Skip to main content

PHP

24729 CVEs product

Monthly

CVE-2026-3550 MEDIUM This Month

The RockPress WordPress plugin (versions up to 1.0.17) contains a Missing Authorization vulnerability in five AJAX actions that allows authenticated users with Subscriber-level privileges to trigger privileged operations intended for administrators. The vulnerability stems from a combination of missing capability checks (current_user_can() calls) in AJAX handlers and exposure of an admin nonce to all authenticated users via an unconditionally enqueued script. Attackers can extract the nonce from the HTML source and use it to trigger resource-intensive imports, reset import data, check service connectivity, and read import status information without administrative privileges.

WordPress PHP Authentication Bypass
NVD VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-2421 MEDIUM This Month

A Path Traversal vulnerability exists in the ilGhera Carta Docente for WooCommerce plugin for WordPress (versions up to and including 1.5.0) that allows authenticated administrators to delete arbitrary files on the server through insufficient validation of the 'cert' parameter in the 'wccd-delete-certificate' AJAX action. An attacker with administrator privileges can exploit this to delete critical files such as wp-config.php, leading to site takeover and potential remote code execution. The vulnerability has been documented by Wordfence security researchers and affects all versions from release through 1.5.0, with a patch available in version 1.5.1 and later.

WordPress PHP Path Traversal RCE
NVD VulDB
CVSS 3.1
6.5
EPSS
0.4%
CVE-2026-33070 LOW PATCH Monitor

FileRise, a self-hosted web file manager and WebDAV server, contains a missing-authentication vulnerability in the deleteShareLink endpoint that allows unauthenticated attackers to delete arbitrary file share links by providing only the share token, resulting in denial of service to legitimate users accessing shared files. All versions prior to 3.8.0 are affected. While the CVSS score is moderate at 3.7 due to high attack complexity, the vulnerability has a published proof-of-concept via the GitHub security advisory and represents a trivial attack surface requiring only knowledge of a share token.

PHP Denial Of Service CSRF Authentication Bypass
NVD GitHub VulDB
CVSS 3.1
3.7
EPSS
0.0%
CVE-2026-33061 MEDIUM This Month

Jexactyl, a game management panel and billing system, contains a stored DOM-based cross-site scripting (XSS) vulnerability in its template rendering engine where server-side objects are injected into client-side JavaScript without proper escaping. The vulnerability affects versions after commit 025e8dbb0daaa04054276bda814d922cf4af58da and before the patched commit e28edb204e80efab628d1241198ea4f079779cfd, allowing authenticated attackers with high privileges to inject malicious payloads through attacker-controlled fields such as usernames or display names that execute arbitrary JavaScript in the browsers of all users viewing the affected page. The CVSS score of 5.8 reflects local attack vector requirements and high privilege prerequisites, though the stored nature of the XSS and lack of user interaction requirements for viewing the malicious content represent meaningful security risk for multi-user deployments.

XSS PHP
NVD GitHub VulDB
CVSS 3.1
5.8
EPSS
0.0%
CVE-2026-4474 LOW Monitor

A stored cross-site scripting (XSS) vulnerability exists in itsourcecode University Management System version 1.0 within the /admin_single_student_update.php file, where the st_name parameter fails to properly sanitize user input. An authenticated administrator with high privileges can inject malicious scripts that execute in the context of other users' browsers, potentially leading to session hijacking, credential theft, or unauthorized administrative actions. A proof-of-concept exploit has been publicly disclosed on GitHub, increasing real-world exploitation risk despite the low CVSS score of 2.4.

PHP XSS
NVD GitHub VulDB
CVSS 4.0
1.9
EPSS
0.0%
CVE-2026-4473 LOW Monitor

SQL injection in itsourcecode Online Doctor Appointment System 1.0 allows remote attackers with high privileges to manipulate the appointment_id parameter in /admin/appointment_action.php, potentially compromising data confidentiality and integrity. Public exploit code exists for this vulnerability, though no patch is currently available for PHP-based deployments.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
2.0
EPSS
0.0%
CVE-2026-4472 LOW Monitor

SQL injection in itsourcecode Online Frozen Foods Ordering System 1.0 allows authenticated remote attackers to manipulate the Supplier_Name parameter in /admin/admin_edit_supplier.php, potentially enabling data exfiltration or modification. Public exploit code exists for this vulnerability, and no patch is currently available.

SQLi PHP
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-4471 LOW Monitor

SQL injection in itsourcecode Online Frozen Foods Ordering System 1.0 allows authenticated administrators to manipulate the First_Name parameter in /admin/admin_edit_employee.php, enabling remote database compromise. Public exploit code exists for this vulnerability, which requires high-level privileges but carries low complexity for exploitation. The affected system currently lacks an available patch.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
2.0
EPSS
0.0%
CVE-2026-4470 LOW Monitor

SQL injection in itsourcecode Online Frozen Foods Ordering System 1.0 allows remote attackers with high privileges to manipulate the product_name parameter in /admin/admin_edit_menu.php, enabling unauthorized data access and modification. Public exploit code exists for this vulnerability, increasing the risk of active exploitation. The affected PHP application currently lacks an available patch.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
2.0
EPSS
0.0%
CVE-2026-4469 LOW Monitor

SQL injection in itsourcecode Online Frozen Foods Ordering System 1.0 allows remote attackers with high-level privileges to manipulate the product_name parameter in /admin/admin_edit_menu_action.php, potentially exposing or modifying sensitive database information. Public exploit code for this vulnerability exists, though no patch is currently available.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
2.0
EPSS
0.0%
CVE-2026-33025 HIGH PATCH This Week

Unauthenticated SQL injection in AVideo versions before 8.0 allows authenticated attackers to manipulate database queries through unsanitized sort parameters in POST requests, potentially leading to unauthorized data access or modification. The vulnerability stems from improper use of real_escape_string() on SQL identifiers rather than string literals, rendering the escaping mechanism ineffective. Affected organizations should upgrade to version 8.0 or implement WAF rules restricting sort parameter characters to alphanumeric and underscore values.

PHP SQLi
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-33024 CRITICAL PATCH Act Now

AVideo, a video-sharing platform, contains a Server-Side Request Forgery (SSRF) vulnerability in versions prior to 8.0 affecting the public thumbnail endpoints getImage.php and getImageMP4.php. Unauthenticated attackers can exploit insufficient URL validation to force the server to make requests to internal network resources including cloud metadata endpoints (AWS EC2 169.254.169.254), localhost, and private IP ranges. The vulnerability has a CVSS 4.0 score of 9.3 with network attack vector requiring no privileges or user interaction, though there is no evidence of active exploitation or public proof-of-concept at this time.

SSRF PHP
NVD GitHub VulDB
CVSS 3.1
9.1
EPSS
0.1%
CVE-2026-32935 PHP HIGH PATCH This Week

phpseclib versions 1.0.26 and below, 2.0.0 through 2.0.51, and 3.0.0 through 3.0.49 are vulnerable to a padding oracle timing attack when using AES in CBC mode, allowing attackers to decrypt sensitive data through cryptanalysis of response timing differences. This information disclosure vulnerability affects any PHP application using the vulnerable phpseclib library for AES-CBC encryption. Although no CVSS score, EPSS data, or confirmed active exploitation (KEV status) are currently available, the presence of a verified fix and security advisory indicates this is a legitimate cryptographic weakness requiring attention.

PHP Oracle Information Disclosure
NVD GitHub VulDB
CVSS 4.0
8.2
EPSS
0.0%
CVE-2026-32888 HIGH This Week

Open Source Point of Sale (opensourcepos) contains a critical SQL Injection vulnerability in the Items search functionality when custom attribute search is enabled. An authenticated attacker with basic item search permissions can execute arbitrary SQL queries by manipulating the search GET parameter, which is directly interpolated into a HAVING clause without sanitization. The vulnerability affects all versions up to and including 3.4.1, carries a CVSS score of 8.8 (High), and had no patch available at the time of publication.

SQLi PHP
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-32880 MEDIUM PATCH This Month

ChurchCRM versions prior to 7.0.2 contain a stored cross-site scripting (XSS) vulnerability in the system settings module where administrative users can inject unescaped JavaScript payloads into JSON-type system settings fields. Any administrator who subsequently views the system settings page will execute the attacker's malicious script, potentially allowing credential theft, session hijacking, or lateral movement within the church organization's administrative infrastructure. The vulnerability has been patched in version 7.0.2, and no evidence of active exploitation in the wild has been reported, though the attack requires only high-level privileges (admin access) and basic user interaction (viewing settings).

PHP XSS
NVD GitHub VulDB
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-32817 PHP CRITICAL PATCH Act Now

Admidio versions 5.0.0 through 5.0.6 contain a critical authorization bypass vulnerability in the documents and files module that allows unauthorized deletion of folders and files. When the module is configured in public mode, unauthenticated attackers can permanently destroy the entire document library via simple HTTP GET requests without CSRF protection. The vulnerability combines missing authorization checks (CWE-862) with CSRF weaknesses, resulting in a CVSS score of 9.1 (Critical) with network-based attack vector requiring no privileges or user interaction.

CSRF PHP Authentication Bypass
NVD GitHub VulDB
CVSS 3.1
9.1
EPSS
0.1%
CVE-2026-32985 CRITICAL POC Emergency

Xerte Online Toolkits 3.14 and earlier contain an unauthenticated arbitrary file upload vulnerability allowing remote code execution with a CVSS score of 9.8. The template import functionality at /website_code/php/import/import.php lacks authentication checks, enabling attackers to upload ZIP archives containing malicious PHP files that are extracted to web-accessible directories. This is a critical severity issue with network-based attack vector requiring no privileges or user interaction, and a proof-of-concept has been published by VulnCheck.

PHP Authentication Bypass RCE File Upload
NVD VulDB
CVSS 4.0
9.3
EPSS
0.4%
CVE-2026-29109 HIGH This Week

Unsafe deserialization in SuiteCRM versions up to 8.9.2 allows authenticated administrators to execute arbitrary system commands on the server through the SavedSearch filter processing component. The vulnerability stems from improper handling of unserialized data in the FilterDefinitionProvider.php file, which fails to restrict instantiable classes when processing user-controlled input from the database. SuiteCRM 8.9.3 and later versions contain the fix.

PHP Deserialization
NVD GitHub VulDB
CVSS 3.1
7.2
EPSS
0.0%
CVE-2025-55988 PHP HIGH PATCH This Week

A path traversal vulnerability in the component /Controllers/RestController.php of DreamFactory Core (CVSS 7.2) that allows attackers. High severity vulnerability requiring prompt remediation.

PHP Path Traversal
NVD GitHub VulDB
CVSS 3.1
7.2
EPSS
0.0%
CVE-2026-32818 PHP MEDIUM PATCH This Month

Admidio versions 5.0.0 through 5.0.6 contain an authorization bypass vulnerability in the forum module that allows any authenticated user to permanently delete forum topics and posts without proper permission checks. An attacker with basic forum access can delete any topic or post by knowing its UUID, which is publicly visible in URLs, completely circumventing the authorization controls that are properly enforced in edit/save operations. This vulnerability was fixed in version 5.0.7, and exploitation requires only low privileges (authenticated user status) with no user interaction.

PHP CSRF Authentication Bypass
NVD GitHub VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-32816 PHP MEDIUM PATCH This Month

Admidio versions 5.0.0 through 5.0.6 contain a critical cross-site request forgery (CSRF) vulnerability in the groups-roles management module that allows unauthenticated attackers to trick privileged users into permanently deleting organizational roles, deactivating groups, or revoking memberships through forged POST requests. The vulnerability affects users with rol_assign_roles privileges, and exploited attacks result in permanent data loss including cascading deletion of role memberships, event associations, and access rights with no built-in undo mechanism. A patch is available in version 5.0.7, and the vulnerability is not currently tracked in active exploitation databases but poses significant organizational impact due to the permanent nature of role deletion and the low barrier to discovery of target role UUIDs from publicly accessible card views.

PHP CSRF
NVD GitHub VulDB
CVSS 3.1
5.7
EPSS
0.0%
CVE-2026-29103 CRITICAL Act Now

A critical remote code execution vulnerability in SuiteCRM versions 7.15.0 and 8.9.2 allows authenticated administrators to execute arbitrary system commands through a bypass of previous security patches. This vulnerability circumvents the ModuleScanner.php security controls by exploiting improper PHP token parsing that resets security checks when encountering single-character tokens, enabling attackers to hide dangerous function calls. The vulnerability represents a direct bypass of the previously patched CVE-2024-49774 and has been assigned a CVSS score of 9.1.

PHP RCE Code Injection
NVD GitHub VulDB
CVSS 3.1
9.1
EPSS
0.2%
CVE-2026-29099 HIGH This Week

SQL injection in SuiteCRM versions prior to 7.15.1 and 8.9.3 allows authenticated users to execute arbitrary SQL queries through improper input validation in the EmailUIAjax module's retrieve() function. An attacker with valid credentials can exploit this vulnerability to read, modify, or delete sensitive database records without restrictions. The vulnerability requires authentication but has no patch currently available.

PHP SQLi
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-29098 MEDIUM This Month

Path traversal in SuiteCRM's ModuleBuilder module (versions prior to 7.15.1 and 8.9.3) allows authenticated administrators to read arbitrary files from the server by manipulating the `$modules` and `$name` parameters, which are improperly validated before being used in file operations. An attacker with ModuleBuilder access can exploit this to copy sensitive files from any readable directory into the web root, exposing their contents through the web server.

PHP Path Traversal
NVD GitHub VulDB
CVSS 3.1
4.9
EPSS
0.0%
CVE-2026-33346 HIGH PATCH This Week

A stored cross-site scripting vulnerability in OpenEMR's patient portal payment flow allows authenticated patient users to inject malicious JavaScript that executes when staff members review payment submissions. The vulnerability affects OpenEMR versions prior to 8.0.0.2 and enables attackers to compromise staff accounts, potentially accessing sensitive medical records and administrative functions. No evidence of active exploitation exists, and no KEV listing or public POC has been identified.

PHP XSS
NVD GitHub VulDB
CVSS 3.1
8.7
EPSS
0.0%
CVE-2026-33354 PHP HIGH PATCH This Week

Authenticated file read vulnerability in PHP and Docker deployments allows users to exfiltrate arbitrary files from the server by exploiting insufficient path validation in the video upload endpoint, which copies attacker-specified local files to publicly accessible storage. An authenticated attacker can leverage this to read sensitive files from broad server directories including application roots, cache, and temporary locations. No patch is currently available, and the vulnerability carries a 10% exploit prediction score.

PHP RCE Docker
NVD GitHub VulDB
CVSS 3.1
7.6
EPSS
10.0%
CVE-2026-25928 MEDIUM PATCH This Month

Improper path sanitization in OpenEMR's DICOM export feature prior to version 8.0.0.2 allows authenticated users with DICOM permissions to write arbitrary files outside the intended directory through path traversal sequences. An attacker could exploit this to place malicious PHP files within the web root, potentially achieving remote code execution. The vulnerability requires valid credentials but poses significant risk to systems containing sensitive healthcare data.

PHP RCE Path Traversal
NVD GitHub VulDB
CVSS 3.1
6.5
EPSS
0.1%
CVE-2026-33352 PHP CRITICAL PATCH Act Now

An unauthenticated SQL injection vulnerability in AVideo allows remote attackers to execute arbitrary SQL queries through the doNotShowCats parameter in the getAllCategories() method. The vulnerability bypasses quote-stripping sanitization using backslash escape techniques, enabling attackers to extract sensitive data including user credentials, modify database contents, or potentially achieve remote code execution. No active exploitation has been reported in KEV, but proof-of-concept exploitation details are publicly available in the GitHub advisory.

PHP SQLi
NVD GitHub
CVSS 3.1
9.8
EPSS
10.0%
CVE-2026-33351 PHP CRITICAL Act Now

A Server-Side Request Forgery (SSRF) vulnerability in AVideo's Live plugin allows unauthenticated remote attackers to scan internal networks, access cloud metadata services, and bypass authentication mechanisms when the plugin is deployed in standalone mode. The vulnerability exists because user-controlled input is directly used to construct URLs for server-side requests without validation, enabling attackers to proxy requests through the vulnerable server and potentially chain this with command execution. With a CVSS score of 9.1 and requiring no authentication or user interaction, this represents a critical security risk for affected deployments.

PHP Authentication Bypass Information Disclosure Command Injection SSRF
NVD GitHub
CVSS 3.1
9.1
EPSS
0.1%
CVE-2026-33297 PHP CRITICAL Act Now

The CustomizeUser plugin in PHP and Python allows attackers to bypass channel-level access control by exploiting improper password validation in the setPassword.json.php endpoint. An administrator-level attacker can set any user's channel password to zero due to type coercion of non-numeric characters, enabling trivial authentication bypass for any visitor. No patch is currently available for this critical vulnerability.

PHP Authentication Bypass Privilege Escalation Python
NVD GitHub
CVSS 3.1
9.1
EPSS
0.0%
CVE-2026-33296 PHP MEDIUM This Month

WWBN/AVideo fails to properly validate the redirectUri parameter in its login flow, allowing attackers to craft malicious URLs that redirect authenticated users to attacker-controlled sites after successful login. The vulnerability stems from insufficient encoding of user input before it is embedded into JavaScript code that executes a redirect via document.location. An attacker can exploit this open redirect to perform phishing attacks or distribute malware by tricking users into clicking a login link with an attacker-controlled redirect destination.

PHP Python Open Redirect
NVD GitHub VulDB
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-33295 PHP MEDIUM This Month

Stored cross-site scripting in the WWBN/AVideo CDN plugin allows authenticated attackers to inject malicious JavaScript through improperly sanitized video titles, which executes when users access download pages. An attacker with video creation or modification privileges can compromise any user viewing the affected download interface. No patch is currently available for PHP and Python implementations.

PHP XSS Python
NVD GitHub VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-33294 PHP MEDIUM This Month

The BulkEmbed plugin in AVideo fails to validate thumbnail URLs in its save endpoint, allowing authenticated attackers to conduct Server-Side Request Forgery (SSRF) attacks and retrieve responses from internal network resources. An attacker can supply malicious URLs via the bulk embed feature to force the server to make HTTP requests to internal systems and view the cached thumbnail responses. This vulnerability affects PHP-based AVideo installations and requires authentication to exploit.

PHP SSRF Google Microsoft
NVD GitHub VulDB
CVSS 3.1
5.0
EPSS
0.0%
CVE-2026-33293 PHP HIGH This Week

Arbitrary file deletion in PHP CloneSite plugin allows authenticated attackers to bypass path validation and remove critical files via path traversal in the deleteDump parameter, causing denial of service or facilitating privilege escalation attacks. An attacker with valid clone credentials can leverage unvalidated input passed directly to unlink() to delete arbitrary files including configuration.php and other security-critical application files. No patch is currently available for this vulnerability.

PHP Denial Of Service Path Traversal
NVD GitHub VulDB
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-33292 PHP HIGH This Week

Unauthenticated attackers can stream any private or paid video in PHP, Oracle, and Apple applications through a path traversal vulnerability in the HLS streaming endpoint. The flaw exploits a split-oracle condition where authorization validation and file access use different parsing logic on the videoDirectory parameter, allowing attackers to bypass authentication checks while accessing unauthorized content. No patch is currently available for this high-severity vulnerability.

PHP Path Traversal Oracle Apple
NVD GitHub
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-32843 MEDIUM This Month

Linkit ONE Location Aware Sensor System (LASS) up to commit f06bd20 contains reflected cross-site scripting (XSS) in PM25.php that permits remote attackers to execute arbitrary JavaScript in victim browsers through unencoded GET parameters (site, city, district, channel, apikey). The vulnerability affects a sensor data collection platform and carries a low exploitation probability (EPSS 0.21%, percentile 43%), suggesting limited real-world attack activity despite public disclosure through VulnCheck.

PHP XSS
NVD GitHub VulDB
CVSS 4.0
5.1
EPSS
0.2%
CVE-2026-30711 HIGH This Week

Authenticated attackers can execute arbitrary SQL queries in Devome GRR v4.5.0 through injection vulnerabilities in the referer and user-agent parameters within include/session.inc.php, enabling full database compromise including data exfiltration, modification, and potential remote code execution. The vulnerability carries a CVSS score of 8.8 (High) with low attack complexity requiring only low-level privileges and no user interaction. EPSS probability of exploitation is extremely low at 0.01% (2nd percentile), and no public exploit identified at time of analysis beyond technical disclosure and audit documentation.

PHP SQLi
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-33319 PHP MEDIUM This Month

A command injection vulnerability (CVSS 5.9). Remediation should follow standard vulnerability management procedures.

PHP RCE Command Injection
NVD GitHub VulDB
CVSS 3.1
5.9
EPSS
0.0%
CVE-2026-33238 PHP MEDIUM PATCH This Month

The `listFiles.json.php` endpoint in AVideo accepts an unsanitized POST parameter `path` and passes it directly to PHP's `glob()` function without restricting traversal to an allowed base directory, enabling authenticated uploaders to enumerate `.mp4` files anywhere on the server filesystem. An attacker with the standard `canUpload` permission can discover private, premium, or access-controlled video files stored outside the intended upload directory by supplying arbitrary absolute paths, revealing both filenames and full filesystem paths that may aid further exploitation. A proof-of-concept is available demonstrating traversal from the web root to arbitrary locations such as `/var/private/premium-content/` and the root filesystem.

Path Traversal PHP
NVD GitHub VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-33237 PHP MEDIUM PATCH This Month

The AVideo Scheduler plugin fails to validate callback URLs against Server-Side Request Forgery (SSRF) protections, allowing authenticated administrators to configure scheduled tasks that make HTTP requests to internal networks, cloud metadata services, and private IP ranges. An attacker with admin access can retrieve AWS/GCP/Azure instance metadata credentials (including IAM role tokens) or probe internal APIs not exposed to the internet. A proof-of-concept exists demonstrating credential extraction from AWS metadata endpoints at 169.254.169.254.

SSRF PHP Privilege Escalation Microsoft
NVD GitHub VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-27065 CRITICAL Act Now

ThimPress BuilderPress, a WordPress plugin, contains a Local File Inclusion vulnerability through improper filename control in PHP include/require statements that allows unauthenticated remote attackers to read arbitrary files from the server. All versions through 2.0.1 are affected. With a CVSS score of 9.8 (Critical) and no authentication required, this represents a severe vulnerability allowing unauthorized information disclosure, though EPSS and KEV status data are not provided in the intelligence sources.

PHP Information Disclosure LFI
NVD VulDB
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-4120 MEDIUM This Month

The Info Cards - Add Text and Media in Card Layouts WordPress plugin versions up to 2.0.7 contains a Stored Cross-Site Scripting vulnerability in the 'btnUrl' parameter of the Info Cards block that allows authenticated attackers with Contributor-level access to inject arbitrary JavaScript code. The vulnerability exists because the plugin fails to validate URL protocols (specifically javascript: schemes) on the server side, and the client-side rendering directly inserts unsanitized URLs into anchor href attributes, enabling script execution when users click the malicious button links. While there is no indication of active KEV exploitation, the low attack complexity and low privilege requirements make this a practical threat in multi-author WordPress environments.

WordPress PHP XSS
NVD VulDB
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-27093 HIGH PATCH This Week

A PHP remote/local file inclusion vulnerability exists in the Ovatheme Tripgo WordPress theme due to improper control of filename parameters in include/require statements. Versions prior to 1.5.6 are affected, allowing unauthenticated remote attackers to potentially include arbitrary files and execute malicious code. This vulnerability has a CVSS score of 8.1 (High) with network attack vector but high attack complexity, and has been reported by Patchstack as exploitable for local file inclusion and information disclosure.

PHP Information Disclosure LFI
NVD VulDB
CVSS 3.1
8.1
EPSS
0.1%
CVE-2026-32321 HIGH PATCH This Week

An authenticated time-based blind SQL injection vulnerability exists in the ClipBucket v5 open source video sharing platform, affecting versions prior to 5.5.3 #80. The vulnerability resides in the actions/ajax.php endpoint where the userid parameter lacks proper input sanitization, allowing authenticated attackers to execute arbitrary SQL queries. This can lead to full database disclosure and potential administrative account takeover with a CVSS score of 8.8.

SQLi PHP Clipbucket V5
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-33204 PHP HIGH PATCH This Week

The SimpleJWT PHP library version 1.1.0 contains an algorithmic complexity denial-of-service vulnerability in its PBES2 password-based encryption implementation. An unauthenticated attacker can send a crafted JWE token with an extremely large p2c (PBKDF2 iteration count) parameter in the header, forcing the server to perform hundreds of billions of iterations during key derivation and causing CPU exhaustion. A working proof-of-concept exploit is publicly available demonstrating how a single malicious request can block PHP workers until execution timeouts are reached.

PHP Denial Of Service Red Hat Suse
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-1463 HIGH This Week

The NextGEN Gallery plugin for WordPress contains a Local File Inclusion vulnerability in the 'template' parameter of gallery shortcodes, affecting all versions up to and including 4.0.3. Authenticated attackers with Author-level privileges or higher can include and execute arbitrary PHP files on the server, potentially leading to remote code execution, data theft, or complete site compromise. This is a confirmed vulnerability reported by Wordfence with a high CVSS score of 8.8, though no active exploitation (KEV) status has been reported at this time.

WordPress PHP LFI RCE Information Disclosure
NVD VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-4356 LOW POC Monitor

A Cross-Site Scripting (XSS) vulnerability exists in itsourcecode University Management System version 1.0, specifically in the /add_result.php file where the 'vr' parameter is not properly sanitized. An authenticated attacker with high privileges can inject malicious scripts that execute in the context of other users' browsers, potentially leading to session hijacking, credential theft, or unauthorized actions within the application. A public proof-of-concept exploit is available on GitHub, and while the CVSS score is low (2.4), the vulnerability is actively documented in security databases and poses a real risk in educational environments.

XSS PHP
NVD VulDB GitHub
CVSS 4.0
1.9
EPSS
0.0%
CVE-2026-4355 LOW Monitor

A stored or reflected cross-site scripting (XSS) vulnerability exists in Portabilis i-Educar 2.11 through improper input validation on the Name parameter in the /intranet/educar_servidor_curso_lst.php endpoint. An authenticated attacker can inject malicious JavaScript that executes in the context of other users' browsers, potentially enabling session hijacking, credential theft, or malware distribution. A public proof-of-concept exploit is available, and the vendor has not responded to early disclosure attempts, indicating no patch is currently available.

XSS PHP
NVD GitHub VulDB
CVSS 4.0
2.0
EPSS
0.0%
CVE-2026-27894 HIGH PATCH This Week

LDAP Account Manager (LAM), a web-based interface for managing LDAP directory entries, contains a local file inclusion vulnerability in its PDF export functionality that allows authenticated users to include and execute arbitrary PHP files. When chained with GHSA-88hf-2cjm-m9g8, this vulnerability enables complete remote code execution on the affected server. The vulnerability affects all versions prior to 9.5 and requires low-privilege authentication (CVSS 8.8, PR:L), tracking across 7 Ubuntu and 4 Debian releases indicates significant deployment in enterprise LDAP environments.

PHP LFI RCE
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-27895 MEDIUM This Month

Insufficient file extension validation in the PDF export component of LDAP Account Manager prior to version 9.5 permits authenticated attackers to upload arbitrary file types, including PHP files, to the server. When combined with GHSA-w7xq-vjr3-p9cf, this vulnerability enables remote code execution with web server privileges. Affected users should upgrade to version 9.5 or restrict web server write access to the LAM configuration directory.

PHP RCE
NVD GitHub VulDB
CVSS 3.1
4.3
EPSS
0.1%
CVE-2026-33039 PHP HIGH PATCH This Week

A Server-Side Request Forgery (SSRF) vulnerability in AVideo's LiveLinks proxy endpoint allows unauthenticated attackers to access internal services and cloud metadata by exploiting missing validation on HTTP redirect targets. The vulnerability enables attackers to bypass initial URL validation through a malicious redirect, potentially exposing AWS/GCP/Azure instance metadata including IAM credentials. A detailed proof-of-concept is available and a patch has been released by the vendor.

PHP SSRF Google Microsoft Mozilla +1
NVD GitHub VulDB
CVSS 3.1
8.6
EPSS
0.0%
CVE-2026-33035 PHP MEDIUM PATCH This Month

Reflected XSS in AVideo's error message handling allows unauthenticated attackers to execute arbitrary JavaScript in victims' browsers by injecting malicious code through a URL parameter that bypasses `json_encode()` filtering. An attacker can craft a malicious link to steal session cookies, perform actions on behalf of the victim, or redirect users to malicious sites. A patch is available.

PHP XSS
NVD GitHub VulDB
CVSS 3.1
6.1
EPSS
0.2%
CVE-2026-33043 PHP HIGH PATCH This Week

AVideo (WWBN_AVideo) contains a critical CORS misconfiguration vulnerability that exposes PHP session IDs to any unauthenticated external website, enabling complete account takeover of any logged-in user including administrators. The vulnerability has a working proof-of-concept exploit and requires only that a victim visit an attacker-controlled webpage while logged into AVideo, making it highly exploitable with an 8.1 CVSS score.

Cors Misconfiguration PHP Information Disclosure
NVD GitHub VulDB
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-33041 PHP MEDIUM PATCH This Month

An unauthenticated attacker can leverage an exposed password hashing endpoint in PHP applications to obtain hashed versions of arbitrary passwords, facilitating offline cracking attacks against compromised database credentials. The vulnerable `/objects/encryptPass.json.php` file accepts user-supplied passwords via request parameters and returns their encrypted equivalents without authentication, effectively disclosing the application's hashing algorithm and salt to potential adversaries. This information disclosure has a CVSS score of 5.3 and patches are available.

PHP Information Disclosure SQLi
NVD GitHub VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-33038 PHP HIGH PATCH This Week

A critical authentication bypass vulnerability in AVideo's installation endpoint allows unauthenticated remote attackers to take over uninitialized deployments by completing the installation process with attacker-controlled credentials and database settings. The vulnerability affects AVideo installations where the configuration file does not exist (fresh deployments, container restarts without persistent storage, or re-deployments), enabling attackers to become the sole administrator with full control over the application. A detailed proof-of-concept is publicly available, and while no active exploitation has been reported in KEV, the vulnerability has a moderate EPSS score and requires only network access to exploit.

PHP RCE SQLi Authentication Bypass CSRF +1
NVD GitHub VulDB
CVSS 3.1
8.1
EPSS
0.1%
CVE-2026-31891 PHP HIGH PATCH This Week

SQL injection in Cockpit CMS version 2.13.4 and earlier allows attackers with a valid read-only API key to inject arbitrary SQL through the `/api/content/aggregate/{model}` endpoint and extract unauthorized data from the SQLite database, including unpublished content. The vulnerability requires network access and low-privilege API credentials, enabling data exfiltration without administrative privileges. No patch is currently available.

PHP SQLi
NVD GitHub VulDB
CVSS 3.1
7.7
EPSS
0.0%
CVE-2026-4319 MEDIUM POC This Month

SQL injection in Simple Food Order System 1.0's /routers/add-item.php endpoint allows unauthenticated remote attackers to manipulate the price parameter and execute arbitrary database queries. Public exploit code exists for this vulnerability, and no patch is currently available. The attack requires no user interaction and could lead to unauthorized data access, modification, or deletion.

SQLi PHP
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-32813 PHP HIGH PATCH This Week

A second-order SQL injection vulnerability exists in Admidio's MyList configuration feature, allowing authenticated users to inject arbitrary SQL commands through list column configurations that are safely stored but unsafely read back. The vulnerability enables attackers to read sensitive data including password hashes, modify database contents, or achieve full database compromise. A detailed proof-of-concept is available demonstrating exploitation requiring only standard user privileges.

CSRF SQLi PHP Privilege Escalation
NVD GitHub VulDB
CVSS 3.1
8.0
EPSS
0.0%
CVE-2026-32757 PHP MEDIUM PATCH This Month

Admidio's eCard functionality is vulnerable to stored XSS when authenticated users send greeting cards, as the application uses unsanitized POST data instead of properly filtered values during email construction. An authenticated attacker can inject malicious HTML and JavaScript into eCard emails sent to other members, bypassing the HTMLPurifier sanitization that occurs during form validation. No patch is currently available for this vulnerability affecting PHP-based Admidio installations.

PHP XSS
NVD GitHub VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-32812 PHP MEDIUM PATCH This Month

An unauthenticated Server-Side Request Forgery (SSRF) and Local File Read vulnerability exists in the Admidio SSO metadata fetch endpoint, which accepts arbitrary URLs via GET parameter and passes them directly to file_get_contents() after validating only with PHP's FILTER_VALIDATE_URL-a format checker that does not block dangerous URI schemes. An authenticated administrator can exploit this to read arbitrary local files (including database credentials from config.php), probe internal network services, or fetch cloud instance metadata (such as AWS IAM credentials from 169.254.169.254). A proof-of-concept demonstrating all attack vectors has been published; CVSS 6.8 reflects high confidentiality impact but is mitigated by the requirement for administrator privileges.

CSRF Elastic PHP Microsoft SSRF +1
NVD GitHub VulDB
CVSS 3.1
6.8
EPSS
0.0%
CVE-2026-32755 PHP MEDIUM PATCH This Month

Admidio's profile membership management function fails to validate CSRF tokens on the save_membership action, allowing an attacker to forge requests that modify membership start and end dates for any member of roles led by the victim. While other membership-related actions (stop_membership, remove_former_membership) include CSRF protection, save_membership was omitted from validation, enabling silent privilege escalation or access revocation through cross-site request forgery. A proof-of-concept exists demonstrating immediate exploitation by embedding a form on an external page.

CSRF PHP
NVD GitHub VulDB
CVSS 3.1
5.7
EPSS
0.0%
CVE-2026-32756 PHP HIGH PATCH This Week

A critical unrestricted file upload vulnerability in Admidio's Documents & Files module allows authenticated users with upload permissions to bypass file extension restrictions by submitting an invalid CSRF token, enabling upload of PHP scripts that lead to Remote Code Execution. The vulnerability affects Admidio versions prior to the patch and has a published proof-of-concept demonstrating webshell upload and command execution. With a CVSS score of 8.8 and detailed exploitation steps available, this represents a high-priority risk for organizations using Admidio for document management.

CSRF PHP RCE Information Disclosure File Upload
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-30875 HIGH PATCH This Week

An arbitrary file upload vulnerability in Chamilo LMS allows authenticated users with Teacher role to achieve Remote Code Execution by uploading malicious H5P packages. The flaw affects versions prior to 1.11.36 and stems from inadequate validation of H5P package contents, which only checks for h5p.json existence but fails to block .htaccess or PHP files with alternative extensions. With a CVSS score of 8.8 and high exploitation potential, attackers can upload webshells disguised as text files along with .htaccess configurations to bypass security controls.

PHP RCE File Upload Code Injection Chamilo Lms
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.2%
CVE-2026-29516 MEDIUM This Month

CVE-2026-29516 is a security vulnerability (CVSS 4.9) that allows authenticated attackers. Remediation should follow standard vulnerability management procedures.

PHP Information Disclosure
NVD VulDB
CVSS 4.0
6.9
EPSS
0.0%
CVE-2026-23489 CRITICAL PATCH Act Now

A critical remote code execution vulnerability exists in the Fields plugin for GLPI that allows authenticated users with dropdown creation privileges to execute arbitrary PHP code on the server. The vulnerability affects Fields plugin versions prior to 1.23.3 and has a CVSS score of 9.1, indicating severe impact with the ability to compromise the entire system. While no active exploitation has been reported in KEV and no public proof-of-concept is mentioned, the straightforward attack vector and high privileges requirement suggest targeted insider threat or compromised account scenarios.

PHP RCE Fields
NVD GitHub VulDB
CVSS 3.1
9.1
EPSS
0.1%
CVE-2025-69768 HIGH This Week

SQL Injection vulnerability in Chyrp v.2.5.2 and before allows a remote attacker to obtain sensitive information via the Admin.php component

PHP SQLi
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-32264 PHP HIGH PATCH This Week

Remote code execution in Craft CMS allows authenticated administrators with control panel access to execute arbitrary code by exploiting an incomplete patch that left the same vulnerable gadget chain pattern in multiple controllers. The vulnerability requires administrative privileges and the allowAdminChanges setting to be enabled, limiting exposure to trusted users with elevated access. Craft CMS versions before 4.17.5 and 5.9.11 are affected and should be patched immediately.

PHP Information Disclosure
NVD GitHub VulDB
CVSS 3.1
7.2
EPSS
0.0%
CVE-2026-32263 PHP HIGH PATCH This Week

Unsafe deserialization of untrusted user input in PHP Craft CMS allows authenticated high-privilege users to inject arbitrary Yii2 behaviors and event handlers, enabling remote code execution through the EntryTypesController. An incomplete prior patch for a similar vulnerability left the same dangerous pattern in place, permitting attackers with administrative access to manipulate application configuration and achieve full system compromise. A patch is available to properly sanitize configuration inputs before processing.

Code Injection PHP
NVD GitHub VulDB
CVSS 3.1
7.2
EPSS
0.0%
CVE-2026-32261 PHP HIGH PATCH This Week

A security vulnerability in renders user-supplied template content (CVSS 8.5) that allows an authenticated user with access. High severity vulnerability requiring prompt remediation. Vendor patch is available.

RCE PHP Ssti
NVD GitHub VulDB
CVSS 4.0
8.5
EPSS
0.0%
CVE-2026-4241 LOW Monitor

SQL injection in itsourcecode College Management System 1.0 allows authenticated attackers to manipulate the course_code parameter in /admin/time-table.php and execute arbitrary SQL commands remotely. Public exploit code exists for this vulnerability, and no patch is currently available. The attack requires valid credentials but can lead to unauthorized data access, modification, or deletion within the application database.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-4238 LOW POC Monitor

SQL injection in itsourcecode College Management System 1.0 via the course_code parameter in /admin/courses.php allows authenticated administrators to execute arbitrary database queries remotely. Public exploit code exists for this vulnerability, and no patch is currently available. The attack requires high-level privileges but could enable data exfiltration or manipulation.

SQLi PHP
NVD VulDB GitHub
CVSS 4.0
2.0
EPSS
0.0%
CVE-2026-4237 MEDIUM POC This Month

SQL injection in Free Hotel Reservation System 1.0 allows unauthenticated remote attackers to manipulate the Home parameter in /hotel/admin/mod_reports/index.php and execute arbitrary database queries. Public exploit code exists for this vulnerability, and no patch is currently available. Affected systems running the vulnerable PHP application are at immediate risk of data theft and database compromise.

SQLi PHP
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-4236 MEDIUM POC This Month

SQL injection in itsourcecode Online Enrollment System 1.0 allows unauthenticated remote attackers to manipulate parameters in the enrollment module via the txtsearch, deptname, or name arguments. Public exploit code exists for this vulnerability, which enables attackers to read, modify, or delete database contents. No patch is currently available.

SQLi PHP
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-4235 MEDIUM POC This Month

SQL injection in itsourcecode Online Enrollment System 1.0 allows unauthenticated remote attackers to manipulate the user_email parameter in /sms/login.php and execute arbitrary database queries. Public exploit code exists for this vulnerability, enabling attackers to read, modify, or delete sensitive enrollment data without authentication. No patch is currently available.

SQLi PHP
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-4225 LOW POC Monitor

A cross-site scripting (XSS) vulnerability exists in CMS Made Simple versions up to 2.2.21 affecting the User Management Module's admin/listusers.php file. An attacker with high-level privileges can inject malicious JavaScript through the Message parameter to compromise other users' sessions or steal sensitive data. Public exploit code is available and the vulnerability has been actively exploited, making this a tangible threat despite its low CVSS score of 2.4.

PHP XSS
NVD VulDB GitHub
CVSS 4.0
1.9
EPSS
0.0%
CVE-2026-4223 MEDIUM POC This Month

SQL injection in itsourcecode Payroll Management System 1.0 via the ID parameter in /manage_employee.php allows unauthenticated remote attackers to execute arbitrary SQL queries and access or modify sensitive data. Public exploit code exists for this vulnerability, and no patch is currently available. Organizations running this system should implement network-level protections and consider upgrading to a patched version once released.

PHP SQLi
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2025-50881 HIGH This Week

The `flow/admin/moniteur.php` script in Use It Flow administration website before 10.0.0 is vulnerable to Remote Code Execution.

PHP RCE Code Injection N A
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-4189 LOW POC Monitor

SQL injection in phpIPAM versions up to 1.7.4 allows authenticated administrators to manipulate the subnetOrdering parameter in the Section Handler component, enabling remote database compromise. Public exploit code exists for this vulnerability, and no patch is currently available from the vendor despite early disclosure notification.

SQLi PHP
NVD VulDB
CVSS 4.0
2.0
EPSS
0.0%
CVE-2026-4186 LOW POC Monitor

A vulnerability was determined in UEditor up to 1.4.3.2.

PHP XSS
NVD VulDB
CVSS 4.0
2.0
EPSS
0.0%
CVE-2015-20121 HIGH POC This Week

SQL injection vulnerabilities in RealtyScript 4.0.2 allow unauthenticated remote attackers to manipulate database queries through vulnerable parameters in admin panel files (/admin/users.php and /admin/mailer.php). Attackers can extract sensitive database information using time-based blind SQL injection or cause denial of service. A public proof-of-concept exploit is available on Exploit-DB, though the vulnerability is not currently in CISA's KEV catalog.

Denial Of Service SQLi PHP Realtyscripts
NVD Exploit-DB VulDB
CVSS 3.1
8.2
EPSS
0.1%
CVE-2015-20119 MEDIUM POC This Month

RealtyScript 4.0.2 contains a stored cross-site scripting (XSS) vulnerability in the pages.php admin interface that allows authenticated attackers to inject malicious HTML and iframe elements through the text parameter. Attackers can craft POST requests to store malicious content that executes in the browsers of users viewing affected pages. A public proof-of-concept exploit exists (Exploit-DB 38496), making this vulnerability actively exploitable by authenticated threat actors.

PHP XSS Realtyscript
NVD Exploit-DB VulDB
CVSS 3.1
6.4
EPSS
0.0%
CVE-2015-20118 HIGH POC This Week

A stored cross-site scripting (XSS) vulnerability exists in RealtyScript 4.0.2's admin locations interface, allowing unauthenticated attackers to inject malicious JavaScript through the location_name parameter. Successful exploitation enables arbitrary code execution in administrator browsers when they view compromised location entries. A public proof-of-concept exploit is available on Exploit-DB, though no active exploitation has been reported (not in CISA KEV).

RCE PHP XSS Realtyscript
NVD Exploit-DB VulDB
CVSS 3.1
7.2
EPSS
0.0%
CVE-2015-20117 MEDIUM POC This Month

RealtyScript 4.0.2 contains a cross-site request forgery (CSRF) vulnerability in its user management endpoints that allows unauthenticated attackers to create arbitrary user accounts and escalate privileges to SUPERUSER level without authentication. The vulnerability affects the /admin/addusers.php and /admin/editadmins.php endpoints, which process hidden form data without CSRF token validation. An attacker can craft malicious web pages or emails containing hidden forms that, when visited by an authenticated administrator, silently create new administrative accounts under the attacker's control, leading to complete system compromise.

CSRF PHP Realtyscript
NVD Exploit-DB VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2015-20115 HIGH POC This Week

Stored cross-site scripting (XSS) vulnerability in Next Click Ventures RealtyScript 4.0.2 that allows attackers to upload malicious JavaScript files through unsanitized file uploads in admin/tools.php. With a publicly available proof-of-concept exploit and a CVSS score of 7.2, attackers can execute JavaScript in the context of other users' browsers without authentication, though the vulnerability is not listed in CISA KEV and has no EPSS score indicating limited real-world exploitation.

PHP XSS Realtyscript
NVD Exploit-DB VulDB
CVSS 3.1
7.2
EPSS
0.0%
CVE-2026-4175 PHP MEDIUM PATCH This Month

A vulnerability was determined in Aureus ERP up to 1.3.0-BETA2.

PHP XSS
NVD VulDB GitHub
CVSS 4.0
5.1
EPSS
0.0%
CVE-2026-4170 HIGH POC This Week

Critical OS command injection vulnerability in Topsec TopACM 3.0's web management interface that allows unauthenticated remote attackers to execute arbitrary system commands. A public proof-of-concept exploit is available, and the vulnerability has a CVSS score of 9.8, though no active exploitation has been confirmed in CISA's KEV catalog. The vendor has not responded to disclosure attempts, leaving systems unpatched.

Command Injection PHP
NVD VulDB
CVSS 4.0
8.9
EPSS
0.2%
CVE-2026-4169 MEDIUM PATCH This Month

A security flaw has been discovered in Tecnick TCExam up to 16.6.0.

XSS PHP
NVD VulDB GitHub
CVSS 4.0
4.8
EPSS
0.0%
CVE-2026-4168 LOW POC PATCH Monitor

A vulnerability was identified in Tecnick TCExam 16.5.0.

XSS PHP
NVD VulDB GitHub
CVSS 4.0
1.9
EPSS
0.0%
CVE-2026-3839 HIGH This Week

Critical authentication bypass vulnerability in Unraid's auth-request.php file that allows remote attackers to gain unauthorized access without credentials through path traversal exploitation. The vulnerability affects all versions of Unraid (CPE indicates no version restrictions) and can be exploited over the network with low complexity, potentially compromising system confidentiality, integrity, and availability. No KEV listing or EPSS data was provided, suggesting this may be a recently disclosed vulnerability without known active exploitation.

Authentication Bypass PHP Path Traversal Unraid
NVD VulDB
CVSS 3.0
7.3
EPSS
0.3%
CVE-2026-3838 HIGH This Week

Critical path traversal vulnerability in Unraid's update.php file that allows authenticated remote attackers to execute arbitrary code as root. The vulnerability affects all versions of Unraid (per CPE data) and was discovered by Zero Day Initiative (ZDI-CAN-28951). With a CVSS score of 8.8 and requiring only low privileges, this represents a severe risk for Unraid installations.

PHP Path Traversal RCE Unraid
NVD VulDB
CVSS 3.0
8.8
EPSS
1.6%
EPSS 0% CVSS 5.3
MEDIUM This Month

The RockPress WordPress plugin (versions up to 1.0.17) contains a Missing Authorization vulnerability in five AJAX actions that allows authenticated users with Subscriber-level privileges to trigger privileged operations intended for administrators. The vulnerability stems from a combination of missing capability checks (current_user_can() calls) in AJAX handlers and exposure of an admin nonce to all authenticated users via an unconditionally enqueued script. Attackers can extract the nonce from the HTML source and use it to trigger resource-intensive imports, reset import data, check service connectivity, and read import status information without administrative privileges.

WordPress PHP Authentication Bypass
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM This Month

A Path Traversal vulnerability exists in the ilGhera Carta Docente for WooCommerce plugin for WordPress (versions up to and including 1.5.0) that allows authenticated administrators to delete arbitrary files on the server through insufficient validation of the 'cert' parameter in the 'wccd-delete-certificate' AJAX action. An attacker with administrator privileges can exploit this to delete critical files such as wp-config.php, leading to site takeover and potential remote code execution. The vulnerability has been documented by Wordfence security researchers and affects all versions from release through 1.5.0, with a patch available in version 1.5.1 and later.

WordPress PHP Path Traversal +1
NVD VulDB
EPSS 0% CVSS 3.7
LOW PATCH Monitor

FileRise, a self-hosted web file manager and WebDAV server, contains a missing-authentication vulnerability in the deleteShareLink endpoint that allows unauthenticated attackers to delete arbitrary file share links by providing only the share token, resulting in denial of service to legitimate users accessing shared files. All versions prior to 3.8.0 are affected. While the CVSS score is moderate at 3.7 due to high attack complexity, the vulnerability has a published proof-of-concept via the GitHub security advisory and represents a trivial attack surface requiring only knowledge of a share token.

PHP Denial Of Service CSRF +1
NVD GitHub VulDB
EPSS 0% CVSS 5.8
MEDIUM This Month

Jexactyl, a game management panel and billing system, contains a stored DOM-based cross-site scripting (XSS) vulnerability in its template rendering engine where server-side objects are injected into client-side JavaScript without proper escaping. The vulnerability affects versions after commit 025e8dbb0daaa04054276bda814d922cf4af58da and before the patched commit e28edb204e80efab628d1241198ea4f079779cfd, allowing authenticated attackers with high privileges to inject malicious payloads through attacker-controlled fields such as usernames or display names that execute arbitrary JavaScript in the browsers of all users viewing the affected page. The CVSS score of 5.8 reflects local attack vector requirements and high privilege prerequisites, though the stored nature of the XSS and lack of user interaction requirements for viewing the malicious content represent meaningful security risk for multi-user deployments.

XSS PHP
NVD GitHub VulDB
EPSS 0% CVSS 1.9
LOW Monitor

A stored cross-site scripting (XSS) vulnerability exists in itsourcecode University Management System version 1.0 within the /admin_single_student_update.php file, where the st_name parameter fails to properly sanitize user input. An authenticated administrator with high privileges can inject malicious scripts that execute in the context of other users' browsers, potentially leading to session hijacking, credential theft, or unauthorized administrative actions. A proof-of-concept exploit has been publicly disclosed on GitHub, increasing real-world exploitation risk despite the low CVSS score of 2.4.

PHP XSS
NVD GitHub VulDB
EPSS 0% CVSS 2.0
LOW Monitor

SQL injection in itsourcecode Online Doctor Appointment System 1.0 allows remote attackers with high privileges to manipulate the appointment_id parameter in /admin/appointment_action.php, potentially compromising data confidentiality and integrity. Public exploit code exists for this vulnerability, though no patch is currently available for PHP-based deployments.

PHP SQLi
NVD GitHub VulDB
EPSS 0% CVSS 2.1
LOW Monitor

SQL injection in itsourcecode Online Frozen Foods Ordering System 1.0 allows authenticated remote attackers to manipulate the Supplier_Name parameter in /admin/admin_edit_supplier.php, potentially enabling data exfiltration or modification. Public exploit code exists for this vulnerability, and no patch is currently available.

SQLi PHP
NVD GitHub VulDB
EPSS 0% CVSS 2.0
LOW Monitor

SQL injection in itsourcecode Online Frozen Foods Ordering System 1.0 allows authenticated administrators to manipulate the First_Name parameter in /admin/admin_edit_employee.php, enabling remote database compromise. Public exploit code exists for this vulnerability, which requires high-level privileges but carries low complexity for exploitation. The affected system currently lacks an available patch.

PHP SQLi
NVD GitHub VulDB
EPSS 0% CVSS 2.0
LOW Monitor

SQL injection in itsourcecode Online Frozen Foods Ordering System 1.0 allows remote attackers with high privileges to manipulate the product_name parameter in /admin/admin_edit_menu.php, enabling unauthorized data access and modification. Public exploit code exists for this vulnerability, increasing the risk of active exploitation. The affected PHP application currently lacks an available patch.

PHP SQLi
NVD GitHub VulDB
EPSS 0% CVSS 2.0
LOW Monitor

SQL injection in itsourcecode Online Frozen Foods Ordering System 1.0 allows remote attackers with high-level privileges to manipulate the product_name parameter in /admin/admin_edit_menu_action.php, potentially exposing or modifying sensitive database information. Public exploit code for this vulnerability exists, though no patch is currently available.

PHP SQLi
NVD GitHub VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Unauthenticated SQL injection in AVideo versions before 8.0 allows authenticated attackers to manipulate database queries through unsanitized sort parameters in POST requests, potentially leading to unauthorized data access or modification. The vulnerability stems from improper use of real_escape_string() on SQL identifiers rather than string literals, rendering the escaping mechanism ineffective. Affected organizations should upgrade to version 8.0 or implement WAF rules restricting sort parameter characters to alphanumeric and underscore values.

PHP SQLi
NVD GitHub VulDB
EPSS 0% CVSS 9.1
CRITICAL PATCH Act Now

AVideo, a video-sharing platform, contains a Server-Side Request Forgery (SSRF) vulnerability in versions prior to 8.0 affecting the public thumbnail endpoints getImage.php and getImageMP4.php. Unauthenticated attackers can exploit insufficient URL validation to force the server to make requests to internal network resources including cloud metadata endpoints (AWS EC2 169.254.169.254), localhost, and private IP ranges. The vulnerability has a CVSS 4.0 score of 9.3 with network attack vector requiring no privileges or user interaction, though there is no evidence of active exploitation or public proof-of-concept at this time.

SSRF PHP
NVD GitHub VulDB
EPSS 0% CVSS 8.2
HIGH PATCH This Week

phpseclib versions 1.0.26 and below, 2.0.0 through 2.0.51, and 3.0.0 through 3.0.49 are vulnerable to a padding oracle timing attack when using AES in CBC mode, allowing attackers to decrypt sensitive data through cryptanalysis of response timing differences. This information disclosure vulnerability affects any PHP application using the vulnerable phpseclib library for AES-CBC encryption. Although no CVSS score, EPSS data, or confirmed active exploitation (KEV status) are currently available, the presence of a verified fix and security advisory indicates this is a legitimate cryptographic weakness requiring attention.

PHP Oracle Information Disclosure
NVD GitHub VulDB
EPSS 0% CVSS 8.8
HIGH This Week

Open Source Point of Sale (opensourcepos) contains a critical SQL Injection vulnerability in the Items search functionality when custom attribute search is enabled. An authenticated attacker with basic item search permissions can execute arbitrary SQL queries by manipulating the search GET parameter, which is directly interpolated into a HAVING clause without sanitization. The vulnerability affects all versions up to and including 3.4.1, carries a CVSS score of 8.8 (High), and had no patch available at the time of publication.

SQLi PHP
NVD GitHub VulDB
EPSS 0% CVSS 6.4
MEDIUM PATCH This Month

ChurchCRM versions prior to 7.0.2 contain a stored cross-site scripting (XSS) vulnerability in the system settings module where administrative users can inject unescaped JavaScript payloads into JSON-type system settings fields. Any administrator who subsequently views the system settings page will execute the attacker's malicious script, potentially allowing credential theft, session hijacking, or lateral movement within the church organization's administrative infrastructure. The vulnerability has been patched in version 7.0.2, and no evidence of active exploitation in the wild has been reported, though the attack requires only high-level privileges (admin access) and basic user interaction (viewing settings).

PHP XSS
NVD GitHub VulDB
EPSS 0% CVSS 9.1
CRITICAL PATCH Act Now

Admidio versions 5.0.0 through 5.0.6 contain a critical authorization bypass vulnerability in the documents and files module that allows unauthorized deletion of folders and files. When the module is configured in public mode, unauthenticated attackers can permanently destroy the entire document library via simple HTTP GET requests without CSRF protection. The vulnerability combines missing authorization checks (CWE-862) with CSRF weaknesses, resulting in a CVSS score of 9.1 (Critical) with network-based attack vector requiring no privileges or user interaction.

CSRF PHP Authentication Bypass
NVD GitHub VulDB
EPSS 0% CVSS 9.3
CRITICAL POC Emergency

Xerte Online Toolkits 3.14 and earlier contain an unauthenticated arbitrary file upload vulnerability allowing remote code execution with a CVSS score of 9.8. The template import functionality at /website_code/php/import/import.php lacks authentication checks, enabling attackers to upload ZIP archives containing malicious PHP files that are extracted to web-accessible directories. This is a critical severity issue with network-based attack vector requiring no privileges or user interaction, and a proof-of-concept has been published by VulnCheck.

PHP Authentication Bypass RCE +1
NVD VulDB
EPSS 0% CVSS 7.2
HIGH This Week

Unsafe deserialization in SuiteCRM versions up to 8.9.2 allows authenticated administrators to execute arbitrary system commands on the server through the SavedSearch filter processing component. The vulnerability stems from improper handling of unserialized data in the FilterDefinitionProvider.php file, which fails to restrict instantiable classes when processing user-controlled input from the database. SuiteCRM 8.9.3 and later versions contain the fix.

PHP Deserialization
NVD GitHub VulDB
EPSS 0% CVSS 7.2
HIGH PATCH This Week

A path traversal vulnerability in the component /Controllers/RestController.php of DreamFactory Core (CVSS 7.2) that allows attackers. High severity vulnerability requiring prompt remediation.

PHP Path Traversal
NVD GitHub VulDB
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Admidio versions 5.0.0 through 5.0.6 contain an authorization bypass vulnerability in the forum module that allows any authenticated user to permanently delete forum topics and posts without proper permission checks. An attacker with basic forum access can delete any topic or post by knowing its UUID, which is publicly visible in URLs, completely circumventing the authorization controls that are properly enforced in edit/save operations. This vulnerability was fixed in version 5.0.7, and exploitation requires only low privileges (authenticated user status) with no user interaction.

PHP CSRF Authentication Bypass
NVD GitHub VulDB
EPSS 0% CVSS 5.7
MEDIUM PATCH This Month

Admidio versions 5.0.0 through 5.0.6 contain a critical cross-site request forgery (CSRF) vulnerability in the groups-roles management module that allows unauthenticated attackers to trick privileged users into permanently deleting organizational roles, deactivating groups, or revoking memberships through forged POST requests. The vulnerability affects users with rol_assign_roles privileges, and exploited attacks result in permanent data loss including cascading deletion of role memberships, event associations, and access rights with no built-in undo mechanism. A patch is available in version 5.0.7, and the vulnerability is not currently tracked in active exploitation databases but poses significant organizational impact due to the permanent nature of role deletion and the low barrier to discovery of target role UUIDs from publicly accessible card views.

PHP CSRF
NVD GitHub VulDB
EPSS 0% CVSS 9.1
CRITICAL Act Now

A critical remote code execution vulnerability in SuiteCRM versions 7.15.0 and 8.9.2 allows authenticated administrators to execute arbitrary system commands through a bypass of previous security patches. This vulnerability circumvents the ModuleScanner.php security controls by exploiting improper PHP token parsing that resets security checks when encountering single-character tokens, enabling attackers to hide dangerous function calls. The vulnerability represents a direct bypass of the previously patched CVE-2024-49774 and has been assigned a CVSS score of 9.1.

PHP RCE Code Injection
NVD GitHub VulDB
EPSS 0% CVSS 8.8
HIGH This Week

SQL injection in SuiteCRM versions prior to 7.15.1 and 8.9.3 allows authenticated users to execute arbitrary SQL queries through improper input validation in the EmailUIAjax module's retrieve() function. An attacker with valid credentials can exploit this vulnerability to read, modify, or delete sensitive database records without restrictions. The vulnerability requires authentication but has no patch currently available.

PHP SQLi
NVD GitHub VulDB
EPSS 0% CVSS 4.9
MEDIUM This Month

Path traversal in SuiteCRM's ModuleBuilder module (versions prior to 7.15.1 and 8.9.3) allows authenticated administrators to read arbitrary files from the server by manipulating the `$modules` and `$name` parameters, which are improperly validated before being used in file operations. An attacker with ModuleBuilder access can exploit this to copy sensitive files from any readable directory into the web root, exposing their contents through the web server.

PHP Path Traversal
NVD GitHub VulDB
EPSS 0% CVSS 8.7
HIGH PATCH This Week

A stored cross-site scripting vulnerability in OpenEMR's patient portal payment flow allows authenticated patient users to inject malicious JavaScript that executes when staff members review payment submissions. The vulnerability affects OpenEMR versions prior to 8.0.0.2 and enables attackers to compromise staff accounts, potentially accessing sensitive medical records and administrative functions. No evidence of active exploitation exists, and no KEV listing or public POC has been identified.

PHP XSS
NVD GitHub VulDB
EPSS 10% CVSS 7.6
HIGH PATCH This Week

Authenticated file read vulnerability in PHP and Docker deployments allows users to exfiltrate arbitrary files from the server by exploiting insufficient path validation in the video upload endpoint, which copies attacker-specified local files to publicly accessible storage. An authenticated attacker can leverage this to read sensitive files from broad server directories including application roots, cache, and temporary locations. No patch is currently available, and the vulnerability carries a 10% exploit prediction score.

PHP RCE Docker
NVD GitHub VulDB
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Improper path sanitization in OpenEMR's DICOM export feature prior to version 8.0.0.2 allows authenticated users with DICOM permissions to write arbitrary files outside the intended directory through path traversal sequences. An attacker could exploit this to place malicious PHP files within the web root, potentially achieving remote code execution. The vulnerability requires valid credentials but poses significant risk to systems containing sensitive healthcare data.

PHP RCE Path Traversal
NVD GitHub VulDB
EPSS 10% CVSS 9.8
CRITICAL PATCH Act Now

An unauthenticated SQL injection vulnerability in AVideo allows remote attackers to execute arbitrary SQL queries through the doNotShowCats parameter in the getAllCategories() method. The vulnerability bypasses quote-stripping sanitization using backslash escape techniques, enabling attackers to extract sensitive data including user credentials, modify database contents, or potentially achieve remote code execution. No active exploitation has been reported in KEV, but proof-of-concept exploitation details are publicly available in the GitHub advisory.

PHP SQLi
NVD GitHub
EPSS 0% CVSS 9.1
CRITICAL Act Now

A Server-Side Request Forgery (SSRF) vulnerability in AVideo's Live plugin allows unauthenticated remote attackers to scan internal networks, access cloud metadata services, and bypass authentication mechanisms when the plugin is deployed in standalone mode. The vulnerability exists because user-controlled input is directly used to construct URLs for server-side requests without validation, enabling attackers to proxy requests through the vulnerable server and potentially chain this with command execution. With a CVSS score of 9.1 and requiring no authentication or user interaction, this represents a critical security risk for affected deployments.

PHP Authentication Bypass Information Disclosure +2
NVD GitHub
EPSS 0% CVSS 9.1
CRITICAL Act Now

The CustomizeUser plugin in PHP and Python allows attackers to bypass channel-level access control by exploiting improper password validation in the setPassword.json.php endpoint. An administrator-level attacker can set any user's channel password to zero due to type coercion of non-numeric characters, enabling trivial authentication bypass for any visitor. No patch is currently available for this critical vulnerability.

PHP Authentication Bypass Privilege Escalation +1
NVD GitHub
EPSS 0% CVSS 6.1
MEDIUM This Month

WWBN/AVideo fails to properly validate the redirectUri parameter in its login flow, allowing attackers to craft malicious URLs that redirect authenticated users to attacker-controlled sites after successful login. The vulnerability stems from insufficient encoding of user input before it is embedded into JavaScript code that executes a redirect via document.location. An attacker can exploit this open redirect to perform phishing attacks or distribute malware by tricking users into clicking a login link with an attacker-controlled redirect destination.

PHP Python Open Redirect
NVD GitHub VulDB
EPSS 0% CVSS 5.4
MEDIUM This Month

Stored cross-site scripting in the WWBN/AVideo CDN plugin allows authenticated attackers to inject malicious JavaScript through improperly sanitized video titles, which executes when users access download pages. An attacker with video creation or modification privileges can compromise any user viewing the affected download interface. No patch is currently available for PHP and Python implementations.

PHP XSS Python
NVD GitHub VulDB
EPSS 0% CVSS 5.0
MEDIUM This Month

The BulkEmbed plugin in AVideo fails to validate thumbnail URLs in its save endpoint, allowing authenticated attackers to conduct Server-Side Request Forgery (SSRF) attacks and retrieve responses from internal network resources. An attacker can supply malicious URLs via the bulk embed feature to force the server to make HTTP requests to internal systems and view the cached thumbnail responses. This vulnerability affects PHP-based AVideo installations and requires authentication to exploit.

PHP SSRF Google +1
NVD GitHub VulDB
EPSS 0% CVSS 8.1
HIGH This Week

Arbitrary file deletion in PHP CloneSite plugin allows authenticated attackers to bypass path validation and remove critical files via path traversal in the deleteDump parameter, causing denial of service or facilitating privilege escalation attacks. An attacker with valid clone credentials can leverage unvalidated input passed directly to unlink() to delete arbitrary files including configuration.php and other security-critical application files. No patch is currently available for this vulnerability.

PHP Denial Of Service Path Traversal
NVD GitHub VulDB
EPSS 0% CVSS 7.5
HIGH This Week

Unauthenticated attackers can stream any private or paid video in PHP, Oracle, and Apple applications through a path traversal vulnerability in the HLS streaming endpoint. The flaw exploits a split-oracle condition where authorization validation and file access use different parsing logic on the videoDirectory parameter, allowing attackers to bypass authentication checks while accessing unauthorized content. No patch is currently available for this high-severity vulnerability.

PHP Path Traversal Oracle +1
NVD GitHub
EPSS 0% CVSS 5.1
MEDIUM This Month

Linkit ONE Location Aware Sensor System (LASS) up to commit f06bd20 contains reflected cross-site scripting (XSS) in PM25.php that permits remote attackers to execute arbitrary JavaScript in victim browsers through unencoded GET parameters (site, city, district, channel, apikey). The vulnerability affects a sensor data collection platform and carries a low exploitation probability (EPSS 0.21%, percentile 43%), suggesting limited real-world attack activity despite public disclosure through VulnCheck.

PHP XSS
NVD GitHub VulDB
EPSS 0% CVSS 8.8
HIGH This Week

Authenticated attackers can execute arbitrary SQL queries in Devome GRR v4.5.0 through injection vulnerabilities in the referer and user-agent parameters within include/session.inc.php, enabling full database compromise including data exfiltration, modification, and potential remote code execution. The vulnerability carries a CVSS score of 8.8 (High) with low attack complexity requiring only low-level privileges and no user interaction. EPSS probability of exploitation is extremely low at 0.01% (2nd percentile), and no public exploit identified at time of analysis beyond technical disclosure and audit documentation.

PHP SQLi
NVD VulDB
EPSS 0% CVSS 5.9
MEDIUM This Month

A command injection vulnerability (CVSS 5.9). Remediation should follow standard vulnerability management procedures.

PHP RCE Command Injection
NVD GitHub VulDB
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

The `listFiles.json.php` endpoint in AVideo accepts an unsanitized POST parameter `path` and passes it directly to PHP's `glob()` function without restricting traversal to an allowed base directory, enabling authenticated uploaders to enumerate `.mp4` files anywhere on the server filesystem. An attacker with the standard `canUpload` permission can discover private, premium, or access-controlled video files stored outside the intended upload directory by supplying arbitrary absolute paths, revealing both filenames and full filesystem paths that may aid further exploitation. A proof-of-concept is available demonstrating traversal from the web root to arbitrary locations such as `/var/private/premium-content/` and the root filesystem.

Path Traversal PHP
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

The AVideo Scheduler plugin fails to validate callback URLs against Server-Side Request Forgery (SSRF) protections, allowing authenticated administrators to configure scheduled tasks that make HTTP requests to internal networks, cloud metadata services, and private IP ranges. An attacker with admin access can retrieve AWS/GCP/Azure instance metadata credentials (including IAM role tokens) or probe internal APIs not exposed to the internet. A proof-of-concept exists demonstrating credential extraction from AWS metadata endpoints at 169.254.169.254.

SSRF PHP Privilege Escalation +1
NVD GitHub VulDB
EPSS 0% CVSS 9.8
CRITICAL Act Now

ThimPress BuilderPress, a WordPress plugin, contains a Local File Inclusion vulnerability through improper filename control in PHP include/require statements that allows unauthenticated remote attackers to read arbitrary files from the server. All versions through 2.0.1 are affected. With a CVSS score of 9.8 (Critical) and no authentication required, this represents a severe vulnerability allowing unauthorized information disclosure, though EPSS and KEV status data are not provided in the intelligence sources.

PHP Information Disclosure LFI
NVD VulDB
EPSS 0% CVSS 6.4
MEDIUM This Month

The Info Cards - Add Text and Media in Card Layouts WordPress plugin versions up to 2.0.7 contains a Stored Cross-Site Scripting vulnerability in the 'btnUrl' parameter of the Info Cards block that allows authenticated attackers with Contributor-level access to inject arbitrary JavaScript code. The vulnerability exists because the plugin fails to validate URL protocols (specifically javascript: schemes) on the server side, and the client-side rendering directly inserts unsanitized URLs into anchor href attributes, enabling script execution when users click the malicious button links. While there is no indication of active KEV exploitation, the low attack complexity and low privilege requirements make this a practical threat in multi-author WordPress environments.

WordPress PHP XSS
NVD VulDB
EPSS 0% CVSS 8.1
HIGH PATCH This Week

A PHP remote/local file inclusion vulnerability exists in the Ovatheme Tripgo WordPress theme due to improper control of filename parameters in include/require statements. Versions prior to 1.5.6 are affected, allowing unauthenticated remote attackers to potentially include arbitrary files and execute malicious code. This vulnerability has a CVSS score of 8.1 (High) with network attack vector but high attack complexity, and has been reported by Patchstack as exploitable for local file inclusion and information disclosure.

PHP Information Disclosure LFI
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

An authenticated time-based blind SQL injection vulnerability exists in the ClipBucket v5 open source video sharing platform, affecting versions prior to 5.5.3 #80. The vulnerability resides in the actions/ajax.php endpoint where the userid parameter lacks proper input sanitization, allowing authenticated attackers to execute arbitrary SQL queries. This can lead to full database disclosure and potential administrative account takeover with a CVSS score of 8.8.

SQLi PHP Clipbucket V5
NVD GitHub VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

The SimpleJWT PHP library version 1.1.0 contains an algorithmic complexity denial-of-service vulnerability in its PBES2 password-based encryption implementation. An unauthenticated attacker can send a crafted JWE token with an extremely large p2c (PBKDF2 iteration count) parameter in the header, forcing the server to perform hundreds of billions of iterations during key derivation and causing CPU exhaustion. A working proof-of-concept exploit is publicly available demonstrating how a single malicious request can block PHP workers until execution timeouts are reached.

PHP Denial Of Service Red Hat +1
NVD GitHub VulDB
EPSS 0% CVSS 8.8
HIGH This Week

The NextGEN Gallery plugin for WordPress contains a Local File Inclusion vulnerability in the 'template' parameter of gallery shortcodes, affecting all versions up to and including 4.0.3. Authenticated attackers with Author-level privileges or higher can include and execute arbitrary PHP files on the server, potentially leading to remote code execution, data theft, or complete site compromise. This is a confirmed vulnerability reported by Wordfence with a high CVSS score of 8.8, though no active exploitation (KEV) status has been reported at this time.

WordPress PHP LFI +2
NVD VulDB
EPSS 0% CVSS 1.9
LOW POC Monitor

A Cross-Site Scripting (XSS) vulnerability exists in itsourcecode University Management System version 1.0, specifically in the /add_result.php file where the 'vr' parameter is not properly sanitized. An authenticated attacker with high privileges can inject malicious scripts that execute in the context of other users' browsers, potentially leading to session hijacking, credential theft, or unauthorized actions within the application. A public proof-of-concept exploit is available on GitHub, and while the CVSS score is low (2.4), the vulnerability is actively documented in security databases and poses a real risk in educational environments.

XSS PHP
NVD VulDB GitHub
EPSS 0% CVSS 2.0
LOW Monitor

A stored or reflected cross-site scripting (XSS) vulnerability exists in Portabilis i-Educar 2.11 through improper input validation on the Name parameter in the /intranet/educar_servidor_curso_lst.php endpoint. An authenticated attacker can inject malicious JavaScript that executes in the context of other users' browsers, potentially enabling session hijacking, credential theft, or malware distribution. A public proof-of-concept exploit is available, and the vendor has not responded to early disclosure attempts, indicating no patch is currently available.

XSS PHP
NVD GitHub VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

LDAP Account Manager (LAM), a web-based interface for managing LDAP directory entries, contains a local file inclusion vulnerability in its PDF export functionality that allows authenticated users to include and execute arbitrary PHP files. When chained with GHSA-88hf-2cjm-m9g8, this vulnerability enables complete remote code execution on the affected server. The vulnerability affects all versions prior to 9.5 and requires low-privilege authentication (CVSS 8.8, PR:L), tracking across 7 Ubuntu and 4 Debian releases indicates significant deployment in enterprise LDAP environments.

PHP LFI RCE
NVD GitHub VulDB
EPSS 0% CVSS 4.3
MEDIUM This Month

Insufficient file extension validation in the PDF export component of LDAP Account Manager prior to version 9.5 permits authenticated attackers to upload arbitrary file types, including PHP files, to the server. When combined with GHSA-w7xq-vjr3-p9cf, this vulnerability enables remote code execution with web server privileges. Affected users should upgrade to version 9.5 or restrict web server write access to the LAM configuration directory.

PHP RCE
NVD GitHub VulDB
EPSS 0% CVSS 8.6
HIGH PATCH This Week

A Server-Side Request Forgery (SSRF) vulnerability in AVideo's LiveLinks proxy endpoint allows unauthenticated attackers to access internal services and cloud metadata by exploiting missing validation on HTTP redirect targets. The vulnerability enables attackers to bypass initial URL validation through a malicious redirect, potentially exposing AWS/GCP/Azure instance metadata including IAM credentials. A detailed proof-of-concept is available and a patch has been released by the vendor.

PHP SSRF Google +3
NVD GitHub VulDB
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

Reflected XSS in AVideo's error message handling allows unauthenticated attackers to execute arbitrary JavaScript in victims' browsers by injecting malicious code through a URL parameter that bypasses `json_encode()` filtering. An attacker can craft a malicious link to steal session cookies, perform actions on behalf of the victim, or redirect users to malicious sites. A patch is available.

PHP XSS
NVD GitHub VulDB
EPSS 0% CVSS 8.1
HIGH PATCH This Week

AVideo (WWBN_AVideo) contains a critical CORS misconfiguration vulnerability that exposes PHP session IDs to any unauthenticated external website, enabling complete account takeover of any logged-in user including administrators. The vulnerability has a working proof-of-concept exploit and requires only that a victim visit an attacker-controlled webpage while logged into AVideo, making it highly exploitable with an 8.1 CVSS score.

Cors Misconfiguration PHP Information Disclosure
NVD GitHub VulDB
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

An unauthenticated attacker can leverage an exposed password hashing endpoint in PHP applications to obtain hashed versions of arbitrary passwords, facilitating offline cracking attacks against compromised database credentials. The vulnerable `/objects/encryptPass.json.php` file accepts user-supplied passwords via request parameters and returns their encrypted equivalents without authentication, effectively disclosing the application's hashing algorithm and salt to potential adversaries. This information disclosure has a CVSS score of 5.3 and patches are available.

PHP Information Disclosure SQLi
NVD GitHub VulDB
EPSS 0% CVSS 8.1
HIGH PATCH This Week

A critical authentication bypass vulnerability in AVideo's installation endpoint allows unauthenticated remote attackers to take over uninitialized deployments by completing the installation process with attacker-controlled credentials and database settings. The vulnerability affects AVideo installations where the configuration file does not exist (fresh deployments, container restarts without persistent storage, or re-deployments), enabling attackers to become the sole administrator with full control over the application. A detailed proof-of-concept is publicly available, and while no active exploitation has been reported in KEV, the vulnerability has a moderate EPSS score and requires only network access to exploit.

PHP RCE SQLi +3
NVD GitHub VulDB
EPSS 0% CVSS 7.7
HIGH PATCH This Week

SQL injection in Cockpit CMS version 2.13.4 and earlier allows attackers with a valid read-only API key to inject arbitrary SQL through the `/api/content/aggregate/{model}` endpoint and extract unauthorized data from the SQLite database, including unpublished content. The vulnerability requires network access and low-privilege API credentials, enabling data exfiltration without administrative privileges. No patch is currently available.

PHP SQLi
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in Simple Food Order System 1.0's /routers/add-item.php endpoint allows unauthenticated remote attackers to manipulate the price parameter and execute arbitrary database queries. Public exploit code exists for this vulnerability, and no patch is currently available. The attack requires no user interaction and could lead to unauthorized data access, modification, or deletion.

SQLi PHP
NVD VulDB GitHub
EPSS 0% CVSS 8.0
HIGH PATCH This Week

A second-order SQL injection vulnerability exists in Admidio's MyList configuration feature, allowing authenticated users to inject arbitrary SQL commands through list column configurations that are safely stored but unsafely read back. The vulnerability enables attackers to read sensitive data including password hashes, modify database contents, or achieve full database compromise. A detailed proof-of-concept is available demonstrating exploitation requiring only standard user privileges.

CSRF SQLi PHP +1
NVD GitHub VulDB
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

Admidio's eCard functionality is vulnerable to stored XSS when authenticated users send greeting cards, as the application uses unsanitized POST data instead of properly filtered values during email construction. An authenticated attacker can inject malicious HTML and JavaScript into eCard emails sent to other members, bypassing the HTMLPurifier sanitization that occurs during form validation. No patch is currently available for this vulnerability affecting PHP-based Admidio installations.

PHP XSS
NVD GitHub VulDB
EPSS 0% CVSS 6.8
MEDIUM PATCH This Month

An unauthenticated Server-Side Request Forgery (SSRF) and Local File Read vulnerability exists in the Admidio SSO metadata fetch endpoint, which accepts arbitrary URLs via GET parameter and passes them directly to file_get_contents() after validating only with PHP's FILTER_VALIDATE_URL-a format checker that does not block dangerous URI schemes. An authenticated administrator can exploit this to read arbitrary local files (including database credentials from config.php), probe internal network services, or fetch cloud instance metadata (such as AWS IAM credentials from 169.254.169.254). A proof-of-concept demonstrating all attack vectors has been published; CVSS 6.8 reflects high confidentiality impact but is mitigated by the requirement for administrator privileges.

CSRF Elastic PHP +3
NVD GitHub VulDB
EPSS 0% CVSS 5.7
MEDIUM PATCH This Month

Admidio's profile membership management function fails to validate CSRF tokens on the save_membership action, allowing an attacker to forge requests that modify membership start and end dates for any member of roles led by the victim. While other membership-related actions (stop_membership, remove_former_membership) include CSRF protection, save_membership was omitted from validation, enabling silent privilege escalation or access revocation through cross-site request forgery. A proof-of-concept exists demonstrating immediate exploitation by embedding a form on an external page.

CSRF PHP
NVD GitHub VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

A critical unrestricted file upload vulnerability in Admidio's Documents & Files module allows authenticated users with upload permissions to bypass file extension restrictions by submitting an invalid CSRF token, enabling upload of PHP scripts that lead to Remote Code Execution. The vulnerability affects Admidio versions prior to the patch and has a published proof-of-concept demonstrating webshell upload and command execution. With a CVSS score of 8.8 and detailed exploitation steps available, this represents a high-priority risk for organizations using Admidio for document management.

CSRF PHP RCE +2
NVD GitHub VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

An arbitrary file upload vulnerability in Chamilo LMS allows authenticated users with Teacher role to achieve Remote Code Execution by uploading malicious H5P packages. The flaw affects versions prior to 1.11.36 and stems from inadequate validation of H5P package contents, which only checks for h5p.json existence but fails to block .htaccess or PHP files with alternative extensions. With a CVSS score of 8.8 and high exploitation potential, attackers can upload webshells disguised as text files along with .htaccess configurations to bypass security controls.

PHP RCE File Upload +2
NVD GitHub VulDB
EPSS 0% CVSS 6.9
MEDIUM This Month

CVE-2026-29516 is a security vulnerability (CVSS 4.9) that allows authenticated attackers. Remediation should follow standard vulnerability management procedures.

PHP Information Disclosure
NVD VulDB
EPSS 0% CVSS 9.1
CRITICAL PATCH Act Now

A critical remote code execution vulnerability exists in the Fields plugin for GLPI that allows authenticated users with dropdown creation privileges to execute arbitrary PHP code on the server. The vulnerability affects Fields plugin versions prior to 1.23.3 and has a CVSS score of 9.1, indicating severe impact with the ability to compromise the entire system. While no active exploitation has been reported in KEV and no public proof-of-concept is mentioned, the straightforward attack vector and high privileges requirement suggest targeted insider threat or compromised account scenarios.

PHP RCE Fields
NVD GitHub VulDB
EPSS 0% CVSS 7.5
HIGH This Week

SQL Injection vulnerability in Chyrp v.2.5.2 and before allows a remote attacker to obtain sensitive information via the Admin.php component

PHP SQLi
NVD GitHub VulDB
EPSS 0% CVSS 7.2
HIGH PATCH This Week

Remote code execution in Craft CMS allows authenticated administrators with control panel access to execute arbitrary code by exploiting an incomplete patch that left the same vulnerable gadget chain pattern in multiple controllers. The vulnerability requires administrative privileges and the allowAdminChanges setting to be enabled, limiting exposure to trusted users with elevated access. Craft CMS versions before 4.17.5 and 5.9.11 are affected and should be patched immediately.

PHP Information Disclosure
NVD GitHub VulDB
EPSS 0% CVSS 7.2
HIGH PATCH This Week

Unsafe deserialization of untrusted user input in PHP Craft CMS allows authenticated high-privilege users to inject arbitrary Yii2 behaviors and event handlers, enabling remote code execution through the EntryTypesController. An incomplete prior patch for a similar vulnerability left the same dangerous pattern in place, permitting attackers with administrative access to manipulate application configuration and achieve full system compromise. A patch is available to properly sanitize configuration inputs before processing.

Code Injection PHP
NVD GitHub VulDB
EPSS 0% CVSS 8.5
HIGH PATCH This Week

A security vulnerability in renders user-supplied template content (CVSS 8.5) that allows an authenticated user with access. High severity vulnerability requiring prompt remediation. Vendor patch is available.

RCE PHP Ssti
NVD GitHub VulDB
EPSS 0% CVSS 2.1
LOW Monitor

SQL injection in itsourcecode College Management System 1.0 allows authenticated attackers to manipulate the course_code parameter in /admin/time-table.php and execute arbitrary SQL commands remotely. Public exploit code exists for this vulnerability, and no patch is currently available. The attack requires valid credentials but can lead to unauthorized data access, modification, or deletion within the application database.

PHP SQLi
NVD GitHub VulDB
EPSS 0% CVSS 2.0
LOW POC Monitor

SQL injection in itsourcecode College Management System 1.0 via the course_code parameter in /admin/courses.php allows authenticated administrators to execute arbitrary database queries remotely. Public exploit code exists for this vulnerability, and no patch is currently available. The attack requires high-level privileges but could enable data exfiltration or manipulation.

SQLi PHP
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in Free Hotel Reservation System 1.0 allows unauthenticated remote attackers to manipulate the Home parameter in /hotel/admin/mod_reports/index.php and execute arbitrary database queries. Public exploit code exists for this vulnerability, and no patch is currently available. Affected systems running the vulnerable PHP application are at immediate risk of data theft and database compromise.

SQLi PHP
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in itsourcecode Online Enrollment System 1.0 allows unauthenticated remote attackers to manipulate parameters in the enrollment module via the txtsearch, deptname, or name arguments. Public exploit code exists for this vulnerability, which enables attackers to read, modify, or delete database contents. No patch is currently available.

SQLi PHP
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in itsourcecode Online Enrollment System 1.0 allows unauthenticated remote attackers to manipulate the user_email parameter in /sms/login.php and execute arbitrary database queries. Public exploit code exists for this vulnerability, enabling attackers to read, modify, or delete sensitive enrollment data without authentication. No patch is currently available.

SQLi PHP
NVD VulDB GitHub
EPSS 0% CVSS 1.9
LOW POC Monitor

A cross-site scripting (XSS) vulnerability exists in CMS Made Simple versions up to 2.2.21 affecting the User Management Module's admin/listusers.php file. An attacker with high-level privileges can inject malicious JavaScript through the Message parameter to compromise other users' sessions or steal sensitive data. Public exploit code is available and the vulnerability has been actively exploited, making this a tangible threat despite its low CVSS score of 2.4.

PHP XSS
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in itsourcecode Payroll Management System 1.0 via the ID parameter in /manage_employee.php allows unauthenticated remote attackers to execute arbitrary SQL queries and access or modify sensitive data. Public exploit code exists for this vulnerability, and no patch is currently available. Organizations running this system should implement network-level protections and consider upgrading to a patched version once released.

PHP SQLi
NVD VulDB GitHub
EPSS 0% CVSS 8.8
HIGH This Week

The `flow/admin/moniteur.php` script in Use It Flow administration website before 10.0.0 is vulnerable to Remote Code Execution.

PHP RCE Code Injection +1
NVD GitHub VulDB
EPSS 0% CVSS 2.0
LOW POC Monitor

SQL injection in phpIPAM versions up to 1.7.4 allows authenticated administrators to manipulate the subnetOrdering parameter in the Section Handler component, enabling remote database compromise. Public exploit code exists for this vulnerability, and no patch is currently available from the vendor despite early disclosure notification.

SQLi PHP
NVD VulDB
EPSS 0% CVSS 2.0
LOW POC Monitor

A vulnerability was determined in UEditor up to 1.4.3.2.

PHP XSS
NVD VulDB
EPSS 0% CVSS 8.2
HIGH POC This Week

SQL injection vulnerabilities in RealtyScript 4.0.2 allow unauthenticated remote attackers to manipulate database queries through vulnerable parameters in admin panel files (/admin/users.php and /admin/mailer.php). Attackers can extract sensitive database information using time-based blind SQL injection or cause denial of service. A public proof-of-concept exploit is available on Exploit-DB, though the vulnerability is not currently in CISA's KEV catalog.

Denial Of Service SQLi PHP +1
NVD Exploit-DB VulDB
EPSS 0% CVSS 6.4
MEDIUM POC This Month

RealtyScript 4.0.2 contains a stored cross-site scripting (XSS) vulnerability in the pages.php admin interface that allows authenticated attackers to inject malicious HTML and iframe elements through the text parameter. Attackers can craft POST requests to store malicious content that executes in the browsers of users viewing affected pages. A public proof-of-concept exploit exists (Exploit-DB 38496), making this vulnerability actively exploitable by authenticated threat actors.

PHP XSS Realtyscript
NVD Exploit-DB VulDB
EPSS 0% CVSS 7.2
HIGH POC This Week

A stored cross-site scripting (XSS) vulnerability exists in RealtyScript 4.0.2's admin locations interface, allowing unauthenticated attackers to inject malicious JavaScript through the location_name parameter. Successful exploitation enables arbitrary code execution in administrator browsers when they view compromised location entries. A public proof-of-concept exploit is available on Exploit-DB, though no active exploitation has been reported (not in CISA KEV).

RCE PHP XSS +1
NVD Exploit-DB VulDB
EPSS 0% CVSS 5.3
MEDIUM POC This Month

RealtyScript 4.0.2 contains a cross-site request forgery (CSRF) vulnerability in its user management endpoints that allows unauthenticated attackers to create arbitrary user accounts and escalate privileges to SUPERUSER level without authentication. The vulnerability affects the /admin/addusers.php and /admin/editadmins.php endpoints, which process hidden form data without CSRF token validation. An attacker can craft malicious web pages or emails containing hidden forms that, when visited by an authenticated administrator, silently create new administrative accounts under the attacker's control, leading to complete system compromise.

CSRF PHP Realtyscript
NVD Exploit-DB VulDB
EPSS 0% CVSS 7.2
HIGH POC This Week

Stored cross-site scripting (XSS) vulnerability in Next Click Ventures RealtyScript 4.0.2 that allows attackers to upload malicious JavaScript files through unsanitized file uploads in admin/tools.php. With a publicly available proof-of-concept exploit and a CVSS score of 7.2, attackers can execute JavaScript in the context of other users' browsers without authentication, though the vulnerability is not listed in CISA KEV and has no EPSS score indicating limited real-world exploitation.

PHP XSS Realtyscript
NVD Exploit-DB VulDB
EPSS 0% CVSS 5.1
MEDIUM PATCH This Month

A vulnerability was determined in Aureus ERP up to 1.3.0-BETA2.

PHP XSS
NVD VulDB GitHub
EPSS 0% CVSS 8.9
HIGH POC This Week

Critical OS command injection vulnerability in Topsec TopACM 3.0's web management interface that allows unauthenticated remote attackers to execute arbitrary system commands. A public proof-of-concept exploit is available, and the vulnerability has a CVSS score of 9.8, though no active exploitation has been confirmed in CISA's KEV catalog. The vendor has not responded to disclosure attempts, leaving systems unpatched.

Command Injection PHP
NVD VulDB
EPSS 0% CVSS 4.8
MEDIUM PATCH This Month

A security flaw has been discovered in Tecnick TCExam up to 16.6.0.

XSS PHP
NVD VulDB GitHub
EPSS 0% CVSS 1.9
LOW POC PATCH Monitor

A vulnerability was identified in Tecnick TCExam 16.5.0.

XSS PHP
NVD VulDB GitHub
EPSS 0% CVSS 7.3
HIGH This Week

Critical authentication bypass vulnerability in Unraid's auth-request.php file that allows remote attackers to gain unauthorized access without credentials through path traversal exploitation. The vulnerability affects all versions of Unraid (CPE indicates no version restrictions) and can be exploited over the network with low complexity, potentially compromising system confidentiality, integrity, and availability. No KEV listing or EPSS data was provided, suggesting this may be a recently disclosed vulnerability without known active exploitation.

Authentication Bypass PHP Path Traversal +1
NVD VulDB
EPSS 2% CVSS 8.8
HIGH This Week

Critical path traversal vulnerability in Unraid's update.php file that allows authenticated remote attackers to execute arbitrary code as root. The vulnerability affects all versions of Unraid (per CPE data) and was discovered by Zero Day Initiative (ZDI-CAN-28951). With a CVSS score of 8.8 and requiring only low privileges, this represents a severe risk for Unraid installations.

PHP Path Traversal RCE +1
NVD VulDB
Prev Page 28 of 275 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy