Skip to main content

PHP

24729 CVEs product

Monthly

CVE-2026-33687 PHP HIGH PATCH This Week

The code16/sharp Laravel admin panel package contains a critical file upload vulnerability that allows authenticated users to bypass all file type restrictions by manipulating client-controlled validation rules. Affected versions prior to 9.20.0 accept a user-supplied validation_rule parameter that is passed directly to Laravel's validator, enabling attackers to upload arbitrary files including PHP webshells. With a CVSS score of 8.8, this vulnerability can lead to Remote Code Execution when the storage disk is publicly accessible, though default configurations provide some protection against direct execution.

PHP File Upload RCE
NVD GitHub
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-33661 PHP HIGH PATCH This Week

The yansongda/pay PHP library contains an authentication bypass vulnerability that allows attackers to forge WeChat Pay payment notifications by including a 'Host: localhost' header in HTTP requests. The verify_wechat_sign() function unconditionally skips RSA signature verification when it detects localhost as the hostname, enabling attackers to send fake payment success callbacks that applications may process as legitimate transactions. A proof-of-concept exploit exists demonstrating the attack, though the vendor notes most production environments with properly configured reverse proxies, WAFs, or CDNs will reject forged Host headers, significantly reducing real-world exploitability.

Nginx PHP Authentication Bypass
NVD GitHub
CVSS 3.1
8.6
EPSS
0.1%
CVE-2026-32537 HIGH This Week

A Local File Inclusion (LFI) vulnerability exists in the nK Visual Portfolio, Photo Gallery & Post Grid WordPress plugin through version 3.5.1, allowing attackers to include and execute arbitrary local files on the server via improper control of filename parameters in PHP include/require statements. An attacker with network access can exploit this vulnerability to disclose sensitive information such as configuration files, database credentials, or other local files stored on the web server. While CVSS and EPSS scores are not publicly available, the vulnerability is classified under CWE-98 (Improper Control of Filename for Include/Require) and affects all installations of this plugin running version 3.5.1 or earlier.

PHP LFI Information Disclosure
NVD VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-32531 HIGH PATCH This Week

A Local File Inclusion (LFI) vulnerability exists in Gavias Kunco WordPress theme versions prior to 1.4.5, allowing attackers to read arbitrary files from the affected server through improper control of filename parameters in PHP include/require statements. This vulnerability enables information disclosure attacks where sensitive files such as configuration files, source code, or system files could be exposed to unauthenticated or low-privileged attackers. No CVSS score or EPSS data is currently available, but the vulnerability is classified under CWE-98 (Improper Control of Filename for Include/Require Statement), a critical class of PHP-based remote/local file inclusion flaws.

PHP Information Disclosure LFI
NVD VulDB
CVSS 3.1
8.1
EPSS
0.1%
CVE-2026-32505 HIGH This Week

A Local File Inclusion (LFI) vulnerability exists in the CreativeWS Kiddy WordPress theme through version 2.0.8, allowing attackers to read arbitrary files from the affected server through improper control of filename parameters in PHP include/require statements. An attacker can exploit this vulnerability to disclose sensitive information such as configuration files, database credentials, or other locally stored data without requiring authentication or special privileges. While no CVSS score or EPSS data is currently available, the vulnerability is actively tracked by multiple security intelligence sources including Patchstack and ENISA, indicating confirmed exploitability.

PHP Information Disclosure LFI
NVD VulDB
CVSS 3.1
8.1
EPSS
0.1%
CVE-2026-32504 HIGH This Week

A Local File Inclusion (LFI) vulnerability exists in CreativeWS VintWood WordPress theme versions up to and including 1.1.8, stemming from improper control of filenames in PHP include/require statements. This vulnerability allows unauthenticated attackers to read arbitrary files from the affected server, potentially exposing sensitive configuration files, database credentials, and other confidential information. No CVSS score, EPSS data, or KEV status is currently available, but the issue is documented across multiple security intelligence sources including Patchstack and ENISA.

PHP Information Disclosure LFI
NVD VulDB
CVSS 3.1
8.1
EPSS
0.1%
CVE-2026-32503 HIGH This Week

A Local File Inclusion (LFI) vulnerability exists in CreativeWS Trendustry WordPress theme versions up to 1.1.4, allowing attackers to include and execute arbitrary local files through improper control of filename parameters in PHP include/require statements. This vulnerability can lead to information disclosure by allowing attackers to read sensitive files on the server without requiring authentication or special privileges. While no CVSS or EPSS scores are currently published, the LFI classification and information disclosure impact indicate this represents a significant security risk for affected installations.

PHP Information Disclosure LFI
NVD VulDB
CVSS 3.1
8.1
EPSS
0.1%
CVE-2026-32500 HIGH This Week

A Local File Inclusion (LFI) vulnerability exists in CreativeWS MetaMax theme versions up to and including 1.1.4, allowing attackers to include and execute arbitrary local files through improper handling of PHP include/require statements. An unauthenticated remote attacker can exploit this to disclose sensitive files, read configuration data containing credentials, or potentially achieve remote code execution by including files with executable content. While no CVSS score or EPSS data is currently available, the vulnerability has been confirmed and documented by Patchstack with a direct reference to the affected WordPress theme.

PHP Information Disclosure LFI
NVD VulDB
CVSS 3.1
8.1
EPSS
0.1%
CVE-2026-27081 HIGH This Week

A Local File Inclusion (LFI) vulnerability exists in the Mikado-Themes Rosebud WordPress theme through version 1.4, allowing attackers to include and execute arbitrary local files on the server via improper control of filename parameters in PHP include/require statements. This vulnerability enables information disclosure and potential remote code execution by reading sensitive files or including PHP files from the web root. No active exploitation in the wild has been publicly confirmed, but the vulnerability affects all installations of Rosebud up to and including version 1.4.

PHP Information Disclosure LFI
NVD VulDB
CVSS 3.1
8.1
EPSS
0.1%
CVE-2026-27080 HIGH This Week

A Local File Inclusion (LFI) vulnerability exists in the Mikado-Themes Deston WordPress theme through version 1.0, allowing attackers to read arbitrary files from the server filesystem via improper control of filename parameters in PHP include/require statements. This vulnerability, classified as CWE-98 (PHP Remote File Inclusion), enables information disclosure attacks where sensitive files such as configuration files, database credentials, or source code could be exposed. The vulnerability affects all versions of Deston up to and including 1.0, and has been documented by Patchstack with an EUVD ID (EUVD-2026-15787), though CVSS scoring and KEV status are not yet available.

PHP Information Disclosure LFI
NVD VulDB
CVSS 3.1
8.1
EPSS
0.1%
CVE-2026-27079 HIGH This Week

A Local File Inclusion (LFI) vulnerability exists in the Mikado-Themes Amfissa WordPress theme through version 1.1, allowing attackers to improperly control filenames in PHP include/require statements. This vulnerability enables unauthorized information disclosure by reading arbitrary local files from the affected server. The issue stems from improper input validation on file inclusion parameters and affects all versions of Amfissa up to and including version 1.1.

PHP Information Disclosure LFI
NVD VulDB
CVSS 3.1
8.1
EPSS
0.1%
CVE-2026-27078 HIGH This Week

A Local File Inclusion (LFI) vulnerability exists in the Mikado-Themes Emaurri WordPress theme through version 1.0.1, allowing attackers to include and execute arbitrary local files on the affected server. The vulnerability stems from improper control of filenames in PHP include/require statements (CWE-98), enabling information disclosure and potential remote code execution depending on file access and PHP configuration. While CVSS and EPSS scores are not available, the attack vector appears to be network-based with low complexity, and the vulnerability has been documented by Patchstack but exploitation status and proof-of-concept availability require verification from primary sources.

PHP Information Disclosure LFI
NVD VulDB
CVSS 3.1
8.1
EPSS
0.1%
CVE-2026-27077 HIGH This Week

A Local File Inclusion (LFI) vulnerability exists in Mikado-Themes' MultiOffice WordPress theme versions up to and including 1.2, stemming from improper control of filenames in PHP include/require statements. An attacker can exploit this vulnerability to read arbitrary files from the affected server, potentially disclosing sensitive configuration files, database credentials, or other confidential information. No CVSS score, EPSS data, or active exploitation (KEV) status has been assigned to this vulnerability.

PHP Information Disclosure LFI
NVD VulDB
CVSS 3.1
8.1
EPSS
0.1%
CVE-2026-27076 HIGH This Week

A Local File Inclusion (LFI) vulnerability exists in the Mikado-Themes LuxeDrive WordPress theme (version 1.0 and earlier) that allows attackers to read arbitrary files from the affected server through improper control of filename parameters in PHP include/require statements. An unauthenticated attacker can exploit this vulnerability to disclose sensitive information such as configuration files, database credentials, or other system files without requiring special privileges or user interaction. While no CVSS score or EPSS data is currently available, the vulnerability class (CWE-98: Improper Control of Filename for Include/Require Statement) indicates a high-severity condition with straightforward exploitation mechanics.

PHP Information Disclosure LFI
NVD VulDB
CVSS 3.1
8.1
EPSS
0.1%
CVE-2026-27075 HIGH This Week

A Local File Inclusion (LFI) vulnerability exists in the Mikado-Themes Belfort WordPress theme version 1.0 and earlier, allowing attackers to include and execute arbitrary local files through improper control of filename parameters in PHP include/require statements. While classified as a Remote File Inclusion vulnerability in the CVE description, the actual impact is Local File Inclusion, enabling information disclosure through the reading of sensitive files such as configuration files, database credentials, and source code. No CVSS score, EPSS data, or KEV status is currently available, but the vulnerability's nature suggests moderate to high real-world risk given the prevalence of WordPress themes and the ease of exploitation.

PHP Information Disclosure LFI
NVD VulDB
CVSS 3.1
8.1
EPSS
0.1%
CVE-2026-27048 HIGH This Week

A Local File Inclusion (LFI) vulnerability exists in Elated-Themes' The Aisle Core WordPress plugin through version 2.0.5, stemming from improper control of filenames in PHP include/require statements. This vulnerability allows unauthenticated attackers to read arbitrary files from the affected server, potentially exposing sensitive configuration files, database credentials, and other confidential information. No CVSS score, EPSS data, or active KEV status is currently available, but the vulnerability has been publicly documented by Patchstack and assigned EUVD-2026-15765.

PHP LFI Information Disclosure
NVD VulDB
CVSS 3.1
8.1
EPSS
0.1%
CVE-2026-27047 HIGH This Week

A Local File Inclusion (LFI) vulnerability exists in Mikado-Themes Curly Core plugin for WordPress through version 2.1.6, allowing improper control of filenames in PHP include/require statements. Attackers can exploit this to read arbitrary local files from the affected server, potentially disclosing sensitive configuration files, database credentials, and other confidential data. No CVSS score or EPSS data is currently available, and KEV/active exploitation status is unknown, but the vulnerability has been documented by Patchstack with a public reference URL.

PHP Information Disclosure LFI
NVD VulDB
CVSS 3.1
8.1
EPSS
0.1%
CVE-2026-25464 HIGH This Week

A Local File Inclusion (LFI) vulnerability exists in TieLabs Jannah WordPress theme through version 7.6.3, stemming from improper control of filename parameters in PHP include/require statements. An attacker can exploit this vulnerability to read arbitrary local files from the affected server, potentially disclosing sensitive configuration files, credentials, or source code. No CVSS score, EPSS data, or active KEV listing is currently available, but the LFI classification and information disclosure impact indicate moderate to high real-world risk depending on server configuration and file permissions.

PHP Information Disclosure LFI
NVD VulDB
CVSS 3.1
8.1
EPSS
0.1%
CVE-2026-25458 HIGH This Week

The Select-Themes Moments WordPress theme versions 2.2 and earlier contain a Local File Inclusion (LFI) vulnerability that allows attackers to improperly control filename parameters in PHP include/require statements. An unauthenticated attacker can exploit this vulnerability to read arbitrary files from the affected server, potentially disclosing sensitive configuration files, source code, or other confidential information. While no CVSS score or EPSS data is currently available and no active KEV listing is confirmed, the vulnerability is catalogued by Patchstack and has been assigned EUVD-2026-15740, indicating documented exploitation potential.

PHP Information Disclosure LFI
NVD VulDB
CVSS 3.1
8.1
EPSS
0.1%
CVE-2026-25457 HIGH This Week

A Local File Inclusion (LFI) vulnerability exists in the Select-Themes Mixtape WordPress theme through version 2.1, allowing attackers to include and execute arbitrary local files on the affected server. The vulnerability stems from improper control of filenames in PHP include/require statements (CWE-98), enabling information disclosure and potential remote code execution depending on file accessibility. While no CVSS score or EPSS data is currently available, the LFI classification and PHP nature of the vulnerability indicate moderate to high exploitability with network-based attack vectors.

PHP Information Disclosure LFI
NVD VulDB
CVSS 3.1
8.1
EPSS
0.1%
CVE-2026-25382 HIGH PATCH This Week

A Local File Inclusion (LFI) vulnerability exists in jwsthemes IdealAuto WordPress theme versions prior to 3.8.6, where improper control of filenames in PHP include/require statements allows attackers to read arbitrary files from the affected server. An unauthenticated remote attacker can exploit this vulnerability to disclose sensitive information such as configuration files, database credentials, and other system files. This vulnerability has been documented by Patchstack and tracked under EUVD-2026-15701; no CVSS score is currently assigned, though the tags indicate it enables information disclosure through PHP-based file inclusion.

PHP Information Disclosure LFI
NVD VulDB
CVSS 3.1
8.1
EPSS
0.1%
CVE-2026-25381 HIGH PATCH This Week

A Local File Inclusion (LFI) vulnerability exists in the JWSThemes LoveDate WordPress theme through version 3.8.5, allowing attackers to read arbitrary files from the affected server through improper control of filename parameters in PHP include/require statements. The vulnerability affects all versions of LoveDate prior to 3.8.6, and an attacker can exploit this to disclose sensitive information such as configuration files, database credentials, and other system files without requiring authentication or special privileges.

PHP Information Disclosure LFI
NVD VulDB
CVSS 3.1
8.1
EPSS
0.1%
CVE-2026-25380 HIGH PATCH This Week

A PHP Local File Inclusion (LFI) vulnerability exists in jwsthemes Feedy theme versions prior to 2.1.5, stemming from improper control of filenames in PHP include/require statements. This vulnerability allows unauthenticated attackers to read arbitrary files from the affected server, potentially exposing sensitive configuration files, database credentials, and other confidential information. The vulnerability is classified under CWE-98 (Improper Control of Filename for Include/Require Statement) and was reported by Patchstack, affecting WordPress installations using the vulnerable Feedy theme.

PHP Information Disclosure LFI
NVD VulDB
CVSS 3.1
8.1
EPSS
0.1%
CVE-2026-25379 HIGH PATCH This Week

A Local File Inclusion (LFI) vulnerability exists in jwsthemes StreamVid WordPress theme versions prior to 6.8.6, where improper control of filename parameters in PHP include/require statements allows attackers to read arbitrary files from the server. The vulnerability is classified as CWE-98 (Improper Control of Filename for Include/Require Statement in PHP Program) and has been documented by Patchstack with ENISA tracking ID EUVD-2026-15696. While no CVSS score or EPSS data is currently published, the LFI classification indicates potential for sensitive information disclosure including configuration files, source code, and credentials.

PHP Information Disclosure LFI
NVD VulDB
CVSS 3.1
8.1
EPSS
0.1%
CVE-2026-25366 CRITICAL Act Now

A Code Injection vulnerability exists in the Themeisle Woody ad snippets plugin (insert-php) through version 2.7.1 that allows unauthenticated attackers to execute arbitrary PHP code on affected WordPress installations. The vulnerability stems from improper control of code generation, classified as CWE-94, enabling remote code execution (RCE). Patchstack has documented this issue, and affected installations should be patched immediately as the attack vector appears to be network-accessible with low complexity.

PHP Code Injection RCE
NVD VulDB
CVSS 3.1
9.9
EPSS
0.0%
CVE-2026-25017 HIGH This Week

A Local File Inclusion (LFI) vulnerability exists in the NaturaLife Extensions WordPress plugin (versions up to 2.1) due to improper control of filenames in PHP include/require statements. This vulnerability allows unauthenticated attackers to read arbitrary files from the affected server, potentially leading to sensitive information disclosure such as configuration files, database credentials, and application source code. No CVSS score, EPSS data, or active KEV status is available, but the vulnerability is confirmed by Patchstack and tracked under EUVD-2026-15617.

PHP Information Disclosure LFI
NVD VulDB
CVSS 3.1
8.1
EPSS
0.1%
CVE-2026-22516 HIGH This Week

AncoraThemes Wizor's investment theme for WordPress versions through 2.12 contains a Local File Inclusion (LFI) vulnerability that allows attackers to include and execute arbitrary local files on the server through improper handling of filename parameters in PHP include/require statements. This vulnerability enables information disclosure and potential remote code execution depending on server configuration and available files. While no CVSS score or EPSS data has been assigned, the vulnerability is tracked in the ENISA EUVD database (EUVD-2026-15532) and was reported by Patchstack, indicating active security research and likely proof-of-concept availability.

PHP Information Disclosure LFI
NVD VulDB
CVSS 3.1
8.1
EPSS
0.1%
CVE-2026-22515 HIGH This Week

A Local File Inclusion (LFI) vulnerability exists in AncoraThemes VegaDays WordPress theme through version 1.2.0, allowing improper control of filenames in PHP include/require statements. Attackers can leverage this vulnerability to read arbitrary files from the affected server, potentially disclosing sensitive configuration files, database credentials, and other confidential data. While no CVSS score or EPSS data is currently available and KEV status is unknown, the vulnerability is classified as an information disclosure issue with a straightforward exploitation path typical of LFI vulnerabilities in WordPress themes.

PHP Information Disclosure LFI
NVD VulDB
CVSS 3.1
8.1
EPSS
0.1%
CVE-2026-22514 HIGH This Week

This is a Local File Inclusion (LFI) vulnerability in AncoraThemes Unica WordPress theme versions up to and including 1.4.1, where improper control of filenames in PHP include/require statements allows attackers to read arbitrary local files from the affected server. An unauthenticated remote attacker can exploit this vulnerability to disclose sensitive information such as configuration files, database credentials, or other sensitive data stored on the server. The vulnerability is classified as CWE-98 (Improper Control of Filename for Include/Require Statement in PHP Program) and has been documented by Patchstack with ENISA EUVD tracking ID EUVD-2026-15528.

PHP Information Disclosure LFI
NVD VulDB
CVSS 3.1
8.1
EPSS
0.1%
CVE-2026-22513 HIGH This Week

A Local File Inclusion (LFI) vulnerability exists in AncoraThemes Triompher WordPress theme versions up to and including 1.1.0, caused by improper control of filename parameters in PHP include/require statements. An unauthenticated attacker can exploit this vulnerability to read arbitrary files from the server, leading to information disclosure of sensitive data such as configuration files, database credentials, and other system files. No CVSS score, EPSS data, or known exploitation in the wild (KEV status) has been published, but the vulnerability is confirmed and documented by Patchstack with an available reference.

PHP Information Disclosure LFI
NVD VulDB
CVSS 3.1
8.1
EPSS
0.1%
CVE-2026-22512 HIGH This Week

A security vulnerability in Elated-Themes Roisin roisin allows PHP Local File Inclusion (CVSS 8.1). High severity vulnerability requiring prompt remediation.

PHP Information Disclosure LFI
NVD VulDB
CVSS 3.1
8.1
EPSS
0.1%
CVE-2026-22511 HIGH This Week

A Local File Inclusion (LFI) vulnerability exists in the Elated-Themes NeoBeat WordPress theme through version 1.2, allowing attackers to read arbitrary files from the affected server through improper control of filename parameters in PHP include/require statements. The vulnerability enables information disclosure attacks where an attacker can access sensitive files such as configuration files, database credentials, and source code without requiring authentication or special privileges. This is a CWE-98 vulnerability that transforms what was initially reported as PHP Remote File Inclusion (RFI) into a confirmed Local File Inclusion attack vector.

PHP Information Disclosure LFI
NVD VulDB
CVSS 3.1
8.1
EPSS
0.1%
CVE-2026-22509 HIGH This Week

A Local File Inclusion (LFI) vulnerability exists in the Elated-Themes Gioia WordPress theme through version 1.4, allowing improper control of filenames in PHP include/require statements. Attackers can leverage this vulnerability to read sensitive local files from the affected web server, potentially disclosing configuration files, database credentials, or other confidential information. The vulnerability affects all installations of Gioia version 1.4 and earlier, with no CVSS or EPSS scoring data currently available, though the CWE-98 classification and LFI nature suggest moderate to high practical risk.

PHP Information Disclosure LFI
NVD VulDB
CVSS 3.1
8.1
EPSS
0.1%
CVE-2026-22508 HIGH This Week

A Local File Inclusion (LFI) vulnerability exists in the AncoraThemes Dentalux WordPress theme through version 3.3, allowing attackers to include and execute arbitrary local files on the server. This vulnerability stems from improper control of filenames in PHP include/require statements (CWE-98), enabling attackers to read sensitive files or execute malicious code without requiring authentication. While no CVSS score or EPSS probability is currently available, the LFI classification and information disclosure tags indicate this poses a significant risk for unauthorized file access and potential remote code execution.

PHP Information Disclosure LFI
NVD VulDB
CVSS 3.1
8.1
EPSS
0.1%
CVE-2026-22506 HIGH This Week

A Local File Inclusion (LFI) vulnerability exists in the Elated-Themes Amoli WordPress theme version 1.0 and earlier, stemming from improper control of filenames in PHP include/require statements. An attacker can exploit this weakness to read arbitrary files from the affected server, potentially disclosing sensitive configuration files, database credentials, or other confidential information. The vulnerability is classified under CWE-98 (Improper Control of Filename for Include/Require Statement in PHP Program) and has been documented by Patchstack with ENISA EUVD identifier EUVD-2026-15514.

PHP Information Disclosure LFI
NVD VulDB
CVSS 3.1
8.1
EPSS
0.1%
CVE-2026-22504 HIGH This Week

A security vulnerability in ThemeREX ProLingua prolingua allows PHP Local File Inclusion (CVSS 8.1). High severity vulnerability requiring prompt remediation.

PHP Information Disclosure LFI
NVD VulDB
CVSS 3.1
8.1
EPSS
0.1%
CVE-2026-22503 HIGH This Week

A Local File Inclusion (LFI) vulnerability exists in the ThemeREX Nelson WordPress theme through version 1.2.0, allowing attackers to read arbitrary files from the affected server. The vulnerability stems from improper control of filenames in PHP include/require statements (CWE-98), enabling information disclosure attacks without authentication. While no CVSS score or EPSS data is currently available, the LFI classification and public disclosure via Patchstack indicate this is a genuine security concern affecting WordPress installations using vulnerable Nelson theme versions.

PHP Information Disclosure LFI
NVD VulDB
CVSS 3.1
8.1
EPSS
0.1%
CVE-2026-22502 HIGH This Week

A Local File Inclusion (LFI) vulnerability exists in AncoraThemes Mr. Cobbler WordPress theme through version 1.1.9, stemming from improper control of filenames in PHP include/require statements (CWE-98). An attacker can exploit this vulnerability to disclose sensitive local files from the affected server by manipulating include parameters. While no CVSS score or EPSS data is currently available and KEV status is unknown, the vulnerability is classified as high-severity due to its information disclosure impact and the ease with which LFI vulnerabilities are typically exploited.

PHP Information Disclosure LFI
NVD VulDB
CVSS 3.1
8.1
EPSS
0.1%
CVE-2026-22499 HIGH This Week

This vulnerability is a Local File Inclusion (LFI) flaw in the Elated-Themes Lella WordPress theme that allows improper control of filename parameters in PHP include/require statements, enabling attackers to read arbitrary files from the affected server. The vulnerability affects Lella theme versions through 1.2, and while CVSS and EPSS scores are not available, the nature of LFI vulnerabilities typically permits information disclosure of sensitive files such as configuration files, database credentials, and source code. No KEV status or public proof-of-concept has been confirmed in this intelligence dataset, but the vulnerability was reported by Patchstack, a reputable WordPress security researcher.

PHP Information Disclosure LFI
NVD VulDB
CVSS 3.1
8.1
EPSS
0.1%
CVE-2026-22498 HIGH This Week

A Local File Inclusion (LFI) vulnerability exists in the Laurent WordPress theme (versions up to 3.1) due to improper control of filenames in PHP include/require statements, allowing attackers to read arbitrary files from the affected server. This vulnerability, reported by Patchstack and tracked as EUVD-2026-15503, enables information disclosure attacks without requiring authentication or special privileges. The vulnerability is classified under CWE-98 (Improper Control of Filename for Include/Require Statement in PHP) and affects all installations of Laurent theme version 3.1 and earlier.

PHP Information Disclosure LFI
NVD VulDB
CVSS 3.1
8.1
EPSS
0.1%
CVE-2026-22496 HIGH This Week

A Local File Inclusion (LFI) vulnerability exists in the AncoraThemes Hypnotherapy WordPress theme through version 1.2.10, allowing attackers to read arbitrary files from the affected server by manipulating filename parameters in PHP include/require statements. This vulnerability is classified as CWE-98 (Improper Control of Filename for Include/Require Statement) and enables information disclosure attacks. The vulnerability has been documented by Patchstack and assigned EUVD ID EUVD-2026-15502, though no CVSS score or CVSS vector has been formally assigned, and active exploitation status remains unconfirmed in public intelligence.

PHP Information Disclosure LFI
NVD VulDB
CVSS 3.1
8.1
EPSS
0.1%
CVE-2026-22495 HIGH This Week

AncoraThemes Greenville WordPress theme versions up to and including 1.3.2 contain a Local File Inclusion (LFI) vulnerability resulting from improper control of filenames in PHP include/require statements (CWE-98). An attacker can exploit this vulnerability to read arbitrary files from the affected server, leading to information disclosure of sensitive configuration files, source code, and other locally stored data. No CVSS score, EPSS probability, or KEV status have been assigned at this time, though the vulnerability has been formally documented by Patchstack and assigned an ENISA EUVD ID.

PHP Information Disclosure LFI
NVD VulDB
CVSS 3.1
8.1
EPSS
0.1%
CVE-2026-22494 HIGH This Week

A Local File Inclusion (LFI) vulnerability exists in the ThemeREX Good Homes WordPress theme through version 1.3.13, allowing attackers to include and execute arbitrary local files on the affected server. The vulnerability stems from improper control of filenames in PHP include/require statements (CWE-98), enabling unauthenticated attackers to disclose sensitive information or achieve remote code execution by accessing system files. No CVSS score, EPSS data, or active KEV designation was reported, but the LFI classification and information disclosure impact indicate this requires prompt patching.

PHP LFI Information Disclosure
NVD VulDB
CVSS 3.1
8.1
EPSS
0.1%
CVE-2026-22493 HIGH This Week

A Local File Inclusion (LFI) vulnerability exists in the Elated-Themes Gaspard WordPress theme through version 1.3, stemming from improper control of filenames in PHP include/require statements. An unauthenticated attacker can exploit this vulnerability to read arbitrary files from the affected server, potentially disclosing sensitive information such as configuration files, database credentials, or other sensitive data. The vulnerability affects all versions up to and including 1.3, and while no CVSS score or EPSS data is currently published, the LFI classification and information disclosure impact indicate this requires prompt remediation.

PHP Information Disclosure LFI
NVD VulDB
CVSS 3.1
8.1
EPSS
0.1%
CVE-2026-4815 HIGH PATCH This Week

Unauthenticated attackers can exploit SQL injection in Support Board v3.7.7's AJAX endpoint to fully compromise the application database through the calls[0][message_ids][] parameter, enabling complete data exfiltration and manipulation. The vulnerability requires only low privileges and network access, with no user interaction needed, making it trivially exploitable in multi-tenant environments. A patch is available and should be applied immediately given the HIGH severity rating and complete database access impact.

SQLi PHP
NVD VulDB
CVSS 4.0
8.7
EPSS
0.0%
CVE-2026-4816 MEDIUM PATCH This Month

A Reflected Cross-Site Scripting (XSS) vulnerability exists in Support Board v3.7.7 that allows unauthenticated attackers to inject malicious JavaScript code via the 'search' parameter in the '/supportboard/include/articles.php' endpoint. Successful exploitation enables attackers to steal session cookies, perform unauthorized actions on behalf of victims, or harvest sensitive user data through victim browsers. A vendor patch is available, and the vulnerability has been officially reported by INCIBE, indicating moderate real-world attention.

XSS PHP
NVD VulDB
CVSS 4.0
4.8
EPSS
0.0%
CVE-2026-4784 MEDIUM POC This Month

SQL injection in Simple Laundry System 1.0 PHP application allows unauthenticated remote attackers to execute arbitrary database queries through the serviceId parameter in /checkcheckout.php. Public exploit code exists for this vulnerability, and no patch is currently available.

PHP SQLi
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-4783 LOW POC Monitor

SQL injection in the College Management System 1.0 parameter handler allows authenticated attackers to manipulate the course_code argument in /admin/add-single-student-results.php and execute arbitrary database queries. Public exploit code exists for this vulnerability, and no patch is currently available. The attack requires network access and valid credentials but can compromise data confidentiality and integrity.

PHP SQLi
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-4781 LOW POC Monitor

SQL injection in SourceCodester Sales and Inventory System 1.0 allows authenticated remote attackers to manipulate the sid parameter in update_purchase.php, enabling unauthorized database queries and potential data exfiltration. Public exploit code exists for this vulnerability, and no patch is currently available.

PHP SQLi
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-4780 LOW POC Monitor

SourceCodester Sales and Inventory System 1.0 contains a SQL injection vulnerability in the update_out_standing.php file's sid parameter that allows authenticated remote attackers to execute arbitrary database queries. Public exploit code exists for this vulnerability, and no patch is currently available. The vulnerability affects PHP-based deployments and has a CVSS score of 5.3.

SQLi PHP
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-4779 LOW POC Monitor

SQL injection in SourceCodester Sales and Inventory System 1.0 via the sid parameter in update_customer_details.php allows authenticated remote attackers to execute arbitrary SQL commands. Public exploit code exists for this vulnerability, and no patch is currently available. Affected organizations using PHP-based deployments of this system should restrict access to the vulnerable component until a fix is released.

PHP SQLi
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-4778 LOW POC Monitor

SQL injection in SourceCodester Sales and Inventory System 1.0 allows authenticated remote attackers to execute arbitrary SQL queries via the sid parameter in update_category.php. Public exploit code exists for this vulnerability, and no patch is currently available. Attackers with valid credentials can leverage this weakness to compromise database integrity and extract sensitive information.

PHP SQLi
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-4777 LOW POC Monitor

SQL injection in SourceCodester Sales and Inventory System 1.0's view_supplier.php POST parameter handler allows authenticated attackers to execute arbitrary SQL queries through the searchtxt parameter. Public exploit code exists for this vulnerability, increasing the risk of active exploitation. The vulnerability affects PHP-based installations and currently lacks an available patch.

PHP SQLi
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-23923 MEDIUM PATCH This Month

An unauthenticated remote code execution vulnerability exists in Zabbix's Frontend 'validate' action that permits blind instantiation of arbitrary PHP classes without authentication. The vulnerability affects Zabbix products across multiple versions as indicated by the CPE wildcard notation, and while the immediate impact appears limited by environment-specific constraints, successful exploitation could lead to information disclosure or arbitrary code execution depending on available PHP classes in the deployment context. No CVSS score, EPSS data, or KEV status is currently published, but the attack vector is unauthenticated and likely has low complexity, suggesting meaningful real-world risk.

PHP Information Disclosure Suse
NVD VulDB
CVSS 4.0
6.9
EPSS
0.1%
CVE-2026-23921 HIGH PATCH This Week

A blind SQL injection vulnerability exists in Zabbix's API service layer (include/classes/api/CApiService.php) via the sortfield parameter that allows low-privilege users with API access to execute arbitrary SQL SELECT queries without direct result exfiltration. An attacker can leverage time-based blind SQL injection techniques to extract sensitive data such as session identifiers and administrator credentials, potentially leading to full administrative compromise of the Zabbix monitoring infrastructure. No CVSS score, EPSS data, or KEV status has been published, but the vulnerability's reliance on blind techniques and low-privilege requirement suggests moderate real-world exploitability.

PHP SQLi Suse
NVD VulDB
CVSS 4.0
8.7
EPSS
0.0%
CVE-2026-33399 HIGH PATCH This Week

An incomplete Server-Side Request Forgery (SSRF) mitigation in Wallos, a self-hostable subscription tracker, allows authenticated attackers to bypass security controls and force the application to make requests to internal or private IP addresses. Wallos versions prior to 4.7.0 are affected. The vulnerability occurs because SSRF validation was added to test notification endpoints but not the corresponding save endpoints, enabling attackers to store malicious URLs that execute without validation when the cron job runs. No active exploitation (KEV) or public POC is currently documented.

SSRF PHP
NVD GitHub VulDB
CVSS 3.1
7.7
EPSS
0.0%
CVE-2026-33407 HIGH PATCH This Week

Wallos, an open-source self-hostable subscription tracker, contains a Server-Side Request Forgery (SSRF) vulnerability in the endpoints/logos/search.php endpoint prior to version 4.7.0. The vulnerability allows unauthenticated attackers to hijack HTTP_PROXY and HTTPS_PROXY environment variables without validation, enabling them to redirect outbound requests to arbitrary domains by manipulating DNS resolution through user-supplied search terms. This attack requires no special privileges and can be executed remotely over the network, making it a significant risk for exposed Wallos instances.

SSRF PHP
NVD GitHub VulDB
CVSS 4.0
8.3
EPSS
0.0%
CVE-2026-33157 PHP HIGH PATCH This Week

A Remote Code Execution vulnerability exists in Craft CMS versions 4.x and 5.x that bypasses previous security patches for behavior injection attacks. An authenticated user with control panel access can exploit an unsanitized fieldLayouts parameter in the ElementIndexesController to inject malicious Yii2 behaviors and achieve arbitrary code execution. While no active exploitation (KEV) is documented, a patch is available and the vulnerability requires only low-privilege authenticated access, making it a significant risk for deployments with multiple control panel users.

PHP RCE
NVD GitHub VulDB
CVSS 4.0
8.6
EPSS
0.0%
CVE-2026-30932 PHP HIGH PATCH GHSA This Week

Froxlor, a web hosting control panel, contains an injection vulnerability in its DNS zone management API that allows authenticated customers with DNS privileges to inject BIND zone file directives (such as $INCLUDE) through unvalidated content fields in LOC, RP, SSHFP, and TLSA DNS record types. Attackers can leverage this to read arbitrary world-readable files on the server, disrupt DNS services, or inject unauthorized DNS records. A proof-of-concept exploit is publicly available demonstrating file inclusion attacks, and patches have been released by the vendor in version 2.3.5.

PHP Information Disclosure
NVD GitHub VulDB
CVSS 4.0
8.6
EPSS
0.0%
CVE-2019-25647 HIGH POC This Week

PhreeBooks ERP 5.2.3 contains a remote code execution vulnerability in the image manager that allows authenticated attackers to upload and execute arbitrary PHP files by bypassing file extension. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP RCE File Upload
NVD Exploit-DB
CVSS 4.0
8.7
EPSS
0.1%
CVE-2019-25643 HIGH POC This Week

eNdonesia Portal v8.7 contains multiple SQL injection vulnerabilities that allow unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the bid parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi
NVD Exploit-DB VulDB
CVSS 4.0
8.8
EPSS
0.1%
CVE-2019-25642 HIGH POC This Week

Unauthenticated SQL injection in Bootstrapy CMS allows remote attackers to extract sensitive database information or cause denial of service through multiple POST parameters in forum and contact modules. The vulnerability affects forum-thread.php (thread_id), contact-submit.php (subject), and post-new-submit.php (post-id) endpoints. Public exploit code exists via Exploit-DB #46590, though EPSS probability remains low at 0.06% (19th percentile), suggesting limited real-world exploitation despite ease of attack (AV:N/AC:L/PR:N). SSVC framework confirms proof-of-concept availability and automated exploitation potential with partial technical impact.

PHP SQLi Denial Of Service Bootstrap
NVD Exploit-DB VulDB
CVSS 4.0
8.8
EPSS
0.1%
CVE-2019-25641 HIGH POC This Week

Netartmedia Vlog System contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the email parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi
NVD Exploit-DB VulDB
CVSS 4.0
8.8
EPSS
0.1%
CVE-2019-25640 HIGH POC This Week

SQL injection in Inout Article Base CMS allows remote unauthenticated attackers to extract sensitive database information or cause denial of service through malicious XOR-based and time-based SQL payloads injected via 'p' and 'u' parameters in GET requests to portalLogin.php. Public exploit code demonstrates the attack (Exploit-DB 46593), though EPSS scoring indicates low probability of widespread exploitation (0.06%, 19th percentile). No vendor patch has been identified, and the vendor website reference provides no security advisory, leaving deployments at continued risk.

PHP SQLi Denial Of Service
NVD Exploit-DB VulDB
CVSS 4.0
8.8
EPSS
0.1%
CVE-2019-25639 HIGH POC This Week

Matrimony Website Script M-Plus contains multiple SQL injection vulnerabilities that allow unauthenticated attackers to manipulate database queries by injecting SQL code through various POST. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi
NVD Exploit-DB VulDB
CVSS 4.0
8.8
EPSS
0.1%
CVE-2019-25638 HIGH POC This Week

Meeplace Business Review Script contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the 'id' parameter. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Denial Of Service
NVD Exploit-DB VulDB
CVSS 4.0
7.1
EPSS
0.0%
CVE-2019-25636 HIGH POC This Week

Zeeways Jobsite CMS contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the 'id' GET parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi
NVD Exploit-DB VulDB
CVSS 4.0
8.8
EPSS
0.1%
CVE-2019-25632 MEDIUM POC This Month

phpFileManager 1.7.8 contains a local file inclusion vulnerability that allows unauthenticated attackers to read arbitrary files by manipulating the action, fm_current_dir, and filename parameters. Rated medium severity (CVSS 6.9), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass PHP
NVD Exploit-DB VulDB
CVSS 4.0
6.9
EPSS
0.0%
CVE-2019-25630 HIGH POC This Week

PhreeBooks ERP 5.2.3 contains an arbitrary file upload vulnerability in the Image Manager component that allows authenticated attackers to upload malicious files by submitting requests to the image. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS PHP RCE File Upload
NVD Exploit-DB VulDB
CVSS 4.0
8.7
EPSS
0.2%
CVE-2026-4632 MEDIUM POC This Month

SQL injection in itsourcecode Online Enrollment System 1.0 allows unauthenticated remote attackers to manipulate the Name parameter in /sms/user/index.php?view=add, potentially enabling unauthorized data access, modification, or deletion. Public exploit code exists for this vulnerability, increasing risk of active exploitation. No patch is currently available.

PHP SQLi
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-4626 LOW POC Monitor

A stored cross-site scripting (XSS) vulnerability exists in projectworlds Lawyer Management System version 1.0 within the /lawyer_booking.php file, where the Description parameter fails to sanitize user input before rendering. An authenticated attacker can inject malicious JavaScript that executes in the context of other users' browsers, potentially leading to session hijacking, credential theft, or unauthorized actions. A proof-of-concept exploit has been publicly disclosed on GitHub, and the vulnerability carries a CVSS score of 3.5 with evidence of public exploitation.

PHP XSS
NVD VulDB GitHub
CVSS 4.0
2.0
EPSS
0.0%
CVE-2026-4625 MEDIUM POC This Month

SourceCodester Online Admission System 1.0 contains a SQL injection vulnerability in the /programmes.php file's program parameter that allows unauthenticated remote attackers to execute arbitrary database queries. Public exploit code is available for this vulnerability, and no patch is currently available. The flaw enables attackers to potentially read, modify, or delete sensitive admission system data.

SQLi PHP
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-4624 MEDIUM POC This Month

SQL injection in SourceCodester Online Library Management System 1.0 allows unauthenticated remote attackers to manipulate the searchField parameter in /home.php, enabling data exfiltration, modification, and potential service disruption. Public exploit code exists for this vulnerability, and no patch is currently available.

SQLi PHP
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-4623 MEDIUM POC PATCH This Month

A Server-Side Request Forgery (SSRF) vulnerability exists in DefaultFuction Jeson-Customer-Relationship-Management-System affecting versions up to commit 1b4679c4d06b90d31dd521c2b000bfdec5a36e00. The vulnerability resides in the /api/System.php file where the 'url' parameter can be manipulated to force the server to make arbitrary requests. A publicly disclosed proof-of-concept exploit is available on GitHub, and patches have been released by the vendor.

PHP SSRF
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-4617 MEDIUM POC This Month

SourceCodester Patients Waiting Area Queue Management System 1.0 contains an improper authorization flaw in the ValidateToken function of the Patient Check-In Module that allows unauthenticated remote attackers to bypass access controls. Public exploit code is available for this vulnerability, and no patch has been released. The attack requires no user interaction and could enable unauthorized access to patient check-in functionality.

PHP Authentication Bypass
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-4615 MEDIUM This Month

SQL injection in SourceCodester Online Catering Reservation 1.0 via the rcode parameter in /search.php allows unauthenticated remote attackers to manipulate database queries with no user interaction required. The vulnerability enables attackers to read, modify, or delete sensitive data, and public exploit code is readily available. PHP-based deployments of this catering reservation system are actively targeted due to the ease of exploitation and lack of available patches.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-4614 LOW Monitor

SQL injection in the Parameter Handler of itsourcecode sanitize or validate this input 1.0 allows authenticated remote attackers to manipulate the subject_code argument in /admin/subjects.php and execute arbitrary SQL commands. Public exploit code exists for this vulnerability, and no patch is currently available.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-29840 MEDIUM This Month

JiZhiCMS v2.5.6 and earlier contains a stored cross-site scripting (XSS) vulnerability in the user release function that allows authenticated attackers to inject malicious scripts through improper HTML sanitization. The vulnerability exists because the application filters <script> tags but fails to recursively remove dangerous event handlers (such as onerror) from other HTML elements like <img> tags, enabling persistent XSS attacks. A proof-of-concept has been published on GitHub, and while no CVSS score or EPSS data is currently available, the low barrier to exploitation (authenticated access via POST parameter) and persistent nature of the attack present meaningful risk to affected installations.

PHP XSS
NVD GitHub VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-29839 HIGH This Week

DedeCMS v5.7.118 contains a Cross-Site Request Forgery (CSRF) vulnerability in the /sys_task_add.php endpoint that allows attackers to perform unauthorized actions on behalf of authenticated users without their knowledge or consent. An attacker can craft a malicious webpage or email that, when visited by an authenticated DedeCMS administrator, will execute unwanted administrative tasks such as adding or modifying system tasks. While no CVSS score, EPSS data, or active KEV listing is currently available, a public proof-of-concept exists on GitHub demonstrating the vulnerability's exploitability.

PHP CSRF
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-30655 MEDIUM This Month

SQL injection in the password reset function of ESICLivre v0.2.2 and earlier allows unauthenticated attackers to extract sensitive data by manipulating the cpfcnpj parameter. The vulnerability requires no user interaction and can be exploited remotely over the network, though no patch is currently available.

SQLi PHP Authentication Bypass
NVD GitHub VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-30662 PHP MEDIUM This Month

ConcreteCMS version 9.4.7 contains a memory exhaustion vulnerability in the File Manager's download functionality that allows authenticated attackers to trigger a Denial of Service condition. The vulnerability exists in the 'download' method of 'concrete/controllers/backend/file.php', where improper memory management during zip archive creation using ZipArchive::addFromString combined with file_get_contents loads entire file contents into PHP memory without streaming or size validation. An attacker with valid authentication credentials can exploit this by requesting bulk downloads of large files, exhausting available PHP memory and causing the PHP-FPM process to crash with a SIGSEGV signal, rendering the web application unavailable with HTTP 500 errors.

PHP Denial Of Service
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-33290 MEDIUM This Month

WPGraphQL prior to version 2.10.0 allows authenticated low-privileged users to bypass comment moderation controls and self-approve their own comments without possessing the moderate_comments capability. The vulnerability exploits owner-based authorization logic in the updateComment mutation, enabling non-moderator users to transition comment status to APPROVE, HOLD, SPAM, or TRASH states directly. A proof-of-concept demonstrating this authorization bypass in WPGraphQL 2.9.1 has been published, and while the EPSS score of 0.03% indicates low statistical likelihood of exploitation, the attack vector is network-based with low complexity and requires only low-level user privileges (including custom roles with zero capabilities).

WordPress PHP Docker Node.js Authentication Bypass
NVD GitHub VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-4021 HIGH This Week

The Contest Gallery plugin for WordPress contains an authentication bypass vulnerability that allows unaattacked attackers to take over administrator accounts and gain complete site control. All versions up to and including 28.1.5 are affected when the non-default RegMailOptional=1 setting is enabled. The vulnerability exploits MySQL type coercion by registering with specially crafted email addresses to overwrite admin activation keys, then using an unauthenticated login endpoint to authenticate as the target user. With a CVSS score of 8.1 and high attack complexity (AC:H), this represents a critical risk for sites using the vulnerable configuration.

WordPress PHP Authentication Bypass
NVD VulDB
CVSS 3.1
8.1
EPSS
0.1%
CVE-2026-3533 HIGH This Week

The Jupiter X Core plugin for WordPress contains an unrestricted file upload vulnerability allowing authenticated users with Subscriber-level privileges or higher to upload dangerous file types including .phar, .svg, .dfxp, and .xhtml files. This stems from missing authorization checks in the import_popup_templates() function and insufficient file type validation in the upload_files() function. Successful exploitation leads to Remote Code Execution on Apache servers with mod_php configured to execute .phar files, or Stored Cross-Site Scripting attacks via malicious SVG and other file types on any server configuration.

Apache WordPress PHP File Upload RCE +1
NVD VulDB
CVSS 3.1
8.8
EPSS
0.2%
CVE-2026-4001 CRITICAL Act Now

The Woocommerce Custom Product Addons Pro plugin for WordPress contains a critical remote code execution vulnerability caused by unsafe use of PHP's eval() function when processing custom pricing formulas. All versions up to and including 5.4.1 are affected, allowing unauthenticated attackers to execute arbitrary PHP code on the server by submitting malicious input to WCPA text fields configured with custom pricing formulas. With a CVSS score of 9.8, this represents a maximum severity issue requiring immediate attention, though EPSS and KEV status data are not provided in the available intelligence.

Code Injection WordPress PHP RCE
NVD VulDB
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-4613 MEDIUM POC This Month

SQL injection in SourceCodester E-Commerce Site 1.0 through the Search parameter in /products.php enables unauthenticated remote attackers to read, modify, and delete database contents. Public exploit code exists for this vulnerability, and no patch is currently available, putting all installations at immediate risk.

SQLi PHP
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-4612 MEDIUM POC This Month

SQL injection in the Free Hotel Reservation System 1.0 admin panel allows unauthenticated remote attackers to manipulate the account_id parameter and execute arbitrary SQL queries with potential for data theft, modification, and system disruption. Public exploit code exists for this vulnerability, and no patch is currently available.

PHP SQLi
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-33486 PHP MEDIUM PATCH This Month

This vulnerability in Roadiz's DownloadedFile::fromUrl() method allows authenticated users with ROLE_ACCESS_DOCUMENTS to read arbitrary files from the server via PHP stream wrapper abuse, specifically by injecting file:// URIs into media import workflows. An attacker can extract sensitive files including .env configuration files, database credentials, and system files, achieving complete confidentiality compromise of the application and potentially the underlying infrastructure. A proof-of-concept exists demonstrating exploitation through malicious Podcast RSS feeds, and a patch is available from the vendor.

PHP SSRF Microsoft Privilege Escalation
NVD GitHub
CVSS 3.1
6.8
EPSS
0.0%
CVE-2026-4596 LOW POC Monitor

A stored or reflected cross-site scripting (XSS) vulnerability exists in projectworlds Lawyer Management System version 1.0, specifically in the /lawyers.php file where the first_Name parameter is inadequately sanitized. An authenticated attacker can inject malicious JavaScript that executes in the context of other users' browsers, potentially stealing session tokens or performing unauthorized actions. A public proof-of-concept exploit is available, and exploitation requires only low complexity with user interaction (UI:R), though the attack vector is network-accessible and does not require high privileges.

PHP XSS
NVD VulDB GitHub
CVSS 4.0
2.0
EPSS
0.0%
CVE-2026-33548 PHP HIGH PATCH This Week

MantisBT version 2.28.0 contains a stored cross-site scripting (XSS) vulnerability in the Timeline view of my_view_page.php where tag names are improperly escaped when retrieved from the History table, allowing attackers to inject arbitrary HTML and potentially execute JavaScript if Content Security Policy permits. This affects users viewing issues with renamed or deleted tags, and version 2.28.1 contains the patch. No CVSS score or EPSS data is currently available, but the vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation) and carries moderate to high risk in environments without strict CSP enforcement.

PHP XSS
NVD GitHub VulDB
CVSS 4.0
8.6
EPSS
0.1%
EPSS 0% CVSS 8.8
HIGH PATCH This Week

The code16/sharp Laravel admin panel package contains a critical file upload vulnerability that allows authenticated users to bypass all file type restrictions by manipulating client-controlled validation rules. Affected versions prior to 9.20.0 accept a user-supplied validation_rule parameter that is passed directly to Laravel's validator, enabling attackers to upload arbitrary files including PHP webshells. With a CVSS score of 8.8, this vulnerability can lead to Remote Code Execution when the storage disk is publicly accessible, though default configurations provide some protection against direct execution.

PHP File Upload RCE
NVD GitHub
EPSS 0% CVSS 8.6
HIGH PATCH This Week

The yansongda/pay PHP library contains an authentication bypass vulnerability that allows attackers to forge WeChat Pay payment notifications by including a 'Host: localhost' header in HTTP requests. The verify_wechat_sign() function unconditionally skips RSA signature verification when it detects localhost as the hostname, enabling attackers to send fake payment success callbacks that applications may process as legitimate transactions. A proof-of-concept exploit exists demonstrating the attack, though the vendor notes most production environments with properly configured reverse proxies, WAFs, or CDNs will reject forged Host headers, significantly reducing real-world exploitability.

Nginx PHP Authentication Bypass
NVD GitHub
EPSS 0% CVSS 7.5
HIGH This Week

A Local File Inclusion (LFI) vulnerability exists in the nK Visual Portfolio, Photo Gallery & Post Grid WordPress plugin through version 3.5.1, allowing attackers to include and execute arbitrary local files on the server via improper control of filename parameters in PHP include/require statements. An attacker with network access can exploit this vulnerability to disclose sensitive information such as configuration files, database credentials, or other local files stored on the web server. While CVSS and EPSS scores are not publicly available, the vulnerability is classified under CWE-98 (Improper Control of Filename for Include/Require) and affects all installations of this plugin running version 3.5.1 or earlier.

PHP LFI Information Disclosure
NVD VulDB
EPSS 0% CVSS 8.1
HIGH PATCH This Week

A Local File Inclusion (LFI) vulnerability exists in Gavias Kunco WordPress theme versions prior to 1.4.5, allowing attackers to read arbitrary files from the affected server through improper control of filename parameters in PHP include/require statements. This vulnerability enables information disclosure attacks where sensitive files such as configuration files, source code, or system files could be exposed to unauthenticated or low-privileged attackers. No CVSS score or EPSS data is currently available, but the vulnerability is classified under CWE-98 (Improper Control of Filename for Include/Require Statement), a critical class of PHP-based remote/local file inclusion flaws.

PHP Information Disclosure LFI
NVD VulDB
EPSS 0% CVSS 8.1
HIGH This Week

A Local File Inclusion (LFI) vulnerability exists in the CreativeWS Kiddy WordPress theme through version 2.0.8, allowing attackers to read arbitrary files from the affected server through improper control of filename parameters in PHP include/require statements. An attacker can exploit this vulnerability to disclose sensitive information such as configuration files, database credentials, or other locally stored data without requiring authentication or special privileges. While no CVSS score or EPSS data is currently available, the vulnerability is actively tracked by multiple security intelligence sources including Patchstack and ENISA, indicating confirmed exploitability.

PHP Information Disclosure LFI
NVD VulDB
EPSS 0% CVSS 8.1
HIGH This Week

A Local File Inclusion (LFI) vulnerability exists in CreativeWS VintWood WordPress theme versions up to and including 1.1.8, stemming from improper control of filenames in PHP include/require statements. This vulnerability allows unauthenticated attackers to read arbitrary files from the affected server, potentially exposing sensitive configuration files, database credentials, and other confidential information. No CVSS score, EPSS data, or KEV status is currently available, but the issue is documented across multiple security intelligence sources including Patchstack and ENISA.

PHP Information Disclosure LFI
NVD VulDB
EPSS 0% CVSS 8.1
HIGH This Week

A Local File Inclusion (LFI) vulnerability exists in CreativeWS Trendustry WordPress theme versions up to 1.1.4, allowing attackers to include and execute arbitrary local files through improper control of filename parameters in PHP include/require statements. This vulnerability can lead to information disclosure by allowing attackers to read sensitive files on the server without requiring authentication or special privileges. While no CVSS or EPSS scores are currently published, the LFI classification and information disclosure impact indicate this represents a significant security risk for affected installations.

PHP Information Disclosure LFI
NVD VulDB
EPSS 0% CVSS 8.1
HIGH This Week

A Local File Inclusion (LFI) vulnerability exists in CreativeWS MetaMax theme versions up to and including 1.1.4, allowing attackers to include and execute arbitrary local files through improper handling of PHP include/require statements. An unauthenticated remote attacker can exploit this to disclose sensitive files, read configuration data containing credentials, or potentially achieve remote code execution by including files with executable content. While no CVSS score or EPSS data is currently available, the vulnerability has been confirmed and documented by Patchstack with a direct reference to the affected WordPress theme.

PHP Information Disclosure LFI
NVD VulDB
EPSS 0% CVSS 8.1
HIGH This Week

A Local File Inclusion (LFI) vulnerability exists in the Mikado-Themes Rosebud WordPress theme through version 1.4, allowing attackers to include and execute arbitrary local files on the server via improper control of filename parameters in PHP include/require statements. This vulnerability enables information disclosure and potential remote code execution by reading sensitive files or including PHP files from the web root. No active exploitation in the wild has been publicly confirmed, but the vulnerability affects all installations of Rosebud up to and including version 1.4.

PHP Information Disclosure LFI
NVD VulDB
EPSS 0% CVSS 8.1
HIGH This Week

A Local File Inclusion (LFI) vulnerability exists in the Mikado-Themes Deston WordPress theme through version 1.0, allowing attackers to read arbitrary files from the server filesystem via improper control of filename parameters in PHP include/require statements. This vulnerability, classified as CWE-98 (PHP Remote File Inclusion), enables information disclosure attacks where sensitive files such as configuration files, database credentials, or source code could be exposed. The vulnerability affects all versions of Deston up to and including 1.0, and has been documented by Patchstack with an EUVD ID (EUVD-2026-15787), though CVSS scoring and KEV status are not yet available.

PHP Information Disclosure LFI
NVD VulDB
EPSS 0% CVSS 8.1
HIGH This Week

A Local File Inclusion (LFI) vulnerability exists in the Mikado-Themes Amfissa WordPress theme through version 1.1, allowing attackers to improperly control filenames in PHP include/require statements. This vulnerability enables unauthorized information disclosure by reading arbitrary local files from the affected server. The issue stems from improper input validation on file inclusion parameters and affects all versions of Amfissa up to and including version 1.1.

PHP Information Disclosure LFI
NVD VulDB
EPSS 0% CVSS 8.1
HIGH This Week

A Local File Inclusion (LFI) vulnerability exists in the Mikado-Themes Emaurri WordPress theme through version 1.0.1, allowing attackers to include and execute arbitrary local files on the affected server. The vulnerability stems from improper control of filenames in PHP include/require statements (CWE-98), enabling information disclosure and potential remote code execution depending on file access and PHP configuration. While CVSS and EPSS scores are not available, the attack vector appears to be network-based with low complexity, and the vulnerability has been documented by Patchstack but exploitation status and proof-of-concept availability require verification from primary sources.

PHP Information Disclosure LFI
NVD VulDB
EPSS 0% CVSS 8.1
HIGH This Week

A Local File Inclusion (LFI) vulnerability exists in Mikado-Themes' MultiOffice WordPress theme versions up to and including 1.2, stemming from improper control of filenames in PHP include/require statements. An attacker can exploit this vulnerability to read arbitrary files from the affected server, potentially disclosing sensitive configuration files, database credentials, or other confidential information. No CVSS score, EPSS data, or active exploitation (KEV) status has been assigned to this vulnerability.

PHP Information Disclosure LFI
NVD VulDB
EPSS 0% CVSS 8.1
HIGH This Week

A Local File Inclusion (LFI) vulnerability exists in the Mikado-Themes LuxeDrive WordPress theme (version 1.0 and earlier) that allows attackers to read arbitrary files from the affected server through improper control of filename parameters in PHP include/require statements. An unauthenticated attacker can exploit this vulnerability to disclose sensitive information such as configuration files, database credentials, or other system files without requiring special privileges or user interaction. While no CVSS score or EPSS data is currently available, the vulnerability class (CWE-98: Improper Control of Filename for Include/Require Statement) indicates a high-severity condition with straightforward exploitation mechanics.

PHP Information Disclosure LFI
NVD VulDB
EPSS 0% CVSS 8.1
HIGH This Week

A Local File Inclusion (LFI) vulnerability exists in the Mikado-Themes Belfort WordPress theme version 1.0 and earlier, allowing attackers to include and execute arbitrary local files through improper control of filename parameters in PHP include/require statements. While classified as a Remote File Inclusion vulnerability in the CVE description, the actual impact is Local File Inclusion, enabling information disclosure through the reading of sensitive files such as configuration files, database credentials, and source code. No CVSS score, EPSS data, or KEV status is currently available, but the vulnerability's nature suggests moderate to high real-world risk given the prevalence of WordPress themes and the ease of exploitation.

PHP Information Disclosure LFI
NVD VulDB
EPSS 0% CVSS 8.1
HIGH This Week

A Local File Inclusion (LFI) vulnerability exists in Elated-Themes' The Aisle Core WordPress plugin through version 2.0.5, stemming from improper control of filenames in PHP include/require statements. This vulnerability allows unauthenticated attackers to read arbitrary files from the affected server, potentially exposing sensitive configuration files, database credentials, and other confidential information. No CVSS score, EPSS data, or active KEV status is currently available, but the vulnerability has been publicly documented by Patchstack and assigned EUVD-2026-15765.

PHP LFI Information Disclosure
NVD VulDB
EPSS 0% CVSS 8.1
HIGH This Week

A Local File Inclusion (LFI) vulnerability exists in Mikado-Themes Curly Core plugin for WordPress through version 2.1.6, allowing improper control of filenames in PHP include/require statements. Attackers can exploit this to read arbitrary local files from the affected server, potentially disclosing sensitive configuration files, database credentials, and other confidential data. No CVSS score or EPSS data is currently available, and KEV/active exploitation status is unknown, but the vulnerability has been documented by Patchstack with a public reference URL.

PHP Information Disclosure LFI
NVD VulDB
EPSS 0% CVSS 8.1
HIGH This Week

A Local File Inclusion (LFI) vulnerability exists in TieLabs Jannah WordPress theme through version 7.6.3, stemming from improper control of filename parameters in PHP include/require statements. An attacker can exploit this vulnerability to read arbitrary local files from the affected server, potentially disclosing sensitive configuration files, credentials, or source code. No CVSS score, EPSS data, or active KEV listing is currently available, but the LFI classification and information disclosure impact indicate moderate to high real-world risk depending on server configuration and file permissions.

PHP Information Disclosure LFI
NVD VulDB
EPSS 0% CVSS 8.1
HIGH This Week

The Select-Themes Moments WordPress theme versions 2.2 and earlier contain a Local File Inclusion (LFI) vulnerability that allows attackers to improperly control filename parameters in PHP include/require statements. An unauthenticated attacker can exploit this vulnerability to read arbitrary files from the affected server, potentially disclosing sensitive configuration files, source code, or other confidential information. While no CVSS score or EPSS data is currently available and no active KEV listing is confirmed, the vulnerability is catalogued by Patchstack and has been assigned EUVD-2026-15740, indicating documented exploitation potential.

PHP Information Disclosure LFI
NVD VulDB
EPSS 0% CVSS 8.1
HIGH This Week

A Local File Inclusion (LFI) vulnerability exists in the Select-Themes Mixtape WordPress theme through version 2.1, allowing attackers to include and execute arbitrary local files on the affected server. The vulnerability stems from improper control of filenames in PHP include/require statements (CWE-98), enabling information disclosure and potential remote code execution depending on file accessibility. While no CVSS score or EPSS data is currently available, the LFI classification and PHP nature of the vulnerability indicate moderate to high exploitability with network-based attack vectors.

PHP Information Disclosure LFI
NVD VulDB
EPSS 0% CVSS 8.1
HIGH PATCH This Week

A Local File Inclusion (LFI) vulnerability exists in jwsthemes IdealAuto WordPress theme versions prior to 3.8.6, where improper control of filenames in PHP include/require statements allows attackers to read arbitrary files from the affected server. An unauthenticated remote attacker can exploit this vulnerability to disclose sensitive information such as configuration files, database credentials, and other system files. This vulnerability has been documented by Patchstack and tracked under EUVD-2026-15701; no CVSS score is currently assigned, though the tags indicate it enables information disclosure through PHP-based file inclusion.

PHP Information Disclosure LFI
NVD VulDB
EPSS 0% CVSS 8.1
HIGH PATCH This Week

A Local File Inclusion (LFI) vulnerability exists in the JWSThemes LoveDate WordPress theme through version 3.8.5, allowing attackers to read arbitrary files from the affected server through improper control of filename parameters in PHP include/require statements. The vulnerability affects all versions of LoveDate prior to 3.8.6, and an attacker can exploit this to disclose sensitive information such as configuration files, database credentials, and other system files without requiring authentication or special privileges.

PHP Information Disclosure LFI
NVD VulDB
EPSS 0% CVSS 8.1
HIGH PATCH This Week

A PHP Local File Inclusion (LFI) vulnerability exists in jwsthemes Feedy theme versions prior to 2.1.5, stemming from improper control of filenames in PHP include/require statements. This vulnerability allows unauthenticated attackers to read arbitrary files from the affected server, potentially exposing sensitive configuration files, database credentials, and other confidential information. The vulnerability is classified under CWE-98 (Improper Control of Filename for Include/Require Statement) and was reported by Patchstack, affecting WordPress installations using the vulnerable Feedy theme.

PHP Information Disclosure LFI
NVD VulDB
EPSS 0% CVSS 8.1
HIGH PATCH This Week

A Local File Inclusion (LFI) vulnerability exists in jwsthemes StreamVid WordPress theme versions prior to 6.8.6, where improper control of filename parameters in PHP include/require statements allows attackers to read arbitrary files from the server. The vulnerability is classified as CWE-98 (Improper Control of Filename for Include/Require Statement in PHP Program) and has been documented by Patchstack with ENISA tracking ID EUVD-2026-15696. While no CVSS score or EPSS data is currently published, the LFI classification indicates potential for sensitive information disclosure including configuration files, source code, and credentials.

PHP Information Disclosure LFI
NVD VulDB
EPSS 0% CVSS 9.9
CRITICAL Act Now

A Code Injection vulnerability exists in the Themeisle Woody ad snippets plugin (insert-php) through version 2.7.1 that allows unauthenticated attackers to execute arbitrary PHP code on affected WordPress installations. The vulnerability stems from improper control of code generation, classified as CWE-94, enabling remote code execution (RCE). Patchstack has documented this issue, and affected installations should be patched immediately as the attack vector appears to be network-accessible with low complexity.

PHP Code Injection RCE
NVD VulDB
EPSS 0% CVSS 8.1
HIGH This Week

A Local File Inclusion (LFI) vulnerability exists in the NaturaLife Extensions WordPress plugin (versions up to 2.1) due to improper control of filenames in PHP include/require statements. This vulnerability allows unauthenticated attackers to read arbitrary files from the affected server, potentially leading to sensitive information disclosure such as configuration files, database credentials, and application source code. No CVSS score, EPSS data, or active KEV status is available, but the vulnerability is confirmed by Patchstack and tracked under EUVD-2026-15617.

PHP Information Disclosure LFI
NVD VulDB
EPSS 0% CVSS 8.1
HIGH This Week

AncoraThemes Wizor's investment theme for WordPress versions through 2.12 contains a Local File Inclusion (LFI) vulnerability that allows attackers to include and execute arbitrary local files on the server through improper handling of filename parameters in PHP include/require statements. This vulnerability enables information disclosure and potential remote code execution depending on server configuration and available files. While no CVSS score or EPSS data has been assigned, the vulnerability is tracked in the ENISA EUVD database (EUVD-2026-15532) and was reported by Patchstack, indicating active security research and likely proof-of-concept availability.

PHP Information Disclosure LFI
NVD VulDB
EPSS 0% CVSS 8.1
HIGH This Week

A Local File Inclusion (LFI) vulnerability exists in AncoraThemes VegaDays WordPress theme through version 1.2.0, allowing improper control of filenames in PHP include/require statements. Attackers can leverage this vulnerability to read arbitrary files from the affected server, potentially disclosing sensitive configuration files, database credentials, and other confidential data. While no CVSS score or EPSS data is currently available and KEV status is unknown, the vulnerability is classified as an information disclosure issue with a straightforward exploitation path typical of LFI vulnerabilities in WordPress themes.

PHP Information Disclosure LFI
NVD VulDB
EPSS 0% CVSS 8.1
HIGH This Week

This is a Local File Inclusion (LFI) vulnerability in AncoraThemes Unica WordPress theme versions up to and including 1.4.1, where improper control of filenames in PHP include/require statements allows attackers to read arbitrary local files from the affected server. An unauthenticated remote attacker can exploit this vulnerability to disclose sensitive information such as configuration files, database credentials, or other sensitive data stored on the server. The vulnerability is classified as CWE-98 (Improper Control of Filename for Include/Require Statement in PHP Program) and has been documented by Patchstack with ENISA EUVD tracking ID EUVD-2026-15528.

PHP Information Disclosure LFI
NVD VulDB
EPSS 0% CVSS 8.1
HIGH This Week

A Local File Inclusion (LFI) vulnerability exists in AncoraThemes Triompher WordPress theme versions up to and including 1.1.0, caused by improper control of filename parameters in PHP include/require statements. An unauthenticated attacker can exploit this vulnerability to read arbitrary files from the server, leading to information disclosure of sensitive data such as configuration files, database credentials, and other system files. No CVSS score, EPSS data, or known exploitation in the wild (KEV status) has been published, but the vulnerability is confirmed and documented by Patchstack with an available reference.

PHP Information Disclosure LFI
NVD VulDB
EPSS 0% CVSS 8.1
HIGH This Week

A security vulnerability in Elated-Themes Roisin roisin allows PHP Local File Inclusion (CVSS 8.1). High severity vulnerability requiring prompt remediation.

PHP Information Disclosure LFI
NVD VulDB
EPSS 0% CVSS 8.1
HIGH This Week

A Local File Inclusion (LFI) vulnerability exists in the Elated-Themes NeoBeat WordPress theme through version 1.2, allowing attackers to read arbitrary files from the affected server through improper control of filename parameters in PHP include/require statements. The vulnerability enables information disclosure attacks where an attacker can access sensitive files such as configuration files, database credentials, and source code without requiring authentication or special privileges. This is a CWE-98 vulnerability that transforms what was initially reported as PHP Remote File Inclusion (RFI) into a confirmed Local File Inclusion attack vector.

PHP Information Disclosure LFI
NVD VulDB
EPSS 0% CVSS 8.1
HIGH This Week

A Local File Inclusion (LFI) vulnerability exists in the Elated-Themes Gioia WordPress theme through version 1.4, allowing improper control of filenames in PHP include/require statements. Attackers can leverage this vulnerability to read sensitive local files from the affected web server, potentially disclosing configuration files, database credentials, or other confidential information. The vulnerability affects all installations of Gioia version 1.4 and earlier, with no CVSS or EPSS scoring data currently available, though the CWE-98 classification and LFI nature suggest moderate to high practical risk.

PHP Information Disclosure LFI
NVD VulDB
EPSS 0% CVSS 8.1
HIGH This Week

A Local File Inclusion (LFI) vulnerability exists in the AncoraThemes Dentalux WordPress theme through version 3.3, allowing attackers to include and execute arbitrary local files on the server. This vulnerability stems from improper control of filenames in PHP include/require statements (CWE-98), enabling attackers to read sensitive files or execute malicious code without requiring authentication. While no CVSS score or EPSS probability is currently available, the LFI classification and information disclosure tags indicate this poses a significant risk for unauthorized file access and potential remote code execution.

PHP Information Disclosure LFI
NVD VulDB
EPSS 0% CVSS 8.1
HIGH This Week

A Local File Inclusion (LFI) vulnerability exists in the Elated-Themes Amoli WordPress theme version 1.0 and earlier, stemming from improper control of filenames in PHP include/require statements. An attacker can exploit this weakness to read arbitrary files from the affected server, potentially disclosing sensitive configuration files, database credentials, or other confidential information. The vulnerability is classified under CWE-98 (Improper Control of Filename for Include/Require Statement in PHP Program) and has been documented by Patchstack with ENISA EUVD identifier EUVD-2026-15514.

PHP Information Disclosure LFI
NVD VulDB
EPSS 0% CVSS 8.1
HIGH This Week

A security vulnerability in ThemeREX ProLingua prolingua allows PHP Local File Inclusion (CVSS 8.1). High severity vulnerability requiring prompt remediation.

PHP Information Disclosure LFI
NVD VulDB
EPSS 0% CVSS 8.1
HIGH This Week

A Local File Inclusion (LFI) vulnerability exists in the ThemeREX Nelson WordPress theme through version 1.2.0, allowing attackers to read arbitrary files from the affected server. The vulnerability stems from improper control of filenames in PHP include/require statements (CWE-98), enabling information disclosure attacks without authentication. While no CVSS score or EPSS data is currently available, the LFI classification and public disclosure via Patchstack indicate this is a genuine security concern affecting WordPress installations using vulnerable Nelson theme versions.

PHP Information Disclosure LFI
NVD VulDB
EPSS 0% CVSS 8.1
HIGH This Week

A Local File Inclusion (LFI) vulnerability exists in AncoraThemes Mr. Cobbler WordPress theme through version 1.1.9, stemming from improper control of filenames in PHP include/require statements (CWE-98). An attacker can exploit this vulnerability to disclose sensitive local files from the affected server by manipulating include parameters. While no CVSS score or EPSS data is currently available and KEV status is unknown, the vulnerability is classified as high-severity due to its information disclosure impact and the ease with which LFI vulnerabilities are typically exploited.

PHP Information Disclosure LFI
NVD VulDB
EPSS 0% CVSS 8.1
HIGH This Week

This vulnerability is a Local File Inclusion (LFI) flaw in the Elated-Themes Lella WordPress theme that allows improper control of filename parameters in PHP include/require statements, enabling attackers to read arbitrary files from the affected server. The vulnerability affects Lella theme versions through 1.2, and while CVSS and EPSS scores are not available, the nature of LFI vulnerabilities typically permits information disclosure of sensitive files such as configuration files, database credentials, and source code. No KEV status or public proof-of-concept has been confirmed in this intelligence dataset, but the vulnerability was reported by Patchstack, a reputable WordPress security researcher.

PHP Information Disclosure LFI
NVD VulDB
EPSS 0% CVSS 8.1
HIGH This Week

A Local File Inclusion (LFI) vulnerability exists in the Laurent WordPress theme (versions up to 3.1) due to improper control of filenames in PHP include/require statements, allowing attackers to read arbitrary files from the affected server. This vulnerability, reported by Patchstack and tracked as EUVD-2026-15503, enables information disclosure attacks without requiring authentication or special privileges. The vulnerability is classified under CWE-98 (Improper Control of Filename for Include/Require Statement in PHP) and affects all installations of Laurent theme version 3.1 and earlier.

PHP Information Disclosure LFI
NVD VulDB
EPSS 0% CVSS 8.1
HIGH This Week

A Local File Inclusion (LFI) vulnerability exists in the AncoraThemes Hypnotherapy WordPress theme through version 1.2.10, allowing attackers to read arbitrary files from the affected server by manipulating filename parameters in PHP include/require statements. This vulnerability is classified as CWE-98 (Improper Control of Filename for Include/Require Statement) and enables information disclosure attacks. The vulnerability has been documented by Patchstack and assigned EUVD ID EUVD-2026-15502, though no CVSS score or CVSS vector has been formally assigned, and active exploitation status remains unconfirmed in public intelligence.

PHP Information Disclosure LFI
NVD VulDB
EPSS 0% CVSS 8.1
HIGH This Week

AncoraThemes Greenville WordPress theme versions up to and including 1.3.2 contain a Local File Inclusion (LFI) vulnerability resulting from improper control of filenames in PHP include/require statements (CWE-98). An attacker can exploit this vulnerability to read arbitrary files from the affected server, leading to information disclosure of sensitive configuration files, source code, and other locally stored data. No CVSS score, EPSS probability, or KEV status have been assigned at this time, though the vulnerability has been formally documented by Patchstack and assigned an ENISA EUVD ID.

PHP Information Disclosure LFI
NVD VulDB
EPSS 0% CVSS 8.1
HIGH This Week

A Local File Inclusion (LFI) vulnerability exists in the ThemeREX Good Homes WordPress theme through version 1.3.13, allowing attackers to include and execute arbitrary local files on the affected server. The vulnerability stems from improper control of filenames in PHP include/require statements (CWE-98), enabling unauthenticated attackers to disclose sensitive information or achieve remote code execution by accessing system files. No CVSS score, EPSS data, or active KEV designation was reported, but the LFI classification and information disclosure impact indicate this requires prompt patching.

PHP LFI Information Disclosure
NVD VulDB
EPSS 0% CVSS 8.1
HIGH This Week

A Local File Inclusion (LFI) vulnerability exists in the Elated-Themes Gaspard WordPress theme through version 1.3, stemming from improper control of filenames in PHP include/require statements. An unauthenticated attacker can exploit this vulnerability to read arbitrary files from the affected server, potentially disclosing sensitive information such as configuration files, database credentials, or other sensitive data. The vulnerability affects all versions up to and including 1.3, and while no CVSS score or EPSS data is currently published, the LFI classification and information disclosure impact indicate this requires prompt remediation.

PHP Information Disclosure LFI
NVD VulDB
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Unauthenticated attackers can exploit SQL injection in Support Board v3.7.7's AJAX endpoint to fully compromise the application database through the calls[0][message_ids][] parameter, enabling complete data exfiltration and manipulation. The vulnerability requires only low privileges and network access, with no user interaction needed, making it trivially exploitable in multi-tenant environments. A patch is available and should be applied immediately given the HIGH severity rating and complete database access impact.

SQLi PHP
NVD VulDB
EPSS 0% CVSS 4.8
MEDIUM PATCH This Month

A Reflected Cross-Site Scripting (XSS) vulnerability exists in Support Board v3.7.7 that allows unauthenticated attackers to inject malicious JavaScript code via the 'search' parameter in the '/supportboard/include/articles.php' endpoint. Successful exploitation enables attackers to steal session cookies, perform unauthorized actions on behalf of victims, or harvest sensitive user data through victim browsers. A vendor patch is available, and the vulnerability has been officially reported by INCIBE, indicating moderate real-world attention.

XSS PHP
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in Simple Laundry System 1.0 PHP application allows unauthenticated remote attackers to execute arbitrary database queries through the serviceId parameter in /checkcheckout.php. Public exploit code exists for this vulnerability, and no patch is currently available.

PHP SQLi
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

SQL injection in the College Management System 1.0 parameter handler allows authenticated attackers to manipulate the course_code argument in /admin/add-single-student-results.php and execute arbitrary database queries. Public exploit code exists for this vulnerability, and no patch is currently available. The attack requires network access and valid credentials but can compromise data confidentiality and integrity.

PHP SQLi
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

SQL injection in SourceCodester Sales and Inventory System 1.0 allows authenticated remote attackers to manipulate the sid parameter in update_purchase.php, enabling unauthorized database queries and potential data exfiltration. Public exploit code exists for this vulnerability, and no patch is currently available.

PHP SQLi
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

SourceCodester Sales and Inventory System 1.0 contains a SQL injection vulnerability in the update_out_standing.php file's sid parameter that allows authenticated remote attackers to execute arbitrary database queries. Public exploit code exists for this vulnerability, and no patch is currently available. The vulnerability affects PHP-based deployments and has a CVSS score of 5.3.

SQLi PHP
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

SQL injection in SourceCodester Sales and Inventory System 1.0 via the sid parameter in update_customer_details.php allows authenticated remote attackers to execute arbitrary SQL commands. Public exploit code exists for this vulnerability, and no patch is currently available. Affected organizations using PHP-based deployments of this system should restrict access to the vulnerable component until a fix is released.

PHP SQLi
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

SQL injection in SourceCodester Sales and Inventory System 1.0 allows authenticated remote attackers to execute arbitrary SQL queries via the sid parameter in update_category.php. Public exploit code exists for this vulnerability, and no patch is currently available. Attackers with valid credentials can leverage this weakness to compromise database integrity and extract sensitive information.

PHP SQLi
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

SQL injection in SourceCodester Sales and Inventory System 1.0's view_supplier.php POST parameter handler allows authenticated attackers to execute arbitrary SQL queries through the searchtxt parameter. Public exploit code exists for this vulnerability, increasing the risk of active exploitation. The vulnerability affects PHP-based installations and currently lacks an available patch.

PHP SQLi
NVD VulDB GitHub
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

An unauthenticated remote code execution vulnerability exists in Zabbix's Frontend 'validate' action that permits blind instantiation of arbitrary PHP classes without authentication. The vulnerability affects Zabbix products across multiple versions as indicated by the CPE wildcard notation, and while the immediate impact appears limited by environment-specific constraints, successful exploitation could lead to information disclosure or arbitrary code execution depending on available PHP classes in the deployment context. No CVSS score, EPSS data, or KEV status is currently published, but the attack vector is unauthenticated and likely has low complexity, suggesting meaningful real-world risk.

PHP Information Disclosure Suse
NVD VulDB
EPSS 0% CVSS 8.7
HIGH PATCH This Week

A blind SQL injection vulnerability exists in Zabbix's API service layer (include/classes/api/CApiService.php) via the sortfield parameter that allows low-privilege users with API access to execute arbitrary SQL SELECT queries without direct result exfiltration. An attacker can leverage time-based blind SQL injection techniques to extract sensitive data such as session identifiers and administrator credentials, potentially leading to full administrative compromise of the Zabbix monitoring infrastructure. No CVSS score, EPSS data, or KEV status has been published, but the vulnerability's reliance on blind techniques and low-privilege requirement suggests moderate real-world exploitability.

PHP SQLi Suse
NVD VulDB
EPSS 0% CVSS 7.7
HIGH PATCH This Week

An incomplete Server-Side Request Forgery (SSRF) mitigation in Wallos, a self-hostable subscription tracker, allows authenticated attackers to bypass security controls and force the application to make requests to internal or private IP addresses. Wallos versions prior to 4.7.0 are affected. The vulnerability occurs because SSRF validation was added to test notification endpoints but not the corresponding save endpoints, enabling attackers to store malicious URLs that execute without validation when the cron job runs. No active exploitation (KEV) or public POC is currently documented.

SSRF PHP
NVD GitHub VulDB
EPSS 0% CVSS 8.3
HIGH PATCH This Week

Wallos, an open-source self-hostable subscription tracker, contains a Server-Side Request Forgery (SSRF) vulnerability in the endpoints/logos/search.php endpoint prior to version 4.7.0. The vulnerability allows unauthenticated attackers to hijack HTTP_PROXY and HTTPS_PROXY environment variables without validation, enabling them to redirect outbound requests to arbitrary domains by manipulating DNS resolution through user-supplied search terms. This attack requires no special privileges and can be executed remotely over the network, making it a significant risk for exposed Wallos instances.

SSRF PHP
NVD GitHub VulDB
EPSS 0% CVSS 8.6
HIGH PATCH This Week

A Remote Code Execution vulnerability exists in Craft CMS versions 4.x and 5.x that bypasses previous security patches for behavior injection attacks. An authenticated user with control panel access can exploit an unsanitized fieldLayouts parameter in the ElementIndexesController to inject malicious Yii2 behaviors and achieve arbitrary code execution. While no active exploitation (KEV) is documented, a patch is available and the vulnerability requires only low-privilege authenticated access, making it a significant risk for deployments with multiple control panel users.

PHP RCE
NVD GitHub VulDB
EPSS 0% CVSS 8.6
HIGH PATCH This Week

Froxlor, a web hosting control panel, contains an injection vulnerability in its DNS zone management API that allows authenticated customers with DNS privileges to inject BIND zone file directives (such as $INCLUDE) through unvalidated content fields in LOC, RP, SSHFP, and TLSA DNS record types. Attackers can leverage this to read arbitrary world-readable files on the server, disrupt DNS services, or inject unauthorized DNS records. A proof-of-concept exploit is publicly available demonstrating file inclusion attacks, and patches have been released by the vendor in version 2.3.5.

PHP Information Disclosure
NVD GitHub VulDB
EPSS 0% CVSS 8.7
HIGH POC This Week

PhreeBooks ERP 5.2.3 contains a remote code execution vulnerability in the image manager that allows authenticated attackers to upload and execute arbitrary PHP files by bypassing file extension. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP RCE File Upload
NVD Exploit-DB
EPSS 0% CVSS 8.8
HIGH POC This Week

eNdonesia Portal v8.7 contains multiple SQL injection vulnerabilities that allow unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the bid parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi
NVD Exploit-DB VulDB
EPSS 0% CVSS 8.8
HIGH POC This Week

Unauthenticated SQL injection in Bootstrapy CMS allows remote attackers to extract sensitive database information or cause denial of service through multiple POST parameters in forum and contact modules. The vulnerability affects forum-thread.php (thread_id), contact-submit.php (subject), and post-new-submit.php (post-id) endpoints. Public exploit code exists via Exploit-DB #46590, though EPSS probability remains low at 0.06% (19th percentile), suggesting limited real-world exploitation despite ease of attack (AV:N/AC:L/PR:N). SSVC framework confirms proof-of-concept availability and automated exploitation potential with partial technical impact.

PHP SQLi Denial Of Service +1
NVD Exploit-DB VulDB
EPSS 0% CVSS 8.8
HIGH POC This Week

Netartmedia Vlog System contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the email parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi
NVD Exploit-DB VulDB
EPSS 0% CVSS 8.8
HIGH POC This Week

SQL injection in Inout Article Base CMS allows remote unauthenticated attackers to extract sensitive database information or cause denial of service through malicious XOR-based and time-based SQL payloads injected via 'p' and 'u' parameters in GET requests to portalLogin.php. Public exploit code demonstrates the attack (Exploit-DB 46593), though EPSS scoring indicates low probability of widespread exploitation (0.06%, 19th percentile). No vendor patch has been identified, and the vendor website reference provides no security advisory, leaving deployments at continued risk.

PHP SQLi Denial Of Service
NVD Exploit-DB VulDB
EPSS 0% CVSS 8.8
HIGH POC This Week

Matrimony Website Script M-Plus contains multiple SQL injection vulnerabilities that allow unauthenticated attackers to manipulate database queries by injecting SQL code through various POST. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi
NVD Exploit-DB VulDB
EPSS 0% CVSS 7.1
HIGH POC This Week

Meeplace Business Review Script contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the 'id' parameter. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Denial Of Service
NVD Exploit-DB VulDB
EPSS 0% CVSS 8.8
HIGH POC This Week

Zeeways Jobsite CMS contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the 'id' GET parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi
NVD Exploit-DB VulDB
EPSS 0% CVSS 6.9
MEDIUM POC This Month

phpFileManager 1.7.8 contains a local file inclusion vulnerability that allows unauthenticated attackers to read arbitrary files by manipulating the action, fm_current_dir, and filename parameters. Rated medium severity (CVSS 6.9), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass PHP
NVD Exploit-DB VulDB
EPSS 0% CVSS 8.7
HIGH POC This Week

PhreeBooks ERP 5.2.3 contains an arbitrary file upload vulnerability in the Image Manager component that allows authenticated attackers to upload malicious files by submitting requests to the image. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS PHP RCE +1
NVD Exploit-DB VulDB
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in itsourcecode Online Enrollment System 1.0 allows unauthenticated remote attackers to manipulate the Name parameter in /sms/user/index.php?view=add, potentially enabling unauthorized data access, modification, or deletion. Public exploit code exists for this vulnerability, increasing risk of active exploitation. No patch is currently available.

PHP SQLi
NVD VulDB GitHub
EPSS 0% CVSS 2.0
LOW POC Monitor

A stored cross-site scripting (XSS) vulnerability exists in projectworlds Lawyer Management System version 1.0 within the /lawyer_booking.php file, where the Description parameter fails to sanitize user input before rendering. An authenticated attacker can inject malicious JavaScript that executes in the context of other users' browsers, potentially leading to session hijacking, credential theft, or unauthorized actions. A proof-of-concept exploit has been publicly disclosed on GitHub, and the vulnerability carries a CVSS score of 3.5 with evidence of public exploitation.

PHP XSS
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SourceCodester Online Admission System 1.0 contains a SQL injection vulnerability in the /programmes.php file's program parameter that allows unauthenticated remote attackers to execute arbitrary database queries. Public exploit code is available for this vulnerability, and no patch is currently available. The flaw enables attackers to potentially read, modify, or delete sensitive admission system data.

SQLi PHP
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in SourceCodester Online Library Management System 1.0 allows unauthenticated remote attackers to manipulate the searchField parameter in /home.php, enabling data exfiltration, modification, and potential service disruption. Public exploit code exists for this vulnerability, and no patch is currently available.

SQLi PHP
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM POC PATCH This Month

A Server-Side Request Forgery (SSRF) vulnerability exists in DefaultFuction Jeson-Customer-Relationship-Management-System affecting versions up to commit 1b4679c4d06b90d31dd521c2b000bfdec5a36e00. The vulnerability resides in the /api/System.php file where the 'url' parameter can be manipulated to force the server to make arbitrary requests. A publicly disclosed proof-of-concept exploit is available on GitHub, and patches have been released by the vendor.

PHP SSRF
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SourceCodester Patients Waiting Area Queue Management System 1.0 contains an improper authorization flaw in the ValidateToken function of the Patient Check-In Module that allows unauthenticated remote attackers to bypass access controls. Public exploit code is available for this vulnerability, and no patch has been released. The attack requires no user interaction and could enable unauthorized access to patient check-in functionality.

PHP Authentication Bypass
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM This Month

SQL injection in SourceCodester Online Catering Reservation 1.0 via the rcode parameter in /search.php allows unauthenticated remote attackers to manipulate database queries with no user interaction required. The vulnerability enables attackers to read, modify, or delete sensitive data, and public exploit code is readily available. PHP-based deployments of this catering reservation system are actively targeted due to the ease of exploitation and lack of available patches.

PHP SQLi
NVD GitHub VulDB
EPSS 0% CVSS 2.1
LOW Monitor

SQL injection in the Parameter Handler of itsourcecode sanitize or validate this input 1.0 allows authenticated remote attackers to manipulate the subject_code argument in /admin/subjects.php and execute arbitrary SQL commands. Public exploit code exists for this vulnerability, and no patch is currently available.

PHP SQLi
NVD GitHub VulDB
EPSS 0% CVSS 5.4
MEDIUM This Month

JiZhiCMS v2.5.6 and earlier contains a stored cross-site scripting (XSS) vulnerability in the user release function that allows authenticated attackers to inject malicious scripts through improper HTML sanitization. The vulnerability exists because the application filters <script> tags but fails to recursively remove dangerous event handlers (such as onerror) from other HTML elements like <img> tags, enabling persistent XSS attacks. A proof-of-concept has been published on GitHub, and while no CVSS score or EPSS data is currently available, the low barrier to exploitation (authenticated access via POST parameter) and persistent nature of the attack present meaningful risk to affected installations.

PHP XSS
NVD GitHub VulDB
EPSS 0% CVSS 8.8
HIGH This Week

DedeCMS v5.7.118 contains a Cross-Site Request Forgery (CSRF) vulnerability in the /sys_task_add.php endpoint that allows attackers to perform unauthorized actions on behalf of authenticated users without their knowledge or consent. An attacker can craft a malicious webpage or email that, when visited by an authenticated DedeCMS administrator, will execute unwanted administrative tasks such as adding or modifying system tasks. While no CVSS score, EPSS data, or active KEV listing is currently available, a public proof-of-concept exists on GitHub demonstrating the vulnerability's exploitability.

PHP CSRF
NVD GitHub VulDB
EPSS 0% CVSS 6.5
MEDIUM This Month

SQL injection in the password reset function of ESICLivre v0.2.2 and earlier allows unauthenticated attackers to extract sensitive data by manipulating the cpfcnpj parameter. The vulnerability requires no user interaction and can be exploited remotely over the network, though no patch is currently available.

SQLi PHP Authentication Bypass
NVD GitHub VulDB
EPSS 0% CVSS 6.5
MEDIUM This Month

ConcreteCMS version 9.4.7 contains a memory exhaustion vulnerability in the File Manager's download functionality that allows authenticated attackers to trigger a Denial of Service condition. The vulnerability exists in the 'download' method of 'concrete/controllers/backend/file.php', where improper memory management during zip archive creation using ZipArchive::addFromString combined with file_get_contents loads entire file contents into PHP memory without streaming or size validation. An attacker with valid authentication credentials can exploit this by requesting bulk downloads of large files, exhausting available PHP memory and causing the PHP-FPM process to crash with a SIGSEGV signal, rendering the web application unavailable with HTTP 500 errors.

PHP Denial Of Service
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM This Month

WPGraphQL prior to version 2.10.0 allows authenticated low-privileged users to bypass comment moderation controls and self-approve their own comments without possessing the moderate_comments capability. The vulnerability exploits owner-based authorization logic in the updateComment mutation, enabling non-moderator users to transition comment status to APPROVE, HOLD, SPAM, or TRASH states directly. A proof-of-concept demonstrating this authorization bypass in WPGraphQL 2.9.1 has been published, and while the EPSS score of 0.03% indicates low statistical likelihood of exploitation, the attack vector is network-based with low complexity and requires only low-level user privileges (including custom roles with zero capabilities).

WordPress PHP Docker +2
NVD GitHub VulDB
EPSS 0% CVSS 8.1
HIGH This Week

The Contest Gallery plugin for WordPress contains an authentication bypass vulnerability that allows unaattacked attackers to take over administrator accounts and gain complete site control. All versions up to and including 28.1.5 are affected when the non-default RegMailOptional=1 setting is enabled. The vulnerability exploits MySQL type coercion by registering with specially crafted email addresses to overwrite admin activation keys, then using an unauthenticated login endpoint to authenticate as the target user. With a CVSS score of 8.1 and high attack complexity (AC:H), this represents a critical risk for sites using the vulnerable configuration.

WordPress PHP Authentication Bypass
NVD VulDB
EPSS 0% CVSS 8.8
HIGH This Week

The Jupiter X Core plugin for WordPress contains an unrestricted file upload vulnerability allowing authenticated users with Subscriber-level privileges or higher to upload dangerous file types including .phar, .svg, .dfxp, and .xhtml files. This stems from missing authorization checks in the import_popup_templates() function and insufficient file type validation in the upload_files() function. Successful exploitation leads to Remote Code Execution on Apache servers with mod_php configured to execute .phar files, or Stored Cross-Site Scripting attacks via malicious SVG and other file types on any server configuration.

Apache WordPress PHP +3
NVD VulDB
EPSS 0% CVSS 9.8
CRITICAL Act Now

The Woocommerce Custom Product Addons Pro plugin for WordPress contains a critical remote code execution vulnerability caused by unsafe use of PHP's eval() function when processing custom pricing formulas. All versions up to and including 5.4.1 are affected, allowing unauthenticated attackers to execute arbitrary PHP code on the server by submitting malicious input to WCPA text fields configured with custom pricing formulas. With a CVSS score of 9.8, this represents a maximum severity issue requiring immediate attention, though EPSS and KEV status data are not provided in the available intelligence.

Code Injection WordPress PHP +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in SourceCodester E-Commerce Site 1.0 through the Search parameter in /products.php enables unauthenticated remote attackers to read, modify, and delete database contents. Public exploit code exists for this vulnerability, and no patch is currently available, putting all installations at immediate risk.

SQLi PHP
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in the Free Hotel Reservation System 1.0 admin panel allows unauthenticated remote attackers to manipulate the account_id parameter and execute arbitrary SQL queries with potential for data theft, modification, and system disruption. Public exploit code exists for this vulnerability, and no patch is currently available.

PHP SQLi
NVD VulDB GitHub
EPSS 0% CVSS 6.8
MEDIUM PATCH This Month

This vulnerability in Roadiz's DownloadedFile::fromUrl() method allows authenticated users with ROLE_ACCESS_DOCUMENTS to read arbitrary files from the server via PHP stream wrapper abuse, specifically by injecting file:// URIs into media import workflows. An attacker can extract sensitive files including .env configuration files, database credentials, and system files, achieving complete confidentiality compromise of the application and potentially the underlying infrastructure. A proof-of-concept exists demonstrating exploitation through malicious Podcast RSS feeds, and a patch is available from the vendor.

PHP SSRF Microsoft +1
NVD GitHub
EPSS 0% CVSS 2.0
LOW POC Monitor

A stored or reflected cross-site scripting (XSS) vulnerability exists in projectworlds Lawyer Management System version 1.0, specifically in the /lawyers.php file where the first_Name parameter is inadequately sanitized. An authenticated attacker can inject malicious JavaScript that executes in the context of other users' browsers, potentially stealing session tokens or performing unauthorized actions. A public proof-of-concept exploit is available, and exploitation requires only low complexity with user interaction (UI:R), though the attack vector is network-accessible and does not require high privileges.

PHP XSS
NVD VulDB GitHub
EPSS 0% CVSS 8.6
HIGH PATCH This Week

MantisBT version 2.28.0 contains a stored cross-site scripting (XSS) vulnerability in the Timeline view of my_view_page.php where tag names are improperly escaped when retrieved from the History table, allowing attackers to inject arbitrary HTML and potentially execute JavaScript if Content Security Policy permits. This affects users viewing issues with renamed or deleted tags, and version 2.28.1 contains the patch. No CVSS score or EPSS data is currently available, but the vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation) and carries moderate to high risk in environments without strict CSP enforcement.

PHP XSS
NVD GitHub VulDB
Prev Page 26 of 275 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy