Skip to main content

PHP

24729 CVEs product

Monthly

CVE-2026-7117 LOW POC Monitor

SQL injection in code-projects Employee Management System 1.0 allows authenticated remote attackers to manipulate the id and token parameters in 370project/approve.php, enabling unauthorized database queries with low confidentiality, integrity, and availability impact. Publicly available exploit code exists and CVSS score of 6.3 reflects the attack's network accessibility despite requiring low-level authentication.

PHP SQLi
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-7116 LOW POC Monitor

Cross-site scripting (XSS) in code-projects Employee Management System 1.0 allows remote attackers to inject malicious scripts via manipulation of the file 370project/mark.php. The vulnerability requires user interaction (UI:R) but can be exploited over the network without authentication. Publicly available exploit code exists and the flaw has moderate impact on integrity (CVSS 4.3).

PHP XSS
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-7115 LOW POC Monitor

SQL injection in code-projects Employee Management System 1.0 allows authenticated remote attackers to manipulate the ID argument in 370project/delete.php, leading to unauthorized database queries with limited confidentiality and integrity impact. Publicly available exploit code exists; CVSS 5.3 reflects moderate risk limited by authentication requirement and restricted data access scope.

PHP SQLi
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-7114 LOW POC Monitor

SQL injection in code-projects Employee Management System 1.0 allows authenticated remote attackers to execute arbitrary SQL queries via the ID parameter in 370project/edit.php, potentially leading to unauthorized data access or modification. The vulnerability requires valid user credentials (PR:L per CVSS vector) and has publicly available exploit code; however, the limited scope (VC:L, VI:L, VA:L) and requirement for authentication reduce real-world risk compared to the base CVSS score of 5.3.

PHP SQLi
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-7103 LOW Monitor

Weak cryptographic hash usage in code-projects Chat System 1.0 allows remote attackers to compromise password security through the MD5 Hash Handler in update_user.php. The vulnerability stems from use of MD5 for password hashing, a cryptographically broken algorithm that enables rapid offline cracking of password hashes. Publicly disclosed exploit code exists, though exploitation requires high attack complexity. The vulnerability impacts password confidentiality with low direct severity but creates substantial downstream risks for user account compromise.

PHP Information Disclosure
NVD GitHub VulDB
CVSS 4.0
2.9
EPSS
0.0%
CVE-2026-7095 LOW POC Monitor

Reflected cross-site scripting (XSS) in code-projects Employee Management System 1.0 allows remote unauthenticated attackers to inject malicious scripts via the ID parameter in 370project/edit.php. The vulnerability requires user interaction (link click) but has publicly available exploit code and a moderate CVSS score of 4.3, indicating limited but real integrity impact through client-side script execution.

PHP XSS
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-7090 LOW POC Monitor

Stored cross-site scripting (XSS) in code-projects Chat System 1.0 allows high-privilege remote attackers to inject malicious scripts via the msg parameter in /admin/send_message.php, affecting the Chat Interface component. The vulnerability requires admin-level authentication and user interaction (viewing the crafted message), but publicly available exploit code exists and the issue is actively being leveraged. With a CVSS score of 2.4, the impact is limited to integrity violations with no confidentiality or availability loss, but the presence of public POC and active exploitation elevates practical risk despite low severity metrics.

PHP XSS
NVD VulDB GitHub
CVSS 4.0
1.9
EPSS
0.0%
CVE-2026-7089 LOW POC Monitor

Cross-site scripting (XSS) vulnerability in code-projects Home Service System 1.0 allows remote attackers to inject malicious scripts via the fname and lname parameters in the /booking.php Appointment Booking component. User interaction is required for exploitation. A public exploit is available, and the vulnerability carries moderate risk (CVSS 4.3) with integrity impact through malicious script execution in victim browsers.

PHP XSS
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-7088 MEDIUM POC This Month

SQL injection in SourceCodester Pharmacy Sales and Inventory System 1.0 allows remote unauthenticated attackers to execute arbitrary SQL commands via the ID parameter in /ajax.php?action=save_receiving. Publicly available exploit code (GitHub PoC) enables immediate weaponization. CVSS 7.3 reflects network-accessible attack with no authentication required, enabling confidentiality/integrity/availability impact across database operations. EPSS data not provided, but public exploit availability significantly elevates real-world risk for unpatched installations of this open-source PHP application.

PHP SQLi
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-7087 MEDIUM POC This Month

SQL injection in SourceCodester Pharmacy Sales and Inventory System 1.0 allows remote unauthenticated attackers to extract, modify, or delete database contents via the ID parameter in /ajax.php?action=save_sales endpoint. Publicly available exploit code exists (GitHub POC), enabling low-complexity attacks with no authentication barriers. EPSS data not available, but public exploit significantly lowers attacker skill threshold. CVSS 7.3 reflects network-exploitable vulnerability with moderate confidentiality, integrity, and availability impacts.

PHP SQLi
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-7083 LOW Monitor

SQL injection in likeadmin_php up to version 1.9.6 allows high-privilege remote attackers to manipulate SQL queries through the queryResult function in the dataTable Admin API component, potentially exposing or modifying sensitive database content. Public exploit code exists and the vendor has not yet responded to early notification, elevating risk despite the CVSS score of 5.1 reflecting high-privilege authentication requirements.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
2.0
EPSS
0.0%
CVE-2026-7077 MEDIUM POC This Month

SQL injection in itsourcecode Courier Management System 1.0 via the ID parameter in /edit_parcel.php allows remote unauthenticated attackers to query, modify, or delete database contents. The CVSS 6.9 score reflects low confidentiality and integrity impact; however, the vulnerability is remotely exploitable with no authentication required and publicly available exploit code exists, making it a practical attack vector against exposed instances.

PHP SQLi
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-7076 MEDIUM POC This Month

SQL injection in itsourcecode Courier Management System 1.0 allows remote unauthenticated attackers to execute arbitrary SQL commands via manipulation of the ID parameter in /edit_branch.php. The vulnerability has publicly disclosed exploit code available and affects confidentiality, integrity, and availability of the underlying database.

PHP SQLi
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-7075 MEDIUM POC This Month

SQL injection in itsourcecode Construction Management System 1.0 allows remote unauthenticated attackers to manipulate the address parameter in /locations.php, enabling arbitrary database queries with confidentiality and integrity impact. Publicly available exploit code exists, increasing real-world risk despite the moderate CVSS score of 6.9.

PHP SQLi
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-7074 MEDIUM POC This Month

SQL injection in itsourcecode Construction Management System 1.0 allows remote unauthenticated attackers to manipulate the code parameter in /execute1.php, enabling database query manipulation and potential data exfiltration or modification. Publicly available exploit code exists, increasing real-world risk despite the moderate CVSS score of 6.9.

PHP SQLi
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-7073 MEDIUM POC This Month

SQL injection in itsourcecode Construction Management System 1.0 via the code parameter in /execute.php allows remote unauthenticated attackers to execute arbitrary SQL queries and potentially access or modify database contents. The vulnerability has a publicly available exploit and is confirmed to have a low confidentiality, integrity, and availability impact according to CVSS v4.0 scoring.

PHP SQLi
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-7072 MEDIUM POC This Month

Remote SQL injection in CodePanda Source canteen_management_system 1.0 allows unauthenticated attackers to manipulate the Username parameter in /api/login.php, enabling arbitrary database queries. Public exploit code is available. The vulnerability affects confidentiality and integrity with low impact scope, making it a practical attack vector for credential harvesting or data exfiltration from the canteen management database.

PHP SQLi
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2021-36438 MEDIUM This Month

SQL Injection vulnerability exists in Sourcecodester Online Job Portal phppdo 1.0 ivia the category parameter in /jobportal/index.php. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SQLi PHP
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-7063 MEDIUM POC This Month

SQL injection in code-projects Employee Management System 1.0 allows remote unauthenticated attackers to extract, modify, or delete database contents via the pwd parameter in /370project/process/eprocess.php. CVSS 7.3 (High) with network vector and no prerequisites. Publicly available exploit code exists on GitHub, enabling immediate weaponization. No vendor-released patch identified at time of analysis. EPSS data unavailable; not listed in CISA KEV, suggesting targeted rather than widespread exploitation despite public POC.

PHP SQLi
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-7044 LOW POC Monitor

Unrestricted file upload in GreenCMS up to version 2.3 allows authenticated remote attackers to upload arbitrary files via the themeadd function in the custom admin module, potentially enabling remote code execution or content manipulation. Publicly available exploit code exists and the vulnerability affects only end-of-life versions of the product.

PHP File Upload
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-7043 LOW POC Monitor

Unrestricted file upload in GreenCMS up to version 2.3 via the pluginAddLocal function in /index.php?m=admin&c=custom&a=pluginadd allows authenticated remote attackers to upload arbitrary files, leading to potential remote code execution. The vulnerability affects only unsupported legacy versions. Publicly available exploit code exists, and the CVSS vector confirms network-accessible exploitation requiring low privileges.

PHP File Upload
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-7028 LOW POC Monitor

SQL injection in CodeAstro Online Job Portal 1.0 allows authenticated admin users to manipulate the ID parameter in /admin/jobs-admins/delete-jobs.php, enabling remote SQL injection attacks against the database. The vulnerability requires high-level admin privileges (PR:H) but has a publicly available exploit and low attack complexity (AC:L), permitting remote attackers with admin access to read, modify, or delete sensitive database records. Exploitation is confirmed by public proof-of-concept code.

PHP SQLi
NVD VulDB GitHub
CVSS 4.0
2.0
EPSS
0.0%
CVE-2026-7025 MEDIUM POC This Month

Server-side request forgery in Typecho's Pingback Service (versions up to 1.3.0) allows remote unauthenticated attackers to force the server to make arbitrary HTTP requests to internal or external resources. The vulnerability resides in Service::sendPingHandle() function where attacker-controlled X-Pingback and link parameters bypass validation. Public exploit code exists (documented in researcher blog post), enabling immediate weaponization. CVSS 7.3 reflects network-accessible attack with no authentication required. EPSS data not available, but public POC significantly elevates real-world risk. Vendor non-responsive to early disclosure.

PHP SSRF
NVD VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-7002 MEDIUM This Month

SQL injection in KLiK SocialMediaWebsite 1.0.1 and earlier allows remote unauthenticated attackers to execute arbitrary SQL commands via the c_id parameter in /includes/get_message_ajax.php. The vulnerability targets the private message handling component and permits unauthorized database access, modification, and potential data exfiltration. CVSS 7.3 reflects network-accessible, low-complexity exploitation requiring no authentication or user interaction, with partial impact to confidentiality, integrity, and availability. No public exploit code or CISA KEV listing identified at time of analysis, suggesting limited observed exploitation despite the accessible attack surface.

PHP SQLi
NVD VulDB
CVSS 4.0
6.9
EPSS
0.0%
CVE-2026-6983 LOW POC Monitor

Server-side request forgery (SSRF) in Pagekit up to version 1.0.18 allows authenticated high-privilege administrators to manipulate the url parameter in the /index.php/admin/system/update/download endpoint, enabling them to force the server to make arbitrary HTTP requests to internal or external systems. Publicly available exploit code exists, and the vendor did not respond to early disclosure efforts.

PHP SSRF
NVD VulDB
CVSS 4.0
2.0
EPSS
0.0%
CVE-2026-6982 PHP MEDIUM PATCH This Month

SQL injection in ShowDoc API Page Sort Endpoint allows authenticated remote attackers to manipulate the pages parameter and execute arbitrary SQL queries with limited confidentiality, integrity, and availability impact. Affected versions include 2.10.10, 3.6.2, and 3.8.0; vendor has released patch v3.8.1 but explicitly stated no backports will be provided for older versions.

PHP SQLi
NVD VulDB GitHub
CVSS 4.0
5.3
EPSS
0.0%
CVE-2026-6978 LOW POC Monitor

SQL injection in JiZhiCMS up to version 2.5.6 allows authenticated high-privileged administrators to execute arbitrary SQL queries via the sqls parameter in the /index.php/admins/Sys/addcache.html endpoint. The vulnerability is remotely exploitable and publicly available exploit code exists, though the low CVSS score (4.7) reflects the requirement for high-level administrative authentication, limiting real-world attack surface.

PHP SQLi
NVD VulDB GitHub
CVSS 4.0
2.0
EPSS
0.0%
CVE-2026-41498 PHP LOW PATCH GHSA Monitor

Kimai's Team API endpoints fail to validate entity-level ownership due to incorrect Symfony IsGranted attribute syntax, allowing users with the edit_team permission to modify any team regardless of membership. The vulnerability arises because API endpoints use #[IsGranted('edit_team')] instead of #[IsGranted('edit', 'team')], causing the TeamVoter to abstain and fall back to role-only permission checks. In default configurations this is unexploitable since only admins hold edit_team permission, but if administrators grant edit_team to lower-privilege roles (such as ROLE_TEAMLEAD) via the permissions UI, those users can modify team memberships, customer assignments, project assignments, and activity assignments for any team without authorization. No public exploit code or active exploitation has been identified.

PHP Authentication Bypass
NVD GitHub
CVSS 3.1
3.3
EPSS
0.0%
CVE-2025-11762 MEDIUM This Month

HubSpot All-In-One Marketing plugin for WordPress (versions up to 11.3.32) exposes sensitive information via the class-adminconstants.php file, allowing authenticated users with Contributor-level access or higher to retrieve a complete list of installed plugins and their versions. This information disclosure enables reconnaissance for follow-on attacks targeting vulnerable plugins, though exploitation requires valid WordPress authentication and contributor-level privileges.

Information Disclosure PHP WordPress Authentication Bypass
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-6810 MEDIUM This Month

Insecure Direct Object Reference in Booking Calendar Contact Form plugin for WordPress (all versions up to 1.2.63) allows authenticated attackers with Subscriber-level privileges to hijack other users' calendars and access associated user data by exploiting missing validation on user-controlled keys in the dex_bccf_admin_int_calendar_list.inc.php file. The CVSS score of 5.3 reflects network-accessible exploitation without user interaction, though the vulnerability requires valid WordPress authentication at Subscriber level or higher.

PHP WordPress Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-5347 MEDIUM This Month

Unauthenticated attackers can modify the custom post type slug for the HM Books Gallery plugin in WordPress versions up to 4.8.0 by submitting a crafted POST request to the admin_init hook, bypassing all capability and nonce checks. This vulnerability allows modification of the 'wbg_cpt_slug' option without authentication, changing the URL structure for all book entries, breaking existing links, and degrading SEO rankings. No public exploit code or active exploitation has been identified at the time of analysis.

PHP WordPress Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-5364 HIGH This Week

Remote code execution in Drag and Drop File Upload for Contact Form 7 plugin (≤1.1.3) allows unauthenticated attackers to upload arbitrary PHP files via a sanitization bypass vulnerability. The flaw exploits a race condition where file extension validation occurs on unsanitized input while the file saves with a sanitized extension, enabling special characters like '$' to be stripped mid-process. Exploitability is constrained by .htaccess restrictions and filename randomization, reducing real-world risk despite the 8.1 CVSS score. EPSS data not available; no active exploitation or POC publicly confirmed at time of analysis.

PHP WordPress File Upload RCE
NVD
CVSS 3.1
8.1
EPSS
0.1%
CVE-2026-5488 MEDIUM This Month

ExactMetrics Google Analytics Dashboard for WordPress versions up to 9.1.2 allow authenticated subscribers to retrieve Google Ads access tokens and reset Google Ads integration settings through missing authorization checks in AJAX handlers. Although a nonce is verified, two AJAX endpoints (get_ads_access_token and reset_experience) lack the capability checks present in similar endpoints, enabling attackers with subscriber-level access to perform administrative actions. The CVSS vector (AV:N/AC:L/PR:N/UI:N) reflects network-accessible unauthenticated exploitation, but the description indicates authenticated subscriber access is required, creating a discrepancy between reported CVSS and actual attack prerequisites.

PHP Google Authentication Bypass WordPress
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-41229 PHP CRITICAL PATCH GHSA Act Now

Remote code execution in Froxlor server administration software versions prior to 2.3.6 allows authenticated administrators with change_serversettings permission to inject arbitrary PHP code through an unescaped MySQL server configuration parameter. The vulnerability enables persistent code execution on every subsequent HTTP request as the web server user due to improper input sanitization in PhpHelper::parseArrayToString(). Vendor patch available in version 2.3.6. CVSS score of 9.1 reflects the critical impact despite requiring high-privilege authentication, with scope change indicating the attacker can break out of the application's security context.

PHP Code Injection RCE
NVD GitHub VulDB
CVSS 3.1
9.1
EPSS
0.0%
CVE-2026-41228 PHP CRITICAL PATCH GHSA Act Now

Authenticated customers can achieve remote code execution in Froxlor server administration software versions prior to 2.3.6 through path traversal in the API's language parameter. By injecting malicious path traversal sequences into the `def_language` field via the `Customers.update` or `Admins.update` API endpoints, authenticated users can force the application to execute arbitrary PHP code as the web server user on subsequent requests. This vulnerability carries a CVSS score of 9.9 with scope change, indicating potential for full system compromise beyond the vulnerable component. Vendor-released patch version 2.3.6 addresses the vulnerability by implementing proper validation of language parameters against available language files.

PHP Path Traversal LFI RCE
NVD GitHub VulDB
CVSS 3.1
9.9
EPSS
0.1%
CVE-2026-34413 HIGH POC PATCH Act Now

Unauthenticated attackers can execute remote code and read arbitrary files in Xerte Online Toolkits 3.15 and earlier via a missing authentication flaw in the elFinder connector endpoint. The vulnerability stems from a logic error where HTTP redirects for unauthenticated requests fail to terminate PHP execution, allowing full server-side processing of file operations. Attackers can create directories, upload files, rename, duplicate, overwrite, and delete files in project media directories without authentication. When chained with path traversal and extension blocklist bypasses, this enables complete system compromise. VulnCheck identified the flaw, and vendor patches are available via three GitHub commits addressing versions 3.13.0 through 3.15.0.

PHP Path Traversal Authentication Bypass RCE Xerteonlinetoolkits
NVD GitHub
CVSS 4.0
8.8
EPSS
0.3%
CVE-2026-34415 CRITICAL POC PATCH Act Now

Remote code execution in Xerte Online Toolkits 3.15 and earlier allows unauthenticated attackers to upload and execute arbitrary PHP code by chaining an incomplete file extension filter bypass (.php4 extension) with authentication bypass and path traversal vulnerabilities in the elFinder connector endpoint. Attackers can achieve complete server compromise by uploading malicious PHP files, renaming them with the .php4 extension to evade filtering, and executing operating system commands. Vendor-released patches available via three GitHub commits (02661be, 17e4f94, 507d55c). No public exploit code or active exploitation confirmed at time of analysis, though the attack chain is straightforward for skilled attackers.

PHP Authentication Bypass Path Traversal Xerteonlinetoolkits
NVD GitHub VulDB
CVSS 4.0
9.3
EPSS
0.2%
CVE-2026-34414 HIGH POC PATCH Act Now

Path traversal in Xerte Online Toolkits' elFinder connector allows authenticated attackers to move files to arbitrary filesystem locations, enabling application file overwrites, stored XSS, or chained remote code execution. Affects versions 3.15 and earlier through unsanitized rename operations at /editor/elfinder/php/connector.php. Vendor patches available via GitHub commits 02661be, 507d55c, and 17e4f94. CVSS 7.1 with low attack complexity and low privileges required. No public exploitation confirmed (SSVC: exploitation=none), but attack is not automatable per CISA framework.

RCE PHP XSS Path Traversal Xerteonlinetoolkits
NVD GitHub VulDB
CVSS 4.0
7.1
EPSS
0.1%
CVE-2026-41459 MEDIUM POC PATCH This Month

Xerte Online Toolkits versions 3.15 and earlier expose the server-side filesystem root path through an unauthenticated GET request to the /setup page, allowing remote attackers to retrieve sensitive path information rendered in HTML responses. This information disclosure enables exploitation of path-dependent vulnerabilities such as relative path traversal in connector.php, potentially leading to unauthorized file access or further system compromise.

PHP Information Disclosure Path Traversal Xerteonlinetoolkits
NVD GitHub VulDB
CVSS 4.0
6.9
EPSS
0.0%
CVE-2026-41203 PHP CRITICAL PATCH GHSA Act Now

Remote code execution in ci4ms content management system allows authenticated backend users with theme creation permissions to write arbitrary PHP files via Zip Slip path traversal. A working proof-of-concept demonstrates uploading a malicious theme archive containing path-traversal entries (../../public/shell.php) that bypass extraction directory boundaries, placing executable code under the web root. Vendor-released patch available in version 0.31.5.0. No CISA KEV listing or EPSS data available, but publicly disclosed PoC significantly lowers exploitation barrier for attackers with valid credentials.

RCE PHP Python Path Traversal
NVD GitHub
CVSS 4.0
9.4
EPSS
0.4%
CVE-2026-41202 PHP CRITICAL PATCH GHSA Act Now

Remote code execution in ci4ms (CodeIgniter 4 Management System) versions prior to 0.31.5.0 allows authenticated backend users with backup creation permissions to write PHP webshells to the public web root via Zip Slip path traversal during backup restoration. The vulnerability is confirmed actively exploited (CISA KEV) with publicly available exploit code exists. CVSS 9.4 (Critical) aligns with the real-world risk, as exploitation requires only low-privilege authentication and the affected route is exempt from CSRF protection, enabling drive-by attacks against logged-in administrators. Vendor-released patch version 0.31.5.0 addresses the flaw by implementing path validation during ZIP extraction.

RCE PHP Python Path Traversal
NVD GitHub
CVSS 4.0
9.4
EPSS
0.4%
CVE-2026-32885 Go MEDIUM PATCH GHSA This Month

Path traversal in DDEV versions prior to 1.25.2 allows remote attackers to write files outside intended extraction directories when downloading and extracting archives from remote sources. The vulnerability affects the Untar() and Unzip() functions in pkg/archive/archive.go, which lack path validation during extraction. Exploitation requires user interaction (UI:R) to trigger archive extraction but can achieve high integrity impact through arbitrary file write. A proof-of-concept exists, and CISA SSVC framework rates this as exploitable with partial technical impact.

Node.js PHP Path Traversal
NVD GitHub VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2018-25270 CRITICAL POC Act Now

ThinkPHP 5.0.23 contains a remote code execution vulnerability that allows unauthenticated attackers to execute arbitrary PHP code by invoking functions through the routing parameter. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP Authentication Bypass RCE
NVD Exploit-DB GitHub
CVSS 4.0
9.3
EPSS
0.2%
CVE-2026-4138 MEDIUM This Month

Cross-Site Request Forgery (CSRF) in the DX Unanswered Comments WordPress plugin versions up to 1.7 allows unauthenticated attackers to modify critical plugin settings (authors list and comment count) by tricking a site administrator into clicking a malicious link, due to missing nonce validation in the settings form handler. The CVSS 4.3 score reflects low severity with integrity impact limited to plugin configuration rather than data or code execution, but successful exploitation could alter site functionality if an attacker controls which comments are flagged as unanswered.

PHP CSRF WordPress
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-4117 MEDIUM This Month

Authenticated users with Subscriber-level access can modify the CalJ Shabbat Times plugin's API key and clear its cache due to missing authorization checks in the CalJSettingsPage class constructor. The vulnerability affects all versions up to and including 1.5, with no special network or interaction requirements beyond valid WordPress authentication. While CVSS 5.3 reflects moderate integrity impact, the practical risk depends on whether WordPress sites allow Subscriber-level registrations and whether the plugin's API key provides sensitive access to external services.

PHP Authentication Bypass WordPress
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-4132 HIGH This Week

Arbitrary file write in HTTP Headers plugin for WordPress versions ≤1.19.2 enables authenticated administrators to achieve remote code execution by manipulating htpasswd file path configuration and injecting PHP code via unsanitized username input. Administrators can set a malicious file path (e.g., webroot/shell.php) through 'hh_htpasswd_path' option and inject executable code via the 'hh_www_authenticate_user' field, which is written directly to disk without validation. Wordfence disclosure includes direct source code references showing the vulnerable apache_auth_credentials() and update_auth_credentials() functions. No public exploit code or active exploitation confirmed at time of analysis.

PHP WordPress RCE
NVD
CVSS 3.1
7.2
EPSS
0.3%
CVE-2026-4121 MEDIUM This Month

The Kcaptcha WordPress plugin versions up to 1.0.1 fails to validate nonces on the settings page, allowing unauthenticated attackers to modify CAPTCHA configuration (enable/disable on login, registration, lost password, and comment forms) via cross-site request forgery if a site administrator can be tricked into clicking a malicious link. The vulnerability requires user interaction (administrator click) but carries a CVSS score of 4.3 with integrity impact; no public exploit code or active exploitation has been identified at the time of analysis.

PHP CSRF WordPress
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-4074 MEDIUM This Month

Stored Cross-Site Scripting in the Quran Live Multilanguage WordPress plugin versions up to 1.0.3 allows authenticated attackers with Contributor-level access to inject arbitrary JavaScript via unsanitized shortcode attributes ('cheikh' and 'lang'). The vulnerability exploits insufficient input validation in the quran_live_render() function and direct output of user-supplied values into inline <script> blocks without escaping, enabling injection of arbitrary web scripts that execute whenever a user accesses the compromised page.

XSS WordPress PHP
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-4142 MEDIUM This Month

Stored cross-site scripting in the Sentence To SEO WordPress plugin (versions up to 1.0) allows authenticated administrators to inject arbitrary JavaScript into the plugin settings page via the 'Permanent keywords' field. The vulnerability stems from insufficient input sanitization and output escaping, enabling attackers to break out of a textarea element and inject malicious scripts that execute when other users access the settings page. This requires administrator-level privileges and does not affect unauthenticated users.

XSS WordPress PHP
NVD
CVSS 3.1
4.4
EPSS
0.0%
CVE-2026-4128 MEDIUM This Month

TP Restore Categories And Taxonomies WordPress plugin versions up to 1.0.1 lack capability checks in the delete_term() AJAX handler, allowing authenticated Subscriber-level users to permanently delete taxonomy terms from backup tables by reusing a nonce exposed to all authenticated users. The vulnerability bypasses authorization despite nonce validation, enabling low-privileged attackers to cause data loss via a simple crafted AJAX request.

PHP Authentication Bypass WordPress
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-4131 MEDIUM This Month

WP Responsive Popup + Optin plugin for WordPress versions up to 1.4 is vulnerable to Cross-Site Request Forgery (CSRF) allowing unauthenticated attackers to modify all plugin settings, including the 'wpo_image_url' parameter, by tricking site administrators into clicking a malicious link. The vulnerability exists because the settings form in wpo_admin_page.php lacks WordPress nonce generation and verification functions. Exploitation requires administrator interaction but can alter critical plugin configuration with broader impact across the site.

PHP CSRF WordPress
NVD
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-41062 PHP MEDIUM This Month

WWBN AVideo is an open source video platform. In versions 29.0 and below, the directory traversal fix introduced in commit 2375eb5e0 for `objects/aVideoEncoderReceiveImage.json.php` only checks the URL path component (via `parse_url($url, PHP_URL_PATH)`) for `..` sequences. However, the downstream function `try_get_contents_from_local()` in `objects/functionsFile.php` uses `explode('/videos/', $url)` on the **full URL string** including the query string. An attacker can place the `/videos/../../` traversal payload in the query string to bypass the security check and read arbitrary files from the server filesystem. Commit bd11c16ec894698e54e2cdae25026c61ad1ed441 contains an updated fix.

PHP Path Traversal
NVD GitHub
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-41061 PHP MEDIUM This Month

WWBN AVideo is an open source video platform. In versions 29.0 and below, the `isValidDuration()` regex at `objects/video.php:918` uses `/^[0-9]{1,2}:[0-9]{1,2}:[0-9]{1,2}/` without a `$` end anchor, allowing arbitrary HTML/JavaScript to be appended after a valid duration prefix. The crafted duration is stored in the database and rendered without HTML escaping via `echo Video::getCleanDuration()` on trending pages, playlist pages, and video gallery thumbnails, resulting in stored cross-site scripting. Commit bcba324644df8b4ed1f891462455f1cd26822a45 contains a fix.

XSS PHP
NVD GitHub
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-41060 PHP HIGH GHSA This Week

WWBN AVideo is an open source video platform. In versions 29.0 and below, the `isSSRFSafeURL()` function in `objects/functions.php` contains a same-domain shortcircuit (lines 4290-4296) that allows any URL whose hostname matches `webSiteRootURL` to bypass all SSRF protections. Because the check compares only the hostname and ignores the port, an attacker can reach arbitrary ports on the AVideo server by using the site's public hostname with a non-standard port. The response body is saved to a web-accessible path, enabling full exfiltration. Commit a0156a6398362086390d949190f9d52a823000ba fixes the issue.

PHP SSRF
NVD GitHub
CVSS 3.1
7.7
EPSS
0.0%
CVE-2026-41057 PHP HIGH GHSA This Week

WWBN AVideo is an open source video platform. In versions 29.0 and below, the CORS origin validation fix in commit `986e64aad` is incomplete. Two separate code paths still reflect arbitrary `Origin` headers with credentials allowed for all `/api/*` endpoints: (1) `plugin/API/router.php` lines 4-8 unconditionally reflect any origin before application code runs, and (2) `allowOrigin(true)` called by `get.json.php` and `set.json.php` reflects any origin with `Access-Control-Allow-Credentials: true`. An attacker can make cross-origin credentialed requests to any API endpoint and read authenticated responses containing user PII, email, admin status, and session-sensitive data. Commit 5e2b897ccac61eb6daca2dee4a6be3c4c2d93e13 contains a fix.

PHP Information Disclosure
NVD GitHub
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-41056 PHP HIGH GHSA This Week

WWBN AVideo is an open source video platform. In versions 29.0 and below, the `allowOrigin($allowAll=true)` function in `objects/functions.php` reflects any arbitrary `Origin` header back in `Access-Control-Allow-Origin` along with `Access-Control-Allow-Credentials: true`. This function is called by both `plugin/API/get.json.php` and `plugin/API/set.json.php` - the primary API endpoints that handle user data retrieval, authentication, livestream credentials, and state-changing operations. Combined with the application's `SameSite=None` session cookie policy, any website can make credentialed cross-origin requests and read authenticated API responses, enabling theft of user PII, livestream keys, and performing state changes on behalf of the victim. Commit caf705f38eae0ccfac4c3af1587781355d24495e contains a fix.

PHP Cors Misconfiguration Information Disclosure
NVD GitHub
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-40935 PHP MEDIUM This Month

WWBN AVideo is an open source video platform. In versions 29.0 and prior, `objects/getCaptcha.php` accepts the CAPTCHA length (`ql`) directly from the query string with no clamping or sanitization, letting any unauthenticated client force the server to generate a 1-character CAPTCHA word. Combined with a case-insensitive `strcasecmp` comparison over a ~33-character alphabet and the fact that failed validations do NOT consume the stored session token, an attacker can trivially brute-force the CAPTCHA on any endpoint that relies on `Captcha::validation()` (user registration, password recovery, contact form, etc.) in at most ~33 requests per session. Commit bf1c76989e6a9054be4f0eb009d68f0f2464b453 contains a fix.

PHP Information Disclosure
NVD GitHub
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-40929 PHP MEDIUM This Month

WWBN AVideo is an open source video platform. In versions 29.0 and prior, `objects/commentDelete.json.php` is a state-mutating JSON endpoint that deletes comments but performs no CSRF validation. It does not call `forbidIfIsUntrustedRequest()`, does not verify a CSRF/global token, and does not check `Origin`/`Referer`. Because AVideo intentionally sets `session.cookie_samesite=None` (to support cross-origin embed players), a cross-site request from any attacker-controlled page automatically carries the victim's `PHPSESSID`. Any authenticated victim who has authority to delete one or more comments (site moderators, video owners, and comment authors) can be tricked into deleting comments en masse simply by visiting an attacker page. Commit 184f36b1896f3364f864f17c1acca3dd8df3af27 contains a fix.

PHP CSRF
NVD GitHub
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-40928 PHP MEDIUM This Month

WWBN AVideo is an open source video platform. In versions 29.0 and prior, multiple AVideo JSON endpoints under `objects/` accept state-changing requests via `$_REQUEST`/`$_GET` and persist changes tied to the caller's session user, without any anti-CSRF token, origin check, or referer check. A malicious page visited by a logged-in victim can silently cast/flip the victim's like/dislike on any comment (`objects/comments_like.json.php`), post a comment authored by the victim on any video, with attacker-chosen text (`objects/commentAddNew.json.php`), and/or delete assets from any category (`objects/categoryDeleteAssets.json.php`) when the victim has category management rights. Each endpoint is reachable from a browser via a simple `<img src="…">` tag or form submission, so exploitation only requires the victim to load an attacker-controlled HTML resource. Commit 7aaad601bd9cd7b993ba0ee1b1bea6c32ee7b77c contains a fix.

PHP CSRF
NVD GitHub
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-40926 PHP HIGH GHSA This Week

WWBN AVideo is an open source video platform. In versions 29.0 and prior, three admin-only JSON endpoints - `objects/categoryAddNew.json.php`, `objects/categoryDelete.json.php`, and `objects/pluginRunUpdateScript.json.php` - enforce only a role check (`Category::canCreateCategory()` / `User::isAdmin()`) and perform state-changing actions against the database without calling `isGlobalTokenValid()` or `forbidIfIsUntrustedRequest()`. Peer endpoints in the same directory (`pluginSwitch.json.php`, `pluginRunDatabaseScript.json.php`) do enforce the CSRF token, so the missing checks are an omission rather than a design choice. An attacker who lures a logged-in admin to a malicious page can create, update, or delete categories and force execution of any installed plugin's `updateScript()` method in the admin's session. Commit ee5615153c40628ab3ec6fe04962d1f92e67d3e2 contains a fix.

PHP CSRF
NVD GitHub
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-41304 PHP HIGH GHSA This Week

Remote code execution in AVideo versions 29.0 and below allows unauthenticated attackers to execute arbitrary shell commands on the server via command injection in the CloneSite plugin's cloneServer.json.php endpoint. Attackers exploit unsanitized user input in the 'url' parameter that gets directly concatenated into a wget command executed through PHP's exec() function. With CVSS 8.9 (AV:N/AC:L/PR:N/UI:N) and proof-of-concept exploitation confirmed (E:P), this represents a critical risk requiring immediate patching. Fix available in commit 473c609fc2defdea8b937b00e86ce88eba1f15bb.

PHP Command Injection RCE
NVD GitHub
CVSS 4.0
8.9
EPSS
1.3%
CVE-2026-41064 PHP CRITICAL GHSA Act Now

Remote code execution in WWBN AVideo up to version 29.0 allows unauthenticated attackers to execute arbitrary system commands via unsanitized URL parameters in test.php. This vulnerability stems from an incomplete fix that sanitized wget calls but left file_get_contents and curl code paths exploitable through regex bypass (accepting strings like 'httpevil[.]com'). CVSS 9.3 with Critical scope change reflects the severity. Upstream fix available in commit 78bccae but no tagged release version confirmed at time of analysis. EPSS data not provided; no CISA KEV listing identified.

PHP Command Injection
NVD GitHub VulDB
CVSS 3.1
9.3
EPSS
0.0%
CVE-2026-40925 PHP HIGH GHSA This Week

WWBN AVideo is an open source video platform. In versions 29.0 and prior, `objects/configurationUpdate.json.php` (also routed via `/updateConfig`) persists dozens of global site settings from `$_POST` but protects the endpoint only with `User::isAdmin()`. It does not call `forbidIfIsUntrustedRequest()`, does not verify a `globalToken`, and does not validate the Origin/Referer header. Because AVideo intentionally sets `session.cookie_samesite=None` to support cross-origin iframe embedding, a logged-in administrator who visits an attacker-controlled page will have the browser auto-submit a cross-origin POST that rewrites the site's encoder URL, SMTP credentials, site `<head>` HTML, logo, favicon, contact email, and more in a single request. Commit f9492f5e6123dff0292d5bb3164fde7665dc36b4 contains a fix.

PHP CSRF
NVD GitHub VulDB
CVSS 3.1
8.3
EPSS
0.0%
CVE-2026-40909 PHP HIGH GHSA This Week

Path traversal in WWBN AVideo 29.0 and earlier allows authenticated administrators (or CSRF-tricked admins) to write arbitrary PHP files anywhere on the server filesystem, achieving remote code execution. The locale save endpoint fails to sanitize the 'flag' parameter used in file path construction and lacks CSRF protection despite SameSite=None cookies, enabling straightforward exploitation by lower-privilege attackers who chain CSRF against admin sessions. Upstream fix committed to GitHub (57f89ffb) but released patched version not independently confirmed. CVSS 8.7 reflects high impact but requires privileged access - real-world risk depends heavily on admin session hijacking opportunities.

PHP Path Traversal CSRF RCE
NVD GitHub
CVSS 3.1
8.7
EPSS
0.1%
CVE-2026-40908 PHP MEDIUM This Month

WWBN AVideo is an open source video platform. In versions 29.0 and prior, the file `git.json.php` at the web root executes `git log -1` and returns the full output as JSON to any unauthenticated user. This exposes the exact deployed commit hash (enabling version fingerprinting against known CVEs), developer names and email addresses (PII), and commit messages which may contain references to internal systems or security fixes. As of time of publication, no known patched versions are available.

PHP Information Disclosure
NVD GitHub
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-40907 PHP MEDIUM This Month

WWBN AVideo is an open source video platform. In versions 29.0 and prior, the endpoint `plugin/Live/view/Live_restreams/list.json.php` contains an Insecure Direct Object Reference (IDOR) vulnerability that allows any authenticated user with streaming permission to retrieve other users' live restream configurations, including third-party platform stream keys and OAuth tokens (access_token, refresh_token) for services like YouTube Live, Facebook Live, and Twitch. Commit d5992fff2811df4adad1d9fc7d0a5837b882aed7 fixes the issue.

PHP Authentication Bypass
NVD GitHub
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-40569 CRITICAL PATCH Act Now

Mass assignment vulnerability in FreeScout versions before 1.8.213 allows authenticated administrators to covertly exfiltrate all outgoing emails and inject malicious content into email communications. By exploiting unfiltered parameter binding in mailbox connection settings endpoints, an attacker with admin credentials can silently set auto_bcc to forward copies of every outgoing email, redirect SMTP traffic through attacker-controlled servers, inject tracking pixels or phishing links into signatures, and enable malicious auto-replies-all invisible to other administrators. The CVSS score of 9.0 reflects high confidentiality and integrity impact with changed scope, though exploitation requires high-privilege (admin) access. No public exploit code or CISA KEV listing identified, but the vulnerability is particularly dangerous in multi-admin deployments and when combined with session compromise vectors like XSS (noted in tags), as it provides persistent email surveillance beyond initial access.

PHP Authentication Bypass XSS
NVD GitHub
CVSS 3.1
9.0
EPSS
0.0%
CVE-2026-40568 HIGH PATCH This Week

Stored cross-site scripting in FreeScout versions prior to 1.8.213 allows authenticated users with mailbox signature permissions to inject arbitrary JavaScript that executes automatically whenever any agent or administrator opens a conversation in the affected mailbox. The vulnerability stems from inadequate HTML sanitization (blocklisting only four tags: script, form, iframe, object) that permits event handlers on elements like <img>, <svg>, and <details>. Exploitation requires only low-privilege authenticated access (ACCESS_PERM_SIGNATURE permission) and triggers without user interaction (CVSS UI:N), enabling session hijacking under certain CSP bypass conditions, phishing overlays, email exfiltration via mass assignment, and self-propagating worm behavior across all mailboxes. EPSS data not provided; no public exploit code or CISA KEV listing identified at time of analysis. Vendor-released patch available in version 1.8.213.

XSS PHP
NVD GitHub
CVSS 3.1
8.5
EPSS
0.0%
CVE-2026-40566 MEDIUM PATCH This Month

Server-Side Request Forgery (SSRF) in FreeScout versions before 1.8.213 allows authenticated administrators to probe internal networks and fingerprint services via unvalidated IMAP and SMTP connection test functionality. Three AJAX actions in MailboxesController pass attacker-controlled server hostnames and ports directly to fsockopen() and protocol clients without IP validation, hostname restrictions, or internal-range blocklists, enabling port scanning and service banner disclosure through IMAP debug logs and AJAX responses. The vulnerability requires admin authentication but affects confidentiality of internal infrastructure.

PHP SSRF
NVD GitHub
CVSS 3.1
4.1
EPSS
0.0%
CVE-2026-40565 MEDIUM PATCH This Month

Stored cross-site scripting (XSS) in FreeScout prior to version 1.8.213 allows remote attackers to inject arbitrary HTML attributes into email message bodies by embedding unescaped double-quote characters in URLs. When the linkify() function converts plain-text URLs to anchor tags without proper escaping, attackers can break out of the href attribute and inject malicious JavaScript or event handlers. This requires user interaction (UI:R) to view a crafted email, but once viewed, the injected script executes in the context of the victim's session with potential for account compromise or data theft.

XSS PHP
NVD GitHub
CVSS 3.1
6.1
EPSS
0.0%
CVE-2025-41011 MEDIUM This Month

HTML injection vulnerability in PHP Point of Sale v19.4 allows unauthenticated remote attackers to render arbitrary HTML in victims' browsers via the '/reports/generate/specific_customer' endpoint, affecting the 'start_date_formatted' and 'end_date_formatted' parameters. User interaction is required (victim must visit a crafted link), limiting impact to stored/reflected XSS scenarios. No public exploit code or active exploitation has been confirmed at the time of analysis.

XSS PHP
NVD
CVSS 4.0
5.1
EPSS
0.0%
CVE-2025-41029 CRITICAL PATCH Act Now

SQL injection in Zeon Academy Pro allows remote unauthenticated attackers to execute arbitrary SQL commands via the 'phonenumber' parameter in /private/continue-upload.php, enabling full database compromise including data exfiltration, modification, and deletion. The vulnerability is exploitable over the network without authentication (CVSS:4.0 9.3 Critical, AV:N/PR:N), representing a complete compromise of database confidentiality and integrity. Patch available from vendor per INCIBE-CERT advisory, though specific fixed version not disclosed in public references.

PHP SQLi
NVD
CVSS 4.0
9.3
EPSS
0.0%
CVE-2025-10354 MEDIUM PATCH This Month

Reflected cross-site scripting (XSS) in Semantic MediaWiki 5.0.2 allows unauthenticated remote attackers to inject malicious JavaScript via the '/index.php/Speciaal:GefacetteerdZoeken' endpoint parameter. A victim visiting an attacker-crafted URL executes arbitrary JavaScript in their browser, enabling session cookie theft or unauthorized actions on behalf of the user. User interaction (clicking the link) is required. No public exploit code or active exploitation has been identified at time of analysis.

XSS PHP
NVD
CVSS 4.0
5.1
EPSS
0.0%
CVE-2026-30452 MEDIUM This Month

Textpattern CMS 4.9.0 allows authenticated low-privilege users to modify articles owned by higher-privilege users by manipulating the article ID parameter in the duplicate-and-save workflow, bypassing authorization checks in the article management system. The vulnerability affects only authenticated users with existing CMS access and requires no user interaction or special network access. No public exploit code or active exploitation has been identified, though the EPSS score of 0.02% suggests minimal real-world attack probability despite the moderate CVSS 6.5 score.

PHP Authentication Bypass
NVD GitHub VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-31019 PHP HIGH GHSA This Week

Remote code execution in Dolibarr ERP 22.0.4 and earlier allows authenticated users with PHP content editing permissions to execute arbitrary OS commands on the server. The vulnerability stems from a bypassable blacklist-based filter for dangerous PHP functions in the Website module. Attack complexity is low (CVSS AV:N/AC:L/PR:L), requiring only valid low-privilege credentials. Public proof-of-concept code exists on GitHub, though CISA has not confirmed active exploitation. EPSS data is unavailable, but SSVC assessment indicates total technical impact with no current exploitation evidence.

PHP Command Injection RCE N A
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-31018 PHP HIGH GHSA This Week

Authenticated users with restricted HTML/JavaScript editing permissions in Dolibarr ERP & CRM 22.0.4 and earlier can escalate privileges to execute arbitrary PHP code via the Website module. The vulnerability exploits inconsistent permission enforcement across input parameters during website page creation, allowing low-privileged authenticated users to bypass intended restrictions and inject PHP code. Public proof-of-concept exists on GitHub (PhDg1410), though no active exploitation is confirmed by CISA KEV. EPSS data unavailable, but the CVSS 8.8 score reflects high impact across confidentiality, integrity, and availability when exploited by authenticated insiders or compromised accounts.

PHP Code Injection RCE N A
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-37748 HIGH This Week

Remote code execution in Visitor Management System 1.0 allows authenticated administrators to upload PHP webshells via two unvalidated file upload endpoints (admin_user_insert.php and update_1.php). The move_uploaded_file() function lacks MIME type, extension, and content validation, enabling direct server compromise. Public proof-of-concept exists (SSVC exploitation: POC). EPSS data not available, but the combination of network-accessible attack vector (AV:N) and total technical impact (SSVC) against a specific niche product suggests targeted exploitation risk rather than widespread automated attacks.

PHP File Upload RCE
NVD GitHub
CVSS 3.1
7.2
EPSS
0.1%
CVE-2026-6249 HIGH PATCH This Week

Remote code execution in Vvveb CMS 1.0.8 allows authenticated attackers with low privileges to upload PHP webshells disguised with .phtml extensions, bypassing file type restrictions to achieve full server compromise. The vulnerability stems from inadequate file upload validation in the media handler, enabling malicious files in publicly accessible directories. Upstream fix available via GitHub commit; EPSS data unavailable, no CISA KEV listing at time of analysis.

PHP File Upload RCE
NVD GitHub VulDB
CVSS 4.0
8.7
EPSS
0.1%
CVE-2026-5478 HIGH This Week

Path traversal in Everest Forms (WordPress plugin) allows unauthenticated attackers to read and delete arbitrary files on the server through malicious form submissions containing crafted old_files parameters. Vulnerable versions ≤3.4.4 use regex-based path resolution without canonicalization, enabling attackers to traverse directories, exfiltrate wp-config.php via email attachments (exposing database credentials and authentication salts), and trigger automatic deletion of targeted files post-email. CVSS 8.1 (AV:N/AC:H) reflects the remote vector with high attack complexity. EPSS and KEV status not provided; proof-of-concept details available in Wordfence advisory and plugin source code references.

PHP Denial Of Service Path Traversal WordPress
NVD VulDB
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-6257 CRITICAL Act Now

Remote code execution in Vvveb CMS v1.0.8 allows authenticated administrators to execute arbitrary system commands as www-data via a two-stage file upload attack. Attackers exploit a logic flaw in the media management file rename handler that fails to block .php and .htaccess extensions, enabling MIME type manipulation followed by PHP code execution. VulnCheck published an advisory and GitHub commit 6fb8eaa confirms upstream fix. No EPSS data available; no active exploitation confirmed at time of analysis.

Apache File Upload RCE PHP
NVD GitHub VulDB
CVSS 4.0
9.2
EPSS
0.2%
CVE-2026-6248 HIGH This Week

Arbitrary file deletion in wpForo Forum plugin versions ≤3.0.5 allows authenticated attackers with subscriber-level privileges to delete critical WordPress files including wp-config.php, enabling remote code execution. The vulnerability chains two flaws: unvalidated file paths in custom profile fields and insufficient path sanitization before file deletion. Exploitation requires the wpForo User Custom Fields addon with at least one file-type custom field configured. CVSS 8.1 (High) with network attack vector, low complexity, and low privilege requirements. EPSS data and active exploitation status not available in current intelligence.

PHP Path Traversal WordPress RCE
NVD VulDB
CVSS 3.1
8.1
EPSS
0.4%
CVE-2026-25524 PHP HIGH PATCH GHSA This Week

Remote code execution in OpenMage Magento LTS versions prior to 20.17.0 allows unauthenticated attackers to execute arbitrary code by uploading malicious phar archives disguised as images and triggering PHP deserialization via phar:// stream wrappers. The attack requires high complexity (AC:H) to exploit successfully. EPSS data not available, but exploitation requires specific conditions around file upload and path manipulation. Vendor patch available in version 20.17.0, confirmed by GitHub security advisory GHSA-fg79-cr9c-7369.

PHP Adobe Deserialization RCE
NVD GitHub
CVSS 3.1
8.1
EPSS
0.1%
CVE-2026-6652 LOW POC Monitor

Improper neutralization of directives in dynamically evaluated code in Pagekit CMS up to version 1.0.18 allows high-privileged remote attackers to inject and execute arbitrary PHP code through the StringStorage Template Handler's evaluate function in app/modules/view/src/PhpEngine.php. The vulnerability requires administrator-level access but enables information disclosure, code injection, and potential system compromise. Publicly available exploit code exists; the vendor has not responded to disclosure efforts.

PHP Information Disclosure Code Injection
NVD VulDB
CVSS 4.0
2.0
EPSS
0.0%
CVE-2026-39918 CRITICAL PATCH Act Now

Remote code execution in Vvveb CMS versions prior to 1.0.8.1 allows unauthenticated attackers to inject arbitrary PHP code through the installation endpoint's subdir parameter, which is written directly into env.php without sanitization. The vulnerability enables complete system compromise as the web server user with no authentication required. Publicly available patch exists (version 1.0.8.1) with detailed fix commit reference.

PHP Code Injection RCE Vvveb
NVD GitHub VulDB
CVSS 4.0
9.2
EPSS
0.2%
CVE-2026-6650 LOW POC Monitor

Z-BlogPHP 1.7.5 allows authenticated remote attackers with administrative privileges to upload arbitrary files via the App::UnPack function in the ZBA File Handler component (/zb_users/plugin/AppCentre/app_upload.php), bypassing file upload restrictions and potentially enabling remote code execution. Public exploit code exists, and the vendor has not responded to early disclosure attempts.

PHP File Upload
NVD VulDB GitHub
CVSS 4.0
2.0
EPSS
0.0%
CVE-2026-6633 LOW POC Monitor

Stored cross-site scripting (XSS) in Yifang CMS up to version 2.0.5 allows authenticated attackers to inject malicious scripts via the Account parameter in the Extended Management Module's RBAC admin component, affecting stored data integrity with user interaction required. The vulnerability has publicly available proof-of-concept code, though the CVSS score of 3.5 reflects its limited scope (no confidentiality or availability impact, information disclosure only). The vendor has not responded to early disclosure efforts.

XSS PHP
NVD VulDB GitHub
CVSS 4.0
2.0
EPSS
0.0%
CVE-2026-6602 MEDIUM POC This Month

Unrestricted file upload in rickxy Hospital Management System allows remote unauthenticated attackers to upload malicious files via the /backend/admin/his_admin_account.php endpoint, leading to potential remote code execution, data exfiltration, or system compromise. Public exploit code exists (GitHub), significantly lowering exploitation barrier. The product uses rolling releases with no fixed versioning, complicating patch tracking. CVSS 7.3 with EPSS not provided, but publicly available POC elevates real-world risk.

PHP File Upload
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-6595 MEDIUM POC This Month

SQL injection in ProjectsAndPrograms School Management System allows remote unauthenticated attackers to compromise database confidentiality, integrity, and availability via the bus_id parameter in buslocation.php. The vulnerability affects all versions up to commit 6b6fae5, with publicly available exploit code (EPSS not provided). Vendor was notified but did not respond, leaving the product vulnerable at time of analysis. The rolling release model means no fixed version number exists.

PHP SQLi
NVD VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-39112 MEDIUM This Month

Stored cross-site scripting (XSS) in Apartment Visitors Management System v1.1 allows authenticated attackers to inject malicious JavaScript via the visname parameter in visitors-form.php, which executes when other users view the injected data in manage-newvisitors.php or visitor-detail.php. The vulnerability requires user interaction (victim visiting affected pages) and valid authentication but can escalate privileges, steal session tokens, or perform actions on behalf of administrative users viewing visitor records.

XSS PHP
NVD GitHub VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-39109 CRITICAL Act Now

SQL injection in Apartment Visitors Management System V1.1's login form allows remote unauthenticated attackers to bypass authentication and extract database contents via the username parameter. The vulnerability scores 9.4 CVSS with network attack vector and low complexity. Public exploit code exists (SSVC confirms POC status), making this immediately exploitable. EPSS data unavailable, but SSVC framework rates it as automatable with partial technical impact, indicating high practical risk for internet-exposed installations.

PHP SQLi N A
NVD GitHub VulDB
CVSS 3.1
9.4
EPSS
0.2%
EPSS 0% CVSS 2.1
LOW POC Monitor

SQL injection in code-projects Employee Management System 1.0 allows authenticated remote attackers to manipulate the id and token parameters in 370project/approve.php, enabling unauthorized database queries with low confidentiality, integrity, and availability impact. Publicly available exploit code exists and CVSS score of 6.3 reflects the attack's network accessibility despite requiring low-level authentication.

PHP SQLi
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

Cross-site scripting (XSS) in code-projects Employee Management System 1.0 allows remote attackers to inject malicious scripts via manipulation of the file 370project/mark.php. The vulnerability requires user interaction (UI:R) but can be exploited over the network without authentication. Publicly available exploit code exists and the flaw has moderate impact on integrity (CVSS 4.3).

PHP XSS
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

SQL injection in code-projects Employee Management System 1.0 allows authenticated remote attackers to manipulate the ID argument in 370project/delete.php, leading to unauthorized database queries with limited confidentiality and integrity impact. Publicly available exploit code exists; CVSS 5.3 reflects moderate risk limited by authentication requirement and restricted data access scope.

PHP SQLi
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

SQL injection in code-projects Employee Management System 1.0 allows authenticated remote attackers to execute arbitrary SQL queries via the ID parameter in 370project/edit.php, potentially leading to unauthorized data access or modification. The vulnerability requires valid user credentials (PR:L per CVSS vector) and has publicly available exploit code; however, the limited scope (VC:L, VI:L, VA:L) and requirement for authentication reduce real-world risk compared to the base CVSS score of 5.3.

PHP SQLi
NVD VulDB GitHub
EPSS 0% CVSS 2.9
LOW Monitor

Weak cryptographic hash usage in code-projects Chat System 1.0 allows remote attackers to compromise password security through the MD5 Hash Handler in update_user.php. The vulnerability stems from use of MD5 for password hashing, a cryptographically broken algorithm that enables rapid offline cracking of password hashes. Publicly disclosed exploit code exists, though exploitation requires high attack complexity. The vulnerability impacts password confidentiality with low direct severity but creates substantial downstream risks for user account compromise.

PHP Information Disclosure
NVD GitHub VulDB
EPSS 0% CVSS 2.1
LOW POC Monitor

Reflected cross-site scripting (XSS) in code-projects Employee Management System 1.0 allows remote unauthenticated attackers to inject malicious scripts via the ID parameter in 370project/edit.php. The vulnerability requires user interaction (link click) but has publicly available exploit code and a moderate CVSS score of 4.3, indicating limited but real integrity impact through client-side script execution.

PHP XSS
NVD VulDB GitHub
EPSS 0% CVSS 1.9
LOW POC Monitor

Stored cross-site scripting (XSS) in code-projects Chat System 1.0 allows high-privilege remote attackers to inject malicious scripts via the msg parameter in /admin/send_message.php, affecting the Chat Interface component. The vulnerability requires admin-level authentication and user interaction (viewing the crafted message), but publicly available exploit code exists and the issue is actively being leveraged. With a CVSS score of 2.4, the impact is limited to integrity violations with no confidentiality or availability loss, but the presence of public POC and active exploitation elevates practical risk despite low severity metrics.

PHP XSS
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

Cross-site scripting (XSS) vulnerability in code-projects Home Service System 1.0 allows remote attackers to inject malicious scripts via the fname and lname parameters in the /booking.php Appointment Booking component. User interaction is required for exploitation. A public exploit is available, and the vulnerability carries moderate risk (CVSS 4.3) with integrity impact through malicious script execution in victim browsers.

PHP XSS
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in SourceCodester Pharmacy Sales and Inventory System 1.0 allows remote unauthenticated attackers to execute arbitrary SQL commands via the ID parameter in /ajax.php?action=save_receiving. Publicly available exploit code (GitHub PoC) enables immediate weaponization. CVSS 7.3 reflects network-accessible attack with no authentication required, enabling confidentiality/integrity/availability impact across database operations. EPSS data not provided, but public exploit availability significantly elevates real-world risk for unpatched installations of this open-source PHP application.

PHP SQLi
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in SourceCodester Pharmacy Sales and Inventory System 1.0 allows remote unauthenticated attackers to extract, modify, or delete database contents via the ID parameter in /ajax.php?action=save_sales endpoint. Publicly available exploit code exists (GitHub POC), enabling low-complexity attacks with no authentication barriers. EPSS data not available, but public exploit significantly lowers attacker skill threshold. CVSS 7.3 reflects network-exploitable vulnerability with moderate confidentiality, integrity, and availability impacts.

PHP SQLi
NVD VulDB GitHub
EPSS 0% CVSS 2.0
LOW Monitor

SQL injection in likeadmin_php up to version 1.9.6 allows high-privilege remote attackers to manipulate SQL queries through the queryResult function in the dataTable Admin API component, potentially exposing or modifying sensitive database content. Public exploit code exists and the vendor has not yet responded to early notification, elevating risk despite the CVSS score of 5.1 reflecting high-privilege authentication requirements.

PHP SQLi
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in itsourcecode Courier Management System 1.0 via the ID parameter in /edit_parcel.php allows remote unauthenticated attackers to query, modify, or delete database contents. The CVSS 6.9 score reflects low confidentiality and integrity impact; however, the vulnerability is remotely exploitable with no authentication required and publicly available exploit code exists, making it a practical attack vector against exposed instances.

PHP SQLi
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in itsourcecode Courier Management System 1.0 allows remote unauthenticated attackers to execute arbitrary SQL commands via manipulation of the ID parameter in /edit_branch.php. The vulnerability has publicly disclosed exploit code available and affects confidentiality, integrity, and availability of the underlying database.

PHP SQLi
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in itsourcecode Construction Management System 1.0 allows remote unauthenticated attackers to manipulate the address parameter in /locations.php, enabling arbitrary database queries with confidentiality and integrity impact. Publicly available exploit code exists, increasing real-world risk despite the moderate CVSS score of 6.9.

PHP SQLi
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in itsourcecode Construction Management System 1.0 allows remote unauthenticated attackers to manipulate the code parameter in /execute1.php, enabling database query manipulation and potential data exfiltration or modification. Publicly available exploit code exists, increasing real-world risk despite the moderate CVSS score of 6.9.

PHP SQLi
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in itsourcecode Construction Management System 1.0 via the code parameter in /execute.php allows remote unauthenticated attackers to execute arbitrary SQL queries and potentially access or modify database contents. The vulnerability has a publicly available exploit and is confirmed to have a low confidentiality, integrity, and availability impact according to CVSS v4.0 scoring.

PHP SQLi
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

Remote SQL injection in CodePanda Source canteen_management_system 1.0 allows unauthenticated attackers to manipulate the Username parameter in /api/login.php, enabling arbitrary database queries. Public exploit code is available. The vulnerability affects confidentiality and integrity with low impact scope, making it a practical attack vector for credential harvesting or data exfiltration from the canteen management database.

PHP SQLi
NVD VulDB GitHub
EPSS 0% CVSS 6.5
MEDIUM This Month

SQL Injection vulnerability exists in Sourcecodester Online Job Portal phppdo 1.0 ivia the category parameter in /jobportal/index.php. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SQLi PHP
NVD
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in code-projects Employee Management System 1.0 allows remote unauthenticated attackers to extract, modify, or delete database contents via the pwd parameter in /370project/process/eprocess.php. CVSS 7.3 (High) with network vector and no prerequisites. Publicly available exploit code exists on GitHub, enabling immediate weaponization. No vendor-released patch identified at time of analysis. EPSS data unavailable; not listed in CISA KEV, suggesting targeted rather than widespread exploitation despite public POC.

PHP SQLi
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

Unrestricted file upload in GreenCMS up to version 2.3 allows authenticated remote attackers to upload arbitrary files via the themeadd function in the custom admin module, potentially enabling remote code execution or content manipulation. Publicly available exploit code exists and the vulnerability affects only end-of-life versions of the product.

PHP File Upload
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

Unrestricted file upload in GreenCMS up to version 2.3 via the pluginAddLocal function in /index.php?m=admin&c=custom&a=pluginadd allows authenticated remote attackers to upload arbitrary files, leading to potential remote code execution. The vulnerability affects only unsupported legacy versions. Publicly available exploit code exists, and the CVSS vector confirms network-accessible exploitation requiring low privileges.

PHP File Upload
NVD VulDB GitHub
EPSS 0% CVSS 2.0
LOW POC Monitor

SQL injection in CodeAstro Online Job Portal 1.0 allows authenticated admin users to manipulate the ID parameter in /admin/jobs-admins/delete-jobs.php, enabling remote SQL injection attacks against the database. The vulnerability requires high-level admin privileges (PR:H) but has a publicly available exploit and low attack complexity (AC:L), permitting remote attackers with admin access to read, modify, or delete sensitive database records. Exploitation is confirmed by public proof-of-concept code.

PHP SQLi
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

Server-side request forgery in Typecho's Pingback Service (versions up to 1.3.0) allows remote unauthenticated attackers to force the server to make arbitrary HTTP requests to internal or external resources. The vulnerability resides in Service::sendPingHandle() function where attacker-controlled X-Pingback and link parameters bypass validation. Public exploit code exists (documented in researcher blog post), enabling immediate weaponization. CVSS 7.3 reflects network-accessible attack with no authentication required. EPSS data not available, but public POC significantly elevates real-world risk. Vendor non-responsive to early disclosure.

PHP SSRF
NVD VulDB
EPSS 0% CVSS 6.9
MEDIUM This Month

SQL injection in KLiK SocialMediaWebsite 1.0.1 and earlier allows remote unauthenticated attackers to execute arbitrary SQL commands via the c_id parameter in /includes/get_message_ajax.php. The vulnerability targets the private message handling component and permits unauthorized database access, modification, and potential data exfiltration. CVSS 7.3 reflects network-accessible, low-complexity exploitation requiring no authentication or user interaction, with partial impact to confidentiality, integrity, and availability. No public exploit code or CISA KEV listing identified at time of analysis, suggesting limited observed exploitation despite the accessible attack surface.

PHP SQLi
NVD VulDB
EPSS 0% CVSS 2.0
LOW POC Monitor

Server-side request forgery (SSRF) in Pagekit up to version 1.0.18 allows authenticated high-privilege administrators to manipulate the url parameter in the /index.php/admin/system/update/download endpoint, enabling them to force the server to make arbitrary HTTP requests to internal or external systems. Publicly available exploit code exists, and the vendor did not respond to early disclosure efforts.

PHP SSRF
NVD VulDB
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

SQL injection in ShowDoc API Page Sort Endpoint allows authenticated remote attackers to manipulate the pages parameter and execute arbitrary SQL queries with limited confidentiality, integrity, and availability impact. Affected versions include 2.10.10, 3.6.2, and 3.8.0; vendor has released patch v3.8.1 but explicitly stated no backports will be provided for older versions.

PHP SQLi
NVD VulDB GitHub
EPSS 0% CVSS 2.0
LOW POC Monitor

SQL injection in JiZhiCMS up to version 2.5.6 allows authenticated high-privileged administrators to execute arbitrary SQL queries via the sqls parameter in the /index.php/admins/Sys/addcache.html endpoint. The vulnerability is remotely exploitable and publicly available exploit code exists, though the low CVSS score (4.7) reflects the requirement for high-level administrative authentication, limiting real-world attack surface.

PHP SQLi
NVD VulDB GitHub
EPSS 0% CVSS 3.3
LOW PATCH Monitor

Kimai's Team API endpoints fail to validate entity-level ownership due to incorrect Symfony IsGranted attribute syntax, allowing users with the edit_team permission to modify any team regardless of membership. The vulnerability arises because API endpoints use #[IsGranted('edit_team')] instead of #[IsGranted('edit', 'team')], causing the TeamVoter to abstain and fall back to role-only permission checks. In default configurations this is unexploitable since only admins hold edit_team permission, but if administrators grant edit_team to lower-privilege roles (such as ROLE_TEAMLEAD) via the permissions UI, those users can modify team memberships, customer assignments, project assignments, and activity assignments for any team without authorization. No public exploit code or active exploitation has been identified.

PHP Authentication Bypass
NVD GitHub
EPSS 0% CVSS 4.3
MEDIUM This Month

HubSpot All-In-One Marketing plugin for WordPress (versions up to 11.3.32) exposes sensitive information via the class-adminconstants.php file, allowing authenticated users with Contributor-level access or higher to retrieve a complete list of installed plugins and their versions. This information disclosure enables reconnaissance for follow-on attacks targeting vulnerable plugins, though exploitation requires valid WordPress authentication and contributor-level privileges.

Information Disclosure PHP WordPress +1
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

Insecure Direct Object Reference in Booking Calendar Contact Form plugin for WordPress (all versions up to 1.2.63) allows authenticated attackers with Subscriber-level privileges to hijack other users' calendars and access associated user data by exploiting missing validation on user-controlled keys in the dex_bccf_admin_int_calendar_list.inc.php file. The CVSS score of 5.3 reflects network-accessible exploitation without user interaction, though the vulnerability requires valid WordPress authentication at Subscriber level or higher.

PHP WordPress Authentication Bypass
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

Unauthenticated attackers can modify the custom post type slug for the HM Books Gallery plugin in WordPress versions up to 4.8.0 by submitting a crafted POST request to the admin_init hook, bypassing all capability and nonce checks. This vulnerability allows modification of the 'wbg_cpt_slug' option without authentication, changing the URL structure for all book entries, breaking existing links, and degrading SEO rankings. No public exploit code or active exploitation has been identified at the time of analysis.

PHP WordPress Authentication Bypass
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Remote code execution in Drag and Drop File Upload for Contact Form 7 plugin (≤1.1.3) allows unauthenticated attackers to upload arbitrary PHP files via a sanitization bypass vulnerability. The flaw exploits a race condition where file extension validation occurs on unsanitized input while the file saves with a sanitized extension, enabling special characters like '$' to be stripped mid-process. Exploitability is constrained by .htaccess restrictions and filename randomization, reducing real-world risk despite the 8.1 CVSS score. EPSS data not available; no active exploitation or POC publicly confirmed at time of analysis.

PHP WordPress File Upload +1
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

ExactMetrics Google Analytics Dashboard for WordPress versions up to 9.1.2 allow authenticated subscribers to retrieve Google Ads access tokens and reset Google Ads integration settings through missing authorization checks in AJAX handlers. Although a nonce is verified, two AJAX endpoints (get_ads_access_token and reset_experience) lack the capability checks present in similar endpoints, enabling attackers with subscriber-level access to perform administrative actions. The CVSS vector (AV:N/AC:L/PR:N/UI:N) reflects network-accessible unauthenticated exploitation, but the description indicates authenticated subscriber access is required, creating a discrepancy between reported CVSS and actual attack prerequisites.

PHP Google Authentication Bypass +1
NVD
EPSS 0% CVSS 9.1
CRITICAL PATCH Act Now

Remote code execution in Froxlor server administration software versions prior to 2.3.6 allows authenticated administrators with change_serversettings permission to inject arbitrary PHP code through an unescaped MySQL server configuration parameter. The vulnerability enables persistent code execution on every subsequent HTTP request as the web server user due to improper input sanitization in PhpHelper::parseArrayToString(). Vendor patch available in version 2.3.6. CVSS score of 9.1 reflects the critical impact despite requiring high-privilege authentication, with scope change indicating the attacker can break out of the application's security context.

PHP Code Injection RCE
NVD GitHub VulDB
EPSS 0% CVSS 9.9
CRITICAL PATCH Act Now

Authenticated customers can achieve remote code execution in Froxlor server administration software versions prior to 2.3.6 through path traversal in the API's language parameter. By injecting malicious path traversal sequences into the `def_language` field via the `Customers.update` or `Admins.update` API endpoints, authenticated users can force the application to execute arbitrary PHP code as the web server user on subsequent requests. This vulnerability carries a CVSS score of 9.9 with scope change, indicating potential for full system compromise beyond the vulnerable component. Vendor-released patch version 2.3.6 addresses the vulnerability by implementing proper validation of language parameters against available language files.

PHP Path Traversal LFI +1
NVD GitHub VulDB
EPSS 0% CVSS 8.8
HIGH POC PATCH Act Now

Unauthenticated attackers can execute remote code and read arbitrary files in Xerte Online Toolkits 3.15 and earlier via a missing authentication flaw in the elFinder connector endpoint. The vulnerability stems from a logic error where HTTP redirects for unauthenticated requests fail to terminate PHP execution, allowing full server-side processing of file operations. Attackers can create directories, upload files, rename, duplicate, overwrite, and delete files in project media directories without authentication. When chained with path traversal and extension blocklist bypasses, this enables complete system compromise. VulnCheck identified the flaw, and vendor patches are available via three GitHub commits addressing versions 3.13.0 through 3.15.0.

PHP Path Traversal Authentication Bypass +2
NVD GitHub
EPSS 0% CVSS 9.3
CRITICAL POC PATCH Act Now

Remote code execution in Xerte Online Toolkits 3.15 and earlier allows unauthenticated attackers to upload and execute arbitrary PHP code by chaining an incomplete file extension filter bypass (.php4 extension) with authentication bypass and path traversal vulnerabilities in the elFinder connector endpoint. Attackers can achieve complete server compromise by uploading malicious PHP files, renaming them with the .php4 extension to evade filtering, and executing operating system commands. Vendor-released patches available via three GitHub commits (02661be, 17e4f94, 507d55c). No public exploit code or active exploitation confirmed at time of analysis, though the attack chain is straightforward for skilled attackers.

PHP Authentication Bypass Path Traversal +1
NVD GitHub VulDB
EPSS 0% CVSS 7.1
HIGH POC PATCH Act Now

Path traversal in Xerte Online Toolkits' elFinder connector allows authenticated attackers to move files to arbitrary filesystem locations, enabling application file overwrites, stored XSS, or chained remote code execution. Affects versions 3.15 and earlier through unsanitized rename operations at /editor/elfinder/php/connector.php. Vendor patches available via GitHub commits 02661be, 507d55c, and 17e4f94. CVSS 7.1 with low attack complexity and low privileges required. No public exploitation confirmed (SSVC: exploitation=none), but attack is not automatable per CISA framework.

RCE PHP XSS +2
NVD GitHub VulDB
EPSS 0% CVSS 6.9
MEDIUM POC PATCH This Month

Xerte Online Toolkits versions 3.15 and earlier expose the server-side filesystem root path through an unauthenticated GET request to the /setup page, allowing remote attackers to retrieve sensitive path information rendered in HTML responses. This information disclosure enables exploitation of path-dependent vulnerabilities such as relative path traversal in connector.php, potentially leading to unauthorized file access or further system compromise.

PHP Information Disclosure Path Traversal +1
NVD GitHub VulDB
EPSS 0% CVSS 9.4
CRITICAL PATCH Act Now

Remote code execution in ci4ms content management system allows authenticated backend users with theme creation permissions to write arbitrary PHP files via Zip Slip path traversal. A working proof-of-concept demonstrates uploading a malicious theme archive containing path-traversal entries (../../public/shell.php) that bypass extraction directory boundaries, placing executable code under the web root. Vendor-released patch available in version 0.31.5.0. No CISA KEV listing or EPSS data available, but publicly disclosed PoC significantly lowers exploitation barrier for attackers with valid credentials.

RCE PHP Python +1
NVD GitHub
EPSS 0% CVSS 9.4
CRITICAL PATCH Act Now

Remote code execution in ci4ms (CodeIgniter 4 Management System) versions prior to 0.31.5.0 allows authenticated backend users with backup creation permissions to write PHP webshells to the public web root via Zip Slip path traversal during backup restoration. The vulnerability is confirmed actively exploited (CISA KEV) with publicly available exploit code exists. CVSS 9.4 (Critical) aligns with the real-world risk, as exploitation requires only low-privilege authentication and the affected route is exempt from CSRF protection, enabling drive-by attacks against logged-in administrators. Vendor-released patch version 0.31.5.0 addresses the flaw by implementing path validation during ZIP extraction.

RCE PHP Python +1
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Path traversal in DDEV versions prior to 1.25.2 allows remote attackers to write files outside intended extraction directories when downloading and extracting archives from remote sources. The vulnerability affects the Untar() and Unzip() functions in pkg/archive/archive.go, which lack path validation during extraction. Exploitation requires user interaction (UI:R) to trigger archive extraction but can achieve high integrity impact through arbitrary file write. A proof-of-concept exists, and CISA SSVC framework rates this as exploitable with partial technical impact.

Node.js PHP Path Traversal
NVD GitHub VulDB
EPSS 0% CVSS 9.3
CRITICAL POC Act Now

ThinkPHP 5.0.23 contains a remote code execution vulnerability that allows unauthenticated attackers to execute arbitrary PHP code by invoking functions through the routing parameter. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP Authentication Bypass RCE
NVD Exploit-DB GitHub
EPSS 0% CVSS 4.3
MEDIUM This Month

Cross-Site Request Forgery (CSRF) in the DX Unanswered Comments WordPress plugin versions up to 1.7 allows unauthenticated attackers to modify critical plugin settings (authors list and comment count) by tricking a site administrator into clicking a malicious link, due to missing nonce validation in the settings form handler. The CVSS 4.3 score reflects low severity with integrity impact limited to plugin configuration rather than data or code execution, but successful exploitation could alter site functionality if an attacker controls which comments are flagged as unanswered.

PHP CSRF WordPress
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

Authenticated users with Subscriber-level access can modify the CalJ Shabbat Times plugin's API key and clear its cache due to missing authorization checks in the CalJSettingsPage class constructor. The vulnerability affects all versions up to and including 1.5, with no special network or interaction requirements beyond valid WordPress authentication. While CVSS 5.3 reflects moderate integrity impact, the practical risk depends on whether WordPress sites allow Subscriber-level registrations and whether the plugin's API key provides sensitive access to external services.

PHP Authentication Bypass WordPress
NVD
EPSS 0% CVSS 7.2
HIGH This Week

Arbitrary file write in HTTP Headers plugin for WordPress versions ≤1.19.2 enables authenticated administrators to achieve remote code execution by manipulating htpasswd file path configuration and injecting PHP code via unsanitized username input. Administrators can set a malicious file path (e.g., webroot/shell.php) through 'hh_htpasswd_path' option and inject executable code via the 'hh_www_authenticate_user' field, which is written directly to disk without validation. Wordfence disclosure includes direct source code references showing the vulnerable apache_auth_credentials() and update_auth_credentials() functions. No public exploit code or active exploitation confirmed at time of analysis.

PHP WordPress RCE
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

The Kcaptcha WordPress plugin versions up to 1.0.1 fails to validate nonces on the settings page, allowing unauthenticated attackers to modify CAPTCHA configuration (enable/disable on login, registration, lost password, and comment forms) via cross-site request forgery if a site administrator can be tricked into clicking a malicious link. The vulnerability requires user interaction (administrator click) but carries a CVSS score of 4.3 with integrity impact; no public exploit code or active exploitation has been identified at the time of analysis.

PHP CSRF WordPress
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in the Quran Live Multilanguage WordPress plugin versions up to 1.0.3 allows authenticated attackers with Contributor-level access to inject arbitrary JavaScript via unsanitized shortcode attributes ('cheikh' and 'lang'). The vulnerability exploits insufficient input validation in the quran_live_render() function and direct output of user-supplied values into inline <script> blocks without escaping, enabling injection of arbitrary web scripts that execute whenever a user accesses the compromised page.

XSS WordPress PHP
NVD
EPSS 0% CVSS 4.4
MEDIUM This Month

Stored cross-site scripting in the Sentence To SEO WordPress plugin (versions up to 1.0) allows authenticated administrators to inject arbitrary JavaScript into the plugin settings page via the 'Permanent keywords' field. The vulnerability stems from insufficient input sanitization and output escaping, enabling attackers to break out of a textarea element and inject malicious scripts that execute when other users access the settings page. This requires administrator-level privileges and does not affect unauthenticated users.

XSS WordPress PHP
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

TP Restore Categories And Taxonomies WordPress plugin versions up to 1.0.1 lack capability checks in the delete_term() AJAX handler, allowing authenticated Subscriber-level users to permanently delete taxonomy terms from backup tables by reusing a nonce exposed to all authenticated users. The vulnerability bypasses authorization despite nonce validation, enabling low-privileged attackers to cause data loss via a simple crafted AJAX request.

PHP Authentication Bypass WordPress
NVD
EPSS 0% CVSS 6.1
MEDIUM This Month

WP Responsive Popup + Optin plugin for WordPress versions up to 1.4 is vulnerable to Cross-Site Request Forgery (CSRF) allowing unauthenticated attackers to modify all plugin settings, including the 'wpo_image_url' parameter, by tricking site administrators into clicking a malicious link. The vulnerability exists because the settings form in wpo_admin_page.php lacks WordPress nonce generation and verification functions. Exploitation requires administrator interaction but can alter critical plugin configuration with broader impact across the site.

PHP CSRF WordPress
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

WWBN AVideo is an open source video platform. In versions 29.0 and below, the directory traversal fix introduced in commit 2375eb5e0 for `objects/aVideoEncoderReceiveImage.json.php` only checks the URL path component (via `parse_url($url, PHP_URL_PATH)`) for `..` sequences. However, the downstream function `try_get_contents_from_local()` in `objects/functionsFile.php` uses `explode('/videos/', $url)` on the **full URL string** including the query string. An attacker can place the `/videos/../../` traversal payload in the query string to bypass the security check and read arbitrary files from the server filesystem. Commit bd11c16ec894698e54e2cdae25026c61ad1ed441 contains an updated fix.

PHP Path Traversal
NVD GitHub
EPSS 0% CVSS 5.4
MEDIUM This Month

WWBN AVideo is an open source video platform. In versions 29.0 and below, the `isValidDuration()` regex at `objects/video.php:918` uses `/^[0-9]{1,2}:[0-9]{1,2}:[0-9]{1,2}/` without a `$` end anchor, allowing arbitrary HTML/JavaScript to be appended after a valid duration prefix. The crafted duration is stored in the database and rendered without HTML escaping via `echo Video::getCleanDuration()` on trending pages, playlist pages, and video gallery thumbnails, resulting in stored cross-site scripting. Commit bcba324644df8b4ed1f891462455f1cd26822a45 contains a fix.

XSS PHP
NVD GitHub
EPSS 0% CVSS 7.7
HIGH This Week

WWBN AVideo is an open source video platform. In versions 29.0 and below, the `isSSRFSafeURL()` function in `objects/functions.php` contains a same-domain shortcircuit (lines 4290-4296) that allows any URL whose hostname matches `webSiteRootURL` to bypass all SSRF protections. Because the check compares only the hostname and ignores the port, an attacker can reach arbitrary ports on the AVideo server by using the site's public hostname with a non-standard port. The response body is saved to a web-accessible path, enabling full exfiltration. Commit a0156a6398362086390d949190f9d52a823000ba fixes the issue.

PHP SSRF
NVD GitHub
EPSS 0% CVSS 7.1
HIGH This Week

WWBN AVideo is an open source video platform. In versions 29.0 and below, the CORS origin validation fix in commit `986e64aad` is incomplete. Two separate code paths still reflect arbitrary `Origin` headers with credentials allowed for all `/api/*` endpoints: (1) `plugin/API/router.php` lines 4-8 unconditionally reflect any origin before application code runs, and (2) `allowOrigin(true)` called by `get.json.php` and `set.json.php` reflects any origin with `Access-Control-Allow-Credentials: true`. An attacker can make cross-origin credentialed requests to any API endpoint and read authenticated responses containing user PII, email, admin status, and session-sensitive data. Commit 5e2b897ccac61eb6daca2dee4a6be3c4c2d93e13 contains a fix.

PHP Information Disclosure
NVD GitHub
EPSS 0% CVSS 8.1
HIGH This Week

WWBN AVideo is an open source video platform. In versions 29.0 and below, the `allowOrigin($allowAll=true)` function in `objects/functions.php` reflects any arbitrary `Origin` header back in `Access-Control-Allow-Origin` along with `Access-Control-Allow-Credentials: true`. This function is called by both `plugin/API/get.json.php` and `plugin/API/set.json.php` - the primary API endpoints that handle user data retrieval, authentication, livestream credentials, and state-changing operations. Combined with the application's `SameSite=None` session cookie policy, any website can make credentialed cross-origin requests and read authenticated API responses, enabling theft of user PII, livestream keys, and performing state changes on behalf of the victim. Commit caf705f38eae0ccfac4c3af1587781355d24495e contains a fix.

PHP Cors Misconfiguration Information Disclosure
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM This Month

WWBN AVideo is an open source video platform. In versions 29.0 and prior, `objects/getCaptcha.php` accepts the CAPTCHA length (`ql`) directly from the query string with no clamping or sanitization, letting any unauthenticated client force the server to generate a 1-character CAPTCHA word. Combined with a case-insensitive `strcasecmp` comparison over a ~33-character alphabet and the fact that failed validations do NOT consume the stored session token, an attacker can trivially brute-force the CAPTCHA on any endpoint that relies on `Captcha::validation()` (user registration, password recovery, contact form, etc.) in at most ~33 requests per session. Commit bf1c76989e6a9054be4f0eb009d68f0f2464b453 contains a fix.

PHP Information Disclosure
NVD GitHub
EPSS 0% CVSS 5.4
MEDIUM This Month

WWBN AVideo is an open source video platform. In versions 29.0 and prior, `objects/commentDelete.json.php` is a state-mutating JSON endpoint that deletes comments but performs no CSRF validation. It does not call `forbidIfIsUntrustedRequest()`, does not verify a CSRF/global token, and does not check `Origin`/`Referer`. Because AVideo intentionally sets `session.cookie_samesite=None` (to support cross-origin embed players), a cross-site request from any attacker-controlled page automatically carries the victim's `PHPSESSID`. Any authenticated victim who has authority to delete one or more comments (site moderators, video owners, and comment authors) can be tricked into deleting comments en masse simply by visiting an attacker page. Commit 184f36b1896f3364f864f17c1acca3dd8df3af27 contains a fix.

PHP CSRF
NVD GitHub
EPSS 0% CVSS 5.4
MEDIUM This Month

WWBN AVideo is an open source video platform. In versions 29.0 and prior, multiple AVideo JSON endpoints under `objects/` accept state-changing requests via `$_REQUEST`/`$_GET` and persist changes tied to the caller's session user, without any anti-CSRF token, origin check, or referer check. A malicious page visited by a logged-in victim can silently cast/flip the victim's like/dislike on any comment (`objects/comments_like.json.php`), post a comment authored by the victim on any video, with attacker-chosen text (`objects/commentAddNew.json.php`), and/or delete assets from any category (`objects/categoryDeleteAssets.json.php`) when the victim has category management rights. Each endpoint is reachable from a browser via a simple `<img src="…">` tag or form submission, so exploitation only requires the victim to load an attacker-controlled HTML resource. Commit 7aaad601bd9cd7b993ba0ee1b1bea6c32ee7b77c contains a fix.

PHP CSRF
NVD GitHub
EPSS 0% CVSS 7.1
HIGH This Week

WWBN AVideo is an open source video platform. In versions 29.0 and prior, three admin-only JSON endpoints - `objects/categoryAddNew.json.php`, `objects/categoryDelete.json.php`, and `objects/pluginRunUpdateScript.json.php` - enforce only a role check (`Category::canCreateCategory()` / `User::isAdmin()`) and perform state-changing actions against the database without calling `isGlobalTokenValid()` or `forbidIfIsUntrustedRequest()`. Peer endpoints in the same directory (`pluginSwitch.json.php`, `pluginRunDatabaseScript.json.php`) do enforce the CSRF token, so the missing checks are an omission rather than a design choice. An attacker who lures a logged-in admin to a malicious page can create, update, or delete categories and force execution of any installed plugin's `updateScript()` method in the admin's session. Commit ee5615153c40628ab3ec6fe04962d1f92e67d3e2 contains a fix.

PHP CSRF
NVD GitHub
EPSS 1% CVSS 8.9
HIGH This Week

Remote code execution in AVideo versions 29.0 and below allows unauthenticated attackers to execute arbitrary shell commands on the server via command injection in the CloneSite plugin's cloneServer.json.php endpoint. Attackers exploit unsanitized user input in the 'url' parameter that gets directly concatenated into a wget command executed through PHP's exec() function. With CVSS 8.9 (AV:N/AC:L/PR:N/UI:N) and proof-of-concept exploitation confirmed (E:P), this represents a critical risk requiring immediate patching. Fix available in commit 473c609fc2defdea8b937b00e86ce88eba1f15bb.

PHP Command Injection RCE
NVD GitHub
EPSS 0% CVSS 9.3
CRITICAL Act Now

Remote code execution in WWBN AVideo up to version 29.0 allows unauthenticated attackers to execute arbitrary system commands via unsanitized URL parameters in test.php. This vulnerability stems from an incomplete fix that sanitized wget calls but left file_get_contents and curl code paths exploitable through regex bypass (accepting strings like 'httpevil[.]com'). CVSS 9.3 with Critical scope change reflects the severity. Upstream fix available in commit 78bccae but no tagged release version confirmed at time of analysis. EPSS data not provided; no CISA KEV listing identified.

PHP Command Injection
NVD GitHub VulDB
EPSS 0% CVSS 8.3
HIGH This Week

WWBN AVideo is an open source video platform. In versions 29.0 and prior, `objects/configurationUpdate.json.php` (also routed via `/updateConfig`) persists dozens of global site settings from `$_POST` but protects the endpoint only with `User::isAdmin()`. It does not call `forbidIfIsUntrustedRequest()`, does not verify a `globalToken`, and does not validate the Origin/Referer header. Because AVideo intentionally sets `session.cookie_samesite=None` to support cross-origin iframe embedding, a logged-in administrator who visits an attacker-controlled page will have the browser auto-submit a cross-origin POST that rewrites the site's encoder URL, SMTP credentials, site `<head>` HTML, logo, favicon, contact email, and more in a single request. Commit f9492f5e6123dff0292d5bb3164fde7665dc36b4 contains a fix.

PHP CSRF
NVD GitHub VulDB
EPSS 0% CVSS 8.7
HIGH This Week

Path traversal in WWBN AVideo 29.0 and earlier allows authenticated administrators (or CSRF-tricked admins) to write arbitrary PHP files anywhere on the server filesystem, achieving remote code execution. The locale save endpoint fails to sanitize the 'flag' parameter used in file path construction and lacks CSRF protection despite SameSite=None cookies, enabling straightforward exploitation by lower-privilege attackers who chain CSRF against admin sessions. Upstream fix committed to GitHub (57f89ffb) but released patched version not independently confirmed. CVSS 8.7 reflects high impact but requires privileged access - real-world risk depends heavily on admin session hijacking opportunities.

PHP Path Traversal CSRF +1
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM This Month

WWBN AVideo is an open source video platform. In versions 29.0 and prior, the file `git.json.php` at the web root executes `git log -1` and returns the full output as JSON to any unauthenticated user. This exposes the exact deployed commit hash (enabling version fingerprinting against known CVEs), developer names and email addresses (PII), and commit messages which may contain references to internal systems or security fixes. As of time of publication, no known patched versions are available.

PHP Information Disclosure
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM This Month

WWBN AVideo is an open source video platform. In versions 29.0 and prior, the endpoint `plugin/Live/view/Live_restreams/list.json.php` contains an Insecure Direct Object Reference (IDOR) vulnerability that allows any authenticated user with streaming permission to retrieve other users' live restream configurations, including third-party platform stream keys and OAuth tokens (access_token, refresh_token) for services like YouTube Live, Facebook Live, and Twitch. Commit d5992fff2811df4adad1d9fc7d0a5837b882aed7 fixes the issue.

PHP Authentication Bypass
NVD GitHub
EPSS 0% CVSS 9.0
CRITICAL PATCH Act Now

Mass assignment vulnerability in FreeScout versions before 1.8.213 allows authenticated administrators to covertly exfiltrate all outgoing emails and inject malicious content into email communications. By exploiting unfiltered parameter binding in mailbox connection settings endpoints, an attacker with admin credentials can silently set auto_bcc to forward copies of every outgoing email, redirect SMTP traffic through attacker-controlled servers, inject tracking pixels or phishing links into signatures, and enable malicious auto-replies-all invisible to other administrators. The CVSS score of 9.0 reflects high confidentiality and integrity impact with changed scope, though exploitation requires high-privilege (admin) access. No public exploit code or CISA KEV listing identified, but the vulnerability is particularly dangerous in multi-admin deployments and when combined with session compromise vectors like XSS (noted in tags), as it provides persistent email surveillance beyond initial access.

PHP Authentication Bypass XSS
NVD GitHub
EPSS 0% CVSS 8.5
HIGH PATCH This Week

Stored cross-site scripting in FreeScout versions prior to 1.8.213 allows authenticated users with mailbox signature permissions to inject arbitrary JavaScript that executes automatically whenever any agent or administrator opens a conversation in the affected mailbox. The vulnerability stems from inadequate HTML sanitization (blocklisting only four tags: script, form, iframe, object) that permits event handlers on elements like <img>, <svg>, and <details>. Exploitation requires only low-privilege authenticated access (ACCESS_PERM_SIGNATURE permission) and triggers without user interaction (CVSS UI:N), enabling session hijacking under certain CSP bypass conditions, phishing overlays, email exfiltration via mass assignment, and self-propagating worm behavior across all mailboxes. EPSS data not provided; no public exploit code or CISA KEV listing identified at time of analysis. Vendor-released patch available in version 1.8.213.

XSS PHP
NVD GitHub
EPSS 0% CVSS 4.1
MEDIUM PATCH This Month

Server-Side Request Forgery (SSRF) in FreeScout versions before 1.8.213 allows authenticated administrators to probe internal networks and fingerprint services via unvalidated IMAP and SMTP connection test functionality. Three AJAX actions in MailboxesController pass attacker-controlled server hostnames and ports directly to fsockopen() and protocol clients without IP validation, hostname restrictions, or internal-range blocklists, enabling port scanning and service banner disclosure through IMAP debug logs and AJAX responses. The vulnerability requires admin authentication but affects confidentiality of internal infrastructure.

PHP SSRF
NVD GitHub
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

Stored cross-site scripting (XSS) in FreeScout prior to version 1.8.213 allows remote attackers to inject arbitrary HTML attributes into email message bodies by embedding unescaped double-quote characters in URLs. When the linkify() function converts plain-text URLs to anchor tags without proper escaping, attackers can break out of the href attribute and inject malicious JavaScript or event handlers. This requires user interaction (UI:R) to view a crafted email, but once viewed, the injected script executes in the context of the victim's session with potential for account compromise or data theft.

XSS PHP
NVD GitHub
EPSS 0% CVSS 5.1
MEDIUM This Month

HTML injection vulnerability in PHP Point of Sale v19.4 allows unauthenticated remote attackers to render arbitrary HTML in victims' browsers via the '/reports/generate/specific_customer' endpoint, affecting the 'start_date_formatted' and 'end_date_formatted' parameters. User interaction is required (victim must visit a crafted link), limiting impact to stored/reflected XSS scenarios. No public exploit code or active exploitation has been confirmed at the time of analysis.

XSS PHP
NVD
EPSS 0% CVSS 9.3
CRITICAL PATCH Act Now

SQL injection in Zeon Academy Pro allows remote unauthenticated attackers to execute arbitrary SQL commands via the 'phonenumber' parameter in /private/continue-upload.php, enabling full database compromise including data exfiltration, modification, and deletion. The vulnerability is exploitable over the network without authentication (CVSS:4.0 9.3 Critical, AV:N/PR:N), representing a complete compromise of database confidentiality and integrity. Patch available from vendor per INCIBE-CERT advisory, though specific fixed version not disclosed in public references.

PHP SQLi
NVD
EPSS 0% CVSS 5.1
MEDIUM PATCH This Month

Reflected cross-site scripting (XSS) in Semantic MediaWiki 5.0.2 allows unauthenticated remote attackers to inject malicious JavaScript via the '/index.php/Speciaal:GefacetteerdZoeken' endpoint parameter. A victim visiting an attacker-crafted URL executes arbitrary JavaScript in their browser, enabling session cookie theft or unauthorized actions on behalf of the user. User interaction (clicking the link) is required. No public exploit code or active exploitation has been identified at time of analysis.

XSS PHP
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Textpattern CMS 4.9.0 allows authenticated low-privilege users to modify articles owned by higher-privilege users by manipulating the article ID parameter in the duplicate-and-save workflow, bypassing authorization checks in the article management system. The vulnerability affects only authenticated users with existing CMS access and requires no user interaction or special network access. No public exploit code or active exploitation has been identified, though the EPSS score of 0.02% suggests minimal real-world attack probability despite the moderate CVSS 6.5 score.

PHP Authentication Bypass
NVD GitHub VulDB
EPSS 0% CVSS 8.8
HIGH This Week

Remote code execution in Dolibarr ERP 22.0.4 and earlier allows authenticated users with PHP content editing permissions to execute arbitrary OS commands on the server. The vulnerability stems from a bypassable blacklist-based filter for dangerous PHP functions in the Website module. Attack complexity is low (CVSS AV:N/AC:L/PR:L), requiring only valid low-privilege credentials. Public proof-of-concept code exists on GitHub, though CISA has not confirmed active exploitation. EPSS data is unavailable, but SSVC assessment indicates total technical impact with no current exploitation evidence.

PHP Command Injection RCE +1
NVD GitHub VulDB
EPSS 0% CVSS 8.8
HIGH This Week

Authenticated users with restricted HTML/JavaScript editing permissions in Dolibarr ERP & CRM 22.0.4 and earlier can escalate privileges to execute arbitrary PHP code via the Website module. The vulnerability exploits inconsistent permission enforcement across input parameters during website page creation, allowing low-privileged authenticated users to bypass intended restrictions and inject PHP code. Public proof-of-concept exists on GitHub (PhDg1410), though no active exploitation is confirmed by CISA KEV. EPSS data unavailable, but the CVSS 8.8 score reflects high impact across confidentiality, integrity, and availability when exploited by authenticated insiders or compromised accounts.

PHP Code Injection RCE +1
NVD GitHub VulDB
EPSS 0% CVSS 7.2
HIGH This Week

Remote code execution in Visitor Management System 1.0 allows authenticated administrators to upload PHP webshells via two unvalidated file upload endpoints (admin_user_insert.php and update_1.php). The move_uploaded_file() function lacks MIME type, extension, and content validation, enabling direct server compromise. Public proof-of-concept exists (SSVC exploitation: POC). EPSS data not available, but the combination of network-accessible attack vector (AV:N) and total technical impact (SSVC) against a specific niche product suggests targeted exploitation risk rather than widespread automated attacks.

PHP File Upload RCE
NVD GitHub
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Remote code execution in Vvveb CMS 1.0.8 allows authenticated attackers with low privileges to upload PHP webshells disguised with .phtml extensions, bypassing file type restrictions to achieve full server compromise. The vulnerability stems from inadequate file upload validation in the media handler, enabling malicious files in publicly accessible directories. Upstream fix available via GitHub commit; EPSS data unavailable, no CISA KEV listing at time of analysis.

PHP File Upload RCE
NVD GitHub VulDB
EPSS 0% CVSS 8.1
HIGH This Week

Path traversal in Everest Forms (WordPress plugin) allows unauthenticated attackers to read and delete arbitrary files on the server through malicious form submissions containing crafted old_files parameters. Vulnerable versions ≤3.4.4 use regex-based path resolution without canonicalization, enabling attackers to traverse directories, exfiltrate wp-config.php via email attachments (exposing database credentials and authentication salts), and trigger automatic deletion of targeted files post-email. CVSS 8.1 (AV:N/AC:H) reflects the remote vector with high attack complexity. EPSS and KEV status not provided; proof-of-concept details available in Wordfence advisory and plugin source code references.

PHP Denial Of Service Path Traversal +1
NVD VulDB
EPSS 0% CVSS 9.2
CRITICAL Act Now

Remote code execution in Vvveb CMS v1.0.8 allows authenticated administrators to execute arbitrary system commands as www-data via a two-stage file upload attack. Attackers exploit a logic flaw in the media management file rename handler that fails to block .php and .htaccess extensions, enabling MIME type manipulation followed by PHP code execution. VulnCheck published an advisory and GitHub commit 6fb8eaa confirms upstream fix. No EPSS data available; no active exploitation confirmed at time of analysis.

Apache File Upload RCE +1
NVD GitHub VulDB
EPSS 0% CVSS 8.1
HIGH This Week

Arbitrary file deletion in wpForo Forum plugin versions ≤3.0.5 allows authenticated attackers with subscriber-level privileges to delete critical WordPress files including wp-config.php, enabling remote code execution. The vulnerability chains two flaws: unvalidated file paths in custom profile fields and insufficient path sanitization before file deletion. Exploitation requires the wpForo User Custom Fields addon with at least one file-type custom field configured. CVSS 8.1 (High) with network attack vector, low complexity, and low privilege requirements. EPSS data and active exploitation status not available in current intelligence.

PHP Path Traversal WordPress +1
NVD VulDB
EPSS 0% CVSS 8.1
HIGH PATCH This Week

Remote code execution in OpenMage Magento LTS versions prior to 20.17.0 allows unauthenticated attackers to execute arbitrary code by uploading malicious phar archives disguised as images and triggering PHP deserialization via phar:// stream wrappers. The attack requires high complexity (AC:H) to exploit successfully. EPSS data not available, but exploitation requires specific conditions around file upload and path manipulation. Vendor patch available in version 20.17.0, confirmed by GitHub security advisory GHSA-fg79-cr9c-7369.

PHP Adobe Deserialization +1
NVD GitHub
EPSS 0% CVSS 2.0
LOW POC Monitor

Improper neutralization of directives in dynamically evaluated code in Pagekit CMS up to version 1.0.18 allows high-privileged remote attackers to inject and execute arbitrary PHP code through the StringStorage Template Handler's evaluate function in app/modules/view/src/PhpEngine.php. The vulnerability requires administrator-level access but enables information disclosure, code injection, and potential system compromise. Publicly available exploit code exists; the vendor has not responded to disclosure efforts.

PHP Information Disclosure Code Injection
NVD VulDB
EPSS 0% CVSS 9.2
CRITICAL PATCH Act Now

Remote code execution in Vvveb CMS versions prior to 1.0.8.1 allows unauthenticated attackers to inject arbitrary PHP code through the installation endpoint's subdir parameter, which is written directly into env.php without sanitization. The vulnerability enables complete system compromise as the web server user with no authentication required. Publicly available patch exists (version 1.0.8.1) with detailed fix commit reference.

PHP Code Injection RCE +1
NVD GitHub VulDB
EPSS 0% CVSS 2.0
LOW POC Monitor

Z-BlogPHP 1.7.5 allows authenticated remote attackers with administrative privileges to upload arbitrary files via the App::UnPack function in the ZBA File Handler component (/zb_users/plugin/AppCentre/app_upload.php), bypassing file upload restrictions and potentially enabling remote code execution. Public exploit code exists, and the vendor has not responded to early disclosure attempts.

PHP File Upload
NVD VulDB GitHub
EPSS 0% CVSS 2.0
LOW POC Monitor

Stored cross-site scripting (XSS) in Yifang CMS up to version 2.0.5 allows authenticated attackers to inject malicious scripts via the Account parameter in the Extended Management Module's RBAC admin component, affecting stored data integrity with user interaction required. The vulnerability has publicly available proof-of-concept code, though the CVSS score of 3.5 reflects its limited scope (no confidentiality or availability impact, information disclosure only). The vendor has not responded to early disclosure efforts.

XSS PHP
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

Unrestricted file upload in rickxy Hospital Management System allows remote unauthenticated attackers to upload malicious files via the /backend/admin/his_admin_account.php endpoint, leading to potential remote code execution, data exfiltration, or system compromise. Public exploit code exists (GitHub), significantly lowering exploitation barrier. The product uses rolling releases with no fixed versioning, complicating patch tracking. CVSS 7.3 with EPSS not provided, but publicly available POC elevates real-world risk.

PHP File Upload
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in ProjectsAndPrograms School Management System allows remote unauthenticated attackers to compromise database confidentiality, integrity, and availability via the bus_id parameter in buslocation.php. The vulnerability affects all versions up to commit 6b6fae5, with publicly available exploit code (EPSS not provided). Vendor was notified but did not respond, leaving the product vulnerable at time of analysis. The rolling release model means no fixed version number exists.

PHP SQLi
NVD VulDB
EPSS 0% CVSS 5.4
MEDIUM This Month

Stored cross-site scripting (XSS) in Apartment Visitors Management System v1.1 allows authenticated attackers to inject malicious JavaScript via the visname parameter in visitors-form.php, which executes when other users view the injected data in manage-newvisitors.php or visitor-detail.php. The vulnerability requires user interaction (victim visiting affected pages) and valid authentication but can escalate privileges, steal session tokens, or perform actions on behalf of administrative users viewing visitor records.

XSS PHP
NVD GitHub VulDB
EPSS 0% CVSS 9.4
CRITICAL Act Now

SQL injection in Apartment Visitors Management System V1.1's login form allows remote unauthenticated attackers to bypass authentication and extract database contents via the username parameter. The vulnerability scores 9.4 CVSS with network attack vector and low complexity. Public exploit code exists (SSVC confirms POC status), making this immediately exploitable. EPSS data unavailable, but SSVC framework rates it as automatable with partial technical impact, indicating high practical risk for internet-exposed installations.

PHP SQLi N A
NVD GitHub VulDB
Prev Page 19 of 275 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy