PHP
Monthly
Unrestricted file upload in AREA 17 Twill CMS (versions up to 3.6.0) allows authenticated admin users to upload arbitrary file types via the `qqfilename` parameter in the Media Library Insert Page, creating a direct path to remote code execution on the underlying server. A public proof-of-concept documenting the full exploitation chain from file upload to RCE has been published by Bytium. No vendor patch exists - the vendor was contacted during responsible disclosure and did not respond, leaving all installations on affected versions without an official remediation path.
Authorization bypass in MacCMS Pro's installation module allows remote attackers to circumvent access controls via the `step5` function in the installation controller, affecting all versions through 2022.1000.3005. Exploitation is rated high-complexity (AC:H), limiting opportunistic mass exploitation, though a public proof-of-concept is available on GitHub. No CISA KEV listing at time of analysis; EPSS data was not included in the available intelligence, but POC availability elevates the practical risk above the raw CVSS score alone might suggest.
SQL injection in AojiaoZero Antaris 1.0 exposes the application database through the PayPal IPN payment callback endpoint, where the `_rewardPurchase` function fails to sanitize the `item_number` parameter before incorporating it into SQL queries. An authenticated remote attacker who can send a crafted POST request to `/ipn.php` can manipulate the underlying database query, potentially reading sensitive records, modifying data, or degrading availability. No public exploit code has been identified at time of analysis, and the vendor did not respond to disclosure, leaving the vulnerability unpatched.
SQL injection in SmartHomeAdatum's users.php Login component exposes the backend database to unauthenticated remote manipulation via a crafted Login argument. All commits up to cf495353d81b680675eb8d9aa14a318aa45ce12c of this PHP-based smart home application are affected, with no patch available and a vendor that did not respond to disclosure. No public exploit code or CISA KEV listing exists at time of analysis, though the CVSS 4.0 vector confirms low-complexity unauthenticated network exploitation.
SQL injection in AMTT Hotel Broadband Operation System 1.0 exposes the `manager/network/switch_status.php` endpoint to database manipulation via an unsanitized `ID` parameter, exploitable by authenticated remote attackers. A public proof-of-concept exploit exists (GitHub issue referenced in VulDB entry), though the vulnerability is not listed in CISA KEV. The CVSS 4.0 score of 2.0 reflects the high-privilege authentication barrier (PR:H) that significantly constrains real-world attack surface, limiting this primarily to insider threat or post-compromise escalation scenarios within hotel network management environments.
Cross-site scripting in Akpali9 Attendance-Management-System allows a remote, low-privileged attacker to inject malicious JavaScript via the export_date parameter in absent.php, executing in the browser context of any victim user who interacts with attacker-crafted content. All versions up to commit 70b91fe38f4195b701a45f0edcd4f42d5f64aeee are affected; the project's rolling release model means no discrete patched version exists, and the vendor did not respond to disclosure. No public exploit code has been identified and the vulnerability is not listed in CISA KEV at time of analysis.
Cross-site scripting in igweze Wizgrade's dashboard/studentConductManager.php allows remote, unauthenticated attackers to inject and execute malicious scripts in a victim's browser upon interaction with a crafted request. The vulnerability was publicly disclosed with exploit code available (CVSS 4.0 E:P), and the vendor did not respond to pre-disclosure contact, leaving no official patch or remediation guidance. No active exploitation has been confirmed via CISA KEV, though the public exploit raises the risk of opportunistic targeting of school or academic institutions using this PHP-based student management system.
SQL injection in RafyMrX TOKO-ONLINE-ROTI (up to commit ddfe1cd587be0a0b5135d8b6e85cce2ec3aece99) allows remote unauthenticated attackers to manipulate database queries via the kode_produk and kd_cs parameters in proses/add.php. The CVSS 4.0 vector confirms no privileges or user interaction are required, and a public exploit (E:P) has been released, lowering the skill threshold for opportunistic attacks. The vendor did not respond to coordinated disclosure, leaving no official patch available at time of analysis.
SQL injection in TOKO-ONLINE-ROTI's login endpoint exposes all deployments up to commit ddfe1cd587be0a0b5135d8b6e85cce2ec3aece99 to unauthenticated remote database manipulation via the Username parameter in proses/login.php. A public exploit is available (CVSS 4.0 E:P), and the vendor has not responded to responsible disclosure, meaning no vendor-released patch exists and no remediation guidance has been issued. No public exploit identified at time of analysis as confirmed active exploitation (CISA KEV), but the combination of a fully unauthenticated attack path, low complexity, and available proof-of-concept code elevates real-world risk above the 5.5 base score suggests.
Unrestricted file upload in shiroiAdmin versions 1.1 and 1.3 (PHP admin panel by hcr707305003) exposes the `FileController::upload` function to unauthenticated remote exploitation, enabling attackers to upload arbitrary files - including PHP webshells - to the server without authentication. A public exploit has been disclosed (CVSS 4.0 E:P), and the vendor did not respond to coordinated disclosure. Exploitation conditions are severe: the CVSS 4.0 vector confirms network-accessible, zero-authentication, low-complexity exploitation with no user interaction required.
SQL injection in Aster Telecom Azcall 10/11 exposes a network-reachable administrative endpoint to unauthenticated query manipulation via the nome, perfil, and status HTTP parameters in the store management handler. The CVSS 4.0 vector confirms no authentication or special prerequisites are required (AV:N/AC:L/PR:N/UI:N), and public exploit code is available (E:P). The vendor did not respond to coordinated disclosure, meaning no official patch exists at time of analysis.
SQL injection in IceHRM 35.0.1 and earlier allows authenticated remote attackers to manipulate backend database queries via the `employeeList` parameter in the EmployeeAttendanceReport PHP component, yielding partial confidentiality, integrity, and availability impact. A public proof-of-concept is available via a GitHub issue report, and the IceHRM project has not responded to the disclosure, leaving no vendor patch available. No CISA KEV listing exists, so widespread active exploitation at scale is unconfirmed, but the public PoC and unpatched status materially elevate practical risk for any organization running this software.
Permanent, irreversible deletion of all Starter Template-imported site content in the Solace Extra WordPress plugin (all versions through 1.5.3) is achievable by fully unauthenticated network attackers due to the complete absence of authorization checks on the responsible AJAX handler. The handler is registered via wp_ajax_nopriv_, removing WordPress's authentication gate entirely, while the required nonce is leaked to any Subscriber-level user visiting any wp-admin page - eliminating both authentication and authorization barriers simultaneously. No public exploit code has been identified at time of analysis and the vulnerability is not listed in CISA KEV, but the Wordfence disclosure includes exact file and line references enabling straightforward reproduction; the official CVSS score of 5.3 significantly understates the destructive impact.
Arbitrary local file disclosure in the Planyo Online Reservation System WordPress plugin (all versions through 3.0) lets unauthenticated remote attackers read any server-side file. The ulap.php AJAX proxy is reachable without WordPress bootstrapping or authentication and validates only the URL host against an allowlist, not the scheme, so a file://localhost/ URL passes the check and is fetched via curl/fopen. Reported by Wordfence with no public exploit identified at time of analysis; sensitive targets include wp-config.php database credentials and /etc/passwd.
Authenticated remote code execution in the Smackcoders WP Ultimate CSV Importer WordPress plugin (versions up to and including 8.0.1) lets a low-privileged Subscriber run arbitrary PHP on the server. Missing capability checks on the install_addon, saveMappedFields, and StartImport AJAX handlers, plus a plugin nonce leaked to any authenticated admin-page viewer, let an attacker install the WooCommerce add-on, persist PHP expressions in the MappedFields parameter, and force their evaluation through eval() in ImportHelpers::get_meta_values(). No public exploit is identified at time of analysis, and the flaw is not in CISA KEV; with an EPSS signal not provided, the CVSS 8.8 and trivial subscriber prerequisite make it a high patch priority.
Local File Inclusion in the LA-Studio Element Kit for Elementor WordPress plugin (all versions through 1.6.1) lets authenticated contributors and above coerce the get_type_template function into including arbitrary server-side .php files, enabling access-control bypass, sensitive data disclosure, and full PHP code execution where an attacker can plant a .php file. Reported by Wordfence with a CVSS 3.1 base score of 7.5; no public exploit identified at time of analysis and it is not listed in CISA KEV. The flaw stems from wp_normalize_path being relied upon for path safety even though it only canonicalizes separators and never rejects traversal sequences.
Regular-expression denial of service (ReDoS) in the Phalcon PHP framework before 5.15.0 lets remote unauthenticated attackers exhaust server CPU by sending a crafted request URI. Every default MVC application registers a built-in route whose compiled PCRE pattern contains a nested quantifier that Router::handle() evaluates against the raw request path on every request, so a path with repeated slashes followed by decoded newlines triggers catastrophic backtracking. There is no public exploit identified at time of analysis, and the CVSS 4.0 score of 8.7 reflects a high availability impact with no confidentiality or integrity effect.
Authentication-bypass via timing side-channel in Phalcon's Crypt::decrypt (cphalcon PHP framework prior to 5.14.1) allows remote attackers to forge valid HMAC tags and have tampered ciphertext accepted as authentic. Because the HMAC verification uses PHP/Zephir identity comparison that short-circuits on the first mismatching byte, an attacker who can observe response timing can recover a valid tag byte-by-byte and break the encrypt-then-MAC integrity guarantee. There is no public exploit identified at time of analysis and it is not in CISA KEV, but the flaw is confirmed and patched by the vendor in 5.14.1.
Unauthenticated remote code execution in the PrestaShop ps_facetedsearch (layered navigation) module versions 3.0.0 through 4.0.3 allows a single crafted front-office request to fully compromise the shop and its underlying server. The module rebuilds price/weight slider filter values from the request URL and later reads them back through a native unserialize(), enabling PHP object injection whose gadget chain writes a PHP webshell into the module directory. No public exploit is identified at time of analysis, but the flaw is trivially reachable and rated CVSS 10.0.
Authorization bypass in the Eventin WordPress plugin (versions 4.0.26-4.1.15) enables unauthenticated attackers to mark unpaid ticket orders as completed by submitting a fabricated SureCart checkout ID or FluentCart cart hash to the payment_complete() REST endpoint. The wp_rest nonce required to reach this endpoint is embedded in the HTML of every public event page, eliminating any credential or session requirement. This is a confirmed regression - the same function and endpoint were previously patched by Arraytics, but the fix was lost in subsequent releases; no public exploit has been identified at time of analysis.
CSS injection in Snipe-IT's superadmin branding configuration (versions prior to 8.6.2) allows arbitrary stylesheet content to persist in the database and render for all authenticated users on every subsequent page load. The template default.blade.php applies HTML entity encoding to the header_color and related color settings before embedding them inside a CSS style block - encoding that is context-incorrect and insufficient to prevent CSS breakout via constructs such as closing braces or url() references. No public exploit has been identified at time of analysis, but the CVSS 4.0 vector (SC:H/SI:H) reflects that, once injected, the payload affects every authenticated user's session regardless of their privilege level, making this a persistent, cross-user impact from a single privileged action.
Stored cross-site scripting in Snipe-IT prior to 8.6.2 enables a low-privilege authenticated user to upload malicious XHTML or XML files that bypass the SVG sanitization gate and execute arbitrary JavaScript in any viewer's browser when the attachment is opened inline. The bypass works because UploadFileRequest only sanitizes SVG content when PHP's finfo extension reports image/svg+xml - uploading XHTML or generic XML evades this check - while UploadedFilesController serves the file same-origin without invoking StorageHelper::allowSafeInline(), completing the injection path. No public exploit code or CISA KEV listing has been identified at time of analysis; the vendor released a confirmed fix in version 8.6.2.
Stored cross-site scripting in HestiaCP's DNS record management interface (all versions before 1.9.5) enables authenticated low-privilege users to execute arbitrary JavaScript in the browsers of any panel user who views the DNS record list, including administrators. The flaw in list_dns_rec.php allows injecting a script payload via a crafted DNS record value that breaks out of the data-sort-value HTML attribute due to missing htmlspecialchars() encoding - creating a persistent, privilege-escalating attack path from tenant-level access to admin session compromise. No public exploit or CISA KEV listing has been identified at time of analysis; vendor-released patch (v1.9.5) is available.
Authorization bypass in Simple Machines Forum (SMF) 2.1 before 2.1.8 and 3.0 before 3.0 Alpha 5 lets any authenticated low-privileged member manipulate the attachment moderation queue without the required approve_posts permission. A single-character operator mistake in Sources/Actions/AttachmentApprove.php makes the permission check evaluate to true for everyone, so an ordinary user can approve, reject, or delete pending attachments on any board and enumerate other users' unapproved uploads. There is no public exploit identified at time of analysis, and it is not listed in CISA KEV; the flaw was reported by VulnCheck and a vendor patch is available.
Sensitive configuration exfiltration in Grav CMS before 2.0.2 lets an authenticated page author bypass the Twig sandbox and read the full config tree, including plugin SMTP credentials, API keys, and database passwords. The flaw is an incomplete fix for the earlier GHSA-j274-39qw-32c9 sandbox escape: the redacted 'config' facade is still trivially bypassed through the allow-listed grav.offsetGet('config') call. No public exploit has been identified at time of analysis, though the bypass technique is fully described in the vendor advisory.
Path traversal in phpMyFAQ's PDF export pipeline allows authenticated FAQ editors to read arbitrary server-side files by storing HTML with crafted image paths that exploit a type-juggling flaw in concatenatePaths(). When the substring 'content' is absent from an attacker-controlled path, strpos() returns false, which PHP silently coerces to integer 0, causing the full unsanitized path to pass through to file_get_contents() without canonicalization. No active exploitation is confirmed (not in CISA KEV), and no public exploit code has been identified at time of analysis, but the root cause is a low-complexity PHP type-juggling antipattern that is straightforward to weaponize once the attack surface is understood.
Local File Inclusion in the Happyforms WordPress plugin (all versions through 1.26.12) allows authenticated administrators to include and execute arbitrary PHP files on the server via the happyforms_get_form_partial() function, enabling full remote code execution when the attacker can also upload PHP files. The vulnerability is rooted in unsanitized filename handling (CWE-98) within the form template rendering logic, as evidenced by the affected files class-wp-customize-form-manager.php and helper-form-templates.php. No public exploit code or CISA KEV listing has been identified at time of analysis, and the Administrator-level access prerequisite substantially limits the realistic attacker population.
Unauthenticated SQL injection in the GEO my WP WordPress plugin (versions ≤ 4.5.4) lets remote attackers inject SQL through the numeric 'distance', 'lat', and 'lng' parameters of the proximity-search feature. Because the values are parsed from the raw query string and only passed through esc_sql() at unquoted numeric positions, payloads such as `1 OR SLEEP(3)` execute directly against the database. No public exploit is identified at time of analysis, and the flaw is not listed in CISA KEV, but the network, no-auth attack profile makes it a high patching priority.
Stored Cross-Site Scripting in the Animation Addons for Elementor WordPress plugin (all versions through 2.6.3) enables authenticated attackers with Contributor-level access to permanently inject arbitrary JavaScript into pages using the Weather widget. The payload renders unescaped for every subsequent visitor, enabling session hijacking, credential theft, or admin-context privilege escalation without further attacker interaction. No CISA KEV listing and no public exploit code have been identified at time of analysis, but the low attack complexity combined with scope change to victims' browsers makes this a credible risk for multi-author WordPress deployments running this plugin with the Weather widget actively configured.
Stored Cross-Site Scripting in The Plus Addons for Elementor WordPress plugin (versions through 6.4.11) allows authenticated contributors to inject persistent malicious scripts into pages via the Button widget's `custom_attributes` parameter. The root cause is a bypassable sanitization filter (`tp_senitize_js_input()`) in `modules/widgets/tp_button.php` that fails to properly neutralize HTML/JS content before rendering. When an administrator or other privileged user subsequently views an affected page, the stored payload executes in their browser context, enabling session hijacking or unauthorized administrative actions. No public exploit identified at time of analysis; patch is available in version 6.4.12.
Remote code execution in the Post Export Import with Media WordPress plugin (all versions ≤ 1.13.1) is possible because a trailing-dot filename bypass (e.g. 'shell.php.') defeats the extension allow-list in ajax_import_media_start(), letting an administrator-level user smuggle an executable PHP file into the uploads directory during a media import. Reported by Wordfence, the flaw carries CVSS 7.2 and has no public exploit identified at time of analysis; exploitation requires existing administrator (PR:H) access, making it primarily a hardening/defense-in-depth bypass rather than a mass-exploitable entry point.
Remote code execution in the Salon Booking System - Free Version WordPress plugin (all versions ≤ 10.30.32) lets a remote attacker write attacker-controlled PHP into the plugin's web-accessible translate-constants.php file by abusing the unprotected setCustomText AJAX handler. Because the handler lacks proper nonce validation (CWE-352 CSRF), an unauthenticated attacker who tricks a logged-in administrator into clicking a crafted link can achieve full server-side code execution. Reported by Wordfence with a CVSS of 8.8; there is no public exploit identified at time of analysis and it is not on CISA KEV.
Arbitrary OS command execution in Vim prior to 9.2.0736 arises from the bundled PHP omni-completion script (runtime/autoload/phpcomplete.vim), which interpolates an attacker-controlled class or trait name from the edited buffer into a search() pattern executed via win_execute() without escaping. When a victim opens a crafted PHP file and invokes omni-completion, a name containing a single quote breaks out of the search string and the trailing text is honored as Ex commands, letting an attacker run shell commands through :! . There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the flaw is fixed and the mechanism is well documented in the vendor advisory.
Stored cross-site scripting in Cotonti Siena 0.9.26 and earlier allows any authenticated user with PFS (Personal File System) access to plant persistent JavaScript payloads by submitting a crafted folder title via the ntitle parameter. The TXT filter in pfs.main.php fails to sanitize HTML before persisting the value, so the payload executes in the browser of every subsequent visitor - including administrators - who views the folder listing. No public exploit has been confirmed beyond a researcher-published proof-of-concept gist, and no vendor patch has been identified at time of analysis.
Cross-site request forgery in Cotonti Siena (versions 0.9.26 and earlier) lets remote attackers alter administrator configuration by luring an authenticated admin into loading an attacker-controlled page that auto-submits a forged POST to the admin.php config update handler, which never calls the CMS's own CSRF validation routine. The highest-value abuse sets the PFS module option pfsfilecheck to 0, disabling the file-extension whitelist so any account with PFS (Personal File Storage) access can upload and execute arbitrary PHP, turning a CSRF into server-side code execution. There is no public exploit identified at time of analysis and it is not on CISA KEV, though a referenced public gist may contain proof-of-concept details; EPSS was not provided.
Stored client-side template injection in Bagisto before v2.4.4 allows any attacker who can register a customer account to execute arbitrary JavaScript in an administrator's browser. The `create.blade.php` template renders customer name fields inside a Vue.js context without the `v-pre` directive, causing Vue.js to evaluate stored template expressions as live code when an administrator opens the Create Order page for the affected customer. No public exploit code has been identified at time of analysis and the CVE is not listed in CISA KEV, though the stored nature of the payload and its execution in an admin session context make this a higher real-world priority than the CVSS 4.0 score of 5.1 alone suggests.
Broken authorization in Pimcore's Studio API lets a standard editor-level user create class definitions without administrative rights, because the POST /pimcore-studio/api/class/definition/configuration-view/detail/create endpoint checks the 'objects' permission rather than the 'classes' permission. Because class-definition creation writes new database tables and PHP class files to the server, this permission gap grants low-privileged users significant control over the application's data model and codebase, and absent API-layer UID validation malformed UIDs reach model-layer validation and surface internal exceptions. No public exploit identified at time of analysis; the flaw is fixed in 2025.4.6 and 2026.1.6.
An issue in docuForm GmbH FSM Client v.11.11c allows a remote attacker to obtain sensitive information via the login.php component. A vulnerability was identified in the authentication mechanism that allows user enumeration through the login interface. An attacker can differentiate between valid and invalid usernames based on variations in server responses. This information can be leveraged to identify existing accounts and facilitate further attacks, including brute-force or credential stuffing.
Arbitrary file disclosure in docuForm GmbH Client v11.11c allows a remote, low-privileged attacker to read sensitive server files through the dfm-menu_report.php component by supplying attacker-controlled path input. The NVD description asserts arbitrary code execution and the vendor gist tags it 'RCE'/'Authentication Bypass', but the concrete described capability is reading configuration files, source code, and system files, with code execution unsubstantiated in the available data. No public exploit is confirmed via a flag, though a third-party gist reference (ZeroBreach-GmbH) is published and likely carries proof-of-concept detail; EPSS is low at 0.35% (27th percentile) and the CVE is not on CISA KEV.
Authenticated remote code execution in docuForm GmbH Client v11.11c lets low-privileged users abuse the report.php file-upload component to run arbitrary code on the server. The flaw combines an authorization-bypass weakness (CWE-639) with unrestricted file upload, so an attacker with any valid account can escalate to full server compromise. No public exploit identified at time of analysis, though a third-party gist referenced in NVD may contain technical write-up material; EPSS is low (0.24%, 15th percentile) and the CVE is not in CISA KEV.
Missing ownership enforcement on Sylius Shop API payment request endpoints allows any caller who possesses a valid payment request UUID hash to read sensitive order data - including customer email, shipping addresses, and order totals - or manipulate post-payment redirect URLs to an attacker-controlled domain. Affected versions span the 2.0.x, 2.1.x, and 2.2.x release lines, with fixes available in 2.0.18, 2.1.15, and 2.2.6 per the vendor advisory GHSA-mr9r-h354-966r. No public exploit code or CISA KEV listing has been identified at time of analysis; real-world exploitability is gated on acquiring the UUID hash out-of-band.
{tokenValue}/payments/{paymentId}` silently accepts and returns HTTP 200 for payment methods the store operator has explicitly excluded from the order's sales channel, while the equivalent checkout endpoint correctly rejects them with HTTP 422. No public exploit has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.
Order data corruption and permanent deletion in Sylius affects authenticated customers across versions prior to 2.0.18, 2.1.15, and 2.2.6 due to a stale-state race condition in the cart LiveComponent. When an order transitions to STATE_COMPLETED while a customer's cart page remains open in a browser tab, subsequent cart actions - clearing, removing items, or adjusting quantities - are applied to the completed order rather than a fresh cart, irreversibly deleting or mutating finalized order records. No public exploit code has been identified at time of analysis, but the attack is trivially reproducible by any authenticated customer without specialized tooling, as the attacker can deliberately engineer the race condition by completing checkout in one tab while exploiting the stale cart in another.
PHP object injection in YesWiki's BazaR import feature allows an attacker to reach an unsafe unserialize() sink in tools/bazar/services/CSVManager.php, where attacker-supplied base64 data is deserialized without allowed_classes=false, instantiating arbitrary classes and triggering magic methods (__destruct, and __toString via array_map('strval')). Because the importentries mode lacks CSRF protection (the assigned root cause CWE-352), a remote attacker can host an auto-POSTing HTML page that, when visited by a logged-in wiki admin, drives the deserialization using the admin's session - chaining published Doctrine PHPGGC gadgets into remote code execution on the host. Publicly available exploit code exists demonstrating the object-injection primitive, but no full end-to-end RCE chain is published and this is not confirmed actively exploited (not in CISA KEV).
{idreaction} and {id} URL path parameters, which are concatenated directly into a LIKE clause. Because YesWiki permits open self-registration, the practical barrier is minimal, and the flaw grants full database read/write - including extraction of yeswiki_users password hashes and emails. Publicly available exploit code exists in the advisory (including a time-based blind variant), but there is no public exploit identified as actively used in the wild and no CISA KEV listing.
Reflected XSS in YesWiki's Bazar widget handler allows remote unauthenticated attackers to execute arbitrary JavaScript in a victim's browser by sending a crafted URL containing a double-quote-breaking payload in the `id` GET parameter. The handler at `tools/bazar/handlers/__WidgetHandler.php` performs no authentication or access-control check before rendering the vulnerable template, and `strip_tags()` is misused as an output encoder - it removes tags but leaves double quotes intact, enabling attribute injection across two sinks (`data-formid` and `data-iframeUrl`). A working proof-of-concept was validated on the official doryphore 4.6.5 release; no public exploit identification as KEV-confirmed active exploitation exists at time of analysis, but a complete PoC with exact payloads is publicly available as part of the advisory.
Reflected XSS in YesWiki doryphore 4.6.5 allows an attacker to execute arbitrary JavaScript in a victim's browser by exploiting unescaped output of the `time` GET parameter in the archived-revision edit form at `handlers/page/show.php`. A working proof-of-concept has been published by the reporter and confirmed against the official package; the attack exploits MySQL's DATETIME coercion to accept a malformed timestamp that begins with a real archived revision value yet appends injected markup, causing the archived-revision branch to render and reflect the payload unescaped. No active exploitation has been confirmed by CISA KEV, but the detailed PoC lowers the barrier to weaponization.
Stored XSS in YesWiki's Bazar form module allows a privileged form editor to inject persistent script payloads into field label and hint fields, which execute in the browser context of every subsequent visitor - including unauthenticated guests - who renders an affected form. The vulnerability is a sibling class of an incomplete fix at commit e6b66aa: that commit removed the dangerous |raw('html') filter from two Twig template call sites but left eleven additional sites in range.twig, email.twig, layouts/input.twig, layouts/field.twig, textarea.twig, user.twig, bookmarklet.twig, subscribe.twig, and linked-entry.twig still suppressing Twig's HTML auto-escaping. No active exploitation is confirmed in CISA KEV, but a detailed proof-of-concept with exact payloads, rendered HTML output, and affected line numbers is included in GitHub Security Advisory GHSA-xc7j-3g8q-9vh4, and patch commit 5d1a4d07 is publicly available.
{tag} endpoint. An attacker plants a page whose tag contains a SQL-breakout payload (the INSERT escapes it but stores the literal quote), makes the page non-orphaned via an {{include}} link, then triggers deletePage(), where the stored tag is concatenated unescaped into a DELETE FROM _links WHERE to_tag='$tag' query. A detailed proof-of-concept with confirmed time-based blind extraction exists; the flaw enables reading password hashes, ACLs, and private page bodies, acting as a low-priv-to-admin escalation primitive. No public evidence of active exploitation was identified at time of analysis.
Boolean-based blind SQL injection in YesWiki's public Bazar entry-listing API allows unauthenticated attackers to read arbitrary database contents by abusing numeric query/queries filters. Because numeric field values are escaped with mysqli_real_escape_string but inserted into the SQL statement without quotes or numeric validation, injected boolean expressions (e.g. '100 OR (SELECT COUNT(*) FROM yeswiki_users)>0') are evaluated by the database, turning the public endpoints into a data-exfiltration oracle. A detailed, self-contained proof-of-concept is published in the advisory; a vendor patch (commit f3b0dd0) is available, though the issue is not listed in CISA KEV.
Server-side request forgery in YesWiki's Bazar ActivityPub module (through v4.6.5) lets an unauthenticated remote attacker coerce the server into fetching arbitrary attacker-chosen URLs. The public inbox route parses the HTTP Signature header and issues a server-side GET to the attacker-supplied keyId URL before any signature or URL validation, enabling internal port scanning, service enumeration, and cloud IAM metadata theft (169.254.169.254). Publicly available exploit code exists (a detailed PoC with a working request), and verbose 500 exception/stack-trace responses act as a data oracle; there is no CISA KEV listing.
Signature-verification bypass in YesWiki (v4.6.5 and earlier, ActivityPub-federated Bazar forms) lets an unauthenticated remote attacker forge a valid ActivityPub actor and have Create/Update/Delete activities processed as if properly signed. The flaw stems from HttpSignatureService::verifySignature() using a loose boolean check (!openssl_verify(...)) that treats openssl_verify()'s -1 internal-error return as success. A detailed proof-of-concept exists (publicly available exploit code exists) demonstrating full CRUD on Bazar entries; the issue is not in CISA KEV and no EPSS score was provided.
{{erasespamedcomments}} action, which processes a POST-supplied suppr[] array with no authorization, ownership, or CSRF check. On a default install where default_write_acl='*', an unauthenticated attacker first creates a page containing the action, then submits a cleanup request naming target page tags. A vendor patch commit exists; there is no public exploit identified at time of analysis beyond the fully working PoC included in the advisory.
Stored SQL injection in YesWiki's `recentchanges` action enables arbitrary read of the underlying MySQL database by any user who can save a wiki page - on default installations, this includes unauthenticated visitors. The payload is persisted as wiki page content and executes on every subsequent page load, leaking rows (including admin usernames and password hashes) rendered directly into the HTML response as hyperlinks. A fully working UNION-based proof-of-concept is included in the GitHub security advisory, confirming practical exploitability with no public exploit identified at time of analysis in CISA KEV.
{{ 7 * 7 }} rendering as 49, escalated to an interactive reverse shell); this vulnerability is not in CISA KEV and there is no evidence of active exploitation.
OS command injection in the wnx/laravel-backup-restore Composer package (fixed in v1.9.4) allows an attacker who can get a malicious backup archive restored to run arbitrary shell commands as the Laravel application user. The restore workflow interpolates an unescaped ZIP entry filename from the db-dumps directory directly into shell command strings (mysql, psql, sqlite3, gunzip) executed via Symfony Process::fromShellCommandline(), so shell metacharacters in the filename are interpreted by /bin/sh. No public exploit identified at time of analysis and the issue is not in CISA KEV, but the flaw is trivially exploitable once a crafted archive reaches the restore path.
Authenticated command injection in Coolify (self-hosted PaaS) before 4.0.0-beta.469 allows a logged-in user to run arbitrary shell commands inside deployment containers by supplying malicious health-check parameters. The generate_healthcheck_commands() routine in ApplicationDeploymentJob.php interpolates the health_check_host, health_check_method, and health_check_path values straight into a shell command line, so any user able to configure an application's health check gains OS command execution during deployment. No public exploit identified at time of analysis, but the upstream fix and advisory (GHSA-4fhp-xqqp-w7vv) publicly document the vulnerable code path.
Cross-site scripting in YzmCMS through version 7.5 allows unauthenticated remote attackers to inject and execute arbitrary JavaScript by manipulating the HTTP Host header processed by the `get_url` function in `/yzmphp/yzmphp.php`. The Header Handler component reflects the attacker-controlled `HTTP_HOST` value into generated page output without sanitization, enabling payload execution in a victim's browser upon page visit. A public proof-of-concept exploit has been disclosed; no patch exists and the vendor did not respond to coordinated disclosure, leaving all deployments at or below v7.5 exposed.
Authorization bypass in mettle Sendportal up to version 3.0.1 permits authenticated remote users to circumvent object-level access controls at the Campaign Creation Endpoint, potentially allowing cross-tenant campaign manipulation. The root cause is CWE-639 (Authorization Bypass Through User-Controlled Key), a class of IDOR flaw where the server trusts a user-supplied identifier to gate resource access without re-verifying ownership. A publicly available exploit exists via GitHub issue #339, and the vendor has not responded to responsible disclosure; no patch is available at time of analysis.
SQL injection in SourceCodester Simple and Nice Shopping Cart Script 1.0 allows unauthenticated remote attackers to manipulate the Username parameter on /login.php, potentially bypassing authentication or extracting database contents. A publicly available proof-of-concept exploit exists, published via a GitHub issue and documented in VulDB entry 377116. No CISA KEV listing is present, but the combination of network accessibility, no authentication requirement, and a live POC makes this a practical risk for any exposed deployment.
Cross-site request forgery in Admidio's plugin management endpoint (`modules/plugins.php`) enables a remote attacker to trigger destructive plugin operations - including irreversible DROP TABLE SQL execution - against any authenticated administrator who visits an attacker-controlled web page. The endpoint processes install, uninstall, and update operations via unauthenticated GET requests lacking CSRF token validation, and SameSite=Lax cookie behavior causes browsers to automatically include session credentials on top-level GET navigations from cross-origin pages. A working Playwright-based proof-of-concept is publicly available demonstrating the full attack chain; no confirmed active exploitation (CISA KEV) is present at time of analysis.
Remote code execution in Xerte Online Tools (versions before 3.14.6 and before 3.15.5) allows an attacker with access to the tools server settings to repoint the configured antivirus scanner binary path to a PHP interpreter, so that subsequently uploaded PHP content is passed to that interpreter and executed on the server. The input CVSS scores this 9.8 (unauthenticated network vector), but the described attack path hinges on modifying server-side settings, which typically requires administrative access — a contradiction worth flagging. There is no public exploit identified at time of analysis and it is not listed in CISA KEV; a vendor patch is available.
Arbitrary file upload leading to remote code execution affects the premium Blocksy Companion Pro plugin for WordPress in all versions through 2.1.46, where the Custom Fonts extension's flawed MIME validation lets unauthenticated attackers upload executable PHP files disguised as fonts. The Custom Fonts extension registers a wp_check_filetype_and_ext filter that uses strpos() to approve any filename merely containing '.woff2' or '.ttf' anywhere in the string, so a double-extension payload like shell.woff2.php passes as a legitimate font. Reported by Wordfence with a CVSS of 9.8; no public exploit identified at time of analysis and it is not listed in CISA KEV.
Local File Inclusion in the WPFunnels WordPress plugin (all versions through 3.12.7) allows authenticated administrators to include and execute arbitrary PHP files on the server via the unsanitized `logKey` parameter, yielding full remote code execution when combined with file upload capability. The attack requires administrator-level WordPress credentials and high complexity - specifically the ability to place a PHP file on the server - materially limiting the exploitable population. No public exploit code or CISA KEV listing has been identified at time of analysis, placing this in a routine-patching priority tier despite its severe potential impact.
SQL injection in code-projects Online Food Order System 1.0 exposes the `/edit_food_items.php` endpoint to unauthenticated remote database manipulation via the `update` parameter. The CVSS 4.0 vector (AV:N/AC:L/PR:N/UI:N) confirms this is remotely exploitable without authentication or special conditions, with limited but confirmed impact across confidentiality, integrity, and availability. A public exploit has been released (E:P), making opportunistic targeting realistic despite the niche deployment footprint; no patch or vendor advisory has been identified.
SQL injection in CodeAstro Simple Online Leave Management System 1.0 exposes the backend database to unauthenticated remote attackers through the `email` parameter at `/SimpleOnlineLeave/index.php`. Manipulation of this parameter allows an attacker to alter SQL query logic, enabling authentication bypass, database enumeration, and data modification without any credentials or user interaction. A public proof-of-concept exploit has been disclosed via GitHub, significantly lowering the skill barrier for exploitation; the vulnerability is not currently listed in the CISA KEV catalog.
SQL injection in code-projects Interview Management System 1.0 exposes the application to remote, unauthenticated database manipulation via the ID parameter in /inc/classes/View.php. An attacker with network access can read, modify, or partially disrupt data stored in the underlying database with no authentication required and no user interaction needed. A public exploit exists (referenced via GitHub at https://github.com/susususua-AI/CVE/issues/2), though no active exploitation has been confirmed by CISA KEV as of this analysis.
Credential leakage in Composer PHP dependency manager exposes sensitive tokens - such as GitHub Personal Access Tokens embedded in repository URLs - to debug output when the tool is invoked with the -vvv verbosity flag. Affected versions prior to 2.2.29 (LTS branch) and 2.10.2 fail to sanitize username-slot URL credentials (e.g., https://TOKEN@host/) across three components: AuthHelper, Url::sanitize, and ProcessExecutor. An attacker or co-located user with access to terminal output or CI/CD log artifacts could extract valid authentication tokens from this debug output. No public exploit code has been identified and this vulnerability is not listed in the CISA KEV catalog.
Arbitrary file write in Composer (the PHP dependency manager) before 2.2.29 and 2.10.2 allows a malicious package served from an untrusted, third-party repository to write attacker-controlled files outside the vendor directory and outside the project root during an install or update. The flaw stems from an invalid package name that is not validated before dependency-resolution results are written to disk (CWE-22 path traversal), and no public exploit has been identified at time of analysis. Exploitation requires the victim to have configured a non-default, untrusted repository (not Packagist.org or Private Packagist) and to run composer install/update, so it is not a default-configuration remote attack.
Path traversal in Composer's binary installation flow allows a malicious PHP package to cause arbitrary host files to be chmod'd world-readable and world-executable. Any user running `composer install`, `composer update`, or `composer require` against a package whose `bin` entry contains `..` path segments is vulnerable - Composer follows the traversal and applies chmod outside the intended package install directory. This is a supply chain attack vector affecting Composer prior to 2.2.29 and 2.10.2; no public exploit or CISA KEV listing is identified at time of analysis, but the impact to developer and CI/CD environments is significant given the confidentiality risk of exposing sensitive host files.
Cookie domain suffix-matching bypass in Guzzle PHP HTTP client (prior to 7.12.3) allows cross-host cookie disclosure, cookie injection, and session fixation when an application makes requests to multiple IP-address-based or bare-numeric-domain hosts within a shared CookieJar session. The SetCookie::matchesDomain() method incorrectly applied suffix-matching logic - valid for FQDN hierarchies - to numeric domain identifiers such as 192.168.0.1, [::1], and bare labels like 1, meaning a cookie set by one numeric host could be forwarded to a structurally related but distinct host. No public exploit has been identified at time of analysis; a vendor-released patch is available in version 7.12.3.
Stored XSS in AVideo's Meet plugin allows an anonymous, unauthenticated attacker to inject arbitrary JavaScript into privileged administrator and host browser sessions by supplying a malicious HTTP User-Agent header when joining any public meeting. The getMeetInfo.json.php endpoint persists the raw User-Agent value in meet_join_log.user_agent, bypassing AVideo's xss_esc() setter and omitting htmlspecialchars() at the output layer in the Participants management panel, where it renders in authenticated host and admin sessions. No vendor patch was available at the time of disclosure; no public exploit code or CISA KEV listing has been identified.
Unrestricted file upload in Grav API Plugin 1.0.0 allows authenticated users to store arbitrary content - including PHP scripts, SVG with embedded JavaScript, and polyglot payloads - via the avatar upload endpoint by supplying a forged client-declared MIME type beginning with 'image/'. The endpoint performs no server-side content inspection and imposes no extension restriction, so malicious files are written to user/accounts/avatars/ with predictable filenames. Immediate exploitation is partially mitigated by an .htaccess rule that returns HTTP 403 on direct access, but the files persist on disk and represent a latent RCE or stored XSS vector if a co-resident path traversal flaw or server misconfiguration bypasses that control. No public exploit code or CISA KEV listing has been identified at time of analysis.
Remote code execution in the Blocksy Companion Pro WordPress plugin (all versions before 2.1.47) lets unauthenticated attackers upload executable PHP files through the Advanced Reviews feature, taking over the site. The save_attachments function relies on a flawed strpos() substring check inherited from the Custom Fonts extension, so a double-extension filename like shell.woff2.php passes validation while the server executes it as PHP. No public exploit has been identified at time of analysis, but a vendor patch (2.1.47) is available and the flaw was reported by VulnCheck.
The Appointment Booking Calendar Plugin and Scheduling Plugin WordPress plugin through 1.1.28 does not validate data before passing it to a PHP deserialization function, allowing unauthenticated attackers to inject arbitrary PHP objects; where a suitable gadget chain is present on the site this can be leveraged to achieve remote code execution.
Arbitrary file deletion in the Simple Coherent Form WordPress plugin (all versions up to and including 2.4.13) allows unauthenticated attackers to delete any file the web server can reach, and deleting wp-config.php can cascade into full remote code execution. The plugin's two intended access controls are illusory: the scf_get_id_upload endpoint hands a valid scf_upload_file_removal nonce to any anonymous visitor, and the secondary hash check can be reproduced offline because it derives from a salt hardcoded in the plugin source. There is no public exploit identified at time of analysis, but the flaw carries a high 9.1 CVSS and reflects a genuine unauthenticated-network attack path.
Account takeover in the Eventer WordPress event-manager plugin (all versions through 4.4.2) stems from the plugin writing the password-reset key in cleartext to the `eventer_verification_code` field in `wp_usermeta`; any actor who can read that value can drive the plugin's custom reset action to set an arbitrary password for any user, including administrators. Chained with the companion SQL injection flaw CVE-2026-9700, remote attackers can extract the stored key without authentication and fully hijack accounts. There is no public exploit identified at time of analysis, and exploitation is constrained to sites running PHP 7.4 or earlier, where the reset routine functions.
Remote code execution in Vtiger CRM before 8.4.0 lets an authenticated low-privileged user upload a malicious .phar file through the Documents module and execute arbitrary PHP. The extension denylist in config.inc.php omits .phar, and a stale Apache 2.2-syntax .htaccess is silently ignored on Apache 2.4, so the payload lands in a web-accessible directory reachable by unauthenticated HTTP - the attack begins authenticated but the final execution step is unauthenticated. Publicly available exploit code exists (published by VulnCheck/Jiva Security); no CISA KEV listing and no EPSS score were provided.
Authenticated remote code execution in Vtiger CRM through version 8.4.0 lets an administrator upload a crafted ZIP archive through the ModuleManager import feature and drop executable PHP files directly into the web-root modules/ directory, yielding a persistent web shell. Because Apache resolves and executes those PHP files before Vtiger's routing layer runs, the resulting shell bypasses the application's authentication entirely and survives independently of the attacker's login session. Publicly available exploit code exists (VulnCheck / Jiva Security), though there is no public exploit identified as being used in active attacks and it is not listed in CISA KEV.
Arbitrary file write in the AMP for WP - Accelerated Mobile Pages WordPress plugin (versions up to and including 1.1.12) lets authenticated Author-level users, granted permission by an Administrator, upload and unsafely extract a crafted ZIP through the ampforwp_save_local_font() function, planting attacker-controlled files in a web-accessible uploads path. On hosts configured to execute PHP from the uploads directory, this escalates to remote code execution. There is no public exploit identified at time of analysis, and the issue is not listed in CISA KEV; an upstream fix is present in the plugin repository (changeset 3512870).
Arbitrary file read in EGroupware's mail composition module allows any authenticated user with mail access to exfiltrate files readable by the web server process. The vulnerability stems from a defective URI scheme check in `api/src/Mail.php` that correctly rejects `data:` URIs but inadvertently permits `file://` URIs, which PHP's `file_get_contents()` resolves natively against the local filesystem. A publicly available proof-of-concept exists demonstrating `/etc/passwd` extraction via a crafted HTML email body; no active exploitation (CISA KEV) has been confirmed at time of analysis.
Authenticated OS command execution in EGroupware allows an administrator to escalate from web-application access to arbitrary shell commands as the web server user (typically www-data). The flaw lives in the eTemplate engine's Widget::expand_name(), where widget attribute values are passed into a PHP eval() with only double-quotes escaped, leaving backtick shell-execution operators intact; an admin uploads a malicious .xet template to the /etemplates VFS mount to trigger it. A detailed proof-of-concept is published in the vendor's GitHub Security Advisory (publicly available exploit code exists), though there is no evidence of active exploitation.
Remote code execution in EGroupware lets an attacker chain a broken authorization check with an arbitrary file write and an arbitrary file read to fully compromise the server. An authenticated user can forge the participant_role field in a SmallPartMediaRecorder::ajax_upload() request to impersonate a course teacher, then use path traversal to read and overwrite header.inc.php with valid but attacker-controlled PHP, yielding code execution after OPcache refresh or a setup-password change. Where self-registration is enabled the entire chain becomes reachable pre-authentication. No public exploit has been identified, but the advisory documents a complete, reproducible technique.
Arbitrary file deletion in the WordPress Frontend File Manager Plugin (versions up to and including 23.6) lets unauthenticated visitors remove any file on the server when guest upload mode is enabled, because a user-supplied file path is not validated before the delete operation. Removing critical files such as wp-config.php drops the site into its installation/setup routine, which an attacker can chain toward a complete site takeover. No public exploit is identified at time of analysis and EPSS is low (0.15%, 4th percentile), but the unauthenticated network vector and scope-changing impact make this a serious risk for exposed sites running the vulnerable configuration.
Cross-tenant resource access in Coolify (self-hosted PaaS) before 4.0.0-beta.464 lets an authenticated user of one team clone resources into, and access resources owned by, other teams. The cloneTo() Livewire action in ResourceOperations.php checks authorization on the source resource but resolves destination resources with unscoped Eloquent lookups, breaking multi-tenant isolation. Rated CVSS 9.9 with scope change; no public exploit identified at time of analysis, but a fixing commit and vendor advisory are published.
OS command injection in Coolify's self-hosted server/app management platform lets an authenticated user achieve remote code execution on the underlying host via a malicious database import container name. The database import Livewire component passes client-controlled container and server properties into shell commands without locking or validation, so any low-privileged authenticated user can inject arbitrary commands. Rated CVSS 8.8 and fixed in 4.0.0-beta.471; no public exploit identified at time of analysis and it is not listed in CISA KEV.
Coolify's database backup restore file upload endpoint accepts uploads without enforcing any file type or size constraints, enabling an authenticated user to degrade service availability by uploading oversized or unexpected files. All releases prior to 4.0.0-beta.474 are affected per CPE cpe:2.3:a:coollabsio:coolify. No public exploit code exists and the vulnerability is not listed in CISA KEV; with a CVSS score of 3.1 and availability-only impact, this represents a low-priority issue for most operators, especially given the authenticated access requirement.
Path traversal leading to remote code execution in Coolify (self-hosted PaaS) before 4.0.0-beta.474 allows an authenticated user to abuse insufficient filename sanitization in the PostgreSQL initialization-script generator (generate_init_scripts() in app/Actions/Database/StartPostgresql.php) to write files outside the intended directory and execute commands during database init. Any user with sufficient privileges to provision a PostgreSQL resource can escalate to code execution on the Coolify host. No public exploit identified at time of analysis, though the fix commit and security advisory publicly disclose the vulnerable code path.
Authenticated remote code execution in FOSSBilling 0.6.10 through 0.7.2 lets an admin-privileged user inject arbitrary PHP into config.php via the Config::prettyPrintArrayToPHP() method, which fails to escape single quotes in string configuration values. Because config.php is pulled in through a bare include on every HTTP request, injected code runs persistently on all subsequent requests. No public exploit identified at time of analysis, and the flaw is not listed in CISA KEV; the CVSS 4.0 base score is 8.9, elevated by the persistent, server-wide impact once an admin account is abused.
Privilege retention in FOSSBilling before 0.8.0 allows a suspended or deactivated client, staff, or admin to keep full authenticated access because the session identity loaders in src/di.php never re-check account status. Suspending or deactivating a user does not terminate their live session - access persists until the session expires naturally. This is an authenticated (PR:L) session-management flaw with no public exploit identified at time of analysis and no CISA KEV listing; the vendor rates it 8.7 (CVSS 4.0).
Unrestricted file upload in AREA 17 Twill CMS (versions up to 3.6.0) allows authenticated admin users to upload arbitrary file types via the `qqfilename` parameter in the Media Library Insert Page, creating a direct path to remote code execution on the underlying server. A public proof-of-concept documenting the full exploitation chain from file upload to RCE has been published by Bytium. No vendor patch exists - the vendor was contacted during responsible disclosure and did not respond, leaving all installations on affected versions without an official remediation path.
Authorization bypass in MacCMS Pro's installation module allows remote attackers to circumvent access controls via the `step5` function in the installation controller, affecting all versions through 2022.1000.3005. Exploitation is rated high-complexity (AC:H), limiting opportunistic mass exploitation, though a public proof-of-concept is available on GitHub. No CISA KEV listing at time of analysis; EPSS data was not included in the available intelligence, but POC availability elevates the practical risk above the raw CVSS score alone might suggest.
SQL injection in AojiaoZero Antaris 1.0 exposes the application database through the PayPal IPN payment callback endpoint, where the `_rewardPurchase` function fails to sanitize the `item_number` parameter before incorporating it into SQL queries. An authenticated remote attacker who can send a crafted POST request to `/ipn.php` can manipulate the underlying database query, potentially reading sensitive records, modifying data, or degrading availability. No public exploit code has been identified at time of analysis, and the vendor did not respond to disclosure, leaving the vulnerability unpatched.
SQL injection in SmartHomeAdatum's users.php Login component exposes the backend database to unauthenticated remote manipulation via a crafted Login argument. All commits up to cf495353d81b680675eb8d9aa14a318aa45ce12c of this PHP-based smart home application are affected, with no patch available and a vendor that did not respond to disclosure. No public exploit code or CISA KEV listing exists at time of analysis, though the CVSS 4.0 vector confirms low-complexity unauthenticated network exploitation.
SQL injection in AMTT Hotel Broadband Operation System 1.0 exposes the `manager/network/switch_status.php` endpoint to database manipulation via an unsanitized `ID` parameter, exploitable by authenticated remote attackers. A public proof-of-concept exploit exists (GitHub issue referenced in VulDB entry), though the vulnerability is not listed in CISA KEV. The CVSS 4.0 score of 2.0 reflects the high-privilege authentication barrier (PR:H) that significantly constrains real-world attack surface, limiting this primarily to insider threat or post-compromise escalation scenarios within hotel network management environments.
Cross-site scripting in Akpali9 Attendance-Management-System allows a remote, low-privileged attacker to inject malicious JavaScript via the export_date parameter in absent.php, executing in the browser context of any victim user who interacts with attacker-crafted content. All versions up to commit 70b91fe38f4195b701a45f0edcd4f42d5f64aeee are affected; the project's rolling release model means no discrete patched version exists, and the vendor did not respond to disclosure. No public exploit code has been identified and the vulnerability is not listed in CISA KEV at time of analysis.
Cross-site scripting in igweze Wizgrade's dashboard/studentConductManager.php allows remote, unauthenticated attackers to inject and execute malicious scripts in a victim's browser upon interaction with a crafted request. The vulnerability was publicly disclosed with exploit code available (CVSS 4.0 E:P), and the vendor did not respond to pre-disclosure contact, leaving no official patch or remediation guidance. No active exploitation has been confirmed via CISA KEV, though the public exploit raises the risk of opportunistic targeting of school or academic institutions using this PHP-based student management system.
SQL injection in RafyMrX TOKO-ONLINE-ROTI (up to commit ddfe1cd587be0a0b5135d8b6e85cce2ec3aece99) allows remote unauthenticated attackers to manipulate database queries via the kode_produk and kd_cs parameters in proses/add.php. The CVSS 4.0 vector confirms no privileges or user interaction are required, and a public exploit (E:P) has been released, lowering the skill threshold for opportunistic attacks. The vendor did not respond to coordinated disclosure, leaving no official patch available at time of analysis.
SQL injection in TOKO-ONLINE-ROTI's login endpoint exposes all deployments up to commit ddfe1cd587be0a0b5135d8b6e85cce2ec3aece99 to unauthenticated remote database manipulation via the Username parameter in proses/login.php. A public exploit is available (CVSS 4.0 E:P), and the vendor has not responded to responsible disclosure, meaning no vendor-released patch exists and no remediation guidance has been issued. No public exploit identified at time of analysis as confirmed active exploitation (CISA KEV), but the combination of a fully unauthenticated attack path, low complexity, and available proof-of-concept code elevates real-world risk above the 5.5 base score suggests.
Unrestricted file upload in shiroiAdmin versions 1.1 and 1.3 (PHP admin panel by hcr707305003) exposes the `FileController::upload` function to unauthenticated remote exploitation, enabling attackers to upload arbitrary files - including PHP webshells - to the server without authentication. A public exploit has been disclosed (CVSS 4.0 E:P), and the vendor did not respond to coordinated disclosure. Exploitation conditions are severe: the CVSS 4.0 vector confirms network-accessible, zero-authentication, low-complexity exploitation with no user interaction required.
SQL injection in Aster Telecom Azcall 10/11 exposes a network-reachable administrative endpoint to unauthenticated query manipulation via the nome, perfil, and status HTTP parameters in the store management handler. The CVSS 4.0 vector confirms no authentication or special prerequisites are required (AV:N/AC:L/PR:N/UI:N), and public exploit code is available (E:P). The vendor did not respond to coordinated disclosure, meaning no official patch exists at time of analysis.
SQL injection in IceHRM 35.0.1 and earlier allows authenticated remote attackers to manipulate backend database queries via the `employeeList` parameter in the EmployeeAttendanceReport PHP component, yielding partial confidentiality, integrity, and availability impact. A public proof-of-concept is available via a GitHub issue report, and the IceHRM project has not responded to the disclosure, leaving no vendor patch available. No CISA KEV listing exists, so widespread active exploitation at scale is unconfirmed, but the public PoC and unpatched status materially elevate practical risk for any organization running this software.
Permanent, irreversible deletion of all Starter Template-imported site content in the Solace Extra WordPress plugin (all versions through 1.5.3) is achievable by fully unauthenticated network attackers due to the complete absence of authorization checks on the responsible AJAX handler. The handler is registered via wp_ajax_nopriv_, removing WordPress's authentication gate entirely, while the required nonce is leaked to any Subscriber-level user visiting any wp-admin page - eliminating both authentication and authorization barriers simultaneously. No public exploit code has been identified at time of analysis and the vulnerability is not listed in CISA KEV, but the Wordfence disclosure includes exact file and line references enabling straightforward reproduction; the official CVSS score of 5.3 significantly understates the destructive impact.
Arbitrary local file disclosure in the Planyo Online Reservation System WordPress plugin (all versions through 3.0) lets unauthenticated remote attackers read any server-side file. The ulap.php AJAX proxy is reachable without WordPress bootstrapping or authentication and validates only the URL host against an allowlist, not the scheme, so a file://localhost/ URL passes the check and is fetched via curl/fopen. Reported by Wordfence with no public exploit identified at time of analysis; sensitive targets include wp-config.php database credentials and /etc/passwd.
Authenticated remote code execution in the Smackcoders WP Ultimate CSV Importer WordPress plugin (versions up to and including 8.0.1) lets a low-privileged Subscriber run arbitrary PHP on the server. Missing capability checks on the install_addon, saveMappedFields, and StartImport AJAX handlers, plus a plugin nonce leaked to any authenticated admin-page viewer, let an attacker install the WooCommerce add-on, persist PHP expressions in the MappedFields parameter, and force their evaluation through eval() in ImportHelpers::get_meta_values(). No public exploit is identified at time of analysis, and the flaw is not in CISA KEV; with an EPSS signal not provided, the CVSS 8.8 and trivial subscriber prerequisite make it a high patch priority.
Local File Inclusion in the LA-Studio Element Kit for Elementor WordPress plugin (all versions through 1.6.1) lets authenticated contributors and above coerce the get_type_template function into including arbitrary server-side .php files, enabling access-control bypass, sensitive data disclosure, and full PHP code execution where an attacker can plant a .php file. Reported by Wordfence with a CVSS 3.1 base score of 7.5; no public exploit identified at time of analysis and it is not listed in CISA KEV. The flaw stems from wp_normalize_path being relied upon for path safety even though it only canonicalizes separators and never rejects traversal sequences.
Regular-expression denial of service (ReDoS) in the Phalcon PHP framework before 5.15.0 lets remote unauthenticated attackers exhaust server CPU by sending a crafted request URI. Every default MVC application registers a built-in route whose compiled PCRE pattern contains a nested quantifier that Router::handle() evaluates against the raw request path on every request, so a path with repeated slashes followed by decoded newlines triggers catastrophic backtracking. There is no public exploit identified at time of analysis, and the CVSS 4.0 score of 8.7 reflects a high availability impact with no confidentiality or integrity effect.
Authentication-bypass via timing side-channel in Phalcon's Crypt::decrypt (cphalcon PHP framework prior to 5.14.1) allows remote attackers to forge valid HMAC tags and have tampered ciphertext accepted as authentic. Because the HMAC verification uses PHP/Zephir identity comparison that short-circuits on the first mismatching byte, an attacker who can observe response timing can recover a valid tag byte-by-byte and break the encrypt-then-MAC integrity guarantee. There is no public exploit identified at time of analysis and it is not in CISA KEV, but the flaw is confirmed and patched by the vendor in 5.14.1.
Unauthenticated remote code execution in the PrestaShop ps_facetedsearch (layered navigation) module versions 3.0.0 through 4.0.3 allows a single crafted front-office request to fully compromise the shop and its underlying server. The module rebuilds price/weight slider filter values from the request URL and later reads them back through a native unserialize(), enabling PHP object injection whose gadget chain writes a PHP webshell into the module directory. No public exploit is identified at time of analysis, but the flaw is trivially reachable and rated CVSS 10.0.
Authorization bypass in the Eventin WordPress plugin (versions 4.0.26-4.1.15) enables unauthenticated attackers to mark unpaid ticket orders as completed by submitting a fabricated SureCart checkout ID or FluentCart cart hash to the payment_complete() REST endpoint. The wp_rest nonce required to reach this endpoint is embedded in the HTML of every public event page, eliminating any credential or session requirement. This is a confirmed regression - the same function and endpoint were previously patched by Arraytics, but the fix was lost in subsequent releases; no public exploit has been identified at time of analysis.
CSS injection in Snipe-IT's superadmin branding configuration (versions prior to 8.6.2) allows arbitrary stylesheet content to persist in the database and render for all authenticated users on every subsequent page load. The template default.blade.php applies HTML entity encoding to the header_color and related color settings before embedding them inside a CSS style block - encoding that is context-incorrect and insufficient to prevent CSS breakout via constructs such as closing braces or url() references. No public exploit has been identified at time of analysis, but the CVSS 4.0 vector (SC:H/SI:H) reflects that, once injected, the payload affects every authenticated user's session regardless of their privilege level, making this a persistent, cross-user impact from a single privileged action.
Stored cross-site scripting in Snipe-IT prior to 8.6.2 enables a low-privilege authenticated user to upload malicious XHTML or XML files that bypass the SVG sanitization gate and execute arbitrary JavaScript in any viewer's browser when the attachment is opened inline. The bypass works because UploadFileRequest only sanitizes SVG content when PHP's finfo extension reports image/svg+xml - uploading XHTML or generic XML evades this check - while UploadedFilesController serves the file same-origin without invoking StorageHelper::allowSafeInline(), completing the injection path. No public exploit code or CISA KEV listing has been identified at time of analysis; the vendor released a confirmed fix in version 8.6.2.
Stored cross-site scripting in HestiaCP's DNS record management interface (all versions before 1.9.5) enables authenticated low-privilege users to execute arbitrary JavaScript in the browsers of any panel user who views the DNS record list, including administrators. The flaw in list_dns_rec.php allows injecting a script payload via a crafted DNS record value that breaks out of the data-sort-value HTML attribute due to missing htmlspecialchars() encoding - creating a persistent, privilege-escalating attack path from tenant-level access to admin session compromise. No public exploit or CISA KEV listing has been identified at time of analysis; vendor-released patch (v1.9.5) is available.
Authorization bypass in Simple Machines Forum (SMF) 2.1 before 2.1.8 and 3.0 before 3.0 Alpha 5 lets any authenticated low-privileged member manipulate the attachment moderation queue without the required approve_posts permission. A single-character operator mistake in Sources/Actions/AttachmentApprove.php makes the permission check evaluate to true for everyone, so an ordinary user can approve, reject, or delete pending attachments on any board and enumerate other users' unapproved uploads. There is no public exploit identified at time of analysis, and it is not listed in CISA KEV; the flaw was reported by VulnCheck and a vendor patch is available.
Sensitive configuration exfiltration in Grav CMS before 2.0.2 lets an authenticated page author bypass the Twig sandbox and read the full config tree, including plugin SMTP credentials, API keys, and database passwords. The flaw is an incomplete fix for the earlier GHSA-j274-39qw-32c9 sandbox escape: the redacted 'config' facade is still trivially bypassed through the allow-listed grav.offsetGet('config') call. No public exploit has been identified at time of analysis, though the bypass technique is fully described in the vendor advisory.
Path traversal in phpMyFAQ's PDF export pipeline allows authenticated FAQ editors to read arbitrary server-side files by storing HTML with crafted image paths that exploit a type-juggling flaw in concatenatePaths(). When the substring 'content' is absent from an attacker-controlled path, strpos() returns false, which PHP silently coerces to integer 0, causing the full unsanitized path to pass through to file_get_contents() without canonicalization. No active exploitation is confirmed (not in CISA KEV), and no public exploit code has been identified at time of analysis, but the root cause is a low-complexity PHP type-juggling antipattern that is straightforward to weaponize once the attack surface is understood.
Local File Inclusion in the Happyforms WordPress plugin (all versions through 1.26.12) allows authenticated administrators to include and execute arbitrary PHP files on the server via the happyforms_get_form_partial() function, enabling full remote code execution when the attacker can also upload PHP files. The vulnerability is rooted in unsanitized filename handling (CWE-98) within the form template rendering logic, as evidenced by the affected files class-wp-customize-form-manager.php and helper-form-templates.php. No public exploit code or CISA KEV listing has been identified at time of analysis, and the Administrator-level access prerequisite substantially limits the realistic attacker population.
Unauthenticated SQL injection in the GEO my WP WordPress plugin (versions ≤ 4.5.4) lets remote attackers inject SQL through the numeric 'distance', 'lat', and 'lng' parameters of the proximity-search feature. Because the values are parsed from the raw query string and only passed through esc_sql() at unquoted numeric positions, payloads such as `1 OR SLEEP(3)` execute directly against the database. No public exploit is identified at time of analysis, and the flaw is not listed in CISA KEV, but the network, no-auth attack profile makes it a high patching priority.
Stored Cross-Site Scripting in the Animation Addons for Elementor WordPress plugin (all versions through 2.6.3) enables authenticated attackers with Contributor-level access to permanently inject arbitrary JavaScript into pages using the Weather widget. The payload renders unescaped for every subsequent visitor, enabling session hijacking, credential theft, or admin-context privilege escalation without further attacker interaction. No CISA KEV listing and no public exploit code have been identified at time of analysis, but the low attack complexity combined with scope change to victims' browsers makes this a credible risk for multi-author WordPress deployments running this plugin with the Weather widget actively configured.
Stored Cross-Site Scripting in The Plus Addons for Elementor WordPress plugin (versions through 6.4.11) allows authenticated contributors to inject persistent malicious scripts into pages via the Button widget's `custom_attributes` parameter. The root cause is a bypassable sanitization filter (`tp_senitize_js_input()`) in `modules/widgets/tp_button.php` that fails to properly neutralize HTML/JS content before rendering. When an administrator or other privileged user subsequently views an affected page, the stored payload executes in their browser context, enabling session hijacking or unauthorized administrative actions. No public exploit identified at time of analysis; patch is available in version 6.4.12.
Remote code execution in the Post Export Import with Media WordPress plugin (all versions ≤ 1.13.1) is possible because a trailing-dot filename bypass (e.g. 'shell.php.') defeats the extension allow-list in ajax_import_media_start(), letting an administrator-level user smuggle an executable PHP file into the uploads directory during a media import. Reported by Wordfence, the flaw carries CVSS 7.2 and has no public exploit identified at time of analysis; exploitation requires existing administrator (PR:H) access, making it primarily a hardening/defense-in-depth bypass rather than a mass-exploitable entry point.
Remote code execution in the Salon Booking System - Free Version WordPress plugin (all versions ≤ 10.30.32) lets a remote attacker write attacker-controlled PHP into the plugin's web-accessible translate-constants.php file by abusing the unprotected setCustomText AJAX handler. Because the handler lacks proper nonce validation (CWE-352 CSRF), an unauthenticated attacker who tricks a logged-in administrator into clicking a crafted link can achieve full server-side code execution. Reported by Wordfence with a CVSS of 8.8; there is no public exploit identified at time of analysis and it is not on CISA KEV.
Arbitrary OS command execution in Vim prior to 9.2.0736 arises from the bundled PHP omni-completion script (runtime/autoload/phpcomplete.vim), which interpolates an attacker-controlled class or trait name from the edited buffer into a search() pattern executed via win_execute() without escaping. When a victim opens a crafted PHP file and invokes omni-completion, a name containing a single quote breaks out of the search string and the trailing text is honored as Ex commands, letting an attacker run shell commands through :! . There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the flaw is fixed and the mechanism is well documented in the vendor advisory.
Stored cross-site scripting in Cotonti Siena 0.9.26 and earlier allows any authenticated user with PFS (Personal File System) access to plant persistent JavaScript payloads by submitting a crafted folder title via the ntitle parameter. The TXT filter in pfs.main.php fails to sanitize HTML before persisting the value, so the payload executes in the browser of every subsequent visitor - including administrators - who views the folder listing. No public exploit has been confirmed beyond a researcher-published proof-of-concept gist, and no vendor patch has been identified at time of analysis.
Cross-site request forgery in Cotonti Siena (versions 0.9.26 and earlier) lets remote attackers alter administrator configuration by luring an authenticated admin into loading an attacker-controlled page that auto-submits a forged POST to the admin.php config update handler, which never calls the CMS's own CSRF validation routine. The highest-value abuse sets the PFS module option pfsfilecheck to 0, disabling the file-extension whitelist so any account with PFS (Personal File Storage) access can upload and execute arbitrary PHP, turning a CSRF into server-side code execution. There is no public exploit identified at time of analysis and it is not on CISA KEV, though a referenced public gist may contain proof-of-concept details; EPSS was not provided.
Stored client-side template injection in Bagisto before v2.4.4 allows any attacker who can register a customer account to execute arbitrary JavaScript in an administrator's browser. The `create.blade.php` template renders customer name fields inside a Vue.js context without the `v-pre` directive, causing Vue.js to evaluate stored template expressions as live code when an administrator opens the Create Order page for the affected customer. No public exploit code has been identified at time of analysis and the CVE is not listed in CISA KEV, though the stored nature of the payload and its execution in an admin session context make this a higher real-world priority than the CVSS 4.0 score of 5.1 alone suggests.
Broken authorization in Pimcore's Studio API lets a standard editor-level user create class definitions without administrative rights, because the POST /pimcore-studio/api/class/definition/configuration-view/detail/create endpoint checks the 'objects' permission rather than the 'classes' permission. Because class-definition creation writes new database tables and PHP class files to the server, this permission gap grants low-privileged users significant control over the application's data model and codebase, and absent API-layer UID validation malformed UIDs reach model-layer validation and surface internal exceptions. No public exploit identified at time of analysis; the flaw is fixed in 2025.4.6 and 2026.1.6.
An issue in docuForm GmbH FSM Client v.11.11c allows a remote attacker to obtain sensitive information via the login.php component. A vulnerability was identified in the authentication mechanism that allows user enumeration through the login interface. An attacker can differentiate between valid and invalid usernames based on variations in server responses. This information can be leveraged to identify existing accounts and facilitate further attacks, including brute-force or credential stuffing.
Arbitrary file disclosure in docuForm GmbH Client v11.11c allows a remote, low-privileged attacker to read sensitive server files through the dfm-menu_report.php component by supplying attacker-controlled path input. The NVD description asserts arbitrary code execution and the vendor gist tags it 'RCE'/'Authentication Bypass', but the concrete described capability is reading configuration files, source code, and system files, with code execution unsubstantiated in the available data. No public exploit is confirmed via a flag, though a third-party gist reference (ZeroBreach-GmbH) is published and likely carries proof-of-concept detail; EPSS is low at 0.35% (27th percentile) and the CVE is not on CISA KEV.
Authenticated remote code execution in docuForm GmbH Client v11.11c lets low-privileged users abuse the report.php file-upload component to run arbitrary code on the server. The flaw combines an authorization-bypass weakness (CWE-639) with unrestricted file upload, so an attacker with any valid account can escalate to full server compromise. No public exploit identified at time of analysis, though a third-party gist referenced in NVD may contain technical write-up material; EPSS is low (0.24%, 15th percentile) and the CVE is not in CISA KEV.
Missing ownership enforcement on Sylius Shop API payment request endpoints allows any caller who possesses a valid payment request UUID hash to read sensitive order data - including customer email, shipping addresses, and order totals - or manipulate post-payment redirect URLs to an attacker-controlled domain. Affected versions span the 2.0.x, 2.1.x, and 2.2.x release lines, with fixes available in 2.0.18, 2.1.15, and 2.2.6 per the vendor advisory GHSA-mr9r-h354-966r. No public exploit code or CISA KEV listing has been identified at time of analysis; real-world exploitability is gated on acquiring the UUID hash out-of-band.
{tokenValue}/payments/{paymentId}` silently accepts and returns HTTP 200 for payment methods the store operator has explicitly excluded from the order's sales channel, while the equivalent checkout endpoint correctly rejects them with HTTP 422. No public exploit has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.
Order data corruption and permanent deletion in Sylius affects authenticated customers across versions prior to 2.0.18, 2.1.15, and 2.2.6 due to a stale-state race condition in the cart LiveComponent. When an order transitions to STATE_COMPLETED while a customer's cart page remains open in a browser tab, subsequent cart actions - clearing, removing items, or adjusting quantities - are applied to the completed order rather than a fresh cart, irreversibly deleting or mutating finalized order records. No public exploit code has been identified at time of analysis, but the attack is trivially reproducible by any authenticated customer without specialized tooling, as the attacker can deliberately engineer the race condition by completing checkout in one tab while exploiting the stale cart in another.
PHP object injection in YesWiki's BazaR import feature allows an attacker to reach an unsafe unserialize() sink in tools/bazar/services/CSVManager.php, where attacker-supplied base64 data is deserialized without allowed_classes=false, instantiating arbitrary classes and triggering magic methods (__destruct, and __toString via array_map('strval')). Because the importentries mode lacks CSRF protection (the assigned root cause CWE-352), a remote attacker can host an auto-POSTing HTML page that, when visited by a logged-in wiki admin, drives the deserialization using the admin's session - chaining published Doctrine PHPGGC gadgets into remote code execution on the host. Publicly available exploit code exists demonstrating the object-injection primitive, but no full end-to-end RCE chain is published and this is not confirmed actively exploited (not in CISA KEV).
{idreaction} and {id} URL path parameters, which are concatenated directly into a LIKE clause. Because YesWiki permits open self-registration, the practical barrier is minimal, and the flaw grants full database read/write - including extraction of yeswiki_users password hashes and emails. Publicly available exploit code exists in the advisory (including a time-based blind variant), but there is no public exploit identified as actively used in the wild and no CISA KEV listing.
Reflected XSS in YesWiki's Bazar widget handler allows remote unauthenticated attackers to execute arbitrary JavaScript in a victim's browser by sending a crafted URL containing a double-quote-breaking payload in the `id` GET parameter. The handler at `tools/bazar/handlers/__WidgetHandler.php` performs no authentication or access-control check before rendering the vulnerable template, and `strip_tags()` is misused as an output encoder - it removes tags but leaves double quotes intact, enabling attribute injection across two sinks (`data-formid` and `data-iframeUrl`). A working proof-of-concept was validated on the official doryphore 4.6.5 release; no public exploit identification as KEV-confirmed active exploitation exists at time of analysis, but a complete PoC with exact payloads is publicly available as part of the advisory.
Reflected XSS in YesWiki doryphore 4.6.5 allows an attacker to execute arbitrary JavaScript in a victim's browser by exploiting unescaped output of the `time` GET parameter in the archived-revision edit form at `handlers/page/show.php`. A working proof-of-concept has been published by the reporter and confirmed against the official package; the attack exploits MySQL's DATETIME coercion to accept a malformed timestamp that begins with a real archived revision value yet appends injected markup, causing the archived-revision branch to render and reflect the payload unescaped. No active exploitation has been confirmed by CISA KEV, but the detailed PoC lowers the barrier to weaponization.
Stored XSS in YesWiki's Bazar form module allows a privileged form editor to inject persistent script payloads into field label and hint fields, which execute in the browser context of every subsequent visitor - including unauthenticated guests - who renders an affected form. The vulnerability is a sibling class of an incomplete fix at commit e6b66aa: that commit removed the dangerous |raw('html') filter from two Twig template call sites but left eleven additional sites in range.twig, email.twig, layouts/input.twig, layouts/field.twig, textarea.twig, user.twig, bookmarklet.twig, subscribe.twig, and linked-entry.twig still suppressing Twig's HTML auto-escaping. No active exploitation is confirmed in CISA KEV, but a detailed proof-of-concept with exact payloads, rendered HTML output, and affected line numbers is included in GitHub Security Advisory GHSA-xc7j-3g8q-9vh4, and patch commit 5d1a4d07 is publicly available.
{tag} endpoint. An attacker plants a page whose tag contains a SQL-breakout payload (the INSERT escapes it but stores the literal quote), makes the page non-orphaned via an {{include}} link, then triggers deletePage(), where the stored tag is concatenated unescaped into a DELETE FROM _links WHERE to_tag='$tag' query. A detailed proof-of-concept with confirmed time-based blind extraction exists; the flaw enables reading password hashes, ACLs, and private page bodies, acting as a low-priv-to-admin escalation primitive. No public evidence of active exploitation was identified at time of analysis.
Boolean-based blind SQL injection in YesWiki's public Bazar entry-listing API allows unauthenticated attackers to read arbitrary database contents by abusing numeric query/queries filters. Because numeric field values are escaped with mysqli_real_escape_string but inserted into the SQL statement without quotes or numeric validation, injected boolean expressions (e.g. '100 OR (SELECT COUNT(*) FROM yeswiki_users)>0') are evaluated by the database, turning the public endpoints into a data-exfiltration oracle. A detailed, self-contained proof-of-concept is published in the advisory; a vendor patch (commit f3b0dd0) is available, though the issue is not listed in CISA KEV.
Server-side request forgery in YesWiki's Bazar ActivityPub module (through v4.6.5) lets an unauthenticated remote attacker coerce the server into fetching arbitrary attacker-chosen URLs. The public inbox route parses the HTTP Signature header and issues a server-side GET to the attacker-supplied keyId URL before any signature or URL validation, enabling internal port scanning, service enumeration, and cloud IAM metadata theft (169.254.169.254). Publicly available exploit code exists (a detailed PoC with a working request), and verbose 500 exception/stack-trace responses act as a data oracle; there is no CISA KEV listing.
Signature-verification bypass in YesWiki (v4.6.5 and earlier, ActivityPub-federated Bazar forms) lets an unauthenticated remote attacker forge a valid ActivityPub actor and have Create/Update/Delete activities processed as if properly signed. The flaw stems from HttpSignatureService::verifySignature() using a loose boolean check (!openssl_verify(...)) that treats openssl_verify()'s -1 internal-error return as success. A detailed proof-of-concept exists (publicly available exploit code exists) demonstrating full CRUD on Bazar entries; the issue is not in CISA KEV and no EPSS score was provided.
{{erasespamedcomments}} action, which processes a POST-supplied suppr[] array with no authorization, ownership, or CSRF check. On a default install where default_write_acl='*', an unauthenticated attacker first creates a page containing the action, then submits a cleanup request naming target page tags. A vendor patch commit exists; there is no public exploit identified at time of analysis beyond the fully working PoC included in the advisory.
Stored SQL injection in YesWiki's `recentchanges` action enables arbitrary read of the underlying MySQL database by any user who can save a wiki page - on default installations, this includes unauthenticated visitors. The payload is persisted as wiki page content and executes on every subsequent page load, leaking rows (including admin usernames and password hashes) rendered directly into the HTML response as hyperlinks. A fully working UNION-based proof-of-concept is included in the GitHub security advisory, confirming practical exploitability with no public exploit identified at time of analysis in CISA KEV.
{{ 7 * 7 }} rendering as 49, escalated to an interactive reverse shell); this vulnerability is not in CISA KEV and there is no evidence of active exploitation.
OS command injection in the wnx/laravel-backup-restore Composer package (fixed in v1.9.4) allows an attacker who can get a malicious backup archive restored to run arbitrary shell commands as the Laravel application user. The restore workflow interpolates an unescaped ZIP entry filename from the db-dumps directory directly into shell command strings (mysql, psql, sqlite3, gunzip) executed via Symfony Process::fromShellCommandline(), so shell metacharacters in the filename are interpreted by /bin/sh. No public exploit identified at time of analysis and the issue is not in CISA KEV, but the flaw is trivially exploitable once a crafted archive reaches the restore path.
Authenticated command injection in Coolify (self-hosted PaaS) before 4.0.0-beta.469 allows a logged-in user to run arbitrary shell commands inside deployment containers by supplying malicious health-check parameters. The generate_healthcheck_commands() routine in ApplicationDeploymentJob.php interpolates the health_check_host, health_check_method, and health_check_path values straight into a shell command line, so any user able to configure an application's health check gains OS command execution during deployment. No public exploit identified at time of analysis, but the upstream fix and advisory (GHSA-4fhp-xqqp-w7vv) publicly document the vulnerable code path.
Cross-site scripting in YzmCMS through version 7.5 allows unauthenticated remote attackers to inject and execute arbitrary JavaScript by manipulating the HTTP Host header processed by the `get_url` function in `/yzmphp/yzmphp.php`. The Header Handler component reflects the attacker-controlled `HTTP_HOST` value into generated page output without sanitization, enabling payload execution in a victim's browser upon page visit. A public proof-of-concept exploit has been disclosed; no patch exists and the vendor did not respond to coordinated disclosure, leaving all deployments at or below v7.5 exposed.
Authorization bypass in mettle Sendportal up to version 3.0.1 permits authenticated remote users to circumvent object-level access controls at the Campaign Creation Endpoint, potentially allowing cross-tenant campaign manipulation. The root cause is CWE-639 (Authorization Bypass Through User-Controlled Key), a class of IDOR flaw where the server trusts a user-supplied identifier to gate resource access without re-verifying ownership. A publicly available exploit exists via GitHub issue #339, and the vendor has not responded to responsible disclosure; no patch is available at time of analysis.
SQL injection in SourceCodester Simple and Nice Shopping Cart Script 1.0 allows unauthenticated remote attackers to manipulate the Username parameter on /login.php, potentially bypassing authentication or extracting database contents. A publicly available proof-of-concept exploit exists, published via a GitHub issue and documented in VulDB entry 377116. No CISA KEV listing is present, but the combination of network accessibility, no authentication requirement, and a live POC makes this a practical risk for any exposed deployment.
Cross-site request forgery in Admidio's plugin management endpoint (`modules/plugins.php`) enables a remote attacker to trigger destructive plugin operations - including irreversible DROP TABLE SQL execution - against any authenticated administrator who visits an attacker-controlled web page. The endpoint processes install, uninstall, and update operations via unauthenticated GET requests lacking CSRF token validation, and SameSite=Lax cookie behavior causes browsers to automatically include session credentials on top-level GET navigations from cross-origin pages. A working Playwright-based proof-of-concept is publicly available demonstrating the full attack chain; no confirmed active exploitation (CISA KEV) is present at time of analysis.
Remote code execution in Xerte Online Tools (versions before 3.14.6 and before 3.15.5) allows an attacker with access to the tools server settings to repoint the configured antivirus scanner binary path to a PHP interpreter, so that subsequently uploaded PHP content is passed to that interpreter and executed on the server. The input CVSS scores this 9.8 (unauthenticated network vector), but the described attack path hinges on modifying server-side settings, which typically requires administrative access — a contradiction worth flagging. There is no public exploit identified at time of analysis and it is not listed in CISA KEV; a vendor patch is available.
Arbitrary file upload leading to remote code execution affects the premium Blocksy Companion Pro plugin for WordPress in all versions through 2.1.46, where the Custom Fonts extension's flawed MIME validation lets unauthenticated attackers upload executable PHP files disguised as fonts. The Custom Fonts extension registers a wp_check_filetype_and_ext filter that uses strpos() to approve any filename merely containing '.woff2' or '.ttf' anywhere in the string, so a double-extension payload like shell.woff2.php passes as a legitimate font. Reported by Wordfence with a CVSS of 9.8; no public exploit identified at time of analysis and it is not listed in CISA KEV.
Local File Inclusion in the WPFunnels WordPress plugin (all versions through 3.12.7) allows authenticated administrators to include and execute arbitrary PHP files on the server via the unsanitized `logKey` parameter, yielding full remote code execution when combined with file upload capability. The attack requires administrator-level WordPress credentials and high complexity - specifically the ability to place a PHP file on the server - materially limiting the exploitable population. No public exploit code or CISA KEV listing has been identified at time of analysis, placing this in a routine-patching priority tier despite its severe potential impact.
SQL injection in code-projects Online Food Order System 1.0 exposes the `/edit_food_items.php` endpoint to unauthenticated remote database manipulation via the `update` parameter. The CVSS 4.0 vector (AV:N/AC:L/PR:N/UI:N) confirms this is remotely exploitable without authentication or special conditions, with limited but confirmed impact across confidentiality, integrity, and availability. A public exploit has been released (E:P), making opportunistic targeting realistic despite the niche deployment footprint; no patch or vendor advisory has been identified.
SQL injection in CodeAstro Simple Online Leave Management System 1.0 exposes the backend database to unauthenticated remote attackers through the `email` parameter at `/SimpleOnlineLeave/index.php`. Manipulation of this parameter allows an attacker to alter SQL query logic, enabling authentication bypass, database enumeration, and data modification without any credentials or user interaction. A public proof-of-concept exploit has been disclosed via GitHub, significantly lowering the skill barrier for exploitation; the vulnerability is not currently listed in the CISA KEV catalog.
SQL injection in code-projects Interview Management System 1.0 exposes the application to remote, unauthenticated database manipulation via the ID parameter in /inc/classes/View.php. An attacker with network access can read, modify, or partially disrupt data stored in the underlying database with no authentication required and no user interaction needed. A public exploit exists (referenced via GitHub at https://github.com/susususua-AI/CVE/issues/2), though no active exploitation has been confirmed by CISA KEV as of this analysis.
Credential leakage in Composer PHP dependency manager exposes sensitive tokens - such as GitHub Personal Access Tokens embedded in repository URLs - to debug output when the tool is invoked with the -vvv verbosity flag. Affected versions prior to 2.2.29 (LTS branch) and 2.10.2 fail to sanitize username-slot URL credentials (e.g., https://TOKEN@host/) across three components: AuthHelper, Url::sanitize, and ProcessExecutor. An attacker or co-located user with access to terminal output or CI/CD log artifacts could extract valid authentication tokens from this debug output. No public exploit code has been identified and this vulnerability is not listed in the CISA KEV catalog.
Arbitrary file write in Composer (the PHP dependency manager) before 2.2.29 and 2.10.2 allows a malicious package served from an untrusted, third-party repository to write attacker-controlled files outside the vendor directory and outside the project root during an install or update. The flaw stems from an invalid package name that is not validated before dependency-resolution results are written to disk (CWE-22 path traversal), and no public exploit has been identified at time of analysis. Exploitation requires the victim to have configured a non-default, untrusted repository (not Packagist.org or Private Packagist) and to run composer install/update, so it is not a default-configuration remote attack.
Path traversal in Composer's binary installation flow allows a malicious PHP package to cause arbitrary host files to be chmod'd world-readable and world-executable. Any user running `composer install`, `composer update`, or `composer require` against a package whose `bin` entry contains `..` path segments is vulnerable - Composer follows the traversal and applies chmod outside the intended package install directory. This is a supply chain attack vector affecting Composer prior to 2.2.29 and 2.10.2; no public exploit or CISA KEV listing is identified at time of analysis, but the impact to developer and CI/CD environments is significant given the confidentiality risk of exposing sensitive host files.
Cookie domain suffix-matching bypass in Guzzle PHP HTTP client (prior to 7.12.3) allows cross-host cookie disclosure, cookie injection, and session fixation when an application makes requests to multiple IP-address-based or bare-numeric-domain hosts within a shared CookieJar session. The SetCookie::matchesDomain() method incorrectly applied suffix-matching logic - valid for FQDN hierarchies - to numeric domain identifiers such as 192.168.0.1, [::1], and bare labels like 1, meaning a cookie set by one numeric host could be forwarded to a structurally related but distinct host. No public exploit has been identified at time of analysis; a vendor-released patch is available in version 7.12.3.
Stored XSS in AVideo's Meet plugin allows an anonymous, unauthenticated attacker to inject arbitrary JavaScript into privileged administrator and host browser sessions by supplying a malicious HTTP User-Agent header when joining any public meeting. The getMeetInfo.json.php endpoint persists the raw User-Agent value in meet_join_log.user_agent, bypassing AVideo's xss_esc() setter and omitting htmlspecialchars() at the output layer in the Participants management panel, where it renders in authenticated host and admin sessions. No vendor patch was available at the time of disclosure; no public exploit code or CISA KEV listing has been identified.
Unrestricted file upload in Grav API Plugin 1.0.0 allows authenticated users to store arbitrary content - including PHP scripts, SVG with embedded JavaScript, and polyglot payloads - via the avatar upload endpoint by supplying a forged client-declared MIME type beginning with 'image/'. The endpoint performs no server-side content inspection and imposes no extension restriction, so malicious files are written to user/accounts/avatars/ with predictable filenames. Immediate exploitation is partially mitigated by an .htaccess rule that returns HTTP 403 on direct access, but the files persist on disk and represent a latent RCE or stored XSS vector if a co-resident path traversal flaw or server misconfiguration bypasses that control. No public exploit code or CISA KEV listing has been identified at time of analysis.
Remote code execution in the Blocksy Companion Pro WordPress plugin (all versions before 2.1.47) lets unauthenticated attackers upload executable PHP files through the Advanced Reviews feature, taking over the site. The save_attachments function relies on a flawed strpos() substring check inherited from the Custom Fonts extension, so a double-extension filename like shell.woff2.php passes validation while the server executes it as PHP. No public exploit has been identified at time of analysis, but a vendor patch (2.1.47) is available and the flaw was reported by VulnCheck.
The Appointment Booking Calendar Plugin and Scheduling Plugin WordPress plugin through 1.1.28 does not validate data before passing it to a PHP deserialization function, allowing unauthenticated attackers to inject arbitrary PHP objects; where a suitable gadget chain is present on the site this can be leveraged to achieve remote code execution.
Arbitrary file deletion in the Simple Coherent Form WordPress plugin (all versions up to and including 2.4.13) allows unauthenticated attackers to delete any file the web server can reach, and deleting wp-config.php can cascade into full remote code execution. The plugin's two intended access controls are illusory: the scf_get_id_upload endpoint hands a valid scf_upload_file_removal nonce to any anonymous visitor, and the secondary hash check can be reproduced offline because it derives from a salt hardcoded in the plugin source. There is no public exploit identified at time of analysis, but the flaw carries a high 9.1 CVSS and reflects a genuine unauthenticated-network attack path.
Account takeover in the Eventer WordPress event-manager plugin (all versions through 4.4.2) stems from the plugin writing the password-reset key in cleartext to the `eventer_verification_code` field in `wp_usermeta`; any actor who can read that value can drive the plugin's custom reset action to set an arbitrary password for any user, including administrators. Chained with the companion SQL injection flaw CVE-2026-9700, remote attackers can extract the stored key without authentication and fully hijack accounts. There is no public exploit identified at time of analysis, and exploitation is constrained to sites running PHP 7.4 or earlier, where the reset routine functions.
Remote code execution in Vtiger CRM before 8.4.0 lets an authenticated low-privileged user upload a malicious .phar file through the Documents module and execute arbitrary PHP. The extension denylist in config.inc.php omits .phar, and a stale Apache 2.2-syntax .htaccess is silently ignored on Apache 2.4, so the payload lands in a web-accessible directory reachable by unauthenticated HTTP - the attack begins authenticated but the final execution step is unauthenticated. Publicly available exploit code exists (published by VulnCheck/Jiva Security); no CISA KEV listing and no EPSS score were provided.
Authenticated remote code execution in Vtiger CRM through version 8.4.0 lets an administrator upload a crafted ZIP archive through the ModuleManager import feature and drop executable PHP files directly into the web-root modules/ directory, yielding a persistent web shell. Because Apache resolves and executes those PHP files before Vtiger's routing layer runs, the resulting shell bypasses the application's authentication entirely and survives independently of the attacker's login session. Publicly available exploit code exists (VulnCheck / Jiva Security), though there is no public exploit identified as being used in active attacks and it is not listed in CISA KEV.
Arbitrary file write in the AMP for WP - Accelerated Mobile Pages WordPress plugin (versions up to and including 1.1.12) lets authenticated Author-level users, granted permission by an Administrator, upload and unsafely extract a crafted ZIP through the ampforwp_save_local_font() function, planting attacker-controlled files in a web-accessible uploads path. On hosts configured to execute PHP from the uploads directory, this escalates to remote code execution. There is no public exploit identified at time of analysis, and the issue is not listed in CISA KEV; an upstream fix is present in the plugin repository (changeset 3512870).
Arbitrary file read in EGroupware's mail composition module allows any authenticated user with mail access to exfiltrate files readable by the web server process. The vulnerability stems from a defective URI scheme check in `api/src/Mail.php` that correctly rejects `data:` URIs but inadvertently permits `file://` URIs, which PHP's `file_get_contents()` resolves natively against the local filesystem. A publicly available proof-of-concept exists demonstrating `/etc/passwd` extraction via a crafted HTML email body; no active exploitation (CISA KEV) has been confirmed at time of analysis.
Authenticated OS command execution in EGroupware allows an administrator to escalate from web-application access to arbitrary shell commands as the web server user (typically www-data). The flaw lives in the eTemplate engine's Widget::expand_name(), where widget attribute values are passed into a PHP eval() with only double-quotes escaped, leaving backtick shell-execution operators intact; an admin uploads a malicious .xet template to the /etemplates VFS mount to trigger it. A detailed proof-of-concept is published in the vendor's GitHub Security Advisory (publicly available exploit code exists), though there is no evidence of active exploitation.
Remote code execution in EGroupware lets an attacker chain a broken authorization check with an arbitrary file write and an arbitrary file read to fully compromise the server. An authenticated user can forge the participant_role field in a SmallPartMediaRecorder::ajax_upload() request to impersonate a course teacher, then use path traversal to read and overwrite header.inc.php with valid but attacker-controlled PHP, yielding code execution after OPcache refresh or a setup-password change. Where self-registration is enabled the entire chain becomes reachable pre-authentication. No public exploit has been identified, but the advisory documents a complete, reproducible technique.
Arbitrary file deletion in the WordPress Frontend File Manager Plugin (versions up to and including 23.6) lets unauthenticated visitors remove any file on the server when guest upload mode is enabled, because a user-supplied file path is not validated before the delete operation. Removing critical files such as wp-config.php drops the site into its installation/setup routine, which an attacker can chain toward a complete site takeover. No public exploit is identified at time of analysis and EPSS is low (0.15%, 4th percentile), but the unauthenticated network vector and scope-changing impact make this a serious risk for exposed sites running the vulnerable configuration.
Cross-tenant resource access in Coolify (self-hosted PaaS) before 4.0.0-beta.464 lets an authenticated user of one team clone resources into, and access resources owned by, other teams. The cloneTo() Livewire action in ResourceOperations.php checks authorization on the source resource but resolves destination resources with unscoped Eloquent lookups, breaking multi-tenant isolation. Rated CVSS 9.9 with scope change; no public exploit identified at time of analysis, but a fixing commit and vendor advisory are published.
OS command injection in Coolify's self-hosted server/app management platform lets an authenticated user achieve remote code execution on the underlying host via a malicious database import container name. The database import Livewire component passes client-controlled container and server properties into shell commands without locking or validation, so any low-privileged authenticated user can inject arbitrary commands. Rated CVSS 8.8 and fixed in 4.0.0-beta.471; no public exploit identified at time of analysis and it is not listed in CISA KEV.
Coolify's database backup restore file upload endpoint accepts uploads without enforcing any file type or size constraints, enabling an authenticated user to degrade service availability by uploading oversized or unexpected files. All releases prior to 4.0.0-beta.474 are affected per CPE cpe:2.3:a:coollabsio:coolify. No public exploit code exists and the vulnerability is not listed in CISA KEV; with a CVSS score of 3.1 and availability-only impact, this represents a low-priority issue for most operators, especially given the authenticated access requirement.
Path traversal leading to remote code execution in Coolify (self-hosted PaaS) before 4.0.0-beta.474 allows an authenticated user to abuse insufficient filename sanitization in the PostgreSQL initialization-script generator (generate_init_scripts() in app/Actions/Database/StartPostgresql.php) to write files outside the intended directory and execute commands during database init. Any user with sufficient privileges to provision a PostgreSQL resource can escalate to code execution on the Coolify host. No public exploit identified at time of analysis, though the fix commit and security advisory publicly disclose the vulnerable code path.
Authenticated remote code execution in FOSSBilling 0.6.10 through 0.7.2 lets an admin-privileged user inject arbitrary PHP into config.php via the Config::prettyPrintArrayToPHP() method, which fails to escape single quotes in string configuration values. Because config.php is pulled in through a bare include on every HTTP request, injected code runs persistently on all subsequent requests. No public exploit identified at time of analysis, and the flaw is not listed in CISA KEV; the CVSS 4.0 base score is 8.9, elevated by the persistent, server-wide impact once an admin account is abused.
Privilege retention in FOSSBilling before 0.8.0 allows a suspended or deactivated client, staff, or admin to keep full authenticated access because the session identity loaders in src/di.php never re-check account status. Suspending or deactivating a user does not terminate their live session - access persists until the session expires naturally. This is an authenticated (PR:L) session-management flaw with no public exploit identified at time of analysis and no CISA KEV listing; the vendor rates it 8.7 (CVSS 4.0).