 reflects network-accessible attack with low complexity and no authentication requirement, though EPSS data unavailable and not currently listed in CISA KEV, suggesting limited widespread exploitation despite POC availability.

PHP SQLi
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in SourceCodester Advanced School Management System 1.0 allows remote unauthenticated attackers to execute arbitrary SQL queries via the checkEmail endpoint in commonController.php, potentially exposing or modifying database contents. Publicly available exploit code exists and the vulnerability requires only network access with no authentication, making it a practical exploitation risk for exposed instances.

PHP SQLi
NVD VulDB GitHub
EPSS 0% CVSS 8.1
HIGH POC This Week

Client-side remote code execution affects MixPHP Framework 2.x through 2.2.17 when sync-invoke clients connect to attacker-controlled servers. The vulnerability enables malicious servers to execute arbitrary code on connecting clients through unsafe deserialization of server responses (CWE-502). EPSS data unavailable, but SSVC indicates no confirmed exploitation and non-automatable attack complexity aligns with CVSS AC:H rating. Primary risk exists in scenarios where MixPHP clients connect to untrusted external services or where server infrastructure could be compromised.

PHP Deserialization
NVD GitHub Exploit-DB VulDB
EPSS 0% CVSS 6.5
MEDIUM This Month

SQL injection in MixPHP Framework 2.x through 2.2.17 allows unauthenticated remote attackers to read or modify database contents via a crafted data array passed to the data function in BuildHelper.php. The vulnerability has an automatable exploitation path per CISA SSVC but no public exploit code or active KEV listing identified at analysis time. CVSS 6.5 (medium) reflects network-accessible SQL injection with partial confidentiality and integrity impact but no availability impact.

PHP SQLi
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM This Month

SQL injection in MixPHP Framework versions 2.0 through 2.2.17 allows unauthenticated remote attackers to execute arbitrary SQL queries by supplying crafted array parameters to the joinOn function in BuildHelper.php. The vulnerability has a CVSS score of 6.5 with network-accessible exploitation requiring no authentication or user interaction. SSVC signals indicate exploitation is automatable, though no active exploitation in the wild has been reported at time of analysis.

PHP SQLi N A
NVD GitHub VulDB
EPSS 0% CVSS 8.4
HIGH This Week

Arbitrary code execution in MixPHP Framework 2.x through 2.2.17 allows local attackers to execute malicious PHP closures via unauthenticated TCP connections to the sync-invoke server. The vulnerability stems from unsafe deserialization of untrusted data on localhost-bound port 127.0.0.1, where Server.php directly passes socket data to Opis\Closure\unserialize() and executes the result without authentication or signature verification. Exploitation requires local network access or SSRF capability against the application server. No public exploit code identified at time of analysis, but the attack mechanism is straightforward for attackers with PHP deserialization knowledge.

PHP Deserialization RCE +1
NVD GitHub VulDB
EPSS 0% CVSS 4.9
MEDIUM This Month

Authenticated admin users in V2Board through version 1.7.4 can exploit unsanitized sort parameters in the user management interface to disclose sensitive database information including password hashes and authentication tokens through ORDER BY-based information disclosure. The vulnerability requires admin privileges and does not enable data modification or service disruption, but allows attackers with administrative access to extract confidential user data by analyzing sort order patterns.

PHP Information Disclosure SQLi
NVD GitHub VulDB
EPSS 0% CVSS 5.3
MEDIUM This Month

V2Board through version 1.7.4 exposes sensitive server authentication tokens via GET parameters in the UniProxy API endpoint, causing tokens to be recorded in web server access logs, browser history, HTTP Referer headers, and intermediary proxies. An attacker who obtains access to any log source can extract the token and impersonate a proxy server node, potentially intercepting all user traffic passing through that node.

PHP Information Disclosure
NVD GitHub VulDB
EPSS 0% CVSS 6.9
MEDIUM This Month

Stored cross-site scripting in V2Board through version 1.7.4 allows authenticated administrators to inject arbitrary JavaScript into the custom_html theme configuration field via the saveThemeConfig API, which is rendered unescaped in the dashboard.blade.php template and executed in the browsers of all site visitors, enabling cookie theft, session hijacking, and phishing attacks.

PHP XSS
NVD GitHub VulDB
EPSS 0% CVSS 2.1
LOW Monitor

Code injection in Bootstrap CMS 0.9.0-alpha page creation handler allows authenticated remote attackers to inject arbitrary code via the body parameter in resources/views/pages/show.blade.php, with publicly available exploit code and a CVSS score of 2.1 reflecting low confidentiality/integrity impact. The vulnerability affects an unmaintained product with an inactive code repository, limiting real-world exposure but enabling opportunistic exploitation of legacy deployments.

PHP Code Injection
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in SourceCodester Hotel Management System 1.0 allows unauthenticated remote attackers to extract, modify, or delete database contents via the room_type parameter in /index.php/reservation/check. CVSS 7.3 indicates medium-to-high severity with confidentiality, integrity, and availability impacts. Publicly available exploit code (GitHub) significantly lowers the barrier to exploitation. EPSS data unavailable, but public POC availability and remote unauthenticated attack vector suggest elevated real-world risk for internet-exposed installations of this PHP-based hotel management system.

PHP SQLi
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC PATCH Monitor

LinkStack up to version 4.8.6 contains an authorization bypass vulnerability in the saveLink function of UserController.php that allows authenticated attackers to modify links belonging to other users via insecure direct object references (IDOR). The vulnerability affects the Management Endpoint and enables remote attackers with valid credentials to manipulate or delete arbitrary user links, with publicly available exploit code and an unmerged patch awaiting acceptance.

Authentication Bypass PHP
NVD VulDB GitHub
Prev Page 17 of 275 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy