Skip to main content

PHP

24738 CVEs product

Monthly

CVE-2026-25027 HIGH This Week

ThemeMove Unicamp through version 2.7.1 contains a local file inclusion vulnerability in PHP that allows authenticated attackers to read arbitrary files on the server through improper filename validation in include/require statements. An attacker with valid credentials can leverage this flaw to access sensitive files and potentially execute arbitrary code. No patch is currently available for this vulnerability.

PHP LFI
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-14274 MEDIUM This Month

Unlimited Elements for Elementor (WordPress plugin) versions up to 2.0.1. is affected by cross-site scripting (xss) (CVSS 5.4).

WordPress XSS PHP
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2025-67484 Monitor

Vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/Api/ApiFormatXml.Php.

PHP Information Disclosure
NVD
EPSS
0.0%
CVE-2025-67480 Monitor

Vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/Api/ApiQueryRevisionsBase.Php.

PHP Information Disclosure
NVD
EPSS
0.1%
CVE-2025-67479 Monitor

Vulnerability in Wikimedia Foundation MediaWiki, Wikimedia Foundation Cite. This vulnerability is associated with program files includes/Parser/CoreParserFunctions.Php, includes/Parser/Sanitizer.Php.

Mediawiki PHP
NVD
EPSS
0.0%
CVE-2025-67478 Monitor

Vulnerability in Wikimedia Foundation CheckUser. This vulnerability is associated with program files includes/Mail/UserMailer.Php.

PHP Information Disclosure
NVD
EPSS
0.0%
CVE-2025-67476 LOW Monitor

Vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/Import/ImportableOldRevisionImporter.Php.

PHP Information Disclosure
NVD
CVSS 4.0
1.3
EPSS
0.0%
CVE-2025-67475 This Week

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/CommentFormatter/CommentParser.Php.

PHP XSS
NVD
EPSS
0.0%
CVE-2025-61658 LOW Monitor

Vulnerability in Wikimedia Foundation CheckUser. This vulnerability is associated with program files src/GlobalContributions/GlobalContributionsPager.Php.

PHP Path Traversal
NVD
CVSS 4.0
1.3
EPSS
0.1%
CVE-2025-61655 This Week

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation VisualEditor.

PHP XSS
NVD
EPSS
0.0%
CVE-2025-61654 Monitor

Vulnerability in Wikimedia Foundation Thanks. This vulnerability is associated with program files includes/ThanksQueryHelper.Php.

PHP
NVD
EPSS
0.1%
CVE-2025-61653 Monitor

Vulnerability in Wikimedia Foundation TextExtracts. This vulnerability is associated with program files includes/ApiQueryExtracts.Php.

PHP
NVD
EPSS
0.1%
CVE-2025-61650 This Week

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation CheckUser. This vulnerability is associated with program files src/Services/CheckUserUserInfoCardService.Php.

PHP XSS
NVD
EPSS
0.1%
CVE-2025-61649 Monitor

Vulnerability in Wikimedia Foundation CheckUser. This vulnerability is associated with program files src/Services/CheckUserUserInfoCardService.Php.

PHP
NVD
EPSS
0.1%
CVE-2025-61646 LOW Monitor

Vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/RecentChanges/EnhancedChangesList.Php.

PHP Path Traversal
NVD VulDB
CVSS 4.0
1.2
EPSS
0.1%
CVE-2025-61645 MEDIUM This Month

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/pager/CodexTablePager.Php. [CVSS 6.1 MEDIUM]

Mediawiki PHP XSS Red Hat
NVD
CVSS 3.1
6.1
EPSS
0.0%
CVE-2025-11173 Monitor

Vulnerability in Wikimedia Foundation OATHAuth. This vulnerability is associated with program files src/Special/OATHManage.Php.

PHP
NVD
EPSS
0.0%
CVE-2025-61647 LOW Monitor

Vulnerability in Wikimedia Foundation CheckUser. This vulnerability is associated with program files src/Api/Rest/Handler/UserInfoHandler.Php.

PHP Path Traversal
NVD
CVSS 4.0
0.4
EPSS
0.1%
CVE-2025-61643 LOW Monitor

Vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/recentchanges/RecentChangeRCFeedNotifier.Php.

PHP Information Disclosure
NVD VulDB
CVSS 4.0
2.7
EPSS
0.0%
CVE-2025-61642 This Week

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/htmlform/CodexHTMLForm.Php, includes/htmlform/fields/HTMLButtonField.Php.

PHP XSS
NVD VulDB
EPSS
0.0%
CVE-2025-61641 LOW Monitor

Vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/api/ApiQueryAllPages.Php.

PHP Path Traversal
NVD VulDB
CVSS 4.0
1.7
EPSS
0.0%
CVE-2025-61639 This Week

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/logging/ManualLogEntry.Php, includes/recentchanges/RecentChangeFactory.Php, includes/recentchanges/RecentChangeStore.Php.

Mediawiki PHP
NVD VulDB
EPSS
0.0%
CVE-2025-61638 This Week

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki, Wikimedia Foundation Parsoid. This vulnerability is associated with program files includes/parser/Sanitizer.Php, src/Core/Sanitizer.Php.

Mediawiki PHP XSS
NVD VulDB
EPSS
0.0%
CVE-2025-61636 This Week

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/htmlform/fields/HTMLButtonField.Php.

Mediawiki PHP XSS
NVD VulDB
EPSS
0.0%
CVE-2025-61635 Monitor

Vulnerability in Wikimedia Foundation ConfirmEdit. This vulnerability is associated with program files includes/FancyCaptcha/ApiFancyCaptchaReload.Php.

PHP
NVD
EPSS
0.0%
CVE-2025-61634 LOW Monitor

Vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/Rest/Handler/PageHTMLHandler.Php.

PHP Path Traversal
NVD VulDB
CVSS 3.1
3.1
EPSS
0.0%
CVE-2026-25144 MEDIUM This Month

Talishar is a fan-made Flesh and Blood project. A Stored XSS exists in the chat in-game system. [CVSS 5.3 MEDIUM]

PHP XSS
NVD GitHub
CVSS 3.1
5.3
EPSS
0.0%
CVE-2025-6927 Monitor

Vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/specials/pagers/BlockListPager.Php, includes/api/ApiQueryBlocks.Php.

Mediawiki PHP
NVD
EPSS
0.0%
CVE-2025-6597 Monitor

Vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/auth/AuthManager.Php.

Mediawiki PHP
NVD
EPSS
0.0%
CVE-2025-6593 This Week

Vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/user/User.Php.

Mediawiki PHP
NVD
EPSS
0.0%
CVE-2025-6592 Monitor

from fe0b1cb9e9691faf4d8d9bd80646589f6ec37615 versions up to 1.43.2 is affected by improper access control.

PHP
NVD
EPSS
0.0%
CVE-2025-6591 This Week

Vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/api/ApiFeedContributions.Php.

Mediawiki PHP
NVD
EPSS
0.0%
CVE-2025-6590 This Week

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/htmlform/fields/HTMLUserTextField.Php.

Mediawiki PHP
NVD
EPSS
0.0%
CVE-2025-6589 Monitor

Vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/specials/pagers/BlockListPager.Php.

Mediawiki PHP
NVD
EPSS
0.0%
CVE-2024-54263 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Talemy Spirit Framework allows PHP Local File Inclusion.This issue affects Spirit Framework: from n/a through 1.2.13. [CVSS 7.5 HIGH]

PHP LFI
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-15396 HIGH This Week

The Library Viewer WordPress plugin before 3.2.0 does not sanitise and escape some parameters before outputting them back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin. [CVSS 7.1 HIGH]

WordPress XSS PHP
NVD WPScan
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-15030 CRITICAL Act Now

Improper password reset process in User Profile Builder WordPress plugin before 3.15.2 allows unauthenticated attackers to reset any user's password with minimal requests.

WordPress PHP
NVD WPScan
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-1734 MEDIUM POC This Month

Missing authorization in CRMEB crontab endpoints (versions up to 5.6.3) allows unauthenticated remote attackers to manipulate unspecified functionality through the CrontabController.php file. Public exploit code exists for this vulnerability, and no patch is currently available from the vendor despite early disclosure notification.

PHP Crmeb
NVD GitHub VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2022-50940 MEDIUM This Month

Knap Advanced PHP Login 3.1.3 contains a persistent cross-site scripting vulnerability that allows remote attackers to inject malicious script code in the name parameter. [CVSS 6.4 MEDIUM]

PHP XSS
NVD
CVSS 3.1
6.4
EPSS
0.1%
CVE-2021-47919 MEDIUM POC This Month

Simple CMS 2.1 contains a non-persistent cross-site scripting vulnerability in the preview.php file's id parameter. Attackers can inject malicious script code through a GET request to execute arbitrary scripts and potentially hijack user sessions or perform phishing attacks. [CVSS 6.4 MEDIUM]

PHP XSS Simple Cms Php
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2021-47918 HIGH POC This Week

Simple CMS 2.1 contains a remote SQL injection vulnerability that allows privileged attackers to inject unfiltered SQL commands in the users module. Attackers can exploit unvalidated input parameters in the admin.php file to compromise the database management system and web application. [CVSS 8.1 HIGH]

PHP SQLi Simple Cms Php
NVD
CVSS 3.1
8.1
EPSS
0.0%
CVE-2021-47914 MEDIUM POC This Month

PHP Melody version 3.0 contains a persistent cross-site scripting vulnerability in the edit-video.php submitted parameter that allows remote attackers to inject malicious script code. [CVSS 6.4 MEDIUM]

PHP XSS Php Melody
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2025-14554 HIGH This Week

Sell BTC - Cryptocurrency Selling Calculator (WordPress plugin) is affected by cross-site scripting (xss) (CVSS 7.2).

WordPress XSS PHP
NVD
CVSS 3.1
7.2
EPSS
0.1%
CVE-2025-15525 MEDIUM This Month

The Ajax Load More - Infinite Scroll, Load More, & Lazy Load plugin for WordPress is vulnerable to unauthorized access of data due to incorrect authorization on the parse_custom_args() function in all versions up to, and including, 7.8.1. [CVSS 5.3 MEDIUM]

WordPress PHP
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2025-15510 MEDIUM This Month

The NEX-Forms - Ultimate Forms Plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the NF5_Export_Forms class constructor in all versions up to, and including, 9.1.8. [CVSS 5.3 MEDIUM]

WordPress PHP
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2020-37051 HIGH POC This Week

Online-Exam-System 2015 contains a time-based blind SQL injection vulnerability in the feedback form that allows attackers to extract database password hashes. [CVSS 8.2 HIGH]

PHP SQLi Online Exam System
NVD GitHub Exploit-DB
CVSS 3.1
8.2
EPSS
0.0%
CVE-2020-37046 MEDIUM POC This Month

Sistem Informasi Pengumuman Kelulusan Online 1.0 contains a cross-site request forgery vulnerability that allows attackers to add unauthorized admin users through the tambahuser.php endpoint. [CVSS 5.3 MEDIUM]

PHP CSRF
NVD Exploit-DB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2020-37035 HIGH POC This Week

e-Learning PHP Script 0.1.0 contains a SQL injection vulnerability in the search functionality that allows attackers to manipulate database queries through unvalidated user input. [CVSS 8.2 HIGH]

PHP SQLi
NVD GitHub Exploit-DB
CVSS 3.1
8.2
EPSS
0.0%
CVE-2020-37023 HIGH POC This Week

Koken CMS 0.22.24 contains a file upload vulnerability that allows authenticated attackers to bypass file extension restrictions by renaming malicious PHP files. [CVSS 8.8 HIGH]

PHP
NVD GitHub Exploit-DB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-25129 PHP MEDIUM POC PATCH This Month

PsySH versions prior to 0.11.23 and 0.12.19 automatically execute a `.psysh.php` file from the current working directory during startup, allowing local attackers with write access to a directory to achieve arbitrary code execution when a user launches PsySH from that location. When a privileged user such as root or a CI runner executes PsySH in an attacker-controlled directory, this results in local privilege escalation. Public exploit code exists for this vulnerability and no patch is currently available.

PHP Laravel Privilege Escalation Psysh
NVD GitHub
CVSS 3.1
6.7
EPSS
0.0%
CVE-2025-24293 Ruby CRITICAL PATCH Act Now

Command injection in Ruby on Rails Active Storage allows attackers to abuse a permissive default allow-list of image transformation methods, escaping the framework's safe-transformation guardrails when an application forwards untrusted input as the transformation method or its parameters. Three methods on the default allow-list can be used to circumvent the safe defaults and reach the underlying ImageMagick processor, enabling OS command injection (CVSS 4.0 9.2). No public exploit has been identified at time of analysis, and EPSS is low at 0.22% (44th percentile), but a vendor patch is available and the issue is RCE-class.

PHP Command Injection
NVD GitHub VulDB
CVSS 4.0
9.2
EPSS
0.2%
CVE-2025-51958 CRITICAL Act Now

Unauthenticated command injection in DokuWiki runcommand plugin via lib/plugins/runcommand. Allows arbitrary system command execution.

PHP Runcommand
NVD GitHub
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-1702 LOW POC Monitor

Improper authorization in SourceCodester Pet Grooming Management Software 1.0 allows authenticated users to manipulate the group_id parameter in the user management component, potentially gaining unauthorized access to restricted functionality. An attacker with valid credentials can exploit this remotely, and public exploit code is already available. The vulnerability currently lacks a patch from the vendor.

PHP Information Disclosure
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-1701 MEDIUM POC This Month

SQL injection in itsourcecode School Management System 1.0 via the ID parameter in /enrollment/index.php enables unauthenticated remote attackers to manipulate database queries and extract or modify sensitive data. Public exploit code exists for this vulnerability, and no patch is currently available. The attack requires no user interaction and can be executed over the network against affected installations.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-1700 LOW POC Monitor

House Rental And Property Listing Project versions up to 1.0 is affected by cross-site scripting (xss) (CVSS 3.5).

PHP XSS
NVD GitHub VulDB
CVSS 4.0
2.0
EPSS
0.0%
CVE-2020-36996 MEDIUM POC This Month

PHPFusion 9.03.50 contains a persistent cross-site scripting vulnerability in the print.php page that fails to properly sanitize user-submitted message content. [CVSS 6.4 MEDIUM]

PHP XSS
NVD Exploit-DB
CVSS 3.1
6.4
EPSS
0.1%
CVE-2020-36966 MEDIUM POC This Month

Dolibarr 11.0.3 contains a persistent cross-site scripting vulnerability in LDAP synchronization settings that allows attackers to inject malicious scripts through multiple parameters. [CVSS 6.4 MEDIUM]

PHP LDAP XSS
NVD Exploit-DB
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-24854 HIGH POC PATCH This Week

Authenticated SQL injection in ChurchCRM's PaddleNumEditor.php endpoint prior to version 6.7.2 allows any logged-in user to execute arbitrary database queries regardless of their assigned permissions. Public exploit code exists for this vulnerability, enabling attackers with valid credentials to read, modify, or delete sensitive church data. Update to version 6.7.2 or later to remediate.

PHP SQLi Churchcrm
NVD GitHub
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-1688 MEDIUM POC This Month

SQL injection in itsourcecode Directory Management System 1.0 allows unauthenticated remote attackers to manipulate the Username parameter in /admin/index.php and execute arbitrary SQL commands. Public exploit code exists for this vulnerability, and no patch is currently available. The attack requires no user interaction and can compromise data confidentiality, integrity, and availability.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-1595 MEDIUM POC This Month

SQL injection in itsourcecode Society Management System 1.0 allows unauthenticated remote attackers to manipulate the student_id parameter in /admin/edit_student_query.php, enabling unauthorized database queries and potential data exfiltration or modification. Public exploit code exists for this vulnerability, and no patch is currently available, increasing the risk of active exploitation.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-1594 MEDIUM POC This Month

SQL injection in itsourcecode Society Management System 1.0's expense administration interface allows unauthenticated remote attackers to manipulate the detail parameter and execute arbitrary database queries. Public exploit code exists for this vulnerability, and no patch is currently available. Affected systems expose confidentiality, integrity, and availability of underlying data.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-1593 MEDIUM POC This Month

Society Management System versions up to 1.0 contains a vulnerability that allows attackers to sql injection (CVSS 7.3).

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-1590 MEDIUM POC This Month

SQL injection in itsourcecode School Management System 1.0 via the ID parameter in /ramonsys/faculty/index.php enables unauthenticated remote attackers to read, modify, or delete database contents. Public exploit code exists for this vulnerability, and no patch is currently available.

PHP SQLi
NVD VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-1589 MEDIUM POC This Month

SQL injection in itsourcecode School Management System 1.0 via the txtsearch parameter in /ramonsys/inquiry/index.php enables unauthenticated remote attackers to execute arbitrary SQL queries with limited impact on confidentiality, integrity, and availability. Public exploit code exists for this vulnerability, and no patch is currently available.

PHP SQLi
NVD VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2020-37012 CRITICAL POC Act Now

Unauthenticated RCE in Tea LaTeX 1.0 via command injection in /api endpoint. EPSS 0.29% with PoC available.

PHP RCE
NVD GitHub Exploit-DB
CVSS 3.1
9.8
EPSS
0.3%
CVE-2020-37009 HIGH POC This Week

MedDream PACS Server 6.8.3.751 contains an authenticated remote code execution vulnerability that allows authorized users to upload malicious PHP files. [CVSS 8.8 HIGH]

PHP RCE
NVD Exploit-DB
CVSS 3.1
8.8
EPSS
0.3%
CVE-2020-37006 HIGH POC This Week

berliCRM 1.0.24 contains a SQL injection vulnerability in the 'src_record' parameter that allows remote attackers to manipulate database queries. Attackers can inject malicious SQL code through a crafted POST request to the index.php endpoint to potentially extract or modify database information. [CVSS 8.2 HIGH]

PHP SQLi
NVD Exploit-DB
CVSS 3.1
8.2
EPSS
0.1%
CVE-2020-37005 HIGH POC This Week

TimeClock Software 1.01 contains an authenticated time-based SQL injection vulnerability that allows attackers to enumerate valid usernames by manipulating the 'notes' parameter. [CVSS 7.1 HIGH]

PHP SQLi
NVD Exploit-DB
CVSS 3.1
7.1
EPSS
0.0%
CVE-2020-36999 HIGH POC This Week

Elaniin CMS 1.0 contains an authentication bypass vulnerability that allows attackers to access the dashboard by manipulating the login page with SQL injection. [CVSS 8.2 HIGH]

PHP SQLi Authentication Bypass
NVD GitHub Exploit-DB
CVSS 3.1
8.2
EPSS
0.1%
CVE-2026-1469 MEDIUM This Month

Stored XSS in RLE NOVA PlanManager allows authenticated users to inject malicious scripts via the comment and brand parameters, which are executed in other users' browsers without sanitization. An attacker can leverage this to hijack sessions, steal credentials, or perform unauthorized actions on behalf of victims. Exploitation requires user interaction and network access, with no patch currently available.

PHP XSS Planmanager
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2025-14975 HIGH This Week

Custom Login Page Customizer WordPre versions up to 2.5.4 is affected by improper privilege management (CVSS 8.1).

WordPress PHP
NVD WPScan
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-1552 LOW POC Monitor

SQL injection in SEMCMS 5.0 via the searchml parameter in /SEMCMS_Info.php allows authenticated attackers to execute arbitrary SQL queries remotely. Public exploit code exists for this vulnerability, and no patch is currently available from the vendor despite early disclosure notification.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-1551 LOW POC Monitor

School Management System versions up to 1.0 contains a vulnerability that allows attackers to sql injection (CVSS 6.3).

PHP SQLi
NVD VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-1545 MEDIUM POC This Month

School Management System versions up to 1.0 contains a vulnerability that allows attackers to sql injection (CVSS 7.3).

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-24739 PHP MEDIUM POC PATCH This Month

Symfony versions up to 5.4.51 contains a vulnerability that allows attackers to operations being performed on an unintended path, up to and including deletion o (CVSS 6.3).

Windows PHP Symfony
NVD GitHub
CVSS 3.1
6.3
EPSS
0.0%
CVE-2026-1535 MEDIUM POC This Month

SQL injection in Online Music Site 1.0's AdminReply.php allows unauthenticated remote attackers to manipulate the ID parameter and execute arbitrary SQL queries, potentially compromising database confidentiality and integrity. Public exploit code exists for this vulnerability, and no patch is currently available, leaving affected installations at immediate risk.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-1534 MEDIUM POC This Month

SQL injection in Online Music Site 1.0's AdminEditUser.php allows unauthenticated remote attackers to manipulate the ID parameter and execute arbitrary database queries. Public exploit code exists for this vulnerability, enabling potential data theft, modification, or service disruption. No patch is currently available, leaving affected installations vulnerable.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-1533 LOW POC Monitor

SQL injection in Online Music Site 1.0's AdminAddCategory.php allows remote attackers with high privileges to execute arbitrary SQL queries and potentially access or modify sensitive data. Public exploit code exists for this vulnerability, increasing the risk of active exploitation. No patch is currently available.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
2.0
EPSS
0.0%
CVE-2020-36973 MEDIUM POC This Month

PDW File Browser 1.3 contains a remote code execution vulnerability that allows authenticated users to upload and rename webshell files to arbitrary web server locations. [CVSS 6.5 MEDIUM]

PHP RCE Path Traversal
NVD GitHub Exploit-DB
CVSS 3.1
6.5
EPSS
0.1%
CVE-2020-36970 HIGH POC This Week

PMB 5.6 contains a local file disclosure vulnerability in getgif.php that allows attackers to read arbitrary system files by manipulating the 'chemin' parameter. [CVSS 8.4 HIGH]

PHP
NVD Exploit-DB
CVSS 3.1
8.4
EPSS
0.0%
CVE-2026-22243 PHP HIGH POC PATCH This Week

SQL injection in EGroupware's Nextmatch filter allows authenticated attackers to execute arbitrary database commands by exploiting PHP type juggling that bypasses integer validation checks. Public exploit code exists for this vulnerability affecting EGroupware versions prior to 23.1.20260113 and 26.0.20260113, and no patch is currently available. Attackers with valid credentials can manipulate WHERE clauses to extract sensitive data, modify records, or compromise database integrity.

PHP SQLi Egroupware
NVD GitHub
CVSS 3.1
8.8
EPSS
0.0%
CVE-2025-14795 MEDIUM This Month

Stop Spammers Classic (WordPress plugin) is affected by cross-site request forgery (csrf) (CVSS 4.3).

WordPress CSRF PHP
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-1056 CRITICAL Act Now

Snow Monkey Forms WordPress plugin has an arbitrary file deletion vulnerability through insufficient path validation, enabling attackers to delete critical WordPress files.

WordPress PHP RCE
NVD
CVSS 3.1
9.8
EPSS
0.2%
CVE-2025-14865 MEDIUM This Month

The Passster - Password Protect Pages and Content plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'content_protector' shortcode in all versions up to, and including, 4.2.24. [CVSS 6.4 MEDIUM]

WordPress XSS PHP
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2025-15511 MEDIUM This Month

The Rupantorpay plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the handle_webhook() function in all versions up to, and including, 2.0.0. [CVSS 5.3 MEDIUM]

WordPress PHP
NVD
CVSS 3.1
5.3
EPSS
0.1%
CVE-2025-14616 MEDIUM This Month

The Recooty - Job Widget (Old Dashboard) plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.6. This is due to missing nonce validation on the recooty_save_maybe() function. [CVSS 4.3 MEDIUM]

WordPress CSRF PHP
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-14386 HIGH This Week

The Search Atlas SEO - Premier SEO Plugin for One-Click WP Publishing & Integrated AI Optimization plugin for WordPress is vulnerable to authentication bypass due to a missing capability check on the 'generate_sso_url' and 'validate_sso_token' functions in versions 2.4.4 to 2.5.12. [CVSS 8.8 HIGH]

WordPress Authentication Bypass PHP
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-1400 HIGH This Week

Arbitrary file upload in AI Engine WordPress plugin versions up to 3.3.2 allows authenticated Editor-level users to bypass file type validation and execute remote code by uploading files through the `update_media_metadata` REST endpoint. An attacker can upload a benign image file and then rename it to PHP, placing executable code in the web-accessible uploads directory. The vulnerability affects WordPress installations with the plugin installed and requires Editor or higher privileges to exploit.

WordPress PHP RCE AI / ML
NVD
CVSS 3.1
7.2
EPSS
0.1%
CVE-2025-9082 MEDIUM This Month

The WPBITS Addons For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple widget parameters in versions up to, and including, 1.8 due to insufficient input sanitization and output escaping when dynamic content is enabled. [CVSS 6.4 MEDIUM]

WordPress XSS PHP
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2025-14039 MEDIUM This Month

The Simple Folio plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the '_simple_folio_item_client_name' and '_simple_folio_item_link' meta fields in all versions up to, and including, 1.1.1 due to insufficient input sanitization and output escaping. [CVSS 6.4 MEDIUM]

WordPress XSS PHP
NVD
CVSS 3.1
6.4
EPSS
0.0%
EPSS 0% CVSS 7.5
HIGH This Week

ThemeMove Unicamp through version 2.7.1 contains a local file inclusion vulnerability in PHP that allows authenticated attackers to read arbitrary files on the server through improper filename validation in include/require statements. An attacker with valid credentials can leverage this flaw to access sensitive files and potentially execute arbitrary code. No patch is currently available for this vulnerability.

PHP LFI
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

Unlimited Elements for Elementor (WordPress plugin) versions up to 2.0.1. is affected by cross-site scripting (xss) (CVSS 5.4).

WordPress XSS PHP
NVD
EPSS 0%
Monitor

Vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/Api/ApiFormatXml.Php.

PHP Information Disclosure
NVD
EPSS 0%
Monitor

Vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/Api/ApiQueryRevisionsBase.Php.

PHP Information Disclosure
NVD
EPSS 0%
Monitor

Vulnerability in Wikimedia Foundation MediaWiki, Wikimedia Foundation Cite. This vulnerability is associated with program files includes/Parser/CoreParserFunctions.Php, includes/Parser/Sanitizer.Php.

Mediawiki PHP
NVD
EPSS 0%
Monitor

Vulnerability in Wikimedia Foundation CheckUser. This vulnerability is associated with program files includes/Mail/UserMailer.Php.

PHP Information Disclosure
NVD
EPSS 0% CVSS 1.3
LOW Monitor

Vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/Import/ImportableOldRevisionImporter.Php.

PHP Information Disclosure
NVD
EPSS 0%
This Week

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/CommentFormatter/CommentParser.Php.

PHP XSS
NVD
EPSS 0% CVSS 1.3
LOW Monitor

Vulnerability in Wikimedia Foundation CheckUser. This vulnerability is associated with program files src/GlobalContributions/GlobalContributionsPager.Php.

PHP Path Traversal
NVD
EPSS 0%
This Week

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation VisualEditor.

PHP XSS
NVD
EPSS 0%
Monitor

Vulnerability in Wikimedia Foundation Thanks. This vulnerability is associated with program files includes/ThanksQueryHelper.Php.

PHP
NVD
EPSS 0%
Monitor

Vulnerability in Wikimedia Foundation TextExtracts. This vulnerability is associated with program files includes/ApiQueryExtracts.Php.

PHP
NVD
EPSS 0%
This Week

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation CheckUser. This vulnerability is associated with program files src/Services/CheckUserUserInfoCardService.Php.

PHP XSS
NVD
EPSS 0%
Monitor

Vulnerability in Wikimedia Foundation CheckUser. This vulnerability is associated with program files src/Services/CheckUserUserInfoCardService.Php.

PHP
NVD
EPSS 0% CVSS 1.2
LOW Monitor

Vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/RecentChanges/EnhancedChangesList.Php.

PHP Path Traversal
NVD VulDB
EPSS 0% CVSS 6.1
MEDIUM This Month

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/pager/CodexTablePager.Php. [CVSS 6.1 MEDIUM]

Mediawiki PHP XSS +1
NVD
EPSS 0%
Monitor

Vulnerability in Wikimedia Foundation OATHAuth. This vulnerability is associated with program files src/Special/OATHManage.Php.

PHP
NVD
EPSS 0% CVSS 0.4
LOW Monitor

Vulnerability in Wikimedia Foundation CheckUser. This vulnerability is associated with program files src/Api/Rest/Handler/UserInfoHandler.Php.

PHP Path Traversal
NVD
EPSS 0% CVSS 2.7
LOW Monitor

Vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/recentchanges/RecentChangeRCFeedNotifier.Php.

PHP Information Disclosure
NVD VulDB
EPSS 0%
This Week

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/htmlform/CodexHTMLForm.Php, includes/htmlform/fields/HTMLButtonField.Php.

PHP XSS
NVD VulDB
EPSS 0% CVSS 1.7
LOW Monitor

Vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/api/ApiQueryAllPages.Php.

PHP Path Traversal
NVD VulDB
EPSS 0%
This Week

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/logging/ManualLogEntry.Php, includes/recentchanges/RecentChangeFactory.Php, includes/recentchanges/RecentChangeStore.Php.

Mediawiki PHP
NVD VulDB
EPSS 0%
This Week

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki, Wikimedia Foundation Parsoid. This vulnerability is associated with program files includes/parser/Sanitizer.Php, src/Core/Sanitizer.Php.

Mediawiki PHP XSS
NVD VulDB
EPSS 0%
This Week

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/htmlform/fields/HTMLButtonField.Php.

Mediawiki PHP XSS
NVD VulDB
EPSS 0%
Monitor

Vulnerability in Wikimedia Foundation ConfirmEdit. This vulnerability is associated with program files includes/FancyCaptcha/ApiFancyCaptchaReload.Php.

PHP
NVD
EPSS 0% CVSS 3.1
LOW Monitor

Vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/Rest/Handler/PageHTMLHandler.Php.

PHP Path Traversal
NVD VulDB
EPSS 0% CVSS 5.3
MEDIUM This Month

Talishar is a fan-made Flesh and Blood project. A Stored XSS exists in the chat in-game system. [CVSS 5.3 MEDIUM]

PHP XSS
NVD GitHub
EPSS 0%
Monitor

Vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/specials/pagers/BlockListPager.Php, includes/api/ApiQueryBlocks.Php.

Mediawiki PHP
NVD
EPSS 0%
Monitor

Vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/auth/AuthManager.Php.

Mediawiki PHP
NVD
EPSS 0%
This Week

Vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/user/User.Php.

Mediawiki PHP
NVD
EPSS 0%
Monitor

from fe0b1cb9e9691faf4d8d9bd80646589f6ec37615 versions up to 1.43.2 is affected by improper access control.

PHP
NVD
EPSS 0%
This Week

Vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/api/ApiFeedContributions.Php.

Mediawiki PHP
NVD
EPSS 0%
This Week

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/htmlform/fields/HTMLUserTextField.Php.

Mediawiki PHP
NVD
EPSS 0%
Monitor

Vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/specials/pagers/BlockListPager.Php.

Mediawiki PHP
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Talemy Spirit Framework allows PHP Local File Inclusion.This issue affects Spirit Framework: from n/a through 1.2.13. [CVSS 7.5 HIGH]

PHP LFI
NVD
EPSS 0% CVSS 7.1
HIGH This Week

The Library Viewer WordPress plugin before 3.2.0 does not sanitise and escape some parameters before outputting them back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin. [CVSS 7.1 HIGH]

WordPress XSS PHP
NVD WPScan
EPSS 0% CVSS 9.8
CRITICAL Act Now

Improper password reset process in User Profile Builder WordPress plugin before 3.15.2 allows unauthenticated attackers to reset any user's password with minimal requests.

WordPress PHP
NVD WPScan
EPSS 0% CVSS 5.3
MEDIUM POC This Month

Missing authorization in CRMEB crontab endpoints (versions up to 5.6.3) allows unauthenticated remote attackers to manipulate unspecified functionality through the CrontabController.php file. Public exploit code exists for this vulnerability, and no patch is currently available from the vendor despite early disclosure notification.

PHP Crmeb
NVD GitHub VulDB
EPSS 0% CVSS 6.4
MEDIUM This Month

Knap Advanced PHP Login 3.1.3 contains a persistent cross-site scripting vulnerability that allows remote attackers to inject malicious script code in the name parameter. [CVSS 6.4 MEDIUM]

PHP XSS
NVD
EPSS 0% CVSS 6.4
MEDIUM POC This Month

Simple CMS 2.1 contains a non-persistent cross-site scripting vulnerability in the preview.php file's id parameter. Attackers can inject malicious script code through a GET request to execute arbitrary scripts and potentially hijack user sessions or perform phishing attacks. [CVSS 6.4 MEDIUM]

PHP XSS Simple Cms Php
NVD
EPSS 0% CVSS 8.1
HIGH POC This Week

Simple CMS 2.1 contains a remote SQL injection vulnerability that allows privileged attackers to inject unfiltered SQL commands in the users module. Attackers can exploit unvalidated input parameters in the admin.php file to compromise the database management system and web application. [CVSS 8.1 HIGH]

PHP SQLi Simple Cms Php
NVD
EPSS 0% CVSS 6.4
MEDIUM POC This Month

PHP Melody version 3.0 contains a persistent cross-site scripting vulnerability in the edit-video.php submitted parameter that allows remote attackers to inject malicious script code. [CVSS 6.4 MEDIUM]

PHP XSS Php Melody
NVD
EPSS 0% CVSS 7.2
HIGH This Week

Sell BTC - Cryptocurrency Selling Calculator (WordPress plugin) is affected by cross-site scripting (xss) (CVSS 7.2).

WordPress XSS PHP
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

The Ajax Load More - Infinite Scroll, Load More, & Lazy Load plugin for WordPress is vulnerable to unauthorized access of data due to incorrect authorization on the parse_custom_args() function in all versions up to, and including, 7.8.1. [CVSS 5.3 MEDIUM]

WordPress PHP
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

The NEX-Forms - Ultimate Forms Plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the NF5_Export_Forms class constructor in all versions up to, and including, 9.1.8. [CVSS 5.3 MEDIUM]

WordPress PHP
NVD
EPSS 0% CVSS 8.2
HIGH POC This Week

Online-Exam-System 2015 contains a time-based blind SQL injection vulnerability in the feedback form that allows attackers to extract database password hashes. [CVSS 8.2 HIGH]

PHP SQLi Online Exam System
NVD GitHub Exploit-DB
EPSS 0% CVSS 5.3
MEDIUM POC This Month

Sistem Informasi Pengumuman Kelulusan Online 1.0 contains a cross-site request forgery vulnerability that allows attackers to add unauthorized admin users through the tambahuser.php endpoint. [CVSS 5.3 MEDIUM]

PHP CSRF
NVD Exploit-DB
EPSS 0% CVSS 8.2
HIGH POC This Week

e-Learning PHP Script 0.1.0 contains a SQL injection vulnerability in the search functionality that allows attackers to manipulate database queries through unvalidated user input. [CVSS 8.2 HIGH]

PHP SQLi
NVD GitHub Exploit-DB
EPSS 0% CVSS 8.8
HIGH POC This Week

Koken CMS 0.22.24 contains a file upload vulnerability that allows authenticated attackers to bypass file extension restrictions by renaming malicious PHP files. [CVSS 8.8 HIGH]

PHP
NVD GitHub Exploit-DB
EPSS 0% CVSS 6.7
MEDIUM POC PATCH This Month

PsySH versions prior to 0.11.23 and 0.12.19 automatically execute a `.psysh.php` file from the current working directory during startup, allowing local attackers with write access to a directory to achieve arbitrary code execution when a user launches PsySH from that location. When a privileged user such as root or a CI runner executes PsySH in an attacker-controlled directory, this results in local privilege escalation. Public exploit code exists for this vulnerability and no patch is currently available.

PHP Laravel Privilege Escalation +1
NVD GitHub
EPSS 0% CVSS 9.2
CRITICAL PATCH Act Now

Command injection in Ruby on Rails Active Storage allows attackers to abuse a permissive default allow-list of image transformation methods, escaping the framework's safe-transformation guardrails when an application forwards untrusted input as the transformation method or its parameters. Three methods on the default allow-list can be used to circumvent the safe defaults and reach the underlying ImageMagick processor, enabling OS command injection (CVSS 4.0 9.2). No public exploit has been identified at time of analysis, and EPSS is low at 0.22% (44th percentile), but a vendor patch is available and the issue is RCE-class.

PHP Command Injection
NVD GitHub VulDB
EPSS 0% CVSS 9.8
CRITICAL Act Now

Unauthenticated command injection in DokuWiki runcommand plugin via lib/plugins/runcommand. Allows arbitrary system command execution.

PHP Runcommand
NVD GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

Improper authorization in SourceCodester Pet Grooming Management Software 1.0 allows authenticated users to manipulate the group_id parameter in the user management component, potentially gaining unauthorized access to restricted functionality. An attacker with valid credentials can exploit this remotely, and public exploit code is already available. The vulnerability currently lacks a patch from the vendor.

PHP Information Disclosure
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in itsourcecode School Management System 1.0 via the ID parameter in /enrollment/index.php enables unauthenticated remote attackers to manipulate database queries and extract or modify sensitive data. Public exploit code exists for this vulnerability, and no patch is currently available. The attack requires no user interaction and can be executed over the network against affected installations.

PHP SQLi
NVD GitHub VulDB
EPSS 0% CVSS 2.0
LOW POC Monitor

House Rental And Property Listing Project versions up to 1.0 is affected by cross-site scripting (xss) (CVSS 3.5).

PHP XSS
NVD GitHub VulDB
EPSS 0% CVSS 6.4
MEDIUM POC This Month

PHPFusion 9.03.50 contains a persistent cross-site scripting vulnerability in the print.php page that fails to properly sanitize user-submitted message content. [CVSS 6.4 MEDIUM]

PHP XSS
NVD Exploit-DB
EPSS 0% CVSS 6.4
MEDIUM POC This Month

Dolibarr 11.0.3 contains a persistent cross-site scripting vulnerability in LDAP synchronization settings that allows attackers to inject malicious scripts through multiple parameters. [CVSS 6.4 MEDIUM]

PHP LDAP XSS
NVD Exploit-DB
EPSS 0% CVSS 8.8
HIGH POC PATCH This Week

Authenticated SQL injection in ChurchCRM's PaddleNumEditor.php endpoint prior to version 6.7.2 allows any logged-in user to execute arbitrary database queries regardless of their assigned permissions. Public exploit code exists for this vulnerability, enabling attackers with valid credentials to read, modify, or delete sensitive church data. Update to version 6.7.2 or later to remediate.

PHP SQLi Churchcrm
NVD GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in itsourcecode Directory Management System 1.0 allows unauthenticated remote attackers to manipulate the Username parameter in /admin/index.php and execute arbitrary SQL commands. Public exploit code exists for this vulnerability, and no patch is currently available. The attack requires no user interaction and can compromise data confidentiality, integrity, and availability.

PHP SQLi
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in itsourcecode Society Management System 1.0 allows unauthenticated remote attackers to manipulate the student_id parameter in /admin/edit_student_query.php, enabling unauthorized database queries and potential data exfiltration or modification. Public exploit code exists for this vulnerability, and no patch is currently available, increasing the risk of active exploitation.

PHP SQLi
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in itsourcecode Society Management System 1.0's expense administration interface allows unauthenticated remote attackers to manipulate the detail parameter and execute arbitrary database queries. Public exploit code exists for this vulnerability, and no patch is currently available. Affected systems expose confidentiality, integrity, and availability of underlying data.

PHP SQLi
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM POC This Month

Society Management System versions up to 1.0 contains a vulnerability that allows attackers to sql injection (CVSS 7.3).

PHP SQLi
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in itsourcecode School Management System 1.0 via the ID parameter in /ramonsys/faculty/index.php enables unauthenticated remote attackers to read, modify, or delete database contents. Public exploit code exists for this vulnerability, and no patch is currently available.

PHP SQLi
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in itsourcecode School Management System 1.0 via the txtsearch parameter in /ramonsys/inquiry/index.php enables unauthenticated remote attackers to execute arbitrary SQL queries with limited impact on confidentiality, integrity, and availability. Public exploit code exists for this vulnerability, and no patch is currently available.

PHP SQLi
NVD VulDB
EPSS 0% CVSS 9.8
CRITICAL POC Act Now

Unauthenticated RCE in Tea LaTeX 1.0 via command injection in /api endpoint. EPSS 0.29% with PoC available.

PHP RCE
NVD GitHub Exploit-DB
EPSS 0% CVSS 8.8
HIGH POC This Week

MedDream PACS Server 6.8.3.751 contains an authenticated remote code execution vulnerability that allows authorized users to upload malicious PHP files. [CVSS 8.8 HIGH]

PHP RCE
NVD Exploit-DB
EPSS 0% CVSS 8.2
HIGH POC This Week

berliCRM 1.0.24 contains a SQL injection vulnerability in the 'src_record' parameter that allows remote attackers to manipulate database queries. Attackers can inject malicious SQL code through a crafted POST request to the index.php endpoint to potentially extract or modify database information. [CVSS 8.2 HIGH]

PHP SQLi
NVD Exploit-DB
EPSS 0% CVSS 7.1
HIGH POC This Week

TimeClock Software 1.01 contains an authenticated time-based SQL injection vulnerability that allows attackers to enumerate valid usernames by manipulating the 'notes' parameter. [CVSS 7.1 HIGH]

PHP SQLi
NVD Exploit-DB
EPSS 0% CVSS 8.2
HIGH POC This Week

Elaniin CMS 1.0 contains an authentication bypass vulnerability that allows attackers to access the dashboard by manipulating the login page with SQL injection. [CVSS 8.2 HIGH]

PHP SQLi Authentication Bypass
NVD GitHub Exploit-DB
EPSS 0% CVSS 5.4
MEDIUM This Month

Stored XSS in RLE NOVA PlanManager allows authenticated users to inject malicious scripts via the comment and brand parameters, which are executed in other users' browsers without sanitization. An attacker can leverage this to hijack sessions, steal credentials, or perform unauthorized actions on behalf of victims. Exploitation requires user interaction and network access, with no patch currently available.

PHP XSS Planmanager
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Custom Login Page Customizer WordPre versions up to 2.5.4 is affected by improper privilege management (CVSS 8.1).

WordPress PHP
NVD WPScan
EPSS 0% CVSS 2.1
LOW POC Monitor

SQL injection in SEMCMS 5.0 via the searchml parameter in /SEMCMS_Info.php allows authenticated attackers to execute arbitrary SQL queries remotely. Public exploit code exists for this vulnerability, and no patch is currently available from the vendor despite early disclosure notification.

PHP SQLi
NVD GitHub VulDB
EPSS 0% CVSS 2.1
LOW POC Monitor

School Management System versions up to 1.0 contains a vulnerability that allows attackers to sql injection (CVSS 6.3).

PHP SQLi
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM POC This Month

School Management System versions up to 1.0 contains a vulnerability that allows attackers to sql injection (CVSS 7.3).

PHP SQLi
NVD GitHub VulDB
EPSS 0% CVSS 6.3
MEDIUM POC PATCH This Month

Symfony versions up to 5.4.51 contains a vulnerability that allows attackers to operations being performed on an unintended path, up to and including deletion o (CVSS 6.3).

Windows PHP Symfony
NVD GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in Online Music Site 1.0's AdminReply.php allows unauthenticated remote attackers to manipulate the ID parameter and execute arbitrary SQL queries, potentially compromising database confidentiality and integrity. Public exploit code exists for this vulnerability, and no patch is currently available, leaving affected installations at immediate risk.

PHP SQLi
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in Online Music Site 1.0's AdminEditUser.php allows unauthenticated remote attackers to manipulate the ID parameter and execute arbitrary database queries. Public exploit code exists for this vulnerability, enabling potential data theft, modification, or service disruption. No patch is currently available, leaving affected installations vulnerable.

PHP SQLi
NVD GitHub VulDB
EPSS 0% CVSS 2.0
LOW POC Monitor

SQL injection in Online Music Site 1.0's AdminAddCategory.php allows remote attackers with high privileges to execute arbitrary SQL queries and potentially access or modify sensitive data. Public exploit code exists for this vulnerability, increasing the risk of active exploitation. No patch is currently available.

PHP SQLi
NVD GitHub VulDB
EPSS 0% CVSS 6.5
MEDIUM POC This Month

PDW File Browser 1.3 contains a remote code execution vulnerability that allows authenticated users to upload and rename webshell files to arbitrary web server locations. [CVSS 6.5 MEDIUM]

PHP RCE Path Traversal
NVD GitHub Exploit-DB
EPSS 0% CVSS 8.4
HIGH POC This Week

PMB 5.6 contains a local file disclosure vulnerability in getgif.php that allows attackers to read arbitrary system files by manipulating the 'chemin' parameter. [CVSS 8.4 HIGH]

PHP
NVD Exploit-DB
EPSS 0% CVSS 8.8
HIGH POC PATCH This Week

SQL injection in EGroupware's Nextmatch filter allows authenticated attackers to execute arbitrary database commands by exploiting PHP type juggling that bypasses integer validation checks. Public exploit code exists for this vulnerability affecting EGroupware versions prior to 23.1.20260113 and 26.0.20260113, and no patch is currently available. Attackers with valid credentials can manipulate WHERE clauses to extract sensitive data, modify records, or compromise database integrity.

PHP SQLi Egroupware
NVD GitHub
EPSS 0% CVSS 4.3
MEDIUM This Month

Stop Spammers Classic (WordPress plugin) is affected by cross-site request forgery (csrf) (CVSS 4.3).

WordPress CSRF PHP
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

Snow Monkey Forms WordPress plugin has an arbitrary file deletion vulnerability through insufficient path validation, enabling attackers to delete critical WordPress files.

WordPress PHP RCE
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

The Passster - Password Protect Pages and Content plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'content_protector' shortcode in all versions up to, and including, 4.2.24. [CVSS 6.4 MEDIUM]

WordPress XSS PHP
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

The Rupantorpay plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the handle_webhook() function in all versions up to, and including, 2.0.0. [CVSS 5.3 MEDIUM]

WordPress PHP
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

The Recooty - Job Widget (Old Dashboard) plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.6. This is due to missing nonce validation on the recooty_save_maybe() function. [CVSS 4.3 MEDIUM]

WordPress CSRF PHP
NVD
EPSS 0% CVSS 8.8
HIGH This Week

The Search Atlas SEO - Premier SEO Plugin for One-Click WP Publishing & Integrated AI Optimization plugin for WordPress is vulnerable to authentication bypass due to a missing capability check on the 'generate_sso_url' and 'validate_sso_token' functions in versions 2.4.4 to 2.5.12. [CVSS 8.8 HIGH]

WordPress Authentication Bypass PHP
NVD
EPSS 0% CVSS 7.2
HIGH This Week

Arbitrary file upload in AI Engine WordPress plugin versions up to 3.3.2 allows authenticated Editor-level users to bypass file type validation and execute remote code by uploading files through the `update_media_metadata` REST endpoint. An attacker can upload a benign image file and then rename it to PHP, placing executable code in the web-accessible uploads directory. The vulnerability affects WordPress installations with the plugin installed and requires Editor or higher privileges to exploit.

WordPress PHP RCE +1
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

The WPBITS Addons For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple widget parameters in versions up to, and including, 1.8 due to insufficient input sanitization and output escaping when dynamic content is enabled. [CVSS 6.4 MEDIUM]

WordPress XSS PHP
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

The Simple Folio plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the '_simple_folio_item_client_name' and '_simple_folio_item_link' meta fields in all versions up to, and including, 1.1.1 due to insufficient input sanitization and output escaping. [CVSS 6.4 MEDIUM]

WordPress XSS PHP
NVD
Prev Page 39 of 275 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy