Skip to main content

PHP

24729 CVEs product

Monthly

CVE-2026-33517 PHP HIGH PATCH This Week

MantisBT version 2.28.0 contains a Stored/Reflected Cross-Site Scripting (XSS) vulnerability in the tag deletion confirmation dialog (tag_delete.php) due to improper HTML escaping of tag names in the confirmation message. An authenticated attacker can inject malicious HTML and JavaScript code that executes in the browser of any user viewing the confirmation page, potentially leading to session hijacking, credential theft, or malware distribution. The vulnerability was patched in version 2.28.1, and proof-of-concept information is available via the GitHub security advisory and associated commit references.

PHP XSS
NVD GitHub VulDB
CVSS 4.0
8.6
EPSS
0.1%
CVE-2026-33723 PHP HIGH This Week

WWBN AVideo, an open source video platform, contains a SQL injection vulnerability in the Subscribe::save() method that allows authenticated attackers to execute arbitrary SQL queries. Versions up to and including 26.0 are affected, with the vulnerability stemming from unsanitized user input from the $_POST['user_id'] parameter being concatenated directly into INSERT queries. An attacker with low-level authentication can extract sensitive data including password hashes, API keys, and encryption salts from the database, representing a significant information disclosure risk.

PHP Information Disclosure SQLi
NVD GitHub VulDB
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-33719 PHP HIGH This Week

WWBN AVideo video platform up to and including version 26.0 contains an authentication bypass vulnerability in the CDN plugin that allows unauthenticated remote attackers to completely modify CDN configuration settings including storage credentials and authentication keys. The vulnerability stems from the CDN plugin's default empty string authentication key, which causes validation checks to be bypassed entirely when the plugin is enabled but not properly configured. The CVSS score of 8.6 reflects high integrity impact with network-based exploitation requiring no privileges or user interaction.

PHP Authentication Bypass
NVD GitHub VulDB
CVSS 3.1
8.6
EPSS
0.1%
CVE-2026-33717 PHP HIGH This Week

WWBN AVideo versions up to and including 26.0 contain a critical file upload vulnerability (CWE-434) that allows authenticated attackers to upload and execute arbitrary PHP code on the server. The vulnerability exists in the downloadVideoFromDownloadURL() function which saves remote content with its original filename and extension to a web-accessible directory; by providing an invalid resolution parameter, attackers can bypass cleanup mechanisms, leaving executable PHP files persistent under the web root. With a CVSS score of 8.8, this represents a high-severity remote code execution risk for authenticated users.

PHP File Upload
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-33716 PHP CRITICAL Act Now

WWBN AVideo versions up to and including 26.0 contain an authentication bypass vulnerability in the standalone live stream control endpoint. The endpoint accepts a user-supplied 'streamerURL' parameter that redirects token verification to an attacker-controlled server, allowing complete bypass of authentication without any user interaction. With a CVSS score of 9.4, an attacker gains unauthenticated control over any live stream including the ability to drop publishers, manipulate recordings, and probe stream existence.

PHP Authentication Bypass
NVD GitHub VulDB
CVSS 3.1
9.4
EPSS
0.1%
CVE-2026-33690 PHP MEDIUM This Month

WWBN AVideo versions up to and including 26.0 contain an IP address spoofing vulnerability in the getRealIpAddr() function that trusts user-controlled HTTP headers to determine client IP addresses. This allows attackers to bypass IP-based access controls and audit logging mechanisms by forging headers such as X-Forwarded-For or X-Real-IP without authentication or user interaction. The vulnerability carries a CVSS score of 5.3 (medium severity) with low attack complexity, and a patch is available via commit 1a1df6a9377e5cc67d1d0ac8ef571f7abbffbc6c, though no public exploit code or KEV designation has been confirmed at this time.

PHP Authentication Bypass
NVD GitHub VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-33688 PHP MEDIUM This Month

WWBN AVideo versions up to and including 26.0 contain an information disclosure vulnerability in the password recovery endpoint (objects/userRecoverPass.php) that allows unauthenticated attackers to enumerate valid usernames and determine account status (active, inactive, or banned) without solving any captcha. The vulnerability exists because user existence and account status validation occurs before captcha verification, enabling attackers to distinguish three different JSON error responses at scale. No evidence of active exploitation in the wild has been reported, but a patch is available in commit e42f54123b460fd1b2ee01f2ce3d4a386e88d157.

PHP Information Disclosure
NVD GitHub VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-33685 PHP MEDIUM This Month

WWBN AVideo versions up to 26.0 expose advertising analytics data through an unauthenticated JSON API endpoint that lacks access controls, allowing attackers to retrieve sensitive information including video titles, user identifiers, channel names, and ad campaign performance metrics. While the HTML and CSV export functions properly enforce admin authentication, the JSON variant was left unprotected, enabling unauthorized data disclosure with no authentication required. A patch is available in commit daca4ffb1ce19643eecaa044362c41ac2ce45dde.

Authentication Bypass PHP
NVD GitHub VulDB
CVSS 3.1
5.3
EPSS
0.1%
CVE-2026-33681 PHP HIGH This Week

WWBN AVideo, an open source video platform, contains a critical path traversal vulnerability in the pluginRunDatabaseScript.json.php endpoint that allows authenticated administrators to execute arbitrary SQL queries against the application database. Versions up to and including 26.0 are affected. The vulnerability can also be exploited via CSRF attacks against authenticated admin sessions, enabling unauthenticated attackers to achieve remote code execution or complete database compromise.

Path Traversal PHP CSRF
NVD GitHub VulDB
CVSS 3.1
7.2
EPSS
0.0%
CVE-2026-33651 PHP HIGH This Week

SQL injection in WWBN AVideo up to version 26.0 allows authenticated users to extract arbitrary database contents through time-based blind SQL injection via the remindMe.json.php endpoint. The vulnerability stems from insufficient input sanitization of the live_schedule_id parameter, which is concatenated directly into a SQL LIKE clause despite partial validation in intermediate functions. No patch is currently available.

PHP SQLi
NVD GitHub VulDB
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-4595 LOW POC Monitor

A stored cross-site scripting (XSS) vulnerability exists in code-projects Exam Form Submission version 1.0 affecting the /admin/update_s6.php file, where the sname parameter fails to properly sanitize user input. An authenticated attacker with high privileges can inject malicious JavaScript that executes in the context of other users' browsers, potentially compromising admin accounts or exfiltrating sensitive exam data. A public proof-of-concept is available on GitHub, and while the CVSS score is low at 2.4, the vulnerability requires high privileges and user interaction to exploit, limiting real-world impact.

XSS PHP
NVD VulDB GitHub
CVSS 4.0
1.9
EPSS
0.0%
CVE-2026-33650 PHP HIGH This Week

Privilege escalation in WWBN AVideo up to version 26.0 allows users with "Videos Moderator" permissions to gain full video management capabilities, including transferring ownership and deleting any video, by exploiting inconsistent authorization checks between the video editing and deletion endpoints. An authenticated attacker can chain an ownership transfer with deletion operations to compromise videos outside their legitimate scope. A patch is available in commit 838e16818c793779406ecbf34ebaeba9830e33f8.

PHP Authentication Bypass
NVD GitHub VulDB
CVSS 3.1
7.6
EPSS
0.0%
CVE-2026-33649 PHP HIGH This Week

A Cross-Site Request Forgery (CSRF) vulnerability in WWBN AVideo open source video platform versions up to and including 26.0 allows unauthenticated attackers to escalate privileges to near-admin access by tricking an administrator into visiting a malicious page. The vulnerability exists in the setPermission.json.php endpoint which accepts state-changing operations via GET requests without CSRF token validation, compounded by the application's explicit SameSite=None cookie setting. No patched version is currently available, and with a CVSS score of 8.1 (High), this represents a significant risk for installations with administrative users who browse external content.

PHP CSRF
NVD GitHub VulDB
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-33647 PHP HIGH This Week

WWBN AVideo versions up to and including 26.0 contain a critical file upload vulnerability in the ImageGallery::saveFile() method that allows authenticated attackers to upload polyglot files (JPEG with embedded PHP code) and achieve Remote Code Execution. The vulnerability exploits a mismatch between MIME type validation (which checks file content) and filename extension handling (which trusts user input), allowing attackers to bypass security controls and execute arbitrary code on the server. A patch is available in commit 345a8d3ece0ad1e1b71a704c1579cbf885d8f3ae, and the issue has been publicly disclosed via GitHub Security Advisory GHSA-wxjw-phj6-g75w.

PHP RCE File Upload
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.2%
CVE-2026-33513 PHP HIGH This Week

WWBN AVideo versions up to and including 26.0 contain an unauthenticated path traversal vulnerability in the locale API endpoint that allows arbitrary PHP file inclusion under the web root. Attackers can achieve confirmed file disclosure and code execution by including existing PHP files, with potential escalation to full remote code execution if they can upload or control PHP files elsewhere in the application tree. The vulnerability has a CVSS score of 8.6 and requires no authentication or user interaction to exploit, though no patch is currently available and there is no evidence of active exploitation in KEV data.

Path Traversal PHP RCE
NVD GitHub VulDB
CVSS 3.1
8.6
EPSS
0.2%
CVE-2026-33512 PHP HIGH This Week

WWBN AVideo versions up to and including 26.0 contain an unauthenticated API endpoint that allows arbitrary decryption of ciphertext. Attackers can exploit the decryptString action in the API plugin without authentication to decrypt publicly-issued ciphertext (such as from view/url2Embed.json.php), allowing recovery of protected tokens and metadata. The CVSS score of 7.5 reflects high confidentiality impact with network accessibility and no authentication required.

PHP Authentication Bypass
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-4592 LOW POC Monitor

Improper authentication in the two-factor authentication verification function of Kalcaddle Kodbox 1.64 allows remote attackers to bypass login controls with high complexity exploitation. Public exploit code exists for this vulnerability, and the vendor has not provided a patch despite early notification. Affected users should implement network-level access controls while awaiting a vendor update.

PHP Authentication Bypass
NVD VulDB
CVSS 4.0
2.9
EPSS
0.1%
CVE-2026-4591 LOW POC Monitor

The fileThumb endpoint in Kodbox 1.64 contains an OS command injection vulnerability in the checkBin function that allows authenticated remote attackers to execute arbitrary commands with the privileges of the web server process. Public exploit code exists for this vulnerability, and the vendor has not provided a patch despite early notification. An attacker with high-level privileges can leverage this to achieve remote code execution on affected systems.

PHP Command Injection
NVD VulDB
CVSS 4.0
2.0
EPSS
0.2%
CVE-2026-4590 LOW POC Monitor

A cross-site request forgery (CSRF) vulnerability exists in Kalcaddle Kodbox 1.64 affecting the loginSubmit API endpoint within the OAuth bind controller. An unauthenticated remote attacker can manipulate the 'third' parameter to forge requests that modify application state, though the attack requires user interaction and high complexity. A public proof-of-concept exploit has been released, and the vendor has not responded to early disclosure notifications.

CSRF PHP
NVD VulDB
CVSS 4.0
1.3
EPSS
0.0%
CVE-2026-4589 LOW POC Monitor

Server-side request forgery in Kodbox 1.64's fileGet endpoint allows authenticated attackers to manipulate the path parameter in the PathDriverUrl function, enabling arbitrary outbound requests from the affected server. Public exploit code exists for this vulnerability, and no patch is currently available. The impact is limited to users with valid credentials, though successful exploitation could facilitate further network reconnaissance or attacks against internal systems.

PHP SSRF
NVD VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2025-41008 CRITICAL Act Now

A SQL injection vulnerability exists in Sinturno that allows unauthenticated or low-privileged attackers to execute arbitrary SQL commands through the 'client' parameter in the '/_adm/scripts/modalReport_data.php' endpoint. This vulnerability enables complete database compromise including retrieval, creation, updating, and deletion of database objects. The vulnerability was reported by INCIBE and affects all versions of Sinturno; no CVSS score, EPSS data, or KEV status has been published, but the ability to perform CRUD operations on databases represents critical severity regardless of formal scoring.

PHP SQLi
NVD VulDB
CVSS 4.0
9.3
EPSS
0.0%
CVE-2026-4588 LOW POC Monitor

Kalcaddle Kodbox 1.64 contains a cryptographic key hardcoding vulnerability in the Site-level API key Handler component (shareSafeGroup function in shareOut.class.php), where manipulation of the 'sk' parameter exploits the use of a hard-coded cryptographic key. This allows unauthenticated remote attackers to disclose sensitive information with low complexity, though the attack itself requires high complexity execution. A public proof-of-concept is available, and the vendor has not responded to early disclosure.

PHP Information Disclosure
NVD VulDB
CVSS 4.0
2.9
EPSS
0.0%
CVE-2026-4587 PHP MEDIUM This Month

HybridAuth versions up to 3.12.2 contain an improper certificate validation vulnerability in the SSL Handler component (src/HttpClient/Curl.php) where manipulation of curlOptions arguments bypasses SSL/TLS certificate verification. This affects any application using HybridAuth for authentication, allowing attackers to conduct man-in-the-middle attacks against remote authentication flows. While the CVSS score is relatively low (3.7) due to high attack complexity and lack of confidentiality impact, the integrity compromise from certificate validation bypass presents a real threat to authentication security in vulnerable deployments.

PHP Information Disclosure
NVD VulDB GitHub
CVSS 4.0
6.3
EPSS
0.0%
CVE-2025-41007 CRITICAL PATCH Act Now

A SQL injection vulnerability exists in Cuantis that allows unauthenticated attackers to execute arbitrary SQL commands through the 'search' parameter in the '/search.php' endpoint. This vulnerability enables complete database compromise including retrieval, creation, modification, and deletion of database contents. A patch is available from the vendor, and exploitation requires only network access to the affected application with no special privileges or user interaction.

PHP SQLi
NVD VulDB
CVSS 4.0
9.3
EPSS
0.0%
CVE-2026-4581 MEDIUM POC This Month

SQL injection in Simple Laundry System 1.0's /checklogin.php parameter handler allows unauthenticated remote attackers to manipulate the Username field and execute arbitrary database queries. Public exploit code exists for this vulnerability, increasing the risk of active exploitation. No patch is currently available, leaving affected PHP installations vulnerable to data theft and unauthorized access.

SQLi PHP
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-4580 MEDIUM POC This Month

SQL injection in Simple Laundry System 1.0's /checkupdatestatus.php parameter handler allows unauthenticated remote attackers to manipulate the serviceId argument and execute arbitrary SQL queries. Public exploit code exists for this vulnerability, and no patch is currently available, creating immediate risk for affected deployments.

SQLi PHP
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-4579 MEDIUM POC This Month

SQL injection in Simple Laundry System 1.0 through the serviceId parameter in /viewdetail.php allows unauthenticated remote attackers to execute arbitrary SQL queries. Public exploit code exists for this vulnerability, and no patch is currently available. Attackers can exploit this to read or modify sensitive database information.

SQLi PHP
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-4578 LOW POC Monitor

A cross-site scripting (XSS) vulnerability exists in code-projects Exam Form Submission version 1.0, specifically in the /admin/update_s3.php file where the 'sname' parameter is not properly sanitized. An authenticated attacker with high privileges can inject malicious scripts through this parameter to perform actions in the context of other users' browsers. A public proof-of-concept is available, making this vulnerability actively exploitable despite its low CVSS score of 2.4.

XSS PHP
NVD VulDB GitHub
CVSS 4.0
1.9
EPSS
0.0%
CVE-2026-4577 LOW POC Monitor

A Stored Cross-Site Scripting (XSS) vulnerability exists in code-projects Exam Form Submission version 1.0 affecting the /admin/update_s4.php endpoint, where the 'sname' parameter is not properly sanitized before output. An authenticated attacker with high privileges can inject malicious JavaScript that executes in the context of other users' browsers, potentially leading to session hijacking, credential theft, or administrative action abuse. A public proof-of-concept exploit is available, increasing real-world risk despite the low CVSS score of 2.4.

XSS PHP
NVD VulDB GitHub
CVSS 4.0
1.9
EPSS
0.0%
CVE-2026-4576 LOW POC Monitor

A Stored or Reflected Cross-Site Scripting (XSS) vulnerability exists in code-projects Exam Form Submission version 1.0, specifically in the /admin/update_s5.php file where the 'sname' parameter is not properly sanitized. An authenticated attacker with high privileges can inject malicious JavaScript code through this parameter, which will execute in the context of other users' browsers when they interact with the affected page. A public proof-of-concept exploit is available on GitHub, and the vulnerability has a low CVSS score of 2.4 due to high privilege requirements and user interaction dependency, but the public disclosure increases practical exploitation likelihood.

PHP XSS
NVD VulDB GitHub
CVSS 4.0
1.9
EPSS
0.0%
CVE-2026-4575 LOW POC Monitor

A stored cross-site scripting (XSS) vulnerability exists in code-projects Exam Form Submission version 1.0, affecting the /admin/update_s2.php endpoint where the 'sname' parameter is not properly sanitized. An authenticated attacker with high privileges can inject malicious JavaScript that executes in the browser of other users who view the affected page, potentially leading to session hijacking, credential theft, or administrative action manipulation. A public proof-of-concept exploit is available on GitHub, and the vulnerability carries a low CVSS score of 2.4 due to requiring high privileges and user interaction, but the published exploit status indicates active reconnaissance and potential targeted exploitation.

XSS PHP
NVD VulDB GitHub
CVSS 4.0
1.9
EPSS
0.0%
CVE-2025-10679 HIGH This Week

The ReviewX plugin for WordPress contains a critical arbitrary method call vulnerability in all versions up to and including 2.2.12. Unauthenticated attackers can exploit insufficient input validation in the bulkTenReviews function to call arbitrary PHP class methods, potentially achieving remote code execution or information disclosure. With a CVSS score of 7.3 and network-based exploitation requiring no privileges or user interaction, this presents a significant risk to WordPress sites using this WooCommerce product review plugin.

WordPress PHP RCE Information Disclosure Code Injection +1
NVD VulDB
CVSS 3.1
7.3
EPSS
0.1%
CVE-2026-4573 LOW POC Monitor

SQL injection in SourceCodester Simple E-learning System 1.0 allows authenticated attackers to manipulate the post_id parameter in the delete_post.php endpoint, enabling unauthorized data access, modification, or deletion. Public exploit code exists for this vulnerability, and no patch is currently available.

SQLi PHP
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-4572 LOW POC Monitor

SQL injection in SourceCodester Sales and Inventory System 1.0 allows authenticated remote attackers to manipulate the searchtxt parameter in /view_product.php, enabling unauthorized data access and modification. Public exploit code exists for this vulnerability, and no patch is currently available.

SQLi PHP
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-4571 LOW POC Monitor

SQL injection in SourceCodester Sales and Inventory System 1.0 allows remote authenticated attackers to manipulate the searchtxt parameter in /view_payments.php, enabling unauthorized data access and modification. Public exploit code exists for this vulnerability, and no patch is currently available. The attack requires valid credentials but can be executed with low complexity over the network.

SQLi PHP
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-4570 LOW POC Monitor

SourceCodester Sales and Inventory System 1.0 contains a SQL injection vulnerability in the /view_customers.php endpoint where the searchtxt parameter is insufficiently sanitized, allowing authenticated attackers to execute arbitrary SQL queries and manipulate database contents. The vulnerability requires valid credentials but can be exploited remotely over the network, and public exploit code is available. No patch is currently available for this vulnerability.

SQLi PHP
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-4569 LOW POC Monitor

SourceCodester Sales and Inventory System 1.0 contains a SQL injection vulnerability in the /view_category.php endpoint's searchtxt parameter that allows authenticated attackers to execute arbitrary SQL queries and potentially access or modify sensitive data. Public exploit code exists for this vulnerability, and there is currently no available patch. The attack requires valid credentials but can be executed remotely over the network.

SQLi PHP
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-4568 LOW POC Monitor

SQL injection in SourceCodester Sales and Inventory System 1.0 via the sid parameter in /update_supplier.php allows authenticated remote attackers to read, modify, or delete database contents. Public exploit code exists for this vulnerability, and no patch is currently available.

PHP SQLi
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-4563 LOW Monitor

An authorization bypass vulnerability exists in MacCMS up to version 2025.1000.4052 within the Member Order Detail Interface component, specifically in the order_info function of application/index/controller/User.php. An authenticated attacker can manipulate the order_id parameter to access order information belonging to other users, disclosing sensitive data. A public proof-of-concept exploit is available, elevating the risk of active exploitation despite the moderate CVSS 4.3 score.

PHP Authentication Bypass
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2024-51223 MEDIUM This Month

A stored cross-site scripting (XSS) vulnerability in the component /admin/profile.php of Phpgurukul Vehicle Record Management System v1.0 allows attackers to execute arbitrary web scripts or HTML via. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS PHP
NVD GitHub VulDB
CVSS 3.1
4.8
EPSS
0.0%
CVE-2024-51224 MEDIUM This Month

Multiple cross-site scripting (XSS) vulnerabilities in the component /admin/edit-vehicle.php of Phpgurukul Vehicle Record Management System v1.0 allows attackers to execute arbitrary web scripts or. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS PHP
NVD GitHub VulDB
CVSS 3.1
4.8
EPSS
0.0%
CVE-2024-51225 MEDIUM This Month

A stored cross-site scripting (XSS) vulnerability in the component /admin/add-brand.php of Phpgurukul Vehicle Record Management System v1.0 allows attackers to execute arbitrary web scripts or HTML. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS PHP
NVD GitHub VulDB
CVSS 3.1
4.8
EPSS
0.0%
CVE-2024-51226 MEDIUM This Month

A stored cross-site scripting (XSS) vulnerability in the component /admin/search-vehicle.php of Phpgurukul Vehicle Record Management System v1.0 allows attackers to execute arbitrary web scripts or. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS PHP
NVD GitHub VulDB
CVSS 3.1
6.1
EPSS
0.0%
CVE-2024-46878 MEDIUM This Month

A Cross-Site Scripting (XSS) vulnerability exists in the page parameter of tiki-editpage.php in Tiki version 26.3 and earlier. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS PHP
NVD GitHub VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2024-51222 MEDIUM This Month

A stored cross-site scripting (XSS) vulnerability in the component /admin/profile.php of Phpgurukul Vehicle Record Management System v1.0 allows attackers to execute arbitrary web scripts or HTML via. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS PHP
NVD GitHub VulDB
CVSS 3.1
4.8
EPSS
0.0%
CVE-2024-46879 MEDIUM This Month

A Reflected Cross-Site Scripting (XSS) vulnerability exists in the POST request data zipPath of tiki-admin_system.php in Tiki version 21.2. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS PHP
NVD GitHub VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-4562 MEDIUM POC This Month

MacCMS version 2025.1000.4052 contains a missing authentication vulnerability in the Timming API endpoint (application/api/controller/Timming.php). An unauthenticated remote attacker can access protected functionality, potentially leading to unauthorized data access, modification, or service disruption. A public proof-of-concept exploit is available on GitHub, significantly increasing the risk of active exploitation in the wild.

PHP Authentication Bypass
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.1%
CVE-2026-4557 LOW POC Monitor

A Stored Cross-Site Scripting (XSS) vulnerability exists in code-projects Exam Form Submission version 1.0, affecting the /admin/update_s1.php file where the 'sname' parameter is not properly sanitized. An unauthenticated attacker can remotely inject malicious JavaScript by manipulating this parameter, which will execute in the browsers of administrators or other users who view the affected page. A public proof-of-concept exploit is available on GitHub, and the vulnerability has an EPSS score indicating probable exploitation likelihood.

PHP XSS
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-4550 LOW POC Monitor

SQL injection in Simple Gym Management System up to version 1.0 allows remote attackers with high privileges to manipulate the Trainer_id and fname parameters in /gym/func.php, enabling unauthorized database queries and potential data exfiltration or modification. Public exploit code exists for this vulnerability, and no patch is currently available.

PHP SQLi
NVD VulDB GitHub
CVSS 4.0
2.0
EPSS
0.0%
CVE-2026-4540 MEDIUM POC This Month

SQL injection in projectworlds Online Notes Sharing System 1.0 allows unauthenticated remote attackers to manipulate the Benutzer parameter in /login.php, enabling unauthorized data access, modification, or denial of service. Public exploit code exists for this vulnerability, and no patch is currently available.

PHP SQLi
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-4533 LOW POC Monitor

SQL injection in Simple Food Ordering System 1.0 allows authenticated remote attackers to manipulate the Status parameter in all-tickets.php and execute arbitrary SQL queries. Public exploit code exists for this vulnerability, enabling attackers with valid credentials to read, modify, or delete database contents. The affected PHP application currently lacks a security patch.

SQLi PHP
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2019-25582 MEDIUM POC This Month

i-doit CMDB 1.12 contains an arbitrary file download vulnerability that allows authenticated attackers to download sensitive files by manipulating the file parameter in index.php. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

File Upload PHP
NVD Exploit-DB VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2019-25580 HIGH POC This Week

ownDMS 4.7 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the IMG parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

File Upload SQLi PHP
NVD Exploit-DB VulDB
CVSS 4.0
8.8
EPSS
0.0%
CVE-2019-25578 HIGH POC This Week

phpTransformer 2016.9 contains an SQL injection vulnerability that allows remote attackers to execute arbitrary SQL queries by injecting malicious code through the idnews parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi Path Traversal PHP
NVD Exploit-DB VulDB
CVSS 4.0
8.8
EPSS
0.1%
CVE-2019-25573 HIGH POC This Week

Green CMS 2.x contains an SQL injection vulnerability that allows authenticated attackers to execute arbitrary SQL queries by injecting malicious code through the cat parameter. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

SQLi PHP
NVD Exploit-DB GitHub VulDB
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-4514 LOW POC Monitor

PbootCMS versions up to 3.2.12 contain an improper access control vulnerability in the Backend UserController component that allows authenticated attackers to manipulate the Field argument and bypass access restrictions. An attacker with login credentials can exploit this to gain unauthorized access to sensitive user data or system functions. A proof-of-concept exploit has been publicly disclosed on GitHub and the vulnerability carries a moderate CVSS score of 6.3 with documented exploitation capability.

PHP Authentication Bypass
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-4510 LOW POC Monitor

A reflected cross-site scripting (XSS) vulnerability exists in PbootCMS versions up to 3.2.12 in the alert_location function of the MemberController.php file, where the backurl parameter is not properly sanitized before output. An attacker can craft a malicious URL containing JavaScript code that will execute in a victim's browser when they click the link, potentially leading to session hijacking, credential theft, or malware distribution. A public proof-of-concept exploit is available on GitHub, increasing the risk of active exploitation.

PHP XSS
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-4509 LOW POC Monitor

PbootCMS versions up to 3.2.12 contain an incomplete blacklist bypass vulnerability in the file upload functionality (core/function/file.php) that allows authenticated attackers to upload dangerous files by manipulating the blacklist parameter. An attacker with login credentials can bypass file type restrictions to upload arbitrary files, potentially achieving remote code execution or other malicious outcomes. A public proof-of-concept exploit is available on GitHub, increasing the practical risk of exploitation.

PHP File Upload
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-3554 MEDIUM This Month

A Stored Cross-Site Scripting (XSS) vulnerability exists in the Sherk Custom Post Type Displays WordPress plugin (versions up to 1.2.1) where the 'title' shortcode attribute is insufficiently sanitized and directly concatenated into HTML output without escaping. Authenticated attackers with Contributor-level access or higher can inject arbitrary JavaScript that executes for all users viewing affected pages. The vulnerability has a CVSS score of 6.4 (Medium) with a local privilege requirement, making it exploitable by lower-privileged authenticated users rather than unauthenticated remote attackers.

WordPress PHP XSS
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-3645 MEDIUM This Month

The Punnel - Landing Page Builder WordPress plugin contains a critical missing authorization vulnerability in the save_config() AJAX function that allows authenticated attackers with Subscriber-level privileges to overwrite the plugin's configuration and API key without proper capability checks or nonce verification. Combined with an insecure public API endpoint (sniff_requests()) that only validates requests via token comparison, attackers can subsequently create, update, or delete arbitrary posts, pages, and products on affected WordPress installations. The vulnerability affects all versions up to and including 1.3.1 and has been documented by Wordfence with publicly available code references.

Authentication Bypass WordPress PHP
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-2375 MEDIUM This Month

The App Builder - Create Native Android & iOS Apps On The Flight WordPress plugin up to version 5.5.10 contains a privilege escalation vulnerability in its REST API registration endpoint that allows unauthenticated attackers to register accounts with the wcfm_vendor role, bypassing WCFM Marketplace's vendor approval workflow. The verify_role() function in AuthTrails.php explicitly whitelists the wcfm_vendor role without proper authorization checks, enabling attackers to immediately gain vendor-level privileges including product management, order access, and store management on affected WordPress installations. This vulnerability has a CVSS score of 6.5 with low attack complexity and no authentication requirements, making it a moderate-to-significant risk for WordPress sites using both this plugin and WCFM Marketplace.

Apple Google WordPress PHP Privilege Escalation
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-3335 MEDIUM This Month

The Canto plugin for WordPress (versions up to 3.1.1) contains a critical missing authorization vulnerability in the copy-media.php file and related endpoints that allows unauthenticated attackers to upload arbitrary files to the WordPress uploads directory. The vulnerability stems from multiple PHP files being directly accessible without authentication, nonce validation, or authorization checks, while also accepting attacker-controlled parameters for API endpoints and domain configuration. An attacker can exploit this to upload malicious files (within WordPress MIME type constraints) or redirect legitimate file operations to attacker-controlled infrastructure, potentially leading to remote code execution or site compromise.

WordPress PHP Authentication Bypass
NVD GitHub
CVSS 3.1
5.3
EPSS
0.1%
CVE-2026-3570 MEDIUM This Month

The Smarter Analytics WordPress plugin (all versions up to 2.0) contains an authentication bypass vulnerability that allows unauthenticated attackers to reset plugin configuration and delete all analytics settings via the 'reset' parameter in the global scope of smarter-analytics.php. This is a missing authentication and capability check vulnerability (CWE-862) with a CVSS score of 5.3, classified as moderate severity with low attack complexity and no authentication required. The vulnerability is publicly documented via Wordfence threat intelligence with direct references to the vulnerable code in the WordPress plugin repository, though no active exploitation in the wild or public proof-of-concept has been widely reported.

WordPress PHP Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.1%
CVE-2026-3474 MEDIUM This Month

The EmailKit - Email Customizer for WooCommerce & WP WordPress plugin contains a path traversal vulnerability in the TemplateData class that allows authenticated administrators to read arbitrary files from the server via the 'emailkit-editor-template' REST API parameter. An attacker with Administrator privileges can exploit this flaw to access sensitive files such as wp-config.php or /etc/passwd by supplying directory traversal sequences, with the retrieved file contents stored as post metadata and retrievable through the fetch-data REST API endpoint. The vulnerability affects all versions up to and including 1.6.3, and while it requires high-level administrative access and has a moderate CVSS score of 4.9, it represents a critical information disclosure risk in multi-user WordPress environments.

WordPress PHP Path Traversal
NVD VulDB
CVSS 3.1
4.9
EPSS
0.1%
CVE-2026-3516 MEDIUM This Month

A Stored Cross-Site Scripting (XSS) vulnerability exists in the Contact List plugin for WordPress (versions up to 3.0.18) where the '_cl_map_iframe' parameter fails to properly sanitize and escape Google Maps iframe custom fields, allowing authenticated attackers with Contributor-level access or higher to inject arbitrary JavaScript that executes in the browsers of users viewing affected pages. The vulnerability stems from insufficient input validation in the saveCustomFields() function and missing output escaping in the front-end rendering, creating a persistent XSS condition with a CVSS score of 6.4 and low-to-moderate exploitation probability given the authentication requirement.

WordPress PHP XSS Google
NVD VulDB
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-2352 MEDIUM This Month

A Stored Cross-Site Scripting (XSS) vulnerability exists in the Autoptimize WordPress plugin through version 3.1.14, caused by insufficient input sanitization in the ao_metabox_save() function and missing output escaping when rendering the 'ao_post_preload' meta value into HTML link tags. Authenticated attackers with Contributor-level access or higher can inject arbitrary JavaScript that executes whenever users access pages with the Image optimization or Lazy-load images settings enabled, potentially affecting all users of compromised sites. The vulnerability has been patched and proof-of-concept code is available in the referenced GitHub commit.

WordPress PHP XSS
NVD GitHub VulDB
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-3368 HIGH This Week

The Injection Guard plugin for WordPress versions up to 1.2.9 contains a stored cross-site scripting (XSS) vulnerability that allows unauthenticated attackers to inject malicious JavaScript into the admin log interface. The flaw stems from insufficient sanitization of query parameter names, which are logged and later rendered without proper output escaping when administrators view the plugin's log page. This enables arbitrary script execution in the context of an authenticated administrator's browser session, potentially leading to account compromise or further malicious actions.

WordPress PHP XSS
NVD VulDB
CVSS 3.1
7.2
EPSS
0.1%
CVE-2026-4508 MEDIUM POC This Month

SQL injection in PbootCMS versions up to 3.2.12 allows unauthenticated remote attackers to manipulate the Username parameter in the Member Login function, potentially enabling unauthorized database access and data manipulation. Public exploit code exists for this vulnerability, and no patch is currently available.

PHP SQLi
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-33507 PHP HIGH This Week

A Cross-Site Request Forgery (CSRF) vulnerability in the AVideo platform's plugin upload endpoint allows unauthenticated attackers to achieve Remote Code Execution by tricking authenticated administrators into visiting a malicious webpage. The vulnerability combines missing CSRF token validation on the pluginImport.json.php endpoint with explicitly configured SameSite=None session cookies over HTTPS, enabling cross-origin session hijacking. A proof-of-concept exploit has been published demonstrating full compromise by uploading a malicious plugin containing a PHP webshell.

PHP RCE CSRF Command Injection Path Traversal +1
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-33502 PHP CRITICAL PATCH Act Now

An unauthenticated server-side request forgery (SSRF) vulnerability exists in AVideo's Live plugin test.php endpoint that allows remote attackers to force the server to send HTTP requests to arbitrary URLs. The vulnerability affects AVideo installations with the Live plugin enabled and can be exploited to probe internal network services, access cloud metadata endpoints, and retrieve content from internal HTTP resources. A proof-of-concept has been published demonstrating localhost service enumeration, and the vulnerability requires no authentication or user interaction to exploit.

SSRF PHP RCE Apache Nginx
NVD GitHub VulDB
CVSS 3.1
9.3
EPSS
3.0%
CVE-2026-33501 PHP MEDIUM PATCH This Month

An unauthenticated information disclosure vulnerability exists in the AVideo Permissions plugin endpoint `list.json.php`, which exposes the complete permission matrix mapping user groups to installed plugins without any authentication check. The vulnerability affects AVideo instances with the Permissions plugin enabled and allows unauthenticated attackers to enumerate all user groups, plugins, and their permission assignments-information that significantly aids targeted privilege escalation attacks. A proof-of-concept curl command exists, and this represents a clear authentication bypass in a sensitive administrative endpoint.

PHP Authentication Bypass Privilege Escalation
NVD GitHub VulDB
CVSS 3.1
5.3
EPSS
0.1%
CVE-2026-33500 PHP MEDIUM This Month

A stored cross-site scripting (XSS) vulnerability exists in AVideo's comment markdown processing, where the fix for a prior XSS issue (CVE-2026-27568) inadvertently disabled Parsedown's safe mode while implementing incomplete custom sanitization. An attacker with comment posting privileges can inject malicious JavaScript via markdown link syntax (e.g., `[text](javascript:alert(1))`) that executes in the browser context of any user viewing the comment, enabling session hijacking and account takeover. A working proof-of-concept exists and the vulnerability affects all versions of WWBN AVideo using the vulnerable ParsedownSafeWithLinks class (pkg:composer/wwbn_avideo).

PHP XSS
NVD GitHub VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-33499 PHP MEDIUM This Month

AVideo contains a reflected cross-site scripting (XSS) vulnerability in the password unlock functionality where the unlockPassword request parameter is directly reflected into HTML input tag attributes without output encoding. The vulnerability affects AVideo (pkg:composer/wwbn_avideo) and can be exploited by any unauthenticated attacker to execute arbitrary JavaScript in the victim's browser with no user interaction beyond clicking a crafted link, potentially leading to session hijacking, account takeover, or credential theft. A proof-of-concept has been published and the vulnerability is documented in the official GitHub advisory.

PHP XSS
NVD GitHub VulDB
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-33493 PHP HIGH This Week

The AVideo platform contains a path traversal vulnerability in the objects/import.json.php endpoint that allows authenticated users with upload permissions to bypass directory restrictions and access any MP4 file on the filesystem. Attackers can steal private videos from other users, read adjacent text/HTML files containing video metadata, and delete video files if writable by the web server. A detailed proof-of-concept is publicly available in the GitHub security advisory, and the vulnerability affects all instances where authenticated users have upload permissions, which is the default configuration.

Path Traversal PHP
NVD GitHub VulDB
CVSS 3.1
7.1
EPSS
0.1%
CVE-2026-33492 PHP HIGH GHSA This Week

AVideo, an open-source video platform, contains a session fixation vulnerability that allows attackers to hijack user sessions and achieve full account takeover. The flaw affects the AVideo Composer package (pkg:composer/wwbn_avideo) and stems from accepting arbitrary session IDs via URL parameters, bypassing session regeneration for specific endpoints, and disabled session regeneration during login. A public proof-of-concept exploit is available in the GitHub security advisory, and the vulnerability requires only low privileges (authenticated attacker) and user interaction (victim clicking a malicious link), making it highly exploitable.

Session Fixation PHP CSRF Privilege Escalation
NVD GitHub VulDB
CVSS 3.1
7.3
EPSS
0.1%
CVE-2026-33488 PHP HIGH This Week

The LoginControl plugin for AVideo contains a critical cryptographic weakness in its PGP-based 2FA implementation, generating 512-bit RSA keys that can be factored on commodity hardware within hours using publicly available tools. Attackers who obtain a user's public key can derive the complete private key and decrypt authentication challenges, completely bypassing the second factor protection. A proof-of-concept demonstrating key factoring and challenge decryption is included in the advisory, and unauthenticated endpoints allow anonymous CPU-intensive key generation for denial-of-service attacks.

PHP Denial Of Service Python
NVD GitHub VulDB
CVSS 3.1
7.4
EPSS
0.0%
CVE-2026-33485 PHP HIGH GHSA This Week

An unauthenticated SQL injection vulnerability exists in the AVideo platform's RTMP on_publish callback, allowing remote attackers to extract the entire database via time-based blind SQL injection. The vulnerability affects the wwbn_avideo composer package and can be exploited without authentication to steal user password hashes, email addresses, and API keys. A detailed proof-of-concept is publicly available in the GitHub Security Advisory, and the vulnerability has a CVSS score of 7.5 (High) with network attack vector and low complexity.

SQLi PHP Information Disclosure
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.2%
CVE-2026-33483 PHP HIGH This Week

AVideo platform contains an unauthenticated file upload vulnerability in the aVideoEncoderChunk.json.php endpoint that allows remote attackers to exhaust disk space and cause denial of service. Any unauthenticated attacker can upload arbitrarily large files to the server's /tmp directory with no size limits, rate limiting, or cleanup mechanism, and the CORS wildcard header enables browser-based distributed attacks. A detailed proof-of-concept is publicly available demonstrating parallel upload attacks that can fill disk space and crash server services.

Denial Of Service Information Disclosure PHP
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-33482 PHP HIGH This Week

Remote code execution in PHP ffmpeg integration allows unauthenticated attackers to execute arbitrary OS commands on standalone encoder servers by bypassing incomplete input sanitization that fails to filter bash command substitution syntax. The vulnerable `sanitizeFFmpegCommand()` function strips common shell metacharacters but permits `$()` notation, which can be injected through crafted encrypted payloads and executed in a double-quoted shell context. No patch is currently available.

RCE PHP Command Injection
NVD GitHub VulDB
CVSS 3.1
8.1
EPSS
0.1%
CVE-2026-33480 PHP HIGH This Week

AVideo, an open-source video platform, contains a server-side request forgery (SSRF) vulnerability that allows unauthenticated attackers to bypass URL validation using IPv4-mapped IPv6 addresses (::ffff:x.x.x.x format). The vulnerable endpoint plugin/LiveLinks/proxy.php can be exploited to access cloud metadata services (AWS, GCP, Azure), internal networks, and localhost services without authentication. A detailed proof-of-concept is publicly available demonstrating credential theft from AWS instance metadata, making this a critical risk for cloud-hosted installations.

SSRF PHP Microsoft Redis
NVD GitHub VulDB
CVSS 3.1
8.6
EPSS
0.0%
CVE-2026-33479 PHP HIGH This Week

The Gallery plugin in AVideo contains an unauthenticated remote code execution vulnerability through CSRF-enabled PHP code injection. Attackers can exploit an eval() function that directly executes unsanitized user input by tricking an admin into visiting a malicious page, with the session cookie's SameSite=None configuration enabling cross-site request forgery. A detailed proof-of-concept exploit exists demonstrating command execution through crafted form submissions.

PHP RCE CSRF Code Injection
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.2%
CVE-2026-33478 PHP CRITICAL POC PATCH GHSA Act Now

A critical authentication bypass and command injection vulnerability chain in AVideo's CloneSite plugin allows completely unauthenticated remote attackers to achieve full system compromise. The vulnerability affects AVideo installations with the CloneSite plugin enabled, allowing attackers to steal clone authentication keys, dump the entire database including MD5-hashed admin credentials, crack those credentials trivially, and finally execute arbitrary system commands via an rsync command injection. A detailed proof-of-concept demonstrating the complete attack chain is publicly available in the GitHub security advisory, making this an immediate exploitation risk.

RCE Command Injection PHP
NVD GitHub VulDB
CVSS 3.1
10.0
EPSS
3.0%
CVE-2026-32844 MEDIUM This Month

A reflected cross-site scripting (XSS) vulnerability exists in XinLiangCoder's php_api_doc application through commit 1ce5bbf, specifically in the list_method.php file where the 'f' GET parameter is output directly to the page without sanitization. Remote attackers can inject arbitrary JavaScript code by crafting malicious URLs, enabling session hijacking, credential theft, and malware distribution within the application context. No CVSS score, EPSS data, or KEV status are currently available, but the vulnerability is confirmed with a proof-of-concept reference available via VulnCheck advisory.

XSS PHP
NVD GitHub VulDB
CVSS 4.0
5.1
EPSS
0.0%
CVE-2026-4485 LOW POC Monitor

SQL injection in the College Management System 1.0 admin search_student.php endpoint allows authenticated attackers to manipulate the Search parameter and execute arbitrary database queries remotely. Public exploit code exists for this vulnerability, enabling attackers with valid credentials to potentially extract, modify, or delete sensitive student data. The vulnerability affects PHP-based installations and currently lacks an available patch.

PHP SQLi
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-33136 CRITICAL PATCH Act Now

WeGIA, a web manager for charitable institutions, contains a Reflected Cross-Site Scripting (XSS) vulnerability in the listar_memorandos_ativos.php endpoint affecting versions 3.6.6 and below. An attacker can inject arbitrary JavaScript or HTML into the sccd GET parameter, which is reflected without sanitization when the msg parameter equals 'success', enabling session hijacking, credential theft, and malicious actions in the context of victim users. The vulnerability has a critical CVSS score of 9.3 with changed scope, indicating potential impact beyond the vulnerable component.

XSS PHP
NVD GitHub VulDB
CVSS 3.1
9.3
EPSS
0.0%
CVE-2026-33135 CRITICAL PATCH Act Now

A Reflected Cross-Site Scripting (XSS) vulnerability exists in WeGIA, a web manager for charitable institutions. Versions 3.6.6 and below are affected through the novo_memorandoo.php endpoint, where an attacker can inject arbitrary JavaScript via the sccs GET parameter without sanitization. This allows execution of malicious scripts in victims' browsers when they click a crafted link, with a critical CVSS score of 9.3 due to cross-site scripting scope and high confidentiality and integrity impact.

XSS PHP
NVD GitHub VulDB
CVSS 3.1
9.3
EPSS
0.0%
CVE-2026-33134 CRITICAL PATCH Act Now

WeGIA, a web manager for charitable institutions, contains an authenticated SQL injection vulnerability in versions 3.6.5 and below via the id_producto parameter in the restaurar_produto.php endpoint. An authenticated attacker can execute arbitrary SQL commands to fully compromise the database, extracting sensitive donor information, beneficiary records, and administrative credentials. No evidence of active exploitation (not in CISA KEV) is currently available, though proof-of-concept details are publicly disclosed in the GitHub security advisory.

SQLi PHP
NVD GitHub VulDB
CVSS 3.1
9.3
EPSS
0.0%
CVE-2026-33130 MEDIUM PATCH This Month

Uptime Kuma versions 1.23.0 through 2.2.0 contain an incomplete Server-Side Template Injection (SSTI) vulnerability in the LiquidJS templating engine that allows authenticated attackers to read arbitrary files from the server. A prior fix (GHSA-vffh-c9pq-4crh) attempted to restrict file path access through three mitigation options (root, relativeReference, dynamicPartials), but this fix only blocks quoted paths; attackers can bypass the mitigation by using unquoted absolute paths like /etc/passwd that successfully resolve through the require.resolve() fallback mechanism in liquid.node.js. The vulnerability requires low privileges (authenticated access) but can result in high confidentiality impact, making it a notable information disclosure risk for self-hosted monitoring deployments.

Node.js LFI Code Injection PHP
NVD GitHub VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-22324 HIGH This Week

A PHP Local File Inclusion vulnerability exists in the ThemeREX Melania WordPress theme, allowing remote attackers to include and execute arbitrary local files on the server. All versions up to and including 2.5.0 are affected. The CVSS score of 8.1 indicates high severity with network-based attack vector, though attack complexity is rated as high; there is no evidence of active exploitation (not in KEV) or public proof-of-concept at this time.

PHP Information Disclosure LFI
NVD VulDB
CVSS 3.1
8.1
EPSS
0.1%
CVE-2026-33071 MEDIUM PATCH This Month

FileRise, a self-hosted web file manager and WebDAV server, contains an unrestricted file upload vulnerability in its WebDAV endpoint that bypasses filename validation controls present in the regular upload path, allowing authenticated attackers to upload executable file types such as .phtml, .php5, and .htaccess. In non-default Apache configurations lacking LocationMatch protection, this enables remote code execution on the underlying web server. The vulnerability affects FileRise versions prior to 3.8.0 and has been patched; no public exploit code or active KEV listing is currently confirmed, but the presence of a GitHub security advisory indicates vendor acknowledgment of the threat.

PHP RCE Apache File Upload
NVD GitHub VulDB
CVSS 3.1
4.3
EPSS
0.1%
EPSS 0% CVSS 8.6
HIGH PATCH This Week

MantisBT version 2.28.0 contains a Stored/Reflected Cross-Site Scripting (XSS) vulnerability in the tag deletion confirmation dialog (tag_delete.php) due to improper HTML escaping of tag names in the confirmation message. An authenticated attacker can inject malicious HTML and JavaScript code that executes in the browser of any user viewing the confirmation page, potentially leading to session hijacking, credential theft, or malware distribution. The vulnerability was patched in version 2.28.1, and proof-of-concept information is available via the GitHub security advisory and associated commit references.

PHP XSS
NVD GitHub VulDB
EPSS 0% CVSS 7.1
HIGH This Week

WWBN AVideo, an open source video platform, contains a SQL injection vulnerability in the Subscribe::save() method that allows authenticated attackers to execute arbitrary SQL queries. Versions up to and including 26.0 are affected, with the vulnerability stemming from unsanitized user input from the $_POST['user_id'] parameter being concatenated directly into INSERT queries. An attacker with low-level authentication can extract sensitive data including password hashes, API keys, and encryption salts from the database, representing a significant information disclosure risk.

PHP Information Disclosure SQLi
NVD GitHub VulDB
EPSS 0% CVSS 8.6
HIGH This Week

WWBN AVideo video platform up to and including version 26.0 contains an authentication bypass vulnerability in the CDN plugin that allows unauthenticated remote attackers to completely modify CDN configuration settings including storage credentials and authentication keys. The vulnerability stems from the CDN plugin's default empty string authentication key, which causes validation checks to be bypassed entirely when the plugin is enabled but not properly configured. The CVSS score of 8.6 reflects high integrity impact with network-based exploitation requiring no privileges or user interaction.

PHP Authentication Bypass
NVD GitHub VulDB
EPSS 0% CVSS 8.8
HIGH This Week

WWBN AVideo versions up to and including 26.0 contain a critical file upload vulnerability (CWE-434) that allows authenticated attackers to upload and execute arbitrary PHP code on the server. The vulnerability exists in the downloadVideoFromDownloadURL() function which saves remote content with its original filename and extension to a web-accessible directory; by providing an invalid resolution parameter, attackers can bypass cleanup mechanisms, leaving executable PHP files persistent under the web root. With a CVSS score of 8.8, this represents a high-severity remote code execution risk for authenticated users.

PHP File Upload
NVD GitHub VulDB
EPSS 0% CVSS 9.4
CRITICAL Act Now

WWBN AVideo versions up to and including 26.0 contain an authentication bypass vulnerability in the standalone live stream control endpoint. The endpoint accepts a user-supplied 'streamerURL' parameter that redirects token verification to an attacker-controlled server, allowing complete bypass of authentication without any user interaction. With a CVSS score of 9.4, an attacker gains unauthenticated control over any live stream including the ability to drop publishers, manipulate recordings, and probe stream existence.

PHP Authentication Bypass
NVD GitHub VulDB
EPSS 0% CVSS 5.3
MEDIUM This Month

WWBN AVideo versions up to and including 26.0 contain an IP address spoofing vulnerability in the getRealIpAddr() function that trusts user-controlled HTTP headers to determine client IP addresses. This allows attackers to bypass IP-based access controls and audit logging mechanisms by forging headers such as X-Forwarded-For or X-Real-IP without authentication or user interaction. The vulnerability carries a CVSS score of 5.3 (medium severity) with low attack complexity, and a patch is available via commit 1a1df6a9377e5cc67d1d0ac8ef571f7abbffbc6c, though no public exploit code or KEV designation has been confirmed at this time.

PHP Authentication Bypass
NVD GitHub VulDB
EPSS 0% CVSS 5.3
MEDIUM This Month

WWBN AVideo versions up to and including 26.0 contain an information disclosure vulnerability in the password recovery endpoint (objects/userRecoverPass.php) that allows unauthenticated attackers to enumerate valid usernames and determine account status (active, inactive, or banned) without solving any captcha. The vulnerability exists because user existence and account status validation occurs before captcha verification, enabling attackers to distinguish three different JSON error responses at scale. No evidence of active exploitation in the wild has been reported, but a patch is available in commit e42f54123b460fd1b2ee01f2ce3d4a386e88d157.

PHP Information Disclosure
NVD GitHub VulDB
EPSS 0% CVSS 5.3
MEDIUM This Month

WWBN AVideo versions up to 26.0 expose advertising analytics data through an unauthenticated JSON API endpoint that lacks access controls, allowing attackers to retrieve sensitive information including video titles, user identifiers, channel names, and ad campaign performance metrics. While the HTML and CSV export functions properly enforce admin authentication, the JSON variant was left unprotected, enabling unauthorized data disclosure with no authentication required. A patch is available in commit daca4ffb1ce19643eecaa044362c41ac2ce45dde.

Authentication Bypass PHP
NVD GitHub VulDB
EPSS 0% CVSS 7.2
HIGH This Week

WWBN AVideo, an open source video platform, contains a critical path traversal vulnerability in the pluginRunDatabaseScript.json.php endpoint that allows authenticated administrators to execute arbitrary SQL queries against the application database. Versions up to and including 26.0 are affected. The vulnerability can also be exploited via CSRF attacks against authenticated admin sessions, enabling unauthenticated attackers to achieve remote code execution or complete database compromise.

Path Traversal PHP CSRF
NVD GitHub VulDB
EPSS 0% CVSS 8.1
HIGH This Week

SQL injection in WWBN AVideo up to version 26.0 allows authenticated users to extract arbitrary database contents through time-based blind SQL injection via the remindMe.json.php endpoint. The vulnerability stems from insufficient input sanitization of the live_schedule_id parameter, which is concatenated directly into a SQL LIKE clause despite partial validation in intermediate functions. No patch is currently available.

PHP SQLi
NVD GitHub VulDB
EPSS 0% CVSS 1.9
LOW POC Monitor

A stored cross-site scripting (XSS) vulnerability exists in code-projects Exam Form Submission version 1.0 affecting the /admin/update_s6.php file, where the sname parameter fails to properly sanitize user input. An authenticated attacker with high privileges can inject malicious JavaScript that executes in the context of other users' browsers, potentially compromising admin accounts or exfiltrating sensitive exam data. A public proof-of-concept is available on GitHub, and while the CVSS score is low at 2.4, the vulnerability requires high privileges and user interaction to exploit, limiting real-world impact.

XSS PHP
NVD VulDB GitHub
EPSS 0% CVSS 7.6
HIGH This Week

Privilege escalation in WWBN AVideo up to version 26.0 allows users with "Videos Moderator" permissions to gain full video management capabilities, including transferring ownership and deleting any video, by exploiting inconsistent authorization checks between the video editing and deletion endpoints. An authenticated attacker can chain an ownership transfer with deletion operations to compromise videos outside their legitimate scope. A patch is available in commit 838e16818c793779406ecbf34ebaeba9830e33f8.

PHP Authentication Bypass
NVD GitHub VulDB
EPSS 0% CVSS 8.1
HIGH This Week

A Cross-Site Request Forgery (CSRF) vulnerability in WWBN AVideo open source video platform versions up to and including 26.0 allows unauthenticated attackers to escalate privileges to near-admin access by tricking an administrator into visiting a malicious page. The vulnerability exists in the setPermission.json.php endpoint which accepts state-changing operations via GET requests without CSRF token validation, compounded by the application's explicit SameSite=None cookie setting. No patched version is currently available, and with a CVSS score of 8.1 (High), this represents a significant risk for installations with administrative users who browse external content.

PHP CSRF
NVD GitHub VulDB
EPSS 0% CVSS 8.8
HIGH This Week

WWBN AVideo versions up to and including 26.0 contain a critical file upload vulnerability in the ImageGallery::saveFile() method that allows authenticated attackers to upload polyglot files (JPEG with embedded PHP code) and achieve Remote Code Execution. The vulnerability exploits a mismatch between MIME type validation (which checks file content) and filename extension handling (which trusts user input), allowing attackers to bypass security controls and execute arbitrary code on the server. A patch is available in commit 345a8d3ece0ad1e1b71a704c1579cbf885d8f3ae, and the issue has been publicly disclosed via GitHub Security Advisory GHSA-wxjw-phj6-g75w.

PHP RCE File Upload
NVD GitHub VulDB
EPSS 0% CVSS 8.6
HIGH This Week

WWBN AVideo versions up to and including 26.0 contain an unauthenticated path traversal vulnerability in the locale API endpoint that allows arbitrary PHP file inclusion under the web root. Attackers can achieve confirmed file disclosure and code execution by including existing PHP files, with potential escalation to full remote code execution if they can upload or control PHP files elsewhere in the application tree. The vulnerability has a CVSS score of 8.6 and requires no authentication or user interaction to exploit, though no patch is currently available and there is no evidence of active exploitation in KEV data.

Path Traversal PHP RCE
NVD GitHub VulDB
EPSS 0% CVSS 7.5
HIGH This Week

WWBN AVideo versions up to and including 26.0 contain an unauthenticated API endpoint that allows arbitrary decryption of ciphertext. Attackers can exploit the decryptString action in the API plugin without authentication to decrypt publicly-issued ciphertext (such as from view/url2Embed.json.php), allowing recovery of protected tokens and metadata. The CVSS score of 7.5 reflects high confidentiality impact with network accessibility and no authentication required.

PHP Authentication Bypass
NVD GitHub VulDB
EPSS 0% CVSS 2.9
LOW POC Monitor

Improper authentication in the two-factor authentication verification function of Kalcaddle Kodbox 1.64 allows remote attackers to bypass login controls with high complexity exploitation. Public exploit code exists for this vulnerability, and the vendor has not provided a patch despite early notification. Affected users should implement network-level access controls while awaiting a vendor update.

PHP Authentication Bypass
NVD VulDB
EPSS 0% CVSS 2.0
LOW POC Monitor

The fileThumb endpoint in Kodbox 1.64 contains an OS command injection vulnerability in the checkBin function that allows authenticated remote attackers to execute arbitrary commands with the privileges of the web server process. Public exploit code exists for this vulnerability, and the vendor has not provided a patch despite early notification. An attacker with high-level privileges can leverage this to achieve remote code execution on affected systems.

PHP Command Injection
NVD VulDB
EPSS 0% CVSS 1.3
LOW POC Monitor

A cross-site request forgery (CSRF) vulnerability exists in Kalcaddle Kodbox 1.64 affecting the loginSubmit API endpoint within the OAuth bind controller. An unauthenticated remote attacker can manipulate the 'third' parameter to forge requests that modify application state, though the attack requires user interaction and high complexity. A public proof-of-concept exploit has been released, and the vendor has not responded to early disclosure notifications.

CSRF PHP
NVD VulDB
EPSS 0% CVSS 2.1
LOW POC Monitor

Server-side request forgery in Kodbox 1.64's fileGet endpoint allows authenticated attackers to manipulate the path parameter in the PathDriverUrl function, enabling arbitrary outbound requests from the affected server. Public exploit code exists for this vulnerability, and no patch is currently available. The impact is limited to users with valid credentials, though successful exploitation could facilitate further network reconnaissance or attacks against internal systems.

PHP SSRF
NVD VulDB
EPSS 0% CVSS 9.3
CRITICAL Act Now

A SQL injection vulnerability exists in Sinturno that allows unauthenticated or low-privileged attackers to execute arbitrary SQL commands through the 'client' parameter in the '/_adm/scripts/modalReport_data.php' endpoint. This vulnerability enables complete database compromise including retrieval, creation, updating, and deletion of database objects. The vulnerability was reported by INCIBE and affects all versions of Sinturno; no CVSS score, EPSS data, or KEV status has been published, but the ability to perform CRUD operations on databases represents critical severity regardless of formal scoring.

PHP SQLi
NVD VulDB
EPSS 0% CVSS 2.9
LOW POC Monitor

Kalcaddle Kodbox 1.64 contains a cryptographic key hardcoding vulnerability in the Site-level API key Handler component (shareSafeGroup function in shareOut.class.php), where manipulation of the 'sk' parameter exploits the use of a hard-coded cryptographic key. This allows unauthenticated remote attackers to disclose sensitive information with low complexity, though the attack itself requires high complexity execution. A public proof-of-concept is available, and the vendor has not responded to early disclosure.

PHP Information Disclosure
NVD VulDB
EPSS 0% CVSS 6.3
MEDIUM This Month

HybridAuth versions up to 3.12.2 contain an improper certificate validation vulnerability in the SSL Handler component (src/HttpClient/Curl.php) where manipulation of curlOptions arguments bypasses SSL/TLS certificate verification. This affects any application using HybridAuth for authentication, allowing attackers to conduct man-in-the-middle attacks against remote authentication flows. While the CVSS score is relatively low (3.7) due to high attack complexity and lack of confidentiality impact, the integrity compromise from certificate validation bypass presents a real threat to authentication security in vulnerable deployments.

PHP Information Disclosure
NVD VulDB GitHub
EPSS 0% CVSS 9.3
CRITICAL PATCH Act Now

A SQL injection vulnerability exists in Cuantis that allows unauthenticated attackers to execute arbitrary SQL commands through the 'search' parameter in the '/search.php' endpoint. This vulnerability enables complete database compromise including retrieval, creation, modification, and deletion of database contents. A patch is available from the vendor, and exploitation requires only network access to the affected application with no special privileges or user interaction.

PHP SQLi
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in Simple Laundry System 1.0's /checklogin.php parameter handler allows unauthenticated remote attackers to manipulate the Username field and execute arbitrary database queries. Public exploit code exists for this vulnerability, increasing the risk of active exploitation. No patch is currently available, leaving affected PHP installations vulnerable to data theft and unauthorized access.

SQLi PHP
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in Simple Laundry System 1.0's /checkupdatestatus.php parameter handler allows unauthenticated remote attackers to manipulate the serviceId argument and execute arbitrary SQL queries. Public exploit code exists for this vulnerability, and no patch is currently available, creating immediate risk for affected deployments.

SQLi PHP
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in Simple Laundry System 1.0 through the serviceId parameter in /viewdetail.php allows unauthenticated remote attackers to execute arbitrary SQL queries. Public exploit code exists for this vulnerability, and no patch is currently available. Attackers can exploit this to read or modify sensitive database information.

SQLi PHP
NVD VulDB GitHub
EPSS 0% CVSS 1.9
LOW POC Monitor

A cross-site scripting (XSS) vulnerability exists in code-projects Exam Form Submission version 1.0, specifically in the /admin/update_s3.php file where the 'sname' parameter is not properly sanitized. An authenticated attacker with high privileges can inject malicious scripts through this parameter to perform actions in the context of other users' browsers. A public proof-of-concept is available, making this vulnerability actively exploitable despite its low CVSS score of 2.4.

XSS PHP
NVD VulDB GitHub
EPSS 0% CVSS 1.9
LOW POC Monitor

A Stored Cross-Site Scripting (XSS) vulnerability exists in code-projects Exam Form Submission version 1.0 affecting the /admin/update_s4.php endpoint, where the 'sname' parameter is not properly sanitized before output. An authenticated attacker with high privileges can inject malicious JavaScript that executes in the context of other users' browsers, potentially leading to session hijacking, credential theft, or administrative action abuse. A public proof-of-concept exploit is available, increasing real-world risk despite the low CVSS score of 2.4.

XSS PHP
NVD VulDB GitHub
EPSS 0% CVSS 1.9
LOW POC Monitor

A Stored or Reflected Cross-Site Scripting (XSS) vulnerability exists in code-projects Exam Form Submission version 1.0, specifically in the /admin/update_s5.php file where the 'sname' parameter is not properly sanitized. An authenticated attacker with high privileges can inject malicious JavaScript code through this parameter, which will execute in the context of other users' browsers when they interact with the affected page. A public proof-of-concept exploit is available on GitHub, and the vulnerability has a low CVSS score of 2.4 due to high privilege requirements and user interaction dependency, but the public disclosure increases practical exploitation likelihood.

PHP XSS
NVD VulDB GitHub
EPSS 0% CVSS 1.9
LOW POC Monitor

A stored cross-site scripting (XSS) vulnerability exists in code-projects Exam Form Submission version 1.0, affecting the /admin/update_s2.php endpoint where the 'sname' parameter is not properly sanitized. An authenticated attacker with high privileges can inject malicious JavaScript that executes in the browser of other users who view the affected page, potentially leading to session hijacking, credential theft, or administrative action manipulation. A public proof-of-concept exploit is available on GitHub, and the vulnerability carries a low CVSS score of 2.4 due to requiring high privileges and user interaction, but the published exploit status indicates active reconnaissance and potential targeted exploitation.

XSS PHP
NVD VulDB GitHub
EPSS 0% CVSS 7.3
HIGH This Week

The ReviewX plugin for WordPress contains a critical arbitrary method call vulnerability in all versions up to and including 2.2.12. Unauthenticated attackers can exploit insufficient input validation in the bulkTenReviews function to call arbitrary PHP class methods, potentially achieving remote code execution or information disclosure. With a CVSS score of 7.3 and network-based exploitation requiring no privileges or user interaction, this presents a significant risk to WordPress sites using this WooCommerce product review plugin.

WordPress PHP RCE +3
NVD VulDB
EPSS 0% CVSS 2.1
LOW POC Monitor

SQL injection in SourceCodester Simple E-learning System 1.0 allows authenticated attackers to manipulate the post_id parameter in the delete_post.php endpoint, enabling unauthorized data access, modification, or deletion. Public exploit code exists for this vulnerability, and no patch is currently available.

SQLi PHP
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

SQL injection in SourceCodester Sales and Inventory System 1.0 allows authenticated remote attackers to manipulate the searchtxt parameter in /view_product.php, enabling unauthorized data access and modification. Public exploit code exists for this vulnerability, and no patch is currently available.

SQLi PHP
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

SQL injection in SourceCodester Sales and Inventory System 1.0 allows remote authenticated attackers to manipulate the searchtxt parameter in /view_payments.php, enabling unauthorized data access and modification. Public exploit code exists for this vulnerability, and no patch is currently available. The attack requires valid credentials but can be executed with low complexity over the network.

SQLi PHP
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

SourceCodester Sales and Inventory System 1.0 contains a SQL injection vulnerability in the /view_customers.php endpoint where the searchtxt parameter is insufficiently sanitized, allowing authenticated attackers to execute arbitrary SQL queries and manipulate database contents. The vulnerability requires valid credentials but can be exploited remotely over the network, and public exploit code is available. No patch is currently available for this vulnerability.

SQLi PHP
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

SourceCodester Sales and Inventory System 1.0 contains a SQL injection vulnerability in the /view_category.php endpoint's searchtxt parameter that allows authenticated attackers to execute arbitrary SQL queries and potentially access or modify sensitive data. Public exploit code exists for this vulnerability, and there is currently no available patch. The attack requires valid credentials but can be executed remotely over the network.

SQLi PHP
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

SQL injection in SourceCodester Sales and Inventory System 1.0 via the sid parameter in /update_supplier.php allows authenticated remote attackers to read, modify, or delete database contents. Public exploit code exists for this vulnerability, and no patch is currently available.

PHP SQLi
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW Monitor

An authorization bypass vulnerability exists in MacCMS up to version 2025.1000.4052 within the Member Order Detail Interface component, specifically in the order_info function of application/index/controller/User.php. An authenticated attacker can manipulate the order_id parameter to access order information belonging to other users, disclosing sensitive data. A public proof-of-concept exploit is available, elevating the risk of active exploitation despite the moderate CVSS 4.3 score.

PHP Authentication Bypass
NVD GitHub VulDB
EPSS 0% CVSS 4.8
MEDIUM This Month

A stored cross-site scripting (XSS) vulnerability in the component /admin/profile.php of Phpgurukul Vehicle Record Management System v1.0 allows attackers to execute arbitrary web scripts or HTML via. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS PHP
NVD GitHub VulDB
EPSS 0% CVSS 4.8
MEDIUM This Month

Multiple cross-site scripting (XSS) vulnerabilities in the component /admin/edit-vehicle.php of Phpgurukul Vehicle Record Management System v1.0 allows attackers to execute arbitrary web scripts or. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS PHP
NVD GitHub VulDB
EPSS 0% CVSS 4.8
MEDIUM This Month

A stored cross-site scripting (XSS) vulnerability in the component /admin/add-brand.php of Phpgurukul Vehicle Record Management System v1.0 allows attackers to execute arbitrary web scripts or HTML. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS PHP
NVD GitHub VulDB
EPSS 0% CVSS 6.1
MEDIUM This Month

A stored cross-site scripting (XSS) vulnerability in the component /admin/search-vehicle.php of Phpgurukul Vehicle Record Management System v1.0 allows attackers to execute arbitrary web scripts or. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS PHP
NVD GitHub VulDB
EPSS 0% CVSS 5.4
MEDIUM This Month

A Cross-Site Scripting (XSS) vulnerability exists in the page parameter of tiki-editpage.php in Tiki version 26.3 and earlier. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS PHP
NVD GitHub VulDB
EPSS 0% CVSS 4.8
MEDIUM This Month

A stored cross-site scripting (XSS) vulnerability in the component /admin/profile.php of Phpgurukul Vehicle Record Management System v1.0 allows attackers to execute arbitrary web scripts or HTML via. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS PHP
NVD GitHub VulDB
EPSS 0% CVSS 5.4
MEDIUM This Month

A Reflected Cross-Site Scripting (XSS) vulnerability exists in the POST request data zipPath of tiki-admin_system.php in Tiki version 21.2. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS PHP
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM POC This Month

MacCMS version 2025.1000.4052 contains a missing authentication vulnerability in the Timming API endpoint (application/api/controller/Timming.php). An unauthenticated remote attacker can access protected functionality, potentially leading to unauthorized data access, modification, or service disruption. A public proof-of-concept exploit is available on GitHub, significantly increasing the risk of active exploitation in the wild.

PHP Authentication Bypass
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

A Stored Cross-Site Scripting (XSS) vulnerability exists in code-projects Exam Form Submission version 1.0, affecting the /admin/update_s1.php file where the 'sname' parameter is not properly sanitized. An unauthenticated attacker can remotely inject malicious JavaScript by manipulating this parameter, which will execute in the browsers of administrators or other users who view the affected page. A public proof-of-concept exploit is available on GitHub, and the vulnerability has an EPSS score indicating probable exploitation likelihood.

PHP XSS
NVD VulDB GitHub
EPSS 0% CVSS 2.0
LOW POC Monitor

SQL injection in Simple Gym Management System up to version 1.0 allows remote attackers with high privileges to manipulate the Trainer_id and fname parameters in /gym/func.php, enabling unauthorized database queries and potential data exfiltration or modification. Public exploit code exists for this vulnerability, and no patch is currently available.

PHP SQLi
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in projectworlds Online Notes Sharing System 1.0 allows unauthenticated remote attackers to manipulate the Benutzer parameter in /login.php, enabling unauthorized data access, modification, or denial of service. Public exploit code exists for this vulnerability, and no patch is currently available.

PHP SQLi
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

SQL injection in Simple Food Ordering System 1.0 allows authenticated remote attackers to manipulate the Status parameter in all-tickets.php and execute arbitrary SQL queries. Public exploit code exists for this vulnerability, enabling attackers with valid credentials to read, modify, or delete database contents. The affected PHP application currently lacks a security patch.

SQLi PHP
NVD VulDB GitHub
EPSS 0% CVSS 6.5
MEDIUM POC This Month

i-doit CMDB 1.12 contains an arbitrary file download vulnerability that allows authenticated attackers to download sensitive files by manipulating the file parameter in index.php. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

File Upload PHP
NVD Exploit-DB VulDB
EPSS 0% CVSS 8.8
HIGH POC This Week

ownDMS 4.7 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the IMG parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

File Upload SQLi PHP
NVD Exploit-DB VulDB
EPSS 0% CVSS 8.8
HIGH POC This Week

phpTransformer 2016.9 contains an SQL injection vulnerability that allows remote attackers to execute arbitrary SQL queries by injecting malicious code through the idnews parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi Path Traversal PHP
NVD Exploit-DB VulDB
EPSS 0% CVSS 7.1
HIGH POC This Week

Green CMS 2.x contains an SQL injection vulnerability that allows authenticated attackers to execute arbitrary SQL queries by injecting malicious code through the cat parameter. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

SQLi PHP
NVD Exploit-DB GitHub VulDB
EPSS 0% CVSS 2.1
LOW POC Monitor

PbootCMS versions up to 3.2.12 contain an improper access control vulnerability in the Backend UserController component that allows authenticated attackers to manipulate the Field argument and bypass access restrictions. An attacker with login credentials can exploit this to gain unauthorized access to sensitive user data or system functions. A proof-of-concept exploit has been publicly disclosed on GitHub and the vulnerability carries a moderate CVSS score of 6.3 with documented exploitation capability.

PHP Authentication Bypass
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

A reflected cross-site scripting (XSS) vulnerability exists in PbootCMS versions up to 3.2.12 in the alert_location function of the MemberController.php file, where the backurl parameter is not properly sanitized before output. An attacker can craft a malicious URL containing JavaScript code that will execute in a victim's browser when they click the link, potentially leading to session hijacking, credential theft, or malware distribution. A public proof-of-concept exploit is available on GitHub, increasing the risk of active exploitation.

PHP XSS
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

PbootCMS versions up to 3.2.12 contain an incomplete blacklist bypass vulnerability in the file upload functionality (core/function/file.php) that allows authenticated attackers to upload dangerous files by manipulating the blacklist parameter. An attacker with login credentials can bypass file type restrictions to upload arbitrary files, potentially achieving remote code execution or other malicious outcomes. A public proof-of-concept exploit is available on GitHub, increasing the practical risk of exploitation.

PHP File Upload
NVD VulDB GitHub
EPSS 0% CVSS 6.4
MEDIUM This Month

A Stored Cross-Site Scripting (XSS) vulnerability exists in the Sherk Custom Post Type Displays WordPress plugin (versions up to 1.2.1) where the 'title' shortcode attribute is insufficiently sanitized and directly concatenated into HTML output without escaping. Authenticated attackers with Contributor-level access or higher can inject arbitrary JavaScript that executes for all users viewing affected pages. The vulnerability has a CVSS score of 6.4 (Medium) with a local privilege requirement, making it exploitable by lower-privileged authenticated users rather than unauthenticated remote attackers.

WordPress PHP XSS
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

The Punnel - Landing Page Builder WordPress plugin contains a critical missing authorization vulnerability in the save_config() AJAX function that allows authenticated attackers with Subscriber-level privileges to overwrite the plugin's configuration and API key without proper capability checks or nonce verification. Combined with an insecure public API endpoint (sniff_requests()) that only validates requests via token comparison, attackers can subsequently create, update, or delete arbitrary posts, pages, and products on affected WordPress installations. The vulnerability affects all versions up to and including 1.3.1 and has been documented by Wordfence with publicly available code references.

Authentication Bypass WordPress PHP
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

The App Builder - Create Native Android & iOS Apps On The Flight WordPress plugin up to version 5.5.10 contains a privilege escalation vulnerability in its REST API registration endpoint that allows unauthenticated attackers to register accounts with the wcfm_vendor role, bypassing WCFM Marketplace's vendor approval workflow. The verify_role() function in AuthTrails.php explicitly whitelists the wcfm_vendor role without proper authorization checks, enabling attackers to immediately gain vendor-level privileges including product management, order access, and store management on affected WordPress installations. This vulnerability has a CVSS score of 6.5 with low attack complexity and no authentication requirements, making it a moderate-to-significant risk for WordPress sites using both this plugin and WCFM Marketplace.

Apple Google WordPress +2
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

The Canto plugin for WordPress (versions up to 3.1.1) contains a critical missing authorization vulnerability in the copy-media.php file and related endpoints that allows unauthenticated attackers to upload arbitrary files to the WordPress uploads directory. The vulnerability stems from multiple PHP files being directly accessible without authentication, nonce validation, or authorization checks, while also accepting attacker-controlled parameters for API endpoints and domain configuration. An attacker can exploit this to upload malicious files (within WordPress MIME type constraints) or redirect legitimate file operations to attacker-controlled infrastructure, potentially leading to remote code execution or site compromise.

WordPress PHP Authentication Bypass
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM This Month

The Smarter Analytics WordPress plugin (all versions up to 2.0) contains an authentication bypass vulnerability that allows unauthenticated attackers to reset plugin configuration and delete all analytics settings via the 'reset' parameter in the global scope of smarter-analytics.php. This is a missing authentication and capability check vulnerability (CWE-862) with a CVSS score of 5.3, classified as moderate severity with low attack complexity and no authentication required. The vulnerability is publicly documented via Wordfence threat intelligence with direct references to the vulnerable code in the WordPress plugin repository, though no active exploitation in the wild or public proof-of-concept has been widely reported.

WordPress PHP Authentication Bypass
NVD
EPSS 0% CVSS 4.9
MEDIUM This Month

The EmailKit - Email Customizer for WooCommerce & WP WordPress plugin contains a path traversal vulnerability in the TemplateData class that allows authenticated administrators to read arbitrary files from the server via the 'emailkit-editor-template' REST API parameter. An attacker with Administrator privileges can exploit this flaw to access sensitive files such as wp-config.php or /etc/passwd by supplying directory traversal sequences, with the retrieved file contents stored as post metadata and retrievable through the fetch-data REST API endpoint. The vulnerability affects all versions up to and including 1.6.3, and while it requires high-level administrative access and has a moderate CVSS score of 4.9, it represents a critical information disclosure risk in multi-user WordPress environments.

WordPress PHP Path Traversal
NVD VulDB
EPSS 0% CVSS 6.4
MEDIUM This Month

A Stored Cross-Site Scripting (XSS) vulnerability exists in the Contact List plugin for WordPress (versions up to 3.0.18) where the '_cl_map_iframe' parameter fails to properly sanitize and escape Google Maps iframe custom fields, allowing authenticated attackers with Contributor-level access or higher to inject arbitrary JavaScript that executes in the browsers of users viewing affected pages. The vulnerability stems from insufficient input validation in the saveCustomFields() function and missing output escaping in the front-end rendering, creating a persistent XSS condition with a CVSS score of 6.4 and low-to-moderate exploitation probability given the authentication requirement.

WordPress PHP XSS +1
NVD VulDB
EPSS 0% CVSS 6.4
MEDIUM This Month

A Stored Cross-Site Scripting (XSS) vulnerability exists in the Autoptimize WordPress plugin through version 3.1.14, caused by insufficient input sanitization in the ao_metabox_save() function and missing output escaping when rendering the 'ao_post_preload' meta value into HTML link tags. Authenticated attackers with Contributor-level access or higher can inject arbitrary JavaScript that executes whenever users access pages with the Image optimization or Lazy-load images settings enabled, potentially affecting all users of compromised sites. The vulnerability has been patched and proof-of-concept code is available in the referenced GitHub commit.

WordPress PHP XSS
NVD GitHub VulDB
EPSS 0% CVSS 7.2
HIGH This Week

The Injection Guard plugin for WordPress versions up to 1.2.9 contains a stored cross-site scripting (XSS) vulnerability that allows unauthenticated attackers to inject malicious JavaScript into the admin log interface. The flaw stems from insufficient sanitization of query parameter names, which are logged and later rendered without proper output escaping when administrators view the plugin's log page. This enables arbitrary script execution in the context of an authenticated administrator's browser session, potentially leading to account compromise or further malicious actions.

WordPress PHP XSS
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in PbootCMS versions up to 3.2.12 allows unauthenticated remote attackers to manipulate the Username parameter in the Member Login function, potentially enabling unauthorized database access and data manipulation. Public exploit code exists for this vulnerability, and no patch is currently available.

PHP SQLi
NVD VulDB GitHub
EPSS 0% CVSS 8.8
HIGH This Week

A Cross-Site Request Forgery (CSRF) vulnerability in the AVideo platform's plugin upload endpoint allows unauthenticated attackers to achieve Remote Code Execution by tricking authenticated administrators into visiting a malicious webpage. The vulnerability combines missing CSRF token validation on the pluginImport.json.php endpoint with explicitly configured SameSite=None session cookies over HTTPS, enabling cross-origin session hijacking. A proof-of-concept exploit has been published demonstrating full compromise by uploading a malicious plugin containing a PHP webshell.

PHP RCE CSRF +3
NVD GitHub VulDB
EPSS 3% CVSS 9.3
CRITICAL PATCH Act Now

An unauthenticated server-side request forgery (SSRF) vulnerability exists in AVideo's Live plugin test.php endpoint that allows remote attackers to force the server to send HTTP requests to arbitrary URLs. The vulnerability affects AVideo installations with the Live plugin enabled and can be exploited to probe internal network services, access cloud metadata endpoints, and retrieve content from internal HTTP resources. A proof-of-concept has been published demonstrating localhost service enumeration, and the vulnerability requires no authentication or user interaction to exploit.

SSRF PHP RCE +2
NVD GitHub VulDB
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

An unauthenticated information disclosure vulnerability exists in the AVideo Permissions plugin endpoint `list.json.php`, which exposes the complete permission matrix mapping user groups to installed plugins without any authentication check. The vulnerability affects AVideo instances with the Permissions plugin enabled and allows unauthenticated attackers to enumerate all user groups, plugins, and their permission assignments-information that significantly aids targeted privilege escalation attacks. A proof-of-concept curl command exists, and this represents a clear authentication bypass in a sensitive administrative endpoint.

PHP Authentication Bypass Privilege Escalation
NVD GitHub VulDB
EPSS 0% CVSS 5.4
MEDIUM This Month

A stored cross-site scripting (XSS) vulnerability exists in AVideo's comment markdown processing, where the fix for a prior XSS issue (CVE-2026-27568) inadvertently disabled Parsedown's safe mode while implementing incomplete custom sanitization. An attacker with comment posting privileges can inject malicious JavaScript via markdown link syntax (e.g., `[text](javascript:alert(1))`) that executes in the browser context of any user viewing the comment, enabling session hijacking and account takeover. A working proof-of-concept exists and the vulnerability affects all versions of WWBN AVideo using the vulnerable ParsedownSafeWithLinks class (pkg:composer/wwbn_avideo).

PHP XSS
NVD GitHub VulDB
EPSS 0% CVSS 6.1
MEDIUM This Month

AVideo contains a reflected cross-site scripting (XSS) vulnerability in the password unlock functionality where the unlockPassword request parameter is directly reflected into HTML input tag attributes without output encoding. The vulnerability affects AVideo (pkg:composer/wwbn_avideo) and can be exploited by any unauthenticated attacker to execute arbitrary JavaScript in the victim's browser with no user interaction beyond clicking a crafted link, potentially leading to session hijacking, account takeover, or credential theft. A proof-of-concept has been published and the vulnerability is documented in the official GitHub advisory.

PHP XSS
NVD GitHub VulDB
EPSS 0% CVSS 7.1
HIGH This Week

The AVideo platform contains a path traversal vulnerability in the objects/import.json.php endpoint that allows authenticated users with upload permissions to bypass directory restrictions and access any MP4 file on the filesystem. Attackers can steal private videos from other users, read adjacent text/HTML files containing video metadata, and delete video files if writable by the web server. A detailed proof-of-concept is publicly available in the GitHub security advisory, and the vulnerability affects all instances where authenticated users have upload permissions, which is the default configuration.

Path Traversal PHP
NVD GitHub VulDB
EPSS 0% CVSS 7.3
HIGH This Week

AVideo, an open-source video platform, contains a session fixation vulnerability that allows attackers to hijack user sessions and achieve full account takeover. The flaw affects the AVideo Composer package (pkg:composer/wwbn_avideo) and stems from accepting arbitrary session IDs via URL parameters, bypassing session regeneration for specific endpoints, and disabled session regeneration during login. A public proof-of-concept exploit is available in the GitHub security advisory, and the vulnerability requires only low privileges (authenticated attacker) and user interaction (victim clicking a malicious link), making it highly exploitable.

Session Fixation PHP CSRF +1
NVD GitHub VulDB
EPSS 0% CVSS 7.4
HIGH This Week

The LoginControl plugin for AVideo contains a critical cryptographic weakness in its PGP-based 2FA implementation, generating 512-bit RSA keys that can be factored on commodity hardware within hours using publicly available tools. Attackers who obtain a user's public key can derive the complete private key and decrypt authentication challenges, completely bypassing the second factor protection. A proof-of-concept demonstrating key factoring and challenge decryption is included in the advisory, and unauthenticated endpoints allow anonymous CPU-intensive key generation for denial-of-service attacks.

PHP Denial Of Service Python
NVD GitHub VulDB
EPSS 0% CVSS 7.5
HIGH This Week

An unauthenticated SQL injection vulnerability exists in the AVideo platform's RTMP on_publish callback, allowing remote attackers to extract the entire database via time-based blind SQL injection. The vulnerability affects the wwbn_avideo composer package and can be exploited without authentication to steal user password hashes, email addresses, and API keys. A detailed proof-of-concept is publicly available in the GitHub Security Advisory, and the vulnerability has a CVSS score of 7.5 (High) with network attack vector and low complexity.

SQLi PHP Information Disclosure
NVD GitHub VulDB
EPSS 0% CVSS 7.5
HIGH This Week

AVideo platform contains an unauthenticated file upload vulnerability in the aVideoEncoderChunk.json.php endpoint that allows remote attackers to exhaust disk space and cause denial of service. Any unauthenticated attacker can upload arbitrarily large files to the server's /tmp directory with no size limits, rate limiting, or cleanup mechanism, and the CORS wildcard header enables browser-based distributed attacks. A detailed proof-of-concept is publicly available demonstrating parallel upload attacks that can fill disk space and crash server services.

Denial Of Service Information Disclosure PHP
NVD GitHub VulDB
EPSS 0% CVSS 8.1
HIGH This Week

Remote code execution in PHP ffmpeg integration allows unauthenticated attackers to execute arbitrary OS commands on standalone encoder servers by bypassing incomplete input sanitization that fails to filter bash command substitution syntax. The vulnerable `sanitizeFFmpegCommand()` function strips common shell metacharacters but permits `$()` notation, which can be injected through crafted encrypted payloads and executed in a double-quoted shell context. No patch is currently available.

RCE PHP Command Injection
NVD GitHub VulDB
EPSS 0% CVSS 8.6
HIGH This Week

AVideo, an open-source video platform, contains a server-side request forgery (SSRF) vulnerability that allows unauthenticated attackers to bypass URL validation using IPv4-mapped IPv6 addresses (::ffff:x.x.x.x format). The vulnerable endpoint plugin/LiveLinks/proxy.php can be exploited to access cloud metadata services (AWS, GCP, Azure), internal networks, and localhost services without authentication. A detailed proof-of-concept is publicly available demonstrating credential theft from AWS instance metadata, making this a critical risk for cloud-hosted installations.

SSRF PHP Microsoft +1
NVD GitHub VulDB
EPSS 0% CVSS 8.8
HIGH This Week

The Gallery plugin in AVideo contains an unauthenticated remote code execution vulnerability through CSRF-enabled PHP code injection. Attackers can exploit an eval() function that directly executes unsanitized user input by tricking an admin into visiting a malicious page, with the session cookie's SameSite=None configuration enabling cross-site request forgery. A detailed proof-of-concept exploit exists demonstrating command execution through crafted form submissions.

PHP RCE CSRF +1
NVD GitHub VulDB
EPSS 3% CVSS 10.0
CRITICAL POC PATCH Act Now

A critical authentication bypass and command injection vulnerability chain in AVideo's CloneSite plugin allows completely unauthenticated remote attackers to achieve full system compromise. The vulnerability affects AVideo installations with the CloneSite plugin enabled, allowing attackers to steal clone authentication keys, dump the entire database including MD5-hashed admin credentials, crack those credentials trivially, and finally execute arbitrary system commands via an rsync command injection. A detailed proof-of-concept demonstrating the complete attack chain is publicly available in the GitHub security advisory, making this an immediate exploitation risk.

RCE Command Injection PHP
NVD GitHub VulDB
EPSS 0% CVSS 5.1
MEDIUM This Month

A reflected cross-site scripting (XSS) vulnerability exists in XinLiangCoder's php_api_doc application through commit 1ce5bbf, specifically in the list_method.php file where the 'f' GET parameter is output directly to the page without sanitization. Remote attackers can inject arbitrary JavaScript code by crafting malicious URLs, enabling session hijacking, credential theft, and malware distribution within the application context. No CVSS score, EPSS data, or KEV status are currently available, but the vulnerability is confirmed with a proof-of-concept reference available via VulnCheck advisory.

XSS PHP
NVD GitHub VulDB
EPSS 0% CVSS 2.1
LOW POC Monitor

SQL injection in the College Management System 1.0 admin search_student.php endpoint allows authenticated attackers to manipulate the Search parameter and execute arbitrary database queries remotely. Public exploit code exists for this vulnerability, enabling attackers with valid credentials to potentially extract, modify, or delete sensitive student data. The vulnerability affects PHP-based installations and currently lacks an available patch.

PHP SQLi
NVD VulDB GitHub
EPSS 0% CVSS 9.3
CRITICAL PATCH Act Now

WeGIA, a web manager for charitable institutions, contains a Reflected Cross-Site Scripting (XSS) vulnerability in the listar_memorandos_ativos.php endpoint affecting versions 3.6.6 and below. An attacker can inject arbitrary JavaScript or HTML into the sccd GET parameter, which is reflected without sanitization when the msg parameter equals 'success', enabling session hijacking, credential theft, and malicious actions in the context of victim users. The vulnerability has a critical CVSS score of 9.3 with changed scope, indicating potential impact beyond the vulnerable component.

XSS PHP
NVD GitHub VulDB
EPSS 0% CVSS 9.3
CRITICAL PATCH Act Now

A Reflected Cross-Site Scripting (XSS) vulnerability exists in WeGIA, a web manager for charitable institutions. Versions 3.6.6 and below are affected through the novo_memorandoo.php endpoint, where an attacker can inject arbitrary JavaScript via the sccs GET parameter without sanitization. This allows execution of malicious scripts in victims' browsers when they click a crafted link, with a critical CVSS score of 9.3 due to cross-site scripting scope and high confidentiality and integrity impact.

XSS PHP
NVD GitHub VulDB
EPSS 0% CVSS 9.3
CRITICAL PATCH Act Now

WeGIA, a web manager for charitable institutions, contains an authenticated SQL injection vulnerability in versions 3.6.5 and below via the id_producto parameter in the restaurar_produto.php endpoint. An authenticated attacker can execute arbitrary SQL commands to fully compromise the database, extracting sensitive donor information, beneficiary records, and administrative credentials. No evidence of active exploitation (not in CISA KEV) is currently available, though proof-of-concept details are publicly disclosed in the GitHub security advisory.

SQLi PHP
NVD GitHub VulDB
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Uptime Kuma versions 1.23.0 through 2.2.0 contain an incomplete Server-Side Template Injection (SSTI) vulnerability in the LiquidJS templating engine that allows authenticated attackers to read arbitrary files from the server. A prior fix (GHSA-vffh-c9pq-4crh) attempted to restrict file path access through three mitigation options (root, relativeReference, dynamicPartials), but this fix only blocks quoted paths; attackers can bypass the mitigation by using unquoted absolute paths like /etc/passwd that successfully resolve through the require.resolve() fallback mechanism in liquid.node.js. The vulnerability requires low privileges (authenticated access) but can result in high confidentiality impact, making it a notable information disclosure risk for self-hosted monitoring deployments.

Node.js LFI Code Injection +1
NVD GitHub VulDB
EPSS 0% CVSS 8.1
HIGH This Week

A PHP Local File Inclusion vulnerability exists in the ThemeREX Melania WordPress theme, allowing remote attackers to include and execute arbitrary local files on the server. All versions up to and including 2.5.0 are affected. The CVSS score of 8.1 indicates high severity with network-based attack vector, though attack complexity is rated as high; there is no evidence of active exploitation (not in KEV) or public proof-of-concept at this time.

PHP Information Disclosure LFI
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

FileRise, a self-hosted web file manager and WebDAV server, contains an unrestricted file upload vulnerability in its WebDAV endpoint that bypasses filename validation controls present in the regular upload path, allowing authenticated attackers to upload executable file types such as .phtml, .php5, and .htaccess. In non-default Apache configurations lacking LocationMatch protection, this enables remote code execution on the underlying web server. The vulnerability affects FileRise versions prior to 3.8.0 and has been patched; no public exploit code or active KEV listing is currently confirmed, but the presence of a GitHub security advisory indicates vendor acknowledgment of the threat.

PHP RCE Apache +1
NVD GitHub VulDB
Prev Page 27 of 275 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy