Skip to main content

PHP

24709 CVEs product

Monthly

CVE-2026-14619 LOW POC Monitor

SQL injection in itsourcecode Hospital Management System 1.0 allows low-privileged authenticated remote attackers to manipulate database queries via the `editid` parameter in `/medicine.php`. The attack achieves partial confidentiality, integrity, and availability impact against the underlying database. A public proof-of-concept exploit has been published (tracked via GitHub issue), lowering the barrier for exploitation; however, no active exploitation has been confirmed by CISA KEV at time of analysis.

SQLi PHP Hospital Management System
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.2%
CVE-2026-14355 MEDIUM PATCH This Month

Heap-based buffer overflow in PHP's OpenSSL extension affects all maintained PHP branches (8.2.x, 8.3.x, 8.4.x, 8.5.x) when the AES key-wrap-with-padding (AES-WRAP-PAD) algorithm per RFC 5649 is invoked. The output buffer is allocated based only on plaintext length, omitting the mandatory RFC 5649 padding expansion, causing OpenSSL to write beyond the allocated heap region, corrupt heap metadata, and abort the process. No public exploit has been identified at time of analysis; vendor-released patches are available for all affected branches.

Heap Overflow OpenSSL Buffer Overflow PHP Suse
NVD GitHub VulDB
CVSS 3.1
5.3
EPSS
0.3%
CVE-2026-14608 LOW Monitor

Authorization bypass in SourceCodester CET Automated Grading System with AI Predictive Analytics 1.0 allows authenticated remote attackers to view student records they are not authorized to access. By manipulating the ID parameter in POST requests to /index.php?action=view_student, a low-privileged user can enumerate or access other students' data. A public proof-of-concept exploit exists per the CVSS 4.0 E:P supplemental metric; no active exploitation confirmed in CISA KEV.

Authentication Bypass PHP
NVD VulDB
CVSS 4.0
2.1
EPSS
0.2%
CVE-2026-59234 MEDIUM PATCH This Month

{id} path parameter in GET /calendar/event/delete/{id}. The delete handler calls Calendar::find($id)->delete() with no user_id or company_id scoping, meaning possession of a valid session is the only gate to destroying arbitrary records. No public exploit has been identified at time of analysis; a confirmed fix is available in the v5.5.3 release.

Authentication Bypass PHP
NVD GitHub
CVSS 4.0
6.9
EPSS
0.4%
CVE-2026-5137 MEDIUM This Month

Local File Inclusion in the RTMKit (rometheme-for-elementor) plugin for WordPress versions up to and including 2.0.7 allows authenticated attackers with Contributor-level access to include and execute arbitrary PHP code on the server. The render_templates AJAX endpoint passes the unsanitized 'template' parameter directly into a PHP require/include statement, restricted only to files ending in _templates.php. Wordfence reported this vulnerability; no public exploit code or CISA KEV listing is present at time of analysis.

WordPress LFI Information Disclosure PHP Rtmkit
NVD
CVSS 3.1
4.3
EPSS
0.3%
CVE-2026-9180 MEDIUM This Month

Unauthenticated booking data tampering in MotoPress Appointment Booking for WordPress (all versions ≤ 2.4.4) allows remote attackers to overwrite the customer name, email, phone number, and customer_id of any victim booking that has not yet been confirmed. The REST endpoint POST /motopress/appointment/v1/bookings is registered with permission_callback set to '__return_true', bypassing all WordPress capability checks, and the createBooking handler blindly trusts an attacker-supplied payment_details.booking_id to load and persist an existing booking without any ownership verification (CWE-639). No public exploit code or CISA KEV listing is confirmed at time of analysis, but the attack is trivially executable by any unauthenticated network attacker given the also-public booking enumeration endpoint.

Authentication Bypass WordPress PHP Motopress Appointment Booking
NVD VulDB
CVSS 3.1
5.3
EPSS
0.3%
CVE-2026-58467 HIGH POC PATCH This Week

Arbitrary file disclosure and PHP local file inclusion in Cockpit CMS before release 364 lets unauthenticated remote attackers read files outside the web root and, on certain server setups, cause the application to include() attacker-chosen .php files. The flaw stems from unvalidated PATH_INFO (derived from REQUEST_URI) being used to build filesystem paths without containment checks. Publicly available exploit code exists; it is not listed in CISA KEV and no EPSS score was provided.

Path Traversal Nginx PHP Cockpit
NVD GitHub
CVSS 4.0
8.2
EPSS
0.4%
CVE-2026-7311 HIGH This Week

Arbitrary file deletion in the TinyPNG (JPEG, PNG & WebP image compression) plugin for WordPress affects all versions through 3.6.13, allowing authenticated attackers with author-level access or higher to delete any file the web server can reach. Because deleting sensitive files such as wp-config.php pushes the site into a fresh-install state, this file-deletion primitive can be escalated to full remote code execution. There is no public exploit identified at time of analysis and the flaw is not listed in CISA KEV, but it was disclosed by Wordfence with a clear exploitation path and carries a CVSS 8.1 (High).

WordPress Path Traversal RCE PHP Tinypng Jpeg Png Webp Image Compression
NVD
CVSS 3.1
8.1
EPSS
0.7%
CVE-2026-50281 PHP HIGH PATCH GHSA This Week

Cross-tenant entry takeover in Craft CMS 5.7.0 through 5.9.20 lets a low-privileged author overwrite another user's existing entry by smuggling a numeric id through the newAttributes parameter of the bulk-duplicate element action. Because the duplication routine re-applies attacker-controlled attributes after nulling the primary key, a UPDATE is executed against the victim's row instead of an INSERT, letting the attacker rewrite the victim's title, slug, authorId, postDate, and UID. No public exploit identified at time of analysis and it is not in CISA KEV; the flaw is fixed in version 5.9.21.

Information Disclosure PHP Cms
NVD GitHub VulDB
CVSS 4.0
7.1
EPSS
0.3%
CVE-2026-58455 CRITICAL Act Now

Unauthenticated OS command injection in Notifiarr Dockwatch through version 0.6.567 lets remote attackers run arbitrary shell commands on the host and achieve full compromise, since default deployments mount the Docker socket. The root cause is an Execution-After-Redirect flaw (CWE-698) where loader.php redirects unauthenticated users but fails to call exit(), allowing the attacker to seed the required session flag and then reach shell_exec() in ajax/compose.php with attacker-controlled input. The CVSS 4.0 base score is 9.2 (VC/VI/VA all High); there is no public exploit identified at time of analysis and it is not listed in CISA KEV, though a vendor advisory and upstream fix exist.

Command Injection PHP Docker Dockwatch
NVD GitHub
CVSS 4.0
9.2
EPSS
1.2%
CVE-2026-5524 CRITICAL Act Now

Arbitrary file upload leading to remote code execution in the Divi Form Builder WordPress plugin (versions through 5.1.8) lets unauthenticated attackers upload executable PHP files and run arbitrary code on the server. Attacker-controlled input from the acceptFileTypes POST parameter is interpolated directly into the file-validation regex in do_image_upload(), allowing alternate PHP extensions (.phtml, .phar, .php5, .php7) that evade the plugin's .php-only .htaccess block - and on Nginx the .htaccess protection does not apply at all. There is no public exploit identified at time of analysis and it is not in CISA KEV, but the CVSS 9.8 rating and Wordfence's technical disclosure make this a high-priority patching target.

WordPress Nginx PHP RCE File Upload +1
NVD
CVSS 3.1
9.8
EPSS
0.5%
CVE-2026-57749 HIGH This Week

Local File Inclusion in the SportsPress Pro WordPress plugin (versions 2.7.29 and earlier) lets an authenticated user holding at least Contributor privileges cause the application to include and disclose arbitrary local files on the server. Because the flaw is rooted in unsafe PHP file inclusion (CWE-98), a successful attacker can read sensitive files such as wp-config.php and, depending on which local files can be included, potentially escalate toward code execution. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, though the finding is documented by Patchstack.

LFI Information Disclosure PHP Sportspress Pro
NVD
CVSS 3.1
7.5
EPSS
0.3%
CVE-2026-57748 HIGH This Week

Local File Inclusion in the Shopify (Shopify Help Center) WordPress plugin through version 1.0.0 allows an authenticated user with at least Contributor privileges to include and read arbitrary local files on the server, potentially escalating to code execution via CWE-98-style file-inclusion abuse. The flaw was reported by Patchstack and carries a CVSS 7.5 rating driven by high confidentiality, integrity, and availability impact but with high attack complexity. No public exploit identified at time of analysis, and it is not listed in CISA KEV.

LFI Information Disclosure PHP Shopify
NVD
CVSS 3.1
7.5
EPSS
0.3%
CVE-2026-57677 CRITICAL Act Now

Unauthenticated PHP Object Injection in the Novalnet Payment Gateway for WooCommerce WordPress plugin (versions 12.10.3 and earlier) lets remote attackers submit crafted serialized objects that the plugin deserializes, per CVSS enabling full compromise of confidentiality, integrity, and availability. The flaw is network-reachable without authentication or user interaction and carries a critical 9.8 CVSS score. No public exploit has been identified at time of analysis, and it is not listed in CISA KEV.

WordPress Deserialization PHP Novalnet Payment Gateway For Woocommerce
NVD
CVSS 3.1
9.8
EPSS
0.3%
CVE-2026-57621 CRITICAL Act Now

Unauthenticated PHP Object Injection in the Booktics WordPress plugin (by Arraytics) affects all versions up to and including 1.0.21, letting remote attackers with no authentication inject arbitrary PHP objects into the application. If a suitable POP (property-oriented programming) gadget chain exists in the plugin, WordPress core, or another active plugin, this can escalate to remote code execution, data theft, or full site takeover. Reported by Patchstack and rated CVSS 9.8; no public exploit identified at time of analysis and it is not listed in CISA KEV.

Deserialization PHP Booktics
NVD
CVSS 3.1
9.8
EPSS
0.3%
CVE-2026-42382 HIGH This Week

Unauthenticated Local File Inclusion in the Audrey WordPress theme (elated-themes) affects all versions up to and including 1.5, letting remote attackers coerce the PHP application into including arbitrary files. Because CWE-98 covers PHP file-inclusion flaws, a successful include can leak sensitive files (wp-config.php, credentials) and, where remote or attacker-controlled content is includable, escalate to code execution. No public exploit is identified at time of analysis and the issue is not listed in CISA KEV, though the network-reachable, unauthenticated nature (CVSS 8.1) makes it a meaningful patching priority for sites running this theme.

LFI Information Disclosure PHP Audrey
NVD
CVSS 3.1
8.1
EPSS
0.3%
CVE-2026-27414 HIGH This Week

PHP Object Injection in the Werkstatt WordPress theme (fuelthemes) through version 4.8.3 lets a Contributor-level user pass attacker-controlled data into an unsafe deserialization routine, enabling instantiation of arbitrary PHP objects. With the right POP gadget chain present in WordPress core, another plugin, or the theme itself, this can escalate to file operations, SQL manipulation, or remote code execution. No public exploit identified at time of analysis, and it is not listed in CISA KEV; the 8.8 CVSS reflects the low-privilege network-exploitable path with high confidentiality, integrity, and availability impact.

Deserialization PHP Werkstatt
NVD
CVSS 3.1
8.8
EPSS
0.3%
CVE-2026-27412 HIGH This Week

Local File Inclusion in the Pearl - Corporate Business WordPress theme (StyleMixThemes) versions 3.4.10 and earlier lets unauthenticated remote attackers coerce the application into including arbitrary local files, exposing sensitive server-side content such as configuration files and credentials. Rated CVSS 8.1 by Patchstack, the flaw requires no authentication (PR:N) but carries high attack complexity (AC:H), and depending on include handling could escalate from information disclosure toward code execution. There is no public exploit identified at time of analysis, no CISA KEV listing, and no EPSS score supplied in the source data.

LFI Information Disclosure PHP Pearl Corporate Business
NVD
CVSS 3.1
8.1
EPSS
0.3%
CVE-2026-27060 HIGH This Week

Authenticated PHP object injection in the ARMember Premium WordPress membership plugin (all versions through 7.0) lets low-privileged Contributor-level users pass attacker-controlled serialized data into a PHP unserialize() sink, potentially chaining with POP gadgets to achieve high-impact compromise. With a CVSS of 8.8 and network vector, a user holding only a Contributor account can reach confidentiality, integrity, and availability impacts. No public exploit has been identified at time of analysis and it is not on CISA KEV, but the vulnerability class is well understood and reliably weaponizable where a suitable gadget chain exists.

Deserialization PHP Armember Premium
NVD
CVSS 3.1
8.8
EPSS
0.3%
CVE-2025-69133 HIGH This Week

Local File Inclusion in the GoodLayers Tourmaster WordPress plugin (versions <= 5.4.5) allows low-privileged authenticated users at the Subscriber level to include and read arbitrary local files from the server, exposing sensitive data such as configuration files and credentials. Reported through Patchstack and mapped to CWE-98, the flaw carries a CVSS 7.5 (High) score with high attack complexity; no public exploit code has been identified at time of analysis, and it is not listed in CISA KEV.

LFI Information Disclosure PHP Tourmaster
NVD
CVSS 3.1
7.5
EPSS
0.4%
CVE-2025-58902 HIGH This Week

Unauthenticated Local File Inclusion in the AncoraThemes 'Lighthouse' WordPress theme (versions 1.2.12 and earlier, classified under CWE-98) lets remote attackers with no credentials coerce the theme's PHP include/require logic into loading attacker-influenced file paths. Because CWE-98 covers PHP remote/local file inclusion, a successful attack can disclose sensitive server files (wp-config.php, credentials) and, depending on server configuration, escalate to code execution, which is why NVD scores full C/I/A impact. There is no public exploit identified at time of analysis and the flaw is not listed in CISA KEV.

LFI Information Disclosure PHP Lighthouse
NVD
CVSS 3.1
8.1
EPSS
0.3%
CVE-2026-9145 MEDIUM This Month

Arbitrary file copy in the Database for Contact Form 7, WPforms, Elementor Forms WordPress plugin (versions ≤ 1.5.1) exposes any file readable by the PHP process to unauthenticated network attackers. The `create_entry_el()` function accepts attacker-controlled POST data as a file path and passes it directly to PHP's `copy()`, which transparently accepts both local filesystem paths and remote URLs - enabling server file exfiltration or remote resource staging. Exploitation requires Elementor Pro to be installed and active alongside the vulnerable plugin; no public exploit or CISA KEV listing has been identified at time of analysis, though the unauthenticated network vector and high confidentiality impact make this a credible priority for mixed Elementor Pro deployments.

WordPress Path Traversal PHP Database For Contact Form 7 Wpforms Elementor Forms
NVD VulDB
CVSS 3.1
6.5
EPSS
0.4%
CVE-2026-9834 HIGH This Week

Authenticated OS command injection in the WP Database Backup plugin for WordPress (all versions up to and including 7.11) lets administrator-level users execute arbitrary operating system commands on the underlying server, escalating a WordPress admin foothold into full host RCE. The flaw stems from the wp_db_exclude_table POST parameter being concatenated unescaped into the mysqldump shell command; the injection is stored, so payloads persist in the options table and fire whenever a backup runs. Reported by Wordfence with no public exploit identified at time of analysis and no CISA KEV listing.

Command Injection WordPress RCE PHP Wp Database Backup Unlimited Database Files Backup By Backup For Wp
NVD
CVSS 3.1
7.2
EPSS
2.7%
CVE-2026-14249 HIGH This Week

Unauthenticated code injection in the Request a Quote plugin for WordPress (versions up to and including 2.5.5) lets remote attackers invoke arbitrary zero-argument PHP functions on the server through the emd_delete_file AJAX action. Because the handler is registered for wp_ajax_nopriv and derives a callable function name from the attacker-controlled $_POST['path'] parameter, an attacker can trigger functions such as phpinfo() to expose server configuration and credentials, or destructive built-in functions. No public exploit identified at time of analysis, but the nonce that is the sole gatekeeper is printed directly into the public quote-form page, effectively neutralizing it.

WordPress RCE PHP
NVD VulDB
CVSS 3.1
7.5
EPSS
0.3%
CVE-2026-54720 MEDIUM PATCH This Month

Cross-site scripting in Silverstripe Framework's 'Insert media from web' CMS feature allows a remote unauthenticated attacker to inject malicious JavaScript by supplying a specially crafted embed URL that a CMS editor then inserts into content. All Silverstripe Framework installations prior to version 6.2.2 are affected. No public exploit code has been identified and this vulnerability is not listed in the CISA KEV catalog, but the low attack complexity and network accessibility make it a credible risk for any deployment where CMS editors process externally sourced media.

XSS PHP Silverstripe Framework
NVD GitHub
CVSS 3.1
5.4
EPSS
0.3%
CVE-2026-54164 MEDIUM PATCH This Month

Type confusion in API Platform Core's AbstractItemNormalizer allows authenticated API consumers to corrupt relational data by supplying IRIs pointing to resources of the wrong type during write operations (POST/PUT/PATCH). The root cause is that getResourceFromIri() omits the $operation context when calling IriConverter::getResourceFromIri(), silently bypassing the is_a type guard at IriConverter.php:86. All 4.1.x, 4.2.x, and 4.3.x releases prior to the patched versions are affected; no public exploit or CISA KEV listing has been identified at time of analysis.

Memory Corruption Information Disclosure PHP Core
NVD GitHub
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-49981 PHP MEDIUM PATCH GHSA This Month

Sandbox allow-list bypass in the Twig PHP templating engine lets attacker-supplied filters, tags, and functions run unchecked when a shared Environment mixes sandboxed and non-sandboxed renders. The filter/tag/function SecurityPolicy check was computed once in the Template constructor and cached in $loadedTemplates, so any later sandbox state change or a pre-warmed template left a stale (typically empty) verdict, defeating the sandbox. Fixed in Twig 3.27.0; no public exploit identified at time of analysis and it is not in CISA KEV.

Authentication Bypass PHP
NVD GitHub
CVSS 4.0
6.0
EPSS
0.4%
CVE-2026-58451 HIGH PATCH This Week

Arbitrary file disclosure in Horde IMP webmail before 7.0.1 lets an authenticated user read any file the web server can access by planting directory-traversal sequences after a CKEditor path prefix inside an image src URL when composing mail. A weak stripos() prefix check fails to block traversal appended after the allowed prefix, so file_get_contents() pulls in files like /etc/passwd or configuration secrets and attaches them as MIME parts on the outgoing message. No public exploit identified at time of analysis, but VulnCheck published an advisory and the flaw is CSRF-triggerable against a live session, raising practical exposure for internet-facing Horde deployments.

CSRF Path Traversal PHP Imp
NVD GitHub
CVSS 4.0
7.1
EPSS
0.3%
CVE-2026-34117 CRITICAL Act Now

Unauthenticated OS command injection in the Guardian language-system PHP application lets remote attackers run arbitrary operating-system commands by injecting shell metacharacters into the 'id' GET parameter of text_to_subtitles.php, which is concatenated directly into a PHP exec() call. Any internet-reachable instance can be fully compromised without credentials or user interaction, and the CVSS 4.0 base score of 9.3 reflects full confidentiality, integrity, and availability loss. No public exploit identified at time of analysis, though a VulnCheck advisory and a technical gist describe the exact vulnerable code path.

Command Injection PHP
NVD GitHub
CVSS 4.0
9.3
EPSS
0.5%
CVE-2026-34116 CRITICAL Act Now

OS command injection in Guardian language-system's transcribe.php lets an unauthenticated remote attacker inject arbitrary shell commands through the 'id' GET parameter, which is concatenated directly into a PHP exec() call. Because no authentication or user interaction is required and the flaw yields full command execution, it maps to a CVSS 4.0 score of 9.3 with high confidentiality, integrity, and availability impact. No public exploit is identified at time of analysis, though a public gist writeup and a VulnCheck advisory document the issue.

Command Injection PHP
NVD GitHub
CVSS 4.0
9.3
EPSS
0.5%
CVE-2026-34115 CRITICAL Act Now

OS command injection in Guardian language-system's transcribe_amazon.php allows an unauthenticated remote attacker to run arbitrary operating-system commands on the host. The id GET parameter is concatenated directly into a PHP exec() call that shells out to a transcription job, so appending shell metacharacters (e.g. ; | `) yields command execution with the privileges of the web server. No authentication or user interaction is required (PR:N/UI:N), and a public gist reference exists that may contain proof-of-concept details, though active exploitation is not confirmed in CISA KEV.

Command Injection PHP
NVD GitHub
CVSS 4.0
9.3
EPSS
0.5%
CVE-2026-34114 CRITICAL Act Now

OS command injection in Guardian Language System's translate_text.php allows unauthenticated remote attackers to execute arbitrary operating-system commands by injecting shell metacharacters into the 'id' GET parameter, which is concatenated directly into a PHP exec() call. Because no authentication is required and the CVSS 4.0 vector is AV:N/AC:L/PR:N/UI:N, exploitation is trivial and yields full command execution in the web server's context. There is no public exploit identified at time of analysis, though a VulnCheck advisory and a public gist document the flaw.

Command Injection PHP
NVD GitHub
CVSS 4.0
9.3
EPSS
0.5%
CVE-2026-34113 CRITICAL Act Now

Unauthenticated OS command injection in Guardian language-system's speech_text.php allows remote attackers to execute arbitrary shell commands by injecting metacharacters into the id GET parameter, which is passed unsanitized into a PHP exec() call. No authentication is required (CVSS 4.0 base 9.3), giving full read/write/availability impact on the host. A referenced GitHub gist and a VulnCheck advisory document the flaw, indicating publicly available exploit details, though it is not listed in CISA KEV.

Command Injection PHP
NVD GitHub
CVSS 4.0
9.3
EPSS
0.5%
CVE-2026-34112 CRITICAL Act Now

OS command injection in the Guardian language-system's speechmac.php enables unauthenticated remote attackers to run arbitrary operating-system commands by injecting shell metacharacters into the 'id' GET parameter, which is concatenated directly into a PHP exec() call. No credentials or user interaction are required, so any network-reachable instance can be fully compromised. This is a CWE-78 flaw carrying a CVSS 4.0 base score of 9.3; no public exploit identified at time of analysis, though a referenced gist may contain proof-of-concept material.

Command Injection PHP
NVD GitHub
CVSS 4.0
9.3
EPSS
0.5%
CVE-2026-34111 CRITICAL Act Now

OS command injection in the Guardian language-system lets unauthenticated remote attackers run arbitrary shell commands by injecting metacharacters into the 'id' GET parameter, which speechmac_text.php concatenates directly into a PHP exec() call. The CVSS 4.0 base score is 9.3 (critical) with full compromise of confidentiality, integrity, and availability, and no authentication or user interaction is needed. No public exploit identified at time of analysis, though a referenced gist and the VulnCheck advisory may contain technical exploitation detail.

Command Injection PHP
NVD GitHub
CVSS 4.0
9.3
EPSS
0.5%
CVE-2026-34110 CRITICAL Act Now

OS command injection in Guardian language-system allows an unauthenticated remote attacker to execute arbitrary shell commands by injecting metacharacters into the 'id' GET parameter of complex_start.php, which is passed unsanitized into a PHP exec() call. No authentication or user interaction is required, and the CVSS 4.0 score of 9.3 (Critical) reflects full compromise of confidentiality, integrity, and availability. A public gist demonstrating the flaw means publicly available exploit code exists, though it is not listed in CISA KEV.

Command Injection PHP
NVD GitHub
CVSS 4.0
9.3
EPSS
0.5%
CVE-2026-34109 CRITICAL Act Now

OS command injection in the Guardian language-system lets an unauthenticated remote attacker run arbitrary shell commands by injecting metacharacters into the 'id' GET parameter, which speech.php passes unsanitized into a PHP exec() call. Rated CVSS 4.0 9.3 (Critical) with a fully remote, no-privilege, no-interaction vector, this is a direct pre-auth RCE. No CISA KEV listing or EPSS score is present in the provided data, and no confirmed public exploit is identified, though a referenced GitHub gist and a VulnCheck advisory document the flaw.

Command Injection PHP
NVD GitHub
CVSS 4.0
9.3
EPSS
0.5%
CVE-2026-34108 CRITICAL Act Now

OS command injection in the Guardian language-system lets an unauthenticated remote attacker execute arbitrary operating-system commands on the hosting server. The flaw arises because text.php passes the user-controlled 'id' GET parameter straight into a PHP exec() call without sanitization, allowing shell metacharacters to break out of the intended command. The CVSS 4.0 base score is 9.3 (network vector, no privileges, no user interaction); no public exploit is identified at time of analysis, though a referenced gist and a VulnCheck advisory document the issue.

Command Injection PHP
NVD GitHub
CVSS 4.0
9.3
EPSS
0.5%
CVE-2026-34107 CRITICAL POC Act Now

OS command injection in Guardian language-system lets unauthenticated remote attackers run arbitrary shell commands by injecting metacharacters into the 'id' GET parameter of translate.php, which is concatenated directly into a PHP exec() call. Publicly available exploit code exists (published as a gist via VulnCheck), and the CVSS 4.0 base score of 9.3 reflects full compromise of confidentiality, integrity, and availability with no authentication or user interaction. There is no public exploit identified as actively exploited in CISA KEV, so the current risk is driven by ease of exploitation and public PoC rather than confirmed in-the-wild abuse.

Command Injection PHP Language System
NVD GitHub
CVSS 4.0
9.3
EPSS
0.7%
CVE-2026-34106 CRITICAL POC Act Now

Remote code execution in Guardian language-system allows unauthenticated attackers to run arbitrary OS commands by injecting shell metacharacters into the 'id' GET parameter of subtitles.php, which is concatenated directly into a PHP exec() call invoking jobs/subtitle_rendering.php. The CVSS 4.0 base score of 9.3 reflects network-reachable, no-privilege, no-interaction exploitation, and publicly available exploit code exists (published via VulnCheck), though there is no public exploit identified as being actively used in the wild at time of analysis.

Command Injection PHP Language System
NVD GitHub
CVSS 4.0
9.3
EPSS
0.7%
CVE-2026-34105 CRITICAL POC Act Now

SQL injection in the Guardian language-system (translate_text.php) lets remote attackers extract arbitrary database contents by injecting into the unsanitized 'id' GET parameter. The CVSS 4.0 vector scores this 9.3 (Critical) with PR:N, and the VulnCheck advisory title labels it unauthenticated, though the CVE description states an authenticated attacker is required - this discrepancy should be verified. Publicly available exploit code exists, but there is no public exploit identified as being actively used in attacks (not in CISA KEV).

SQLi PHP Language System
NVD GitHub
CVSS 4.0
9.3
EPSS
0.4%
CVE-2026-34104 CRITICAL POC Act Now

SQL injection in Guardian Language-System's designer.php exposes the entire backend database to attackers who supply a crafted 'name' GET parameter, which is concatenated directly into a SELECT query without sanitization (CWE-89). VulnCheck reports this as remotely reachable and publicly available exploit code exists, though no public exploit is confirmed as actively used in the wild (not in CISA KEV). Note a source conflict: the CVE description labels the attacker 'authenticated' while the VulnCheck advisory and CVSS 4.0 vector (PR:N) describe it as unauthenticated.

SQLi PHP Language System
NVD GitHub
CVSS 4.0
9.3
EPSS
0.4%
CVE-2026-34103 CRITICAL POC Act Now

SQL injection in Guardian Language-System's subtitles.php lets attackers extract arbitrary database contents by tampering with the id GET parameter, which is concatenated directly into a SELECT query without sanitization. The flaw is error-based and rated critical (CVSS 4.0 base 9.3, VC:H/VI:H/VA:H), publicly available exploit code exists (VulnCheck advisory plus a public gist PoC), and there is no public exploit identified as being used in active attacks. Note a source conflict: the CVE description labels the attacker 'authenticated,' but the CVSS vector (PR:N) and VulnCheck's advisory title both describe it as unauthenticated.

SQLi PHP Language System
NVD GitHub
CVSS 4.0
9.3
EPSS
0.4%
CVE-2026-34102 CRITICAL POC Act Now

SQL injection in Guardian language-system via the 'id' GET parameter in job_info_get.php lets attackers inject arbitrary SQL into a query against the 'jobs' table, enabling error-based extraction of database contents. The CVSS 4.0 vector (AV:N/PR:N) and VulnCheck advisory title indicate unauthenticated network exploitation, though the CVE description text describes an 'authenticated attacker' - a discrepancy defenders should verify. Publicly available exploit code exists (VulnCheck/gist PoC), raising the practical risk despite no confirmed active exploitation.

SQLi PHP Language System
NVD GitHub
CVSS 4.0
9.3
EPSS
0.4%
CVE-2026-34101 CRITICAL POC Act Now

SQL injection in Guardian language-system's text_file.php lets remote attackers extract arbitrary database contents by injecting into the unsanitized 'id' GET parameter. The flaw is a classic error-based SQLi (CWE-89) where user input is concatenated directly into a SELECT statement, and publicly available exploit code exists (reported by VulnCheck). No CISA KEV listing exists, so this represents publicly available exploit code rather than confirmed active exploitation.

SQLi PHP Language System
NVD GitHub
CVSS 4.0
9.3
EPSS
0.4%
CVE-2026-34100 CRITICAL POC Act Now

Error-based SQL injection in Guardian Language System's media.php allows attackers to extract arbitrary database contents by injecting into the unsanitized 'id' GET parameter (CWE-89). Publicly available exploit code exists (published via a GitHub gist by VulnCheck), and the CVSS 4.0 vector (AV:N/AC:L/PR:N) plus the VulnCheck advisory title indicate unauthenticated network exploitation, though the CVE description conversely refers to an 'authenticated attacker' - a discrepancy defenders should verify. No public evidence of active in-the-wild exploitation (not listed in CISA KEV).

SQLi PHP Language System
NVD GitHub
CVSS 4.0
9.3
EPSS
0.4%
CVE-2026-34099 CRITICAL POC Act Now

Unauthenticated SQL injection in Guardian Language System lets remote attackers manipulate the backend database by injecting into the `id` GET parameter of job_info.php, which is concatenated directly into a SQL query with no sanitization. Because no authentication is required (CVSS 4.0 PR:N) and publicly available exploit code exists, any attacker who can reach the endpoint can extract database version, current user, schema names, and table contents via error-based injection. Reported by VulnCheck with a CVSS of 9.3; no public exploit identified as actively used in the wild (not in CISA KEV).

SQLi PHP Language System
NVD GitHub
CVSS 4.0
9.3
EPSS
0.5%
CVE-2026-34098 MEDIUM POC This Month

Reflected cross-site scripting in Guardian Language-System's media.php allows authenticated attackers to inject arbitrary JavaScript into the victim's browser session by crafting a malicious URL with a script payload in the id GET parameter. The flaw exists because the id parameter is written unsanitized directly into HTML source and form action attributes at lines 119 and 129 of media.php. A publicly available proof-of-concept exploit exists on GitHub, though no KEV listing indicates broad active exploitation at time of analysis.

XSS PHP Language System
NVD GitHub
CVSS 4.0
4.8
EPSS
0.1%
CVE-2026-34097 MEDIUM POC This Month

Reflected XSS in Guardian Language-System's text_file.php allows an authenticated attacker to inject arbitrary script tags into at least six distinct form action attributes (lines 94, 101, 323, 403, 826, 852) by crafting a malicious URL with a payload in the id GET parameter. When a second authenticated victim is socially engineered into following the crafted link, the script executes within their browser session against the Guardian Language-System origin, enabling session token theft or unauthorized actions on the victim's behalf. A publicly available proof-of-concept exploit exists on GitHub; no CISA KEV listing has been identified, meaning active exploitation is not confirmed at time of analysis.

XSS PHP Language System
NVD GitHub
CVSS 4.0
4.8
EPSS
0.1%
CVE-2026-34096 MEDIUM POC This Month

Reflected XSS in Guardian language-system's designer.php allows authenticated attackers to inject and execute arbitrary JavaScript in a victim's browser session by crafting a malicious URL. The `name` GET parameter is echoed unsanitized directly into an HTML input value attribute at line 57, enabling classic reflected cross-site scripting. A publicly available proof-of-concept exploit exists on GitHub (via VulnCheck advisory); the vulnerability is not currently listed in CISA KEV, and real-world impact is constrained by the requirement for victim interaction and authentication.

XSS PHP Language System
NVD GitHub
CVSS 4.0
4.8
EPSS
0.1%
CVE-2026-58025 MEDIUM PATCH This Month

Deserialization of untrusted data in MediaWiki's wiki import subsystem and logging infrastructure exposes installations to PHP object injection, with high integrity impact on affected systems. Specifically, the WikiImporter, WikiRevision, and LogEntryBase components process attacker-controlled serialized data without sufficient validation, allowing a high-privileged authenticated user to trigger unintended object instantiation or code execution paths. No active exploitation (CISA KEV) or public proof-of-concept has been identified at time of analysis; however, vendor-confirmed patches are available in releases 1.43.9, 1.44.6, 1.45.4, and 1.46.0.

Deserialization PHP Mediawiki
NVD VulDB
CVSS 4.0
5.9
EPSS
0.3%
CVE-2026-58029 MEDIUM PATCH This Month

Authentication API endpoints and Special pages in MediaWiki expose low-severity confidentiality and integrity weaknesses exploitable by unauthenticated remote attackers who can induce victim user interaction. Five files spanning account-linking and credential management operations - ApiChangeAuthenticationData, ApiLinkAccount, ApiRemoveAuthenticationData, SpecialLinkAccounts, and SpecialUnlinkAccounts - are affected across all MediaWiki releases prior to the fixed branches 1.43.9, 1.44.6, 1.45.4, and the forthcoming 1.46.0. No public exploit code and no active exploitation have been identified at time of analysis; real-world risk is constrained by the user-interaction prerequisite and the limited impact scope.

PHP Mediawiki Authentication Bypass
NVD VulDB
CVSS 4.0
5.3
EPSS
0.5%
CVE-2026-58028 NONE PATCH Awaiting Data

Cross-site scripting in Wikimedia Foundation MediaWiki and the CentralAuth extension allows authenticated low-privileged users to inject malicious scripts into rendered wiki pages or API output through unsanitized input in API formatting, ResourceLoader module handling, page display hooks, and permission change log formatting. Affected versions span all releases of both products prior to the 1.46.0, 1.45.4, 1.44.6, and 1.43.9 patch series. No public exploit code or CISA KEV listing has been identified at time of analysis, though the five affected PHP files suggest a broad attack surface across core MediaWiki subsystems.

XSS PHP Mediawiki Centralauth
NVD VulDB
EPSS
0.4%
CVE-2026-57517 CRITICAL POC PATCH Act Now

Unauthenticated blind SQL injection in Control Web Panel (CWP) before 0.9.8.1225 lets remote attackers inject arbitrary SQL through the userRes POST parameter of the user endpoint, and because CWP's MySQL connection runs with root privileges the flaw escalates to full remote code execution via INTO DUMPFILE. Attackers write a PHP webshell into the web-accessible roundcube logs directory and execute commands as the cwpsvc account. Publicly available exploit code exists and a vendor patch has been released; this is a network, no-authentication, low-complexity issue (CVSS 4.0 9.3).

SQLi RCE PHP Control Web Panel
NVD
CVSS 4.0
9.3
EPSS
0.6%
CVE-2026-58026 NONE PATCH Awaiting Data

Information disclosure in MediaWiki's core parser component (includes/Parser/Parser.php) allows authenticated low-privilege users, under conditions requiring user interaction, to obtain sensitive information not intended for their access level. All MediaWiki branches are affected up to versions 1.43.9, 1.44.6, 1.45.4, and 1.46.0, covering a broad installation base including self-hosted wikis worldwide. No public exploit code exists and no active exploitation has been confirmed at time of analysis; however, the provided CVSS 4.0 vector contains a contradictory zero-impact scoring that warrants independent verification against the upstream advisory.

PHP Information Disclosure Mediawiki
NVD VulDB
EPSS
0.4%
CVE-2026-8857 NONE PATCH Awaiting Data

Code injection in the Wikimedia Foundation Timeline extension (EasyTimeline) allows authenticated wiki editors to execute arbitrary server-side code via crafted timeline syntax processed by the Perl-based EasyTimeline.Pl script and its PHP integration layer Timeline.Php. The vulnerability stems from CWE-94 improper code generation control, where user-supplied timeline markup is passed to the backend Perl interpreter without sufficient sanitization, enabling remote code execution on the MediaWiki server. No public exploit code has been identified at time of analysis, but the RCE tag and network-accessible attack vector make this a high-priority patching target for any publicly editable or semi-public MediaWiki instance.

Code Injection PHP RCE Timeline
NVD VulDB
EPSS
0.3%
CVE-2026-58038 NONE PATCH Awaiting Data

Stored cross-site scripting in the Wikimedia Foundation Timeline extension exposes MediaWiki installations to session hijacking and credential theft. The flaw exists in Timeline.php and EasyTimeline.pl, where user-supplied timeline markup syntax is not properly neutralized before HTML output, allowing an authenticated wiki editor to inject arbitrary JavaScript executed in other users' browsers. No public exploit has been identified at time of analysis, and KEV listing is absent, but the network-accessible nature and low-privilege entry point make this a credible risk on publicly editable wikis.

XSS PHP Timeline
NVD VulDB
EPSS
0.2%
CVE-2026-58027 MEDIUM PATCH This Month

Sensitive abuse filter configuration data in Wikimedia Foundation's AbuseFilter MediaWiki extension is exposed to authenticated low-privilege users via the QueryAbuseFilters API endpoint (includes/Api/QueryAbuseFilters.php). Authenticated wiki users on affected installations (all versions before 1.46.0, 1.45.4, 1.44.6, and 1.43.9) can retrieve private or restricted filter rule details they should not be authorized to access. No active exploitation has been confirmed (not listed in CISA KEV) and no public proof-of-concept exploit is known at time of analysis, but the moderate CVSS 4.0 score of 5.3 reflects real risk to wikis relying on confidential filter logic for abuse prevention.

PHP Information Disclosure Abusefilter
NVD VulDB
CVSS 4.0
5.3
EPSS
0.4%
CVE-2026-58030 MEDIUM PATCH This Month

Cross-site scripting in the Wikimedia Foundation SyntaxHighlight_GeSHi MediaWiki extension allows authenticated users to inject unsanitized input via the syntax highlighting interface, with malicious script executing in victims' browsers upon page view. The flaw originates in includes/SyntaxHighlight.php and affects all versions prior to branch-specific fixes at 1.46.0, 1.45.4, 1.44.6, and 1.43.9. No public exploit code or active exploitation has been identified at time of analysis, and the CVSS 4.0 score of 5.3 (Medium) reflects limited confidentiality impact scoped to the vulnerable system.

XSS PHP Syntaxhighlight Geshi
NVD VulDB
CVSS 4.0
5.3
EPSS
0.4%
CVE-2026-58033 MEDIUM PATCH This Month

Sensitive information exposure in MediaWiki's InfoAction.php allows unauthenticated remote actors to obtain restricted page metadata through the 'Info' action endpoint. All MediaWiki versions before 1.46.0, 1.45.4, 1.44.6, and 1.43.9 are affected across all deployment configurations. No public exploit code exists and the vulnerability is not listed in CISA KEV, but the low attack complexity and lack of authentication requirements make opportunistic discovery straightforward for any actor who can reach the wiki.

PHP Information Disclosure Mediawiki
NVD VulDB
CVSS 4.0
5.3
EPSS
0.4%
CVE-2026-58037 NONE PATCH Awaiting Data

Cross-site scripting vulnerabilities across multiple log formatter and language components in MediaWiki allow authenticated low-privilege users to inject malicious JavaScript that executes in the browser of any user who views affected log pages or the SpecialVersion special page. The vulnerability spans seven PHP files covering block, patrol, rename-user, and tag log formatters, the base LogFormatter, the Language class, and SpecialVersion - indicating widespread unsanitized output rendering in administrative and logging interfaces. No public exploit code has been identified and the vulnerability is not listed in CISA KEV, but the breadth of affected components and the multiple concurrent fix branches (1.43.9, 1.44.6, 1.45.4, 1.46.0) signal a significant audit-driven remediation effort.

XSS PHP Mediawiki
NVD VulDB
EPSS
0.4%
CVE-2026-58036 LOW PATCH Monitor

Insufficient permission enforcement in MediaWiki's user query API endpoints allows low-privileged authenticated users to access sensitive user information - such as group memberships or account details - that permission controls should restrict. The vulnerability spans four source files: ApiQueryAllUsers.php, ApiQueryUsers.php, PermissionManager.php, and UserGroupManager.php, indicating that the flaw lies in how permission checks are applied (or bypassed) when the API serializes user data. No public exploit code exists and the CVSS 4.0 score of 2.1 reflects the constrained real-world exploitability. No confirmed active exploitation (CISA KEV) has been reported.

PHP Information Disclosure Mediawiki
NVD VulDB
CVSS 4.0
2.1
EPSS
0.2%
CVE-2026-58024 MEDIUM PATCH This Month

Information disclosure in MediaWiki's ApiUserrights.php exposes sensitive user rights data to authenticated actors who should not have access to it. All MediaWiki installations running versions prior to 1.43.9, 1.44.6, 1.45.4, and 1.46.0 are affected. The CVSS 4.0 score of 5.1 with low confidentiality impact (VC:L) reflects a bounded but real data leakage risk; no public exploit identified at time of analysis.

PHP Information Disclosure Mediawiki
NVD VulDB
CVSS 4.0
5.1
EPSS
0.4%
CVE-2026-13707 NONE Awaiting Data

Session fixation in the Wikimedia Foundation OAuth MediaWiki extension (src/Backend/MWOAuthServer.php) allows a network-accessible, low-privileged attacker to manipulate the OAuth authorization handshake so that a victim's authentication binds to an attacker-controlled session identifier. All four actively maintained release branches are affected through versions 1.46.0, 1.45.4, 1.44.6, and 1.43.9. No public exploit or CISA KEV listing exists at time of analysis; however, the 'Information Disclosure' tag applied to this CVE creates tension with the vendor-supplied CVSS 4.0 zero-impact scoring and warrants independent verification.

Session Fixation Information Disclosure PHP Oauth
NVD VulDB
EPSS
0.3%
CVE-2026-13706 NONE Awaiting Data

Improper input validation in Wikimedia Foundation's UrlShortener extension (includes/UrlShortenerUtils.php) exposes a potential information disclosure path accessible to low-privileged authenticated users over the network. The vulnerability is classified under CWE-20 and tagged as an information disclosure issue, though the provided CVSS 4.0 vector records zero impact across all dimensions - a notable contradiction with the 'Information Disclosure' tag that warrants independent verification. No public exploit code exists and no active exploitation has been confirmed.

Information Disclosure PHP Urlshortener
NVD VulDB
EPSS
0.3%
CVE-2026-6070 CRITICAL Act Now

Arbitrary file deletion in the WP-BusinessDirectory (Business Directory) plugin for WordPress (versions ≤ 4.0.1) lets unauthenticated remote attackers delete any file the web server can access, including wp-config.php. The flaw stems from the frontend-accessible task=upload.remove endpoint accepting an unsanitized _filename parameter that permits ../ path traversal. No public exploit is identified at time of analysis, but the CVSS 9.1 rating and trivial exploitation (network, no auth, no user interaction) make it high priority; deleting wp-config.php can force WordPress into its installer, enabling site takeover.

WordPress Path Traversal PHP Wp Businessdirectory Business Directory Plugin For Wordpress
NVD VulDB
CVSS 3.1
9.1
EPSS
0.4%
CVE-2026-12923 HIGH This Week

Arbitrary zero-argument PHP function invocation in the Youtube Showcase (Video Gallery - YouTube Gallery, Playlist & Video Grid) plugin for WordPress affects all versions up to and including 4.0.3, letting authenticated Subscriber-level users abuse the emd_delete_file() AJAX handler to call any callable PHP function name with no arguments. Because the handler validates only a nonce and omits a current_user_can() capability check, low-privileged accounts can trigger functions such as phpinfo(), get_defined_vars(), or error_get_last() to disclose sensitive server and application data. No public exploit identified at time of analysis and the issue is not in CISA KEV, so risk is currently theoretical but credible given the low privilege bar.

WordPress LFI Information Disclosure PHP Video Gallery Youtube Gallery Playlist Video Grid
NVD VulDB
CVSS 3.1
7.5
EPSS
0.3%
CVE-2026-13015 MEDIUM This Month

Reflected Cross-Site Scripting in Wp Google Places Review Slider (WordPress plugin, versions ≤ 18.1) allows unauthenticated remote attackers to inject arbitrary JavaScript via the unsanitized `place` GET parameter in `admin/partials/googlecrawl_dfs.php`. The raw user input is URL-decoded and passed through `stripslashes()` before being echoed directly into an HTML value attribute — bypassing WordPress's standard `esc_attr()` — but only when the supplied place value is not already present as a key in the `wprev_google_crawls` stored option. No public exploit identified at time of analysis; successful exploitation requires tricking an authenticated WordPress administrator into clicking a specially crafted link.

WordPress XSS PHP Google Wp Google Review Slider
NVD VulDB
CVSS 3.1
6.1
EPSS
0.2%
CVE-2026-37106 CRITICAL Act Now

Remote code execution is claimed in DokuWiki 2025-05-14b "Librarian" (build 56.2) via the register function in inc/auth.php, which security intelligence maps to CWE-640 (weak password-recovery mechanism) - a mismatch that suggests account-takeover-to-code-execution rather than a direct memory-corruption RCE. The CVSS 3.1 score of 9.8 (network, no authentication, no user interaction) implies any internet-facing DokuWiki instance is at risk, and publicly available exploit code exists (a public gist proof-of-concept plus SSVC 'poc' exploitation status), though EPSS remains low at 0.26% (17th percentile), indicating no observed mass exploitation yet. Reported by MITRE and tracked as ENISA EUVD-2026-40863, it is tagged PHP/RCE but is not listed in CISA KEV.

RCE PHP
NVD GitHub VulDB
CVSS 3.1
9.8
EPSS
0.3%
CVE-2026-56700 PHP CRITICAL PATCH Act Now

Arbitrary code execution in Grav CMS before 2.0.0-beta.2 stems from three distinct flaw classes: PHP object injection via unsafe unserialize() of attacker-controllable data in the Scheduler JobQueue, FileCache adapter, and Session components, an OS command injection in the plugin/theme InstallCommand git clone routine, and a Twig sandbox blocklist bypass enabling server-side template injection. An attacker who can influence the serialized input can chain available gadgets to run arbitrary PHP, while the command-injection path is reachable by authenticated administrators through plugin/theme installation. No public exploit identified at time of analysis; the issues were privately reported by VulnCheck and are fixed in 2.0.0-beta.2.

Command Injection Deserialization RCE PHP Grav
NVD GitHub
CVSS 4.0
9.3
EPSS
1.7%
CVE-2026-55219 PHP MEDIUM PATCH GHSA This Month

Credit double-spend via race condition in Paymenter allows any authenticated user with a non-zero credit balance to settle multiple invoices for the cost of one. The root cause is that `lockForUpdate()` in `app/Livewire/Invoices/Show.php` is called outside a database transaction, rendering the pessimistic lock a no-op in MySQL/MariaDB and leaving the read-check-deduct sequence unprotected against concurrent execution. Successful exploitation results in direct financial or resource loss to the platform operator as `ExtensionHelper::addPayment()` provisions services or digital goods for each winning request. No public exploit has been identified at time of analysis.

Authentication Bypass Race Condition PHP
NVD GitHub
CVSS 3.1
5.3
CVE-2026-48807 PHP HIGH PATCH GHSA This Week

Sandbox policy bypass in Twig PHP template engine allows sandboxed template authors to trigger `__toString()` calls on objects explicitly blocked by `SecurityPolicy::$allowedMethods`, through two distinct coercion paths: `Traversable` inputs to the `join` and `replace` filters, and PHP's implicit spaceship-operator coercion inside the `in`/`not in` operator implementation. Beyond unauthorized method invocation, the `in` operator can be chained into a character-by-character equality oracle, enabling reconstruction of the full string value of sensitive objects - such as tokens or credentials passed into the render context - without any direct method invocation being permitted. This is a residual bypass of CVE-2026-47732; no public exploit code has been identified at time of analysis, and the issue is patched in Twig v3.27.0.

Oracle Information Disclosure PHP
NVD GitHub VulDB
CVSS 4.0
7.1
EPSS
0.2%
CVE-2026-48806 PHP HIGH PATCH GHSA This Week

Sandbox __toString() policy enforcement in Twig is bypassed via dynamic array mapping keys, allowing sandboxed template authors to invoke __toString() on arbitrary context objects without sandbox policy checks. This is a residual bypass of the previously patched CVE-2026-47732, rooted in ArrayExpression failing to declare dynamic mapping keys as string-coercion sites through CoercesChildrenToStringInterface. The reliable demonstrated impact is unauthorized disclosure of sensitive data returned by __toString() on objects that the sandbox was explicitly configured to protect - no public KEV listing exists, but a clear proof-of-concept is embedded in the advisory.

Authentication Bypass PHP
NVD GitHub
CVSS 4.0
7.1
EPSS
0.2%
CVE-2026-48805 PHP MEDIUM PATCH GHSA This Month

Sandbox bypass in Twig 3.26.x allows string callables to circumvent the Closure-only restriction when applications use the deprecated `twig_array_some()` and `twig_array_every()` wrapper functions over a sandboxed Environment. The 3.26.0 source-policy hardening changed `CoreExtension::checkArrow()` to accept a boolean sandbox state, but the legacy wrappers in `src/Resources/core.php` were not updated, causing them to silently pass `false` for `$isSandboxed` and accept arbitrary string callables such as `'exec'` or `'system'` that the sandbox was designed to block. No public exploit has been identified at time of analysis, and impact is limited to the narrow subset of applications calling the deprecated wrappers with sandbox mode active.

Authentication Bypass PHP
NVD GitHub
CVSS 4.0
5.3
EPSS
0.3%
CVE-2026-47198 PHP HIGH PATCH GHSA This Week

Server provisioning parameter tampering in Paymenter (a PHP/Laravel billing and hosting-management platform) lets any authenticated customer override administrator-defined hosting plans and resource limits during checkout. By injecting arbitrary key-value pairs into the URL-bound checkout configuration, a low-privileged user can escalate CPU, RAM, storage, or package tiers without admin rights. Rated CVSS 8.5 (CWE-20); no public exploit identified at time of analysis and it is not listed in CISA KEV.

Authentication Bypass PHP
NVD GitHub
CVSS 3.1
8.5
CVE-2026-58376 HIGH POC PATCH This Week

SQL injection in Dolibarr ERP/CRM through version 23.0.3 lets authenticated REST API users exfiltrate arbitrary database contents - including password hashes and API keys - by abusing the sqlfilters parameter on the setup dictionary and multicurrencies list endpoints. The flawed filter only checked for balanced parentheses and rewrote matched triplets, so an appended UNION SELECT placed outside the expected pattern was concatenated into the WHERE clause unmodified. Publicly available exploit code exists and a vendor fix has been committed; the issue is not listed in CISA KEV.

SQLi Information Disclosure PHP Dolibarr
NVD GitHub
CVSS 4.0
7.2
EPSS
0.2%
CVE-2026-27881 MEDIUM PATCH This Month

{uuid}`. The DeployController.php endpoint performs no team-ownership validation against the requesting user's session, making this a textbook CWE-639 Insecure Direct Object Reference (IDOR) across tenant boundaries. No public exploit code has been identified at time of analysis and this vulnerability is not listed in the CISA KEV catalog, but the attack is mechanically trivial once a target UUID is known.

Authentication Bypass PHP Coolify
NVD GitHub VulDB
CVSS 3.1
5.0
EPSS
0.2%
CVE-2026-53691 HIGH This Week

Remote code execution in Redeight CMS 1.0 lets an authenticated attacker upload arbitrary PHP scripts through the admin Pages module's FileAdd endpoint, which performs no extension or MIME-type validation. The uploaded file lands in the web-accessible /uploads/files/ directory and is executed directly by the web server, yielding full server-side code execution. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV; EPSS data was not provided.

PHP RCE File Upload Redeight Cms
NVD VulDB
CVSS 4.0
8.6
EPSS
0.5%
CVE-2026-53690 CRITICAL Act Now

SQL injection in Redeight CMS 1.0 lets unauthenticated remote attackers extract sensitive database contents by injecting through the 'userEmail' POST parameter of the /admin/index.php login endpoint. Because user input is interpolated directly into SQL without prepared statements, an attacker needs no credentials and no user interaction to read or manipulate backend data, including admin authentication material. The flaw was reported by CERT-PL and carries a CVSS 4.0 base score of 9.3 (Critical); no public exploit identified at time of analysis.

SQLi PHP Redeight Cms
NVD VulDB
CVSS 4.0
9.3
EPSS
0.4%
CVE-2026-12240 HIGH This Week

Arbitrary file deletion in the Export User Data plugin for WordPress (versions up to and including 2.2.6) allows an authenticated subscriber-level attacker to delete any file on the server, including wp-config.php, which can escalate to remote code execution. The flaw stems from unsafe deserialization of a PHP object embedded in a user's display name that is processed when an administrator exports user data. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV; exploitation is gated by required administrator interaction.

WordPress Deserialization RCE PHP Export User Data
NVD VulDB
CVSS 3.1
8.0
EPSS
0.3%
CVE-2026-8944 MEDIUM This Month

Cross-site request forgery in Plugin for Google Analytics by IO Technologies (WordPress) versions up to and including 1.1 allows unauthenticated remote attackers to overwrite the site's Google Analytics tracking ID by tricking a logged-in administrator into clicking a crafted link. The flaw stems from absent nonce validation on the ga.php settings handler, meaning forged POST requests bypass WordPress's standard CSRF protections entirely. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis, and the CVSS score of 4.3 reflects the required administrator interaction and limited integrity-only impact.

WordPress CSRF PHP Google Plugin For Google Analytics By Io Technologies
NVD VulDB
CVSS 3.1
4.3
EPSS
0.1%
CVE-2026-13579 LOW POC Monitor

SQL injection in itsourcecode Hospital Management System 1.0 exposes authenticated patient users to database-level attacks via the `/patientchangepassword.php` endpoint. The `newpassword` parameter is passed unsanitized into SQL queries, allowing an authenticated attacker to manipulate backend database operations - potentially reading, modifying, or deleting patient records. A public proof-of-concept exploit exists (GitHub issue linked from VulDB report), though no active exploitation has been confirmed by CISA KEV. The CVSS 4.0 score of 2.1 reflects the limited real-world severity due to the authentication prerequisite and constrained impact scope.

SQLi PHP Hospital Management System
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.2%
CVE-2026-13578 LOW POC Monitor

SQL injection in itsourcecode Hospital Management System 1.0 exposes the `/patientdetail.php` endpoint to database manipulation via the unsanitized `editid` parameter, reachable by any low-privileged authenticated user over the network. A public proof-of-concept exploit is available (referenced via GitHub issue), lowering the skill barrier for exploitation against any deployed instance. The CVSS 4.0 score of 2.1 reflects low per-impact ratings across confidentiality, integrity, and availability, but SQL injection vulnerabilities routinely exceed their scored impact bounds when database accounts carry excess privileges - no public exploitation has been confirmed in CISA KEV.

SQLi PHP Hospital Management System
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.2%
CVE-2026-13572 LOW POC Monitor

SQL injection in itsourcecode Hospital Management System 1.0 exposes the billing endpoint /insertbillingrecord.php to database manipulation by low-privileged remote attackers via the unsanitized patientid parameter. A public exploit has been disclosed on GitHub, lowering the barrier to exploitation significantly despite a low CVSS 4.0 base score of 2.1. No CISA KEV listing exists, but the combination of a publicly available proof-of-concept and access to potentially sensitive patient health and billing records elevates real-world concern beyond what the numeric score alone conveys.

SQLi PHP Hospital Management System
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.2%
CVE-2026-13571 MEDIUM POC This Month

Price parameter manipulation in SourceCodester Simple Food Ordering System 1.0 allows unauthenticated remote attackers to submit orders at arbitrary prices by modifying the item_price argument in POST requests to /cart.php. The server trusts client-supplied price data without server-side validation, enabling business logic bypass (CWE-840) that could result in financial loss for system operators. A public proof-of-concept exploit is available on GitHub; however, this vulnerability is not currently listed in the CISA KEV catalog.

Information Disclosure PHP Simple Food Ordering System
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.4%
CVE-2026-13570 LOW Monitor

Stored cross-site scripting in SourceCodester Inventory Management System 1.0 allows a low-privileged remote attacker to inject arbitrary JavaScript via the `full_name` parameter of the User Registration Endpoint at `/api/users_handler.php`. When a privileged user such as an administrator subsequently views the stored user data, the malicious script executes in their browser context, enabling session hijacking, credential theft, or UI redress. Public exploit code exists per VulDB (E:P in CVSS 4.0 vector); however, this vulnerability is not listed in CISA KEV and carries a low CVSS 4.0 base score of 2.0, indicating limited real-world severity.

XSS PHP Inventory Management System
NVD VulDB
CVSS 4.0
2.0
EPSS
0.2%
CVE-2026-13569 LOW POC Monitor

SQL injection in EyouCMS up to version 1.7.1 allows remote authenticated attackers with high privileges to manipulate database queries via the click_like argument in the /index.php API component. The CVSS 4.0 score is 2.0, heavily discounted by the PR:H requirement, yet confidentiality, integrity, and availability impacts are all rated Low. A public proof-of-concept exists via a GitHub issue report; the vendor has not acknowledged or patched the vulnerability. No active exploitation has been confirmed (not listed in CISA KEV).

SQLi PHP Eyoucms
NVD VulDB GitHub
CVSS 4.0
2.0
EPSS
0.2%
CVE-2026-13568 MEDIUM This Month

Privilege escalation via role parameter manipulation in SourceCodester Inventory Management System 1.0 allows unauthenticated remote attackers to self-assign elevated roles during user registration. The vulnerability resides in /api/users_handler.php, where the application fails to enforce server-side restrictions on the role argument at the User Registration Endpoint, enabling account creation with admin-level privileges. A public proof-of-concept exploit is available, lowering the skill bar for abuse against any exposed instance; no CISA KEV listing exists, so confirmed active exploitation in the wild has not been established.

Authentication Bypass PHP Inventory Management System
NVD VulDB
CVSS 4.0
5.5
EPSS
0.3%
CVE-2026-40521 HIGH POC PATCH This Week

Remote code execution in FrontAccounting before 2.4.20 lets an authenticated user abuse the attachment upload handler to plant a PHP web shell. The handler fails to validate the unique_name parameter, so traversal sequences write attacker-controlled files outside the attachments directory and into the web root, and because file extensions are not validated, an uploaded PHP file executes as the web server user. Publicly available exploit code exists and a vendor patch is available, though the issue is not listed in CISA KEV.

Path Traversal RCE PHP Frontaccounting
NVD GitHub
CVSS 4.0
8.7
EPSS
0.6%
CVE-2026-13567 LOW POC Monitor

Cross-site scripting in code-projects Online Music Site 1.0 allows unauthenticated remote attackers to inject malicious scripts via the feedback form's fname, femail, faddress, or fmessage parameters handled by /Frontend/Feedback.php. The CVSS 4.0 score of 2.1 (Low) reflects the UI:P requirement - a victim must interact with the crafted content for the payload to execute, limiting autonomous exploitation. A public proof-of-concept is available via GitHub, though no confirmed active exploitation (CISA KEV) has been recorded.

XSS PHP Online Music Site
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.3%
EPSS 0% CVSS 2.1
LOW POC Monitor

SQL injection in itsourcecode Hospital Management System 1.0 allows low-privileged authenticated remote attackers to manipulate database queries via the `editid` parameter in `/medicine.php`. The attack achieves partial confidentiality, integrity, and availability impact against the underlying database. A public proof-of-concept exploit has been published (tracked via GitHub issue), lowering the barrier for exploitation; however, no active exploitation has been confirmed by CISA KEV at time of analysis.

SQLi PHP Hospital Management System
NVD VulDB GitHub
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Heap-based buffer overflow in PHP's OpenSSL extension affects all maintained PHP branches (8.2.x, 8.3.x, 8.4.x, 8.5.x) when the AES key-wrap-with-padding (AES-WRAP-PAD) algorithm per RFC 5649 is invoked. The output buffer is allocated based only on plaintext length, omitting the mandatory RFC 5649 padding expansion, causing OpenSSL to write beyond the allocated heap region, corrupt heap metadata, and abort the process. No public exploit has been identified at time of analysis; vendor-released patches are available for all affected branches.

Heap Overflow OpenSSL Buffer Overflow +2
NVD GitHub VulDB
EPSS 0% CVSS 2.1
LOW Monitor

Authorization bypass in SourceCodester CET Automated Grading System with AI Predictive Analytics 1.0 allows authenticated remote attackers to view student records they are not authorized to access. By manipulating the ID parameter in POST requests to /index.php?action=view_student, a low-privileged user can enumerate or access other students' data. A public proof-of-concept exploit exists per the CVSS 4.0 E:P supplemental metric; no active exploitation confirmed in CISA KEV.

Authentication Bypass PHP
NVD VulDB
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

{id} path parameter in GET /calendar/event/delete/{id}. The delete handler calls Calendar::find($id)->delete() with no user_id or company_id scoping, meaning possession of a valid session is the only gate to destroying arbitrary records. No public exploit has been identified at time of analysis; a confirmed fix is available in the v5.5.3 release.

Authentication Bypass PHP
NVD GitHub
EPSS 0% CVSS 4.3
MEDIUM This Month

Local File Inclusion in the RTMKit (rometheme-for-elementor) plugin for WordPress versions up to and including 2.0.7 allows authenticated attackers with Contributor-level access to include and execute arbitrary PHP code on the server. The render_templates AJAX endpoint passes the unsanitized 'template' parameter directly into a PHP require/include statement, restricted only to files ending in _templates.php. Wordfence reported this vulnerability; no public exploit code or CISA KEV listing is present at time of analysis.

WordPress LFI Information Disclosure +2
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

Unauthenticated booking data tampering in MotoPress Appointment Booking for WordPress (all versions ≤ 2.4.4) allows remote attackers to overwrite the customer name, email, phone number, and customer_id of any victim booking that has not yet been confirmed. The REST endpoint POST /motopress/appointment/v1/bookings is registered with permission_callback set to '__return_true', bypassing all WordPress capability checks, and the createBooking handler blindly trusts an attacker-supplied payment_details.booking_id to load and persist an existing booking without any ownership verification (CWE-639). No public exploit code or CISA KEV listing is confirmed at time of analysis, but the attack is trivially executable by any unauthenticated network attacker given the also-public booking enumeration endpoint.

Authentication Bypass WordPress PHP +1
NVD VulDB
EPSS 0% CVSS 8.2
HIGH POC PATCH This Week

Arbitrary file disclosure and PHP local file inclusion in Cockpit CMS before release 364 lets unauthenticated remote attackers read files outside the web root and, on certain server setups, cause the application to include() attacker-chosen .php files. The flaw stems from unvalidated PATH_INFO (derived from REQUEST_URI) being used to build filesystem paths without containment checks. Publicly available exploit code exists; it is not listed in CISA KEV and no EPSS score was provided.

Path Traversal Nginx PHP +1
NVD GitHub
EPSS 1% CVSS 8.1
HIGH This Week

Arbitrary file deletion in the TinyPNG (JPEG, PNG & WebP image compression) plugin for WordPress affects all versions through 3.6.13, allowing authenticated attackers with author-level access or higher to delete any file the web server can reach. Because deleting sensitive files such as wp-config.php pushes the site into a fresh-install state, this file-deletion primitive can be escalated to full remote code execution. There is no public exploit identified at time of analysis and the flaw is not listed in CISA KEV, but it was disclosed by Wordfence with a clear exploitation path and carries a CVSS 8.1 (High).

WordPress Path Traversal RCE +2
NVD
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Cross-tenant entry takeover in Craft CMS 5.7.0 through 5.9.20 lets a low-privileged author overwrite another user's existing entry by smuggling a numeric id through the newAttributes parameter of the bulk-duplicate element action. Because the duplication routine re-applies attacker-controlled attributes after nulling the primary key, a UPDATE is executed against the victim's row instead of an INSERT, letting the attacker rewrite the victim's title, slug, authorId, postDate, and UID. No public exploit identified at time of analysis and it is not in CISA KEV; the flaw is fixed in version 5.9.21.

Information Disclosure PHP Cms
NVD GitHub VulDB
EPSS 1% CVSS 9.2
CRITICAL Act Now

Unauthenticated OS command injection in Notifiarr Dockwatch through version 0.6.567 lets remote attackers run arbitrary shell commands on the host and achieve full compromise, since default deployments mount the Docker socket. The root cause is an Execution-After-Redirect flaw (CWE-698) where loader.php redirects unauthenticated users but fails to call exit(), allowing the attacker to seed the required session flag and then reach shell_exec() in ajax/compose.php with attacker-controlled input. The CVSS 4.0 base score is 9.2 (VC/VI/VA all High); there is no public exploit identified at time of analysis and it is not listed in CISA KEV, though a vendor advisory and upstream fix exist.

Command Injection PHP Docker +1
NVD GitHub
EPSS 1% CVSS 9.8
CRITICAL Act Now

Arbitrary file upload leading to remote code execution in the Divi Form Builder WordPress plugin (versions through 5.1.8) lets unauthenticated attackers upload executable PHP files and run arbitrary code on the server. Attacker-controlled input from the acceptFileTypes POST parameter is interpolated directly into the file-validation regex in do_image_upload(), allowing alternate PHP extensions (.phtml, .phar, .php5, .php7) that evade the plugin's .php-only .htaccess block - and on Nginx the .htaccess protection does not apply at all. There is no public exploit identified at time of analysis and it is not in CISA KEV, but the CVSS 9.8 rating and Wordfence's technical disclosure make this a high-priority patching target.

WordPress Nginx PHP +3
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Local File Inclusion in the SportsPress Pro WordPress plugin (versions 2.7.29 and earlier) lets an authenticated user holding at least Contributor privileges cause the application to include and disclose arbitrary local files on the server. Because the flaw is rooted in unsafe PHP file inclusion (CWE-98), a successful attacker can read sensitive files such as wp-config.php and, depending on which local files can be included, potentially escalate toward code execution. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, though the finding is documented by Patchstack.

LFI Information Disclosure PHP +1
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Local File Inclusion in the Shopify (Shopify Help Center) WordPress plugin through version 1.0.0 allows an authenticated user with at least Contributor privileges to include and read arbitrary local files on the server, potentially escalating to code execution via CWE-98-style file-inclusion abuse. The flaw was reported by Patchstack and carries a CVSS 7.5 rating driven by high confidentiality, integrity, and availability impact but with high attack complexity. No public exploit identified at time of analysis, and it is not listed in CISA KEV.

LFI Information Disclosure PHP +1
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

Unauthenticated PHP Object Injection in the Novalnet Payment Gateway for WooCommerce WordPress plugin (versions 12.10.3 and earlier) lets remote attackers submit crafted serialized objects that the plugin deserializes, per CVSS enabling full compromise of confidentiality, integrity, and availability. The flaw is network-reachable without authentication or user interaction and carries a critical 9.8 CVSS score. No public exploit has been identified at time of analysis, and it is not listed in CISA KEV.

WordPress Deserialization PHP +1
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

Unauthenticated PHP Object Injection in the Booktics WordPress plugin (by Arraytics) affects all versions up to and including 1.0.21, letting remote attackers with no authentication inject arbitrary PHP objects into the application. If a suitable POP (property-oriented programming) gadget chain exists in the plugin, WordPress core, or another active plugin, this can escalate to remote code execution, data theft, or full site takeover. Reported by Patchstack and rated CVSS 9.8; no public exploit identified at time of analysis and it is not listed in CISA KEV.

Deserialization PHP Booktics
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Unauthenticated Local File Inclusion in the Audrey WordPress theme (elated-themes) affects all versions up to and including 1.5, letting remote attackers coerce the PHP application into including arbitrary files. Because CWE-98 covers PHP file-inclusion flaws, a successful include can leak sensitive files (wp-config.php, credentials) and, where remote or attacker-controlled content is includable, escalate to code execution. No public exploit is identified at time of analysis and the issue is not listed in CISA KEV, though the network-reachable, unauthenticated nature (CVSS 8.1) makes it a meaningful patching priority for sites running this theme.

LFI Information Disclosure PHP +1
NVD
EPSS 0% CVSS 8.8
HIGH This Week

PHP Object Injection in the Werkstatt WordPress theme (fuelthemes) through version 4.8.3 lets a Contributor-level user pass attacker-controlled data into an unsafe deserialization routine, enabling instantiation of arbitrary PHP objects. With the right POP gadget chain present in WordPress core, another plugin, or the theme itself, this can escalate to file operations, SQL manipulation, or remote code execution. No public exploit identified at time of analysis, and it is not listed in CISA KEV; the 8.8 CVSS reflects the low-privilege network-exploitable path with high confidentiality, integrity, and availability impact.

Deserialization PHP Werkstatt
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Local File Inclusion in the Pearl - Corporate Business WordPress theme (StyleMixThemes) versions 3.4.10 and earlier lets unauthenticated remote attackers coerce the application into including arbitrary local files, exposing sensitive server-side content such as configuration files and credentials. Rated CVSS 8.1 by Patchstack, the flaw requires no authentication (PR:N) but carries high attack complexity (AC:H), and depending on include handling could escalate from information disclosure toward code execution. There is no public exploit identified at time of analysis, no CISA KEV listing, and no EPSS score supplied in the source data.

LFI Information Disclosure PHP +1
NVD
EPSS 0% CVSS 8.8
HIGH This Week

Authenticated PHP object injection in the ARMember Premium WordPress membership plugin (all versions through 7.0) lets low-privileged Contributor-level users pass attacker-controlled serialized data into a PHP unserialize() sink, potentially chaining with POP gadgets to achieve high-impact compromise. With a CVSS of 8.8 and network vector, a user holding only a Contributor account can reach confidentiality, integrity, and availability impacts. No public exploit has been identified at time of analysis and it is not on CISA KEV, but the vulnerability class is well understood and reliably weaponizable where a suitable gadget chain exists.

Deserialization PHP Armember Premium
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Local File Inclusion in the GoodLayers Tourmaster WordPress plugin (versions <= 5.4.5) allows low-privileged authenticated users at the Subscriber level to include and read arbitrary local files from the server, exposing sensitive data such as configuration files and credentials. Reported through Patchstack and mapped to CWE-98, the flaw carries a CVSS 7.5 (High) score with high attack complexity; no public exploit code has been identified at time of analysis, and it is not listed in CISA KEV.

LFI Information Disclosure PHP +1
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Unauthenticated Local File Inclusion in the AncoraThemes 'Lighthouse' WordPress theme (versions 1.2.12 and earlier, classified under CWE-98) lets remote attackers with no credentials coerce the theme's PHP include/require logic into loading attacker-influenced file paths. Because CWE-98 covers PHP remote/local file inclusion, a successful attack can disclose sensitive server files (wp-config.php, credentials) and, depending on server configuration, escalate to code execution, which is why NVD scores full C/I/A impact. There is no public exploit identified at time of analysis and the flaw is not listed in CISA KEV.

LFI Information Disclosure PHP +1
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Arbitrary file copy in the Database for Contact Form 7, WPforms, Elementor Forms WordPress plugin (versions ≤ 1.5.1) exposes any file readable by the PHP process to unauthenticated network attackers. The `create_entry_el()` function accepts attacker-controlled POST data as a file path and passes it directly to PHP's `copy()`, which transparently accepts both local filesystem paths and remote URLs - enabling server file exfiltration or remote resource staging. Exploitation requires Elementor Pro to be installed and active alongside the vulnerable plugin; no public exploit or CISA KEV listing has been identified at time of analysis, though the unauthenticated network vector and high confidentiality impact make this a credible priority for mixed Elementor Pro deployments.

WordPress Path Traversal PHP +1
NVD VulDB
EPSS 3% CVSS 7.2
HIGH This Week

Authenticated OS command injection in the WP Database Backup plugin for WordPress (all versions up to and including 7.11) lets administrator-level users execute arbitrary operating system commands on the underlying server, escalating a WordPress admin foothold into full host RCE. The flaw stems from the wp_db_exclude_table POST parameter being concatenated unescaped into the mysqldump shell command; the injection is stored, so payloads persist in the options table and fire whenever a backup runs. Reported by Wordfence with no public exploit identified at time of analysis and no CISA KEV listing.

Command Injection WordPress RCE +2
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Unauthenticated code injection in the Request a Quote plugin for WordPress (versions up to and including 2.5.5) lets remote attackers invoke arbitrary zero-argument PHP functions on the server through the emd_delete_file AJAX action. Because the handler is registered for wp_ajax_nopriv and derives a callable function name from the attacker-controlled $_POST['path'] parameter, an attacker can trigger functions such as phpinfo() to expose server configuration and credentials, or destructive built-in functions. No public exploit identified at time of analysis, but the nonce that is the sole gatekeeper is printed directly into the public quote-form page, effectively neutralizing it.

WordPress RCE PHP
NVD VulDB
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

Cross-site scripting in Silverstripe Framework's 'Insert media from web' CMS feature allows a remote unauthenticated attacker to inject malicious JavaScript by supplying a specially crafted embed URL that a CMS editor then inserts into content. All Silverstripe Framework installations prior to version 6.2.2 are affected. No public exploit code has been identified and this vulnerability is not listed in the CISA KEV catalog, but the low attack complexity and network accessibility make it a credible risk for any deployment where CMS editors process externally sourced media.

XSS PHP Silverstripe Framework
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Type confusion in API Platform Core's AbstractItemNormalizer allows authenticated API consumers to corrupt relational data by supplying IRIs pointing to resources of the wrong type during write operations (POST/PUT/PATCH). The root cause is that getResourceFromIri() omits the $operation context when calling IriConverter::getResourceFromIri(), silently bypassing the is_a type guard at IriConverter.php:86. All 4.1.x, 4.2.x, and 4.3.x releases prior to the patched versions are affected; no public exploit or CISA KEV listing has been identified at time of analysis.

Memory Corruption Information Disclosure PHP +1
NVD GitHub
EPSS 0% CVSS 6.0
MEDIUM PATCH This Month

Sandbox allow-list bypass in the Twig PHP templating engine lets attacker-supplied filters, tags, and functions run unchecked when a shared Environment mixes sandboxed and non-sandboxed renders. The filter/tag/function SecurityPolicy check was computed once in the Template constructor and cached in $loadedTemplates, so any later sandbox state change or a pre-warmed template left a stale (typically empty) verdict, defeating the sandbox. Fixed in Twig 3.27.0; no public exploit identified at time of analysis and it is not in CISA KEV.

Authentication Bypass PHP
NVD GitHub
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Arbitrary file disclosure in Horde IMP webmail before 7.0.1 lets an authenticated user read any file the web server can access by planting directory-traversal sequences after a CKEditor path prefix inside an image src URL when composing mail. A weak stripos() prefix check fails to block traversal appended after the allowed prefix, so file_get_contents() pulls in files like /etc/passwd or configuration secrets and attaches them as MIME parts on the outgoing message. No public exploit identified at time of analysis, but VulnCheck published an advisory and the flaw is CSRF-triggerable against a live session, raising practical exposure for internet-facing Horde deployments.

CSRF Path Traversal PHP +1
NVD GitHub
EPSS 1% CVSS 9.3
CRITICAL Act Now

Unauthenticated OS command injection in the Guardian language-system PHP application lets remote attackers run arbitrary operating-system commands by injecting shell metacharacters into the 'id' GET parameter of text_to_subtitles.php, which is concatenated directly into a PHP exec() call. Any internet-reachable instance can be fully compromised without credentials or user interaction, and the CVSS 4.0 base score of 9.3 reflects full confidentiality, integrity, and availability loss. No public exploit identified at time of analysis, though a VulnCheck advisory and a technical gist describe the exact vulnerable code path.

Command Injection PHP
NVD GitHub
EPSS 1% CVSS 9.3
CRITICAL Act Now

OS command injection in Guardian language-system's transcribe.php lets an unauthenticated remote attacker inject arbitrary shell commands through the 'id' GET parameter, which is concatenated directly into a PHP exec() call. Because no authentication or user interaction is required and the flaw yields full command execution, it maps to a CVSS 4.0 score of 9.3 with high confidentiality, integrity, and availability impact. No public exploit is identified at time of analysis, though a public gist writeup and a VulnCheck advisory document the issue.

Command Injection PHP
NVD GitHub
EPSS 1% CVSS 9.3
CRITICAL Act Now

OS command injection in Guardian language-system's transcribe_amazon.php allows an unauthenticated remote attacker to run arbitrary operating-system commands on the host. The id GET parameter is concatenated directly into a PHP exec() call that shells out to a transcription job, so appending shell metacharacters (e.g. ; | `) yields command execution with the privileges of the web server. No authentication or user interaction is required (PR:N/UI:N), and a public gist reference exists that may contain proof-of-concept details, though active exploitation is not confirmed in CISA KEV.

Command Injection PHP
NVD GitHub
EPSS 1% CVSS 9.3
CRITICAL Act Now

OS command injection in Guardian Language System's translate_text.php allows unauthenticated remote attackers to execute arbitrary operating-system commands by injecting shell metacharacters into the 'id' GET parameter, which is concatenated directly into a PHP exec() call. Because no authentication is required and the CVSS 4.0 vector is AV:N/AC:L/PR:N/UI:N, exploitation is trivial and yields full command execution in the web server's context. There is no public exploit identified at time of analysis, though a VulnCheck advisory and a public gist document the flaw.

Command Injection PHP
NVD GitHub
EPSS 1% CVSS 9.3
CRITICAL Act Now

Unauthenticated OS command injection in Guardian language-system's speech_text.php allows remote attackers to execute arbitrary shell commands by injecting metacharacters into the id GET parameter, which is passed unsanitized into a PHP exec() call. No authentication is required (CVSS 4.0 base 9.3), giving full read/write/availability impact on the host. A referenced GitHub gist and a VulnCheck advisory document the flaw, indicating publicly available exploit details, though it is not listed in CISA KEV.

Command Injection PHP
NVD GitHub
EPSS 1% CVSS 9.3
CRITICAL Act Now

OS command injection in the Guardian language-system's speechmac.php enables unauthenticated remote attackers to run arbitrary operating-system commands by injecting shell metacharacters into the 'id' GET parameter, which is concatenated directly into a PHP exec() call. No credentials or user interaction are required, so any network-reachable instance can be fully compromised. This is a CWE-78 flaw carrying a CVSS 4.0 base score of 9.3; no public exploit identified at time of analysis, though a referenced gist may contain proof-of-concept material.

Command Injection PHP
NVD GitHub
EPSS 1% CVSS 9.3
CRITICAL Act Now

OS command injection in the Guardian language-system lets unauthenticated remote attackers run arbitrary shell commands by injecting metacharacters into the 'id' GET parameter, which speechmac_text.php concatenates directly into a PHP exec() call. The CVSS 4.0 base score is 9.3 (critical) with full compromise of confidentiality, integrity, and availability, and no authentication or user interaction is needed. No public exploit identified at time of analysis, though a referenced gist and the VulnCheck advisory may contain technical exploitation detail.

Command Injection PHP
NVD GitHub
EPSS 1% CVSS 9.3
CRITICAL Act Now

OS command injection in Guardian language-system allows an unauthenticated remote attacker to execute arbitrary shell commands by injecting metacharacters into the 'id' GET parameter of complex_start.php, which is passed unsanitized into a PHP exec() call. No authentication or user interaction is required, and the CVSS 4.0 score of 9.3 (Critical) reflects full compromise of confidentiality, integrity, and availability. A public gist demonstrating the flaw means publicly available exploit code exists, though it is not listed in CISA KEV.

Command Injection PHP
NVD GitHub
EPSS 1% CVSS 9.3
CRITICAL Act Now

OS command injection in the Guardian language-system lets an unauthenticated remote attacker run arbitrary shell commands by injecting metacharacters into the 'id' GET parameter, which speech.php passes unsanitized into a PHP exec() call. Rated CVSS 4.0 9.3 (Critical) with a fully remote, no-privilege, no-interaction vector, this is a direct pre-auth RCE. No CISA KEV listing or EPSS score is present in the provided data, and no confirmed public exploit is identified, though a referenced GitHub gist and a VulnCheck advisory document the flaw.

Command Injection PHP
NVD GitHub
EPSS 1% CVSS 9.3
CRITICAL Act Now

OS command injection in the Guardian language-system lets an unauthenticated remote attacker execute arbitrary operating-system commands on the hosting server. The flaw arises because text.php passes the user-controlled 'id' GET parameter straight into a PHP exec() call without sanitization, allowing shell metacharacters to break out of the intended command. The CVSS 4.0 base score is 9.3 (network vector, no privileges, no user interaction); no public exploit is identified at time of analysis, though a referenced gist and a VulnCheck advisory document the issue.

Command Injection PHP
NVD GitHub
EPSS 1% CVSS 9.3
CRITICAL POC Act Now

OS command injection in Guardian language-system lets unauthenticated remote attackers run arbitrary shell commands by injecting metacharacters into the 'id' GET parameter of translate.php, which is concatenated directly into a PHP exec() call. Publicly available exploit code exists (published as a gist via VulnCheck), and the CVSS 4.0 base score of 9.3 reflects full compromise of confidentiality, integrity, and availability with no authentication or user interaction. There is no public exploit identified as actively exploited in CISA KEV, so the current risk is driven by ease of exploitation and public PoC rather than confirmed in-the-wild abuse.

Command Injection PHP Language System
NVD GitHub
EPSS 1% CVSS 9.3
CRITICAL POC Act Now

Remote code execution in Guardian language-system allows unauthenticated attackers to run arbitrary OS commands by injecting shell metacharacters into the 'id' GET parameter of subtitles.php, which is concatenated directly into a PHP exec() call invoking jobs/subtitle_rendering.php. The CVSS 4.0 base score of 9.3 reflects network-reachable, no-privilege, no-interaction exploitation, and publicly available exploit code exists (published via VulnCheck), though there is no public exploit identified as being actively used in the wild at time of analysis.

Command Injection PHP Language System
NVD GitHub
EPSS 0% CVSS 9.3
CRITICAL POC Act Now

SQL injection in the Guardian language-system (translate_text.php) lets remote attackers extract arbitrary database contents by injecting into the unsanitized 'id' GET parameter. The CVSS 4.0 vector scores this 9.3 (Critical) with PR:N, and the VulnCheck advisory title labels it unauthenticated, though the CVE description states an authenticated attacker is required - this discrepancy should be verified. Publicly available exploit code exists, but there is no public exploit identified as being actively used in attacks (not in CISA KEV).

SQLi PHP Language System
NVD GitHub
EPSS 0% CVSS 9.3
CRITICAL POC Act Now

SQL injection in Guardian Language-System's designer.php exposes the entire backend database to attackers who supply a crafted 'name' GET parameter, which is concatenated directly into a SELECT query without sanitization (CWE-89). VulnCheck reports this as remotely reachable and publicly available exploit code exists, though no public exploit is confirmed as actively used in the wild (not in CISA KEV). Note a source conflict: the CVE description labels the attacker 'authenticated' while the VulnCheck advisory and CVSS 4.0 vector (PR:N) describe it as unauthenticated.

SQLi PHP Language System
NVD GitHub
EPSS 0% CVSS 9.3
CRITICAL POC Act Now

SQL injection in Guardian Language-System's subtitles.php lets attackers extract arbitrary database contents by tampering with the id GET parameter, which is concatenated directly into a SELECT query without sanitization. The flaw is error-based and rated critical (CVSS 4.0 base 9.3, VC:H/VI:H/VA:H), publicly available exploit code exists (VulnCheck advisory plus a public gist PoC), and there is no public exploit identified as being used in active attacks. Note a source conflict: the CVE description labels the attacker 'authenticated,' but the CVSS vector (PR:N) and VulnCheck's advisory title both describe it as unauthenticated.

SQLi PHP Language System
NVD GitHub
EPSS 0% CVSS 9.3
CRITICAL POC Act Now

SQL injection in Guardian language-system via the 'id' GET parameter in job_info_get.php lets attackers inject arbitrary SQL into a query against the 'jobs' table, enabling error-based extraction of database contents. The CVSS 4.0 vector (AV:N/PR:N) and VulnCheck advisory title indicate unauthenticated network exploitation, though the CVE description text describes an 'authenticated attacker' - a discrepancy defenders should verify. Publicly available exploit code exists (VulnCheck/gist PoC), raising the practical risk despite no confirmed active exploitation.

SQLi PHP Language System
NVD GitHub
EPSS 0% CVSS 9.3
CRITICAL POC Act Now

SQL injection in Guardian language-system's text_file.php lets remote attackers extract arbitrary database contents by injecting into the unsanitized 'id' GET parameter. The flaw is a classic error-based SQLi (CWE-89) where user input is concatenated directly into a SELECT statement, and publicly available exploit code exists (reported by VulnCheck). No CISA KEV listing exists, so this represents publicly available exploit code rather than confirmed active exploitation.

SQLi PHP Language System
NVD GitHub
EPSS 0% CVSS 9.3
CRITICAL POC Act Now

Error-based SQL injection in Guardian Language System's media.php allows attackers to extract arbitrary database contents by injecting into the unsanitized 'id' GET parameter (CWE-89). Publicly available exploit code exists (published via a GitHub gist by VulnCheck), and the CVSS 4.0 vector (AV:N/AC:L/PR:N) plus the VulnCheck advisory title indicate unauthenticated network exploitation, though the CVE description conversely refers to an 'authenticated attacker' - a discrepancy defenders should verify. No public evidence of active in-the-wild exploitation (not listed in CISA KEV).

SQLi PHP Language System
NVD GitHub
EPSS 0% CVSS 9.3
CRITICAL POC Act Now

Unauthenticated SQL injection in Guardian Language System lets remote attackers manipulate the backend database by injecting into the `id` GET parameter of job_info.php, which is concatenated directly into a SQL query with no sanitization. Because no authentication is required (CVSS 4.0 PR:N) and publicly available exploit code exists, any attacker who can reach the endpoint can extract database version, current user, schema names, and table contents via error-based injection. Reported by VulnCheck with a CVSS of 9.3; no public exploit identified as actively used in the wild (not in CISA KEV).

SQLi PHP Language System
NVD GitHub
EPSS 0% CVSS 4.8
MEDIUM POC This Month

Reflected cross-site scripting in Guardian Language-System's media.php allows authenticated attackers to inject arbitrary JavaScript into the victim's browser session by crafting a malicious URL with a script payload in the id GET parameter. The flaw exists because the id parameter is written unsanitized directly into HTML source and form action attributes at lines 119 and 129 of media.php. A publicly available proof-of-concept exploit exists on GitHub, though no KEV listing indicates broad active exploitation at time of analysis.

XSS PHP Language System
NVD GitHub
EPSS 0% CVSS 4.8
MEDIUM POC This Month

Reflected XSS in Guardian Language-System's text_file.php allows an authenticated attacker to inject arbitrary script tags into at least six distinct form action attributes (lines 94, 101, 323, 403, 826, 852) by crafting a malicious URL with a payload in the id GET parameter. When a second authenticated victim is socially engineered into following the crafted link, the script executes within their browser session against the Guardian Language-System origin, enabling session token theft or unauthorized actions on the victim's behalf. A publicly available proof-of-concept exploit exists on GitHub; no CISA KEV listing has been identified, meaning active exploitation is not confirmed at time of analysis.

XSS PHP Language System
NVD GitHub
EPSS 0% CVSS 4.8
MEDIUM POC This Month

Reflected XSS in Guardian language-system's designer.php allows authenticated attackers to inject and execute arbitrary JavaScript in a victim's browser session by crafting a malicious URL. The `name` GET parameter is echoed unsanitized directly into an HTML input value attribute at line 57, enabling classic reflected cross-site scripting. A publicly available proof-of-concept exploit exists on GitHub (via VulnCheck advisory); the vulnerability is not currently listed in CISA KEV, and real-world impact is constrained by the requirement for victim interaction and authentication.

XSS PHP Language System
NVD GitHub
EPSS 0% CVSS 5.9
MEDIUM PATCH This Month

Deserialization of untrusted data in MediaWiki's wiki import subsystem and logging infrastructure exposes installations to PHP object injection, with high integrity impact on affected systems. Specifically, the WikiImporter, WikiRevision, and LogEntryBase components process attacker-controlled serialized data without sufficient validation, allowing a high-privileged authenticated user to trigger unintended object instantiation or code execution paths. No active exploitation (CISA KEV) or public proof-of-concept has been identified at time of analysis; however, vendor-confirmed patches are available in releases 1.43.9, 1.44.6, 1.45.4, and 1.46.0.

Deserialization PHP Mediawiki
NVD VulDB
EPSS 1% CVSS 5.3
MEDIUM PATCH This Month

Authentication API endpoints and Special pages in MediaWiki expose low-severity confidentiality and integrity weaknesses exploitable by unauthenticated remote attackers who can induce victim user interaction. Five files spanning account-linking and credential management operations - ApiChangeAuthenticationData, ApiLinkAccount, ApiRemoveAuthenticationData, SpecialLinkAccounts, and SpecialUnlinkAccounts - are affected across all MediaWiki releases prior to the fixed branches 1.43.9, 1.44.6, 1.45.4, and the forthcoming 1.46.0. No public exploit code and no active exploitation have been identified at time of analysis; real-world risk is constrained by the user-interaction prerequisite and the limited impact scope.

PHP Mediawiki Authentication Bypass
NVD VulDB
EPSS 0%
NONE PATCH Awaiting Data

Cross-site scripting in Wikimedia Foundation MediaWiki and the CentralAuth extension allows authenticated low-privileged users to inject malicious scripts into rendered wiki pages or API output through unsanitized input in API formatting, ResourceLoader module handling, page display hooks, and permission change log formatting. Affected versions span all releases of both products prior to the 1.46.0, 1.45.4, 1.44.6, and 1.43.9 patch series. No public exploit code or CISA KEV listing has been identified at time of analysis, though the five affected PHP files suggest a broad attack surface across core MediaWiki subsystems.

XSS PHP Mediawiki +1
NVD VulDB
EPSS 1% CVSS 9.3
CRITICAL POC PATCH Act Now

Unauthenticated blind SQL injection in Control Web Panel (CWP) before 0.9.8.1225 lets remote attackers inject arbitrary SQL through the userRes POST parameter of the user endpoint, and because CWP's MySQL connection runs with root privileges the flaw escalates to full remote code execution via INTO DUMPFILE. Attackers write a PHP webshell into the web-accessible roundcube logs directory and execute commands as the cwpsvc account. Publicly available exploit code exists and a vendor patch has been released; this is a network, no-authentication, low-complexity issue (CVSS 4.0 9.3).

SQLi RCE PHP +1
NVD
EPSS 0%
NONE PATCH Awaiting Data

Information disclosure in MediaWiki's core parser component (includes/Parser/Parser.php) allows authenticated low-privilege users, under conditions requiring user interaction, to obtain sensitive information not intended for their access level. All MediaWiki branches are affected up to versions 1.43.9, 1.44.6, 1.45.4, and 1.46.0, covering a broad installation base including self-hosted wikis worldwide. No public exploit code exists and no active exploitation has been confirmed at time of analysis; however, the provided CVSS 4.0 vector contains a contradictory zero-impact scoring that warrants independent verification against the upstream advisory.

PHP Information Disclosure Mediawiki
NVD VulDB
EPSS 0%
NONE PATCH Awaiting Data

Code injection in the Wikimedia Foundation Timeline extension (EasyTimeline) allows authenticated wiki editors to execute arbitrary server-side code via crafted timeline syntax processed by the Perl-based EasyTimeline.Pl script and its PHP integration layer Timeline.Php. The vulnerability stems from CWE-94 improper code generation control, where user-supplied timeline markup is passed to the backend Perl interpreter without sufficient sanitization, enabling remote code execution on the MediaWiki server. No public exploit code has been identified at time of analysis, but the RCE tag and network-accessible attack vector make this a high-priority patching target for any publicly editable or semi-public MediaWiki instance.

Code Injection PHP RCE +1
NVD VulDB
EPSS 0%
NONE PATCH Awaiting Data

Stored cross-site scripting in the Wikimedia Foundation Timeline extension exposes MediaWiki installations to session hijacking and credential theft. The flaw exists in Timeline.php and EasyTimeline.pl, where user-supplied timeline markup syntax is not properly neutralized before HTML output, allowing an authenticated wiki editor to inject arbitrary JavaScript executed in other users' browsers. No public exploit has been identified at time of analysis, and KEV listing is absent, but the network-accessible nature and low-privilege entry point make this a credible risk on publicly editable wikis.

XSS PHP Timeline
NVD VulDB
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Sensitive abuse filter configuration data in Wikimedia Foundation's AbuseFilter MediaWiki extension is exposed to authenticated low-privilege users via the QueryAbuseFilters API endpoint (includes/Api/QueryAbuseFilters.php). Authenticated wiki users on affected installations (all versions before 1.46.0, 1.45.4, 1.44.6, and 1.43.9) can retrieve private or restricted filter rule details they should not be authorized to access. No active exploitation has been confirmed (not listed in CISA KEV) and no public proof-of-concept exploit is known at time of analysis, but the moderate CVSS 4.0 score of 5.3 reflects real risk to wikis relying on confidential filter logic for abuse prevention.

PHP Information Disclosure Abusefilter
NVD VulDB
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Cross-site scripting in the Wikimedia Foundation SyntaxHighlight_GeSHi MediaWiki extension allows authenticated users to inject unsanitized input via the syntax highlighting interface, with malicious script executing in victims' browsers upon page view. The flaw originates in includes/SyntaxHighlight.php and affects all versions prior to branch-specific fixes at 1.46.0, 1.45.4, 1.44.6, and 1.43.9. No public exploit code or active exploitation has been identified at time of analysis, and the CVSS 4.0 score of 5.3 (Medium) reflects limited confidentiality impact scoped to the vulnerable system.

XSS PHP Syntaxhighlight Geshi
NVD VulDB
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Sensitive information exposure in MediaWiki's InfoAction.php allows unauthenticated remote actors to obtain restricted page metadata through the 'Info' action endpoint. All MediaWiki versions before 1.46.0, 1.45.4, 1.44.6, and 1.43.9 are affected across all deployment configurations. No public exploit code exists and the vulnerability is not listed in CISA KEV, but the low attack complexity and lack of authentication requirements make opportunistic discovery straightforward for any actor who can reach the wiki.

PHP Information Disclosure Mediawiki
NVD VulDB
EPSS 0%
NONE PATCH Awaiting Data

Cross-site scripting vulnerabilities across multiple log formatter and language components in MediaWiki allow authenticated low-privilege users to inject malicious JavaScript that executes in the browser of any user who views affected log pages or the SpecialVersion special page. The vulnerability spans seven PHP files covering block, patrol, rename-user, and tag log formatters, the base LogFormatter, the Language class, and SpecialVersion - indicating widespread unsanitized output rendering in administrative and logging interfaces. No public exploit code has been identified and the vulnerability is not listed in CISA KEV, but the breadth of affected components and the multiple concurrent fix branches (1.43.9, 1.44.6, 1.45.4, 1.46.0) signal a significant audit-driven remediation effort.

XSS PHP Mediawiki
NVD VulDB
EPSS 0% CVSS 2.1
LOW PATCH Monitor

Insufficient permission enforcement in MediaWiki's user query API endpoints allows low-privileged authenticated users to access sensitive user information - such as group memberships or account details - that permission controls should restrict. The vulnerability spans four source files: ApiQueryAllUsers.php, ApiQueryUsers.php, PermissionManager.php, and UserGroupManager.php, indicating that the flaw lies in how permission checks are applied (or bypassed) when the API serializes user data. No public exploit code exists and the CVSS 4.0 score of 2.1 reflects the constrained real-world exploitability. No confirmed active exploitation (CISA KEV) has been reported.

PHP Information Disclosure Mediawiki
NVD VulDB
EPSS 0% CVSS 5.1
MEDIUM PATCH This Month

Information disclosure in MediaWiki's ApiUserrights.php exposes sensitive user rights data to authenticated actors who should not have access to it. All MediaWiki installations running versions prior to 1.43.9, 1.44.6, 1.45.4, and 1.46.0 are affected. The CVSS 4.0 score of 5.1 with low confidentiality impact (VC:L) reflects a bounded but real data leakage risk; no public exploit identified at time of analysis.

PHP Information Disclosure Mediawiki
NVD VulDB
EPSS 0%
NONE Awaiting Data

Session fixation in the Wikimedia Foundation OAuth MediaWiki extension (src/Backend/MWOAuthServer.php) allows a network-accessible, low-privileged attacker to manipulate the OAuth authorization handshake so that a victim's authentication binds to an attacker-controlled session identifier. All four actively maintained release branches are affected through versions 1.46.0, 1.45.4, 1.44.6, and 1.43.9. No public exploit or CISA KEV listing exists at time of analysis; however, the 'Information Disclosure' tag applied to this CVE creates tension with the vendor-supplied CVSS 4.0 zero-impact scoring and warrants independent verification.

Session Fixation Information Disclosure PHP +1
NVD VulDB
EPSS 0%
NONE Awaiting Data

Improper input validation in Wikimedia Foundation's UrlShortener extension (includes/UrlShortenerUtils.php) exposes a potential information disclosure path accessible to low-privileged authenticated users over the network. The vulnerability is classified under CWE-20 and tagged as an information disclosure issue, though the provided CVSS 4.0 vector records zero impact across all dimensions - a notable contradiction with the 'Information Disclosure' tag that warrants independent verification. No public exploit code exists and no active exploitation has been confirmed.

Information Disclosure PHP Urlshortener
NVD VulDB
EPSS 0% CVSS 9.1
CRITICAL Act Now

Arbitrary file deletion in the WP-BusinessDirectory (Business Directory) plugin for WordPress (versions ≤ 4.0.1) lets unauthenticated remote attackers delete any file the web server can access, including wp-config.php. The flaw stems from the frontend-accessible task=upload.remove endpoint accepting an unsanitized _filename parameter that permits ../ path traversal. No public exploit is identified at time of analysis, but the CVSS 9.1 rating and trivial exploitation (network, no auth, no user interaction) make it high priority; deleting wp-config.php can force WordPress into its installer, enabling site takeover.

WordPress Path Traversal PHP +1
NVD VulDB
EPSS 0% CVSS 7.5
HIGH This Week

Arbitrary zero-argument PHP function invocation in the Youtube Showcase (Video Gallery - YouTube Gallery, Playlist & Video Grid) plugin for WordPress affects all versions up to and including 4.0.3, letting authenticated Subscriber-level users abuse the emd_delete_file() AJAX handler to call any callable PHP function name with no arguments. Because the handler validates only a nonce and omits a current_user_can() capability check, low-privileged accounts can trigger functions such as phpinfo(), get_defined_vars(), or error_get_last() to disclose sensitive server and application data. No public exploit identified at time of analysis and the issue is not in CISA KEV, so risk is currently theoretical but credible given the low privilege bar.

WordPress LFI Information Disclosure +2
NVD VulDB
EPSS 0% CVSS 6.1
MEDIUM This Month

Reflected Cross-Site Scripting in Wp Google Places Review Slider (WordPress plugin, versions ≤ 18.1) allows unauthenticated remote attackers to inject arbitrary JavaScript via the unsanitized `place` GET parameter in `admin/partials/googlecrawl_dfs.php`. The raw user input is URL-decoded and passed through `stripslashes()` before being echoed directly into an HTML value attribute — bypassing WordPress's standard `esc_attr()` — but only when the supplied place value is not already present as a key in the `wprev_google_crawls` stored option. No public exploit identified at time of analysis; successful exploitation requires tricking an authenticated WordPress administrator into clicking a specially crafted link.

WordPress XSS PHP +2
NVD VulDB
EPSS 0% CVSS 9.8
CRITICAL Act Now

Remote code execution is claimed in DokuWiki 2025-05-14b "Librarian" (build 56.2) via the register function in inc/auth.php, which security intelligence maps to CWE-640 (weak password-recovery mechanism) - a mismatch that suggests account-takeover-to-code-execution rather than a direct memory-corruption RCE. The CVSS 3.1 score of 9.8 (network, no authentication, no user interaction) implies any internet-facing DokuWiki instance is at risk, and publicly available exploit code exists (a public gist proof-of-concept plus SSVC 'poc' exploitation status), though EPSS remains low at 0.26% (17th percentile), indicating no observed mass exploitation yet. Reported by MITRE and tracked as ENISA EUVD-2026-40863, it is tagged PHP/RCE but is not listed in CISA KEV.

RCE PHP
NVD GitHub VulDB
EPSS 2% CVSS 9.3
CRITICAL PATCH Act Now

Arbitrary code execution in Grav CMS before 2.0.0-beta.2 stems from three distinct flaw classes: PHP object injection via unsafe unserialize() of attacker-controllable data in the Scheduler JobQueue, FileCache adapter, and Session components, an OS command injection in the plugin/theme InstallCommand git clone routine, and a Twig sandbox blocklist bypass enabling server-side template injection. An attacker who can influence the serialized input can chain available gadgets to run arbitrary PHP, while the command-injection path is reachable by authenticated administrators through plugin/theme installation. No public exploit identified at time of analysis; the issues were privately reported by VulnCheck and are fixed in 2.0.0-beta.2.

Command Injection Deserialization RCE +2
NVD GitHub
CVSS 5.3
MEDIUM PATCH This Month

Credit double-spend via race condition in Paymenter allows any authenticated user with a non-zero credit balance to settle multiple invoices for the cost of one. The root cause is that `lockForUpdate()` in `app/Livewire/Invoices/Show.php` is called outside a database transaction, rendering the pessimistic lock a no-op in MySQL/MariaDB and leaving the read-check-deduct sequence unprotected against concurrent execution. Successful exploitation results in direct financial or resource loss to the platform operator as `ExtensionHelper::addPayment()` provisions services or digital goods for each winning request. No public exploit has been identified at time of analysis.

Authentication Bypass Race Condition PHP
NVD GitHub
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Sandbox policy bypass in Twig PHP template engine allows sandboxed template authors to trigger `__toString()` calls on objects explicitly blocked by `SecurityPolicy::$allowedMethods`, through two distinct coercion paths: `Traversable` inputs to the `join` and `replace` filters, and PHP's implicit spaceship-operator coercion inside the `in`/`not in` operator implementation. Beyond unauthorized method invocation, the `in` operator can be chained into a character-by-character equality oracle, enabling reconstruction of the full string value of sensitive objects - such as tokens or credentials passed into the render context - without any direct method invocation being permitted. This is a residual bypass of CVE-2026-47732; no public exploit code has been identified at time of analysis, and the issue is patched in Twig v3.27.0.

Oracle Information Disclosure PHP
NVD GitHub VulDB
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Sandbox __toString() policy enforcement in Twig is bypassed via dynamic array mapping keys, allowing sandboxed template authors to invoke __toString() on arbitrary context objects without sandbox policy checks. This is a residual bypass of the previously patched CVE-2026-47732, rooted in ArrayExpression failing to declare dynamic mapping keys as string-coercion sites through CoercesChildrenToStringInterface. The reliable demonstrated impact is unauthorized disclosure of sensitive data returned by __toString() on objects that the sandbox was explicitly configured to protect - no public KEV listing exists, but a clear proof-of-concept is embedded in the advisory.

Authentication Bypass PHP
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Sandbox bypass in Twig 3.26.x allows string callables to circumvent the Closure-only restriction when applications use the deprecated `twig_array_some()` and `twig_array_every()` wrapper functions over a sandboxed Environment. The 3.26.0 source-policy hardening changed `CoreExtension::checkArrow()` to accept a boolean sandbox state, but the legacy wrappers in `src/Resources/core.php` were not updated, causing them to silently pass `false` for `$isSandboxed` and accept arbitrary string callables such as `'exec'` or `'system'` that the sandbox was designed to block. No public exploit has been identified at time of analysis, and impact is limited to the narrow subset of applications calling the deprecated wrappers with sandbox mode active.

Authentication Bypass PHP
NVD GitHub
CVSS 8.5
HIGH PATCH This Week

Server provisioning parameter tampering in Paymenter (a PHP/Laravel billing and hosting-management platform) lets any authenticated customer override administrator-defined hosting plans and resource limits during checkout. By injecting arbitrary key-value pairs into the URL-bound checkout configuration, a low-privileged user can escalate CPU, RAM, storage, or package tiers without admin rights. Rated CVSS 8.5 (CWE-20); no public exploit identified at time of analysis and it is not listed in CISA KEV.

Authentication Bypass PHP
NVD GitHub
EPSS 0% CVSS 7.2
HIGH POC PATCH This Week

SQL injection in Dolibarr ERP/CRM through version 23.0.3 lets authenticated REST API users exfiltrate arbitrary database contents - including password hashes and API keys - by abusing the sqlfilters parameter on the setup dictionary and multicurrencies list endpoints. The flawed filter only checked for balanced parentheses and rewrote matched triplets, so an appended UNION SELECT placed outside the expected pattern was concatenated into the WHERE clause unmodified. Publicly available exploit code exists and a vendor fix has been committed; the issue is not listed in CISA KEV.

SQLi Information Disclosure PHP +1
NVD GitHub
EPSS 0% CVSS 5.0
MEDIUM PATCH This Month

{uuid}`. The DeployController.php endpoint performs no team-ownership validation against the requesting user's session, making this a textbook CWE-639 Insecure Direct Object Reference (IDOR) across tenant boundaries. No public exploit code has been identified at time of analysis and this vulnerability is not listed in the CISA KEV catalog, but the attack is mechanically trivial once a target UUID is known.

Authentication Bypass PHP Coolify
NVD GitHub VulDB
EPSS 0% CVSS 8.6
HIGH This Week

Remote code execution in Redeight CMS 1.0 lets an authenticated attacker upload arbitrary PHP scripts through the admin Pages module's FileAdd endpoint, which performs no extension or MIME-type validation. The uploaded file lands in the web-accessible /uploads/files/ directory and is executed directly by the web server, yielding full server-side code execution. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV; EPSS data was not provided.

PHP RCE File Upload +1
NVD VulDB
EPSS 0% CVSS 9.3
CRITICAL Act Now

SQL injection in Redeight CMS 1.0 lets unauthenticated remote attackers extract sensitive database contents by injecting through the 'userEmail' POST parameter of the /admin/index.php login endpoint. Because user input is interpolated directly into SQL without prepared statements, an attacker needs no credentials and no user interaction to read or manipulate backend data, including admin authentication material. The flaw was reported by CERT-PL and carries a CVSS 4.0 base score of 9.3 (Critical); no public exploit identified at time of analysis.

SQLi PHP Redeight Cms
NVD VulDB
EPSS 0% CVSS 8.0
HIGH This Week

Arbitrary file deletion in the Export User Data plugin for WordPress (versions up to and including 2.2.6) allows an authenticated subscriber-level attacker to delete any file on the server, including wp-config.php, which can escalate to remote code execution. The flaw stems from unsafe deserialization of a PHP object embedded in a user's display name that is processed when an administrator exports user data. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV; exploitation is gated by required administrator interaction.

WordPress Deserialization RCE +2
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM This Month

Cross-site request forgery in Plugin for Google Analytics by IO Technologies (WordPress) versions up to and including 1.1 allows unauthenticated remote attackers to overwrite the site's Google Analytics tracking ID by tricking a logged-in administrator into clicking a crafted link. The flaw stems from absent nonce validation on the ga.php settings handler, meaning forged POST requests bypass WordPress's standard CSRF protections entirely. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis, and the CVSS score of 4.3 reflects the required administrator interaction and limited integrity-only impact.

WordPress CSRF PHP +2
NVD VulDB
EPSS 0% CVSS 2.1
LOW POC Monitor

SQL injection in itsourcecode Hospital Management System 1.0 exposes authenticated patient users to database-level attacks via the `/patientchangepassword.php` endpoint. The `newpassword` parameter is passed unsanitized into SQL queries, allowing an authenticated attacker to manipulate backend database operations - potentially reading, modifying, or deleting patient records. A public proof-of-concept exploit exists (GitHub issue linked from VulDB report), though no active exploitation has been confirmed by CISA KEV. The CVSS 4.0 score of 2.1 reflects the limited real-world severity due to the authentication prerequisite and constrained impact scope.

SQLi PHP Hospital Management System
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

SQL injection in itsourcecode Hospital Management System 1.0 exposes the `/patientdetail.php` endpoint to database manipulation via the unsanitized `editid` parameter, reachable by any low-privileged authenticated user over the network. A public proof-of-concept exploit is available (referenced via GitHub issue), lowering the skill barrier for exploitation against any deployed instance. The CVSS 4.0 score of 2.1 reflects low per-impact ratings across confidentiality, integrity, and availability, but SQL injection vulnerabilities routinely exceed their scored impact bounds when database accounts carry excess privileges - no public exploitation has been confirmed in CISA KEV.

SQLi PHP Hospital Management System
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

SQL injection in itsourcecode Hospital Management System 1.0 exposes the billing endpoint /insertbillingrecord.php to database manipulation by low-privileged remote attackers via the unsanitized patientid parameter. A public exploit has been disclosed on GitHub, lowering the barrier to exploitation significantly despite a low CVSS 4.0 base score of 2.1. No CISA KEV listing exists, but the combination of a publicly available proof-of-concept and access to potentially sensitive patient health and billing records elevates real-world concern beyond what the numeric score alone conveys.

SQLi PHP Hospital Management System
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

Price parameter manipulation in SourceCodester Simple Food Ordering System 1.0 allows unauthenticated remote attackers to submit orders at arbitrary prices by modifying the item_price argument in POST requests to /cart.php. The server trusts client-supplied price data without server-side validation, enabling business logic bypass (CWE-840) that could result in financial loss for system operators. A public proof-of-concept exploit is available on GitHub; however, this vulnerability is not currently listed in the CISA KEV catalog.

Information Disclosure PHP Simple Food Ordering System
NVD VulDB GitHub
EPSS 0% CVSS 2.0
LOW Monitor

Stored cross-site scripting in SourceCodester Inventory Management System 1.0 allows a low-privileged remote attacker to inject arbitrary JavaScript via the `full_name` parameter of the User Registration Endpoint at `/api/users_handler.php`. When a privileged user such as an administrator subsequently views the stored user data, the malicious script executes in their browser context, enabling session hijacking, credential theft, or UI redress. Public exploit code exists per VulDB (E:P in CVSS 4.0 vector); however, this vulnerability is not listed in CISA KEV and carries a low CVSS 4.0 base score of 2.0, indicating limited real-world severity.

XSS PHP Inventory Management System
NVD VulDB
EPSS 0% CVSS 2.0
LOW POC Monitor

SQL injection in EyouCMS up to version 1.7.1 allows remote authenticated attackers with high privileges to manipulate database queries via the click_like argument in the /index.php API component. The CVSS 4.0 score is 2.0, heavily discounted by the PR:H requirement, yet confidentiality, integrity, and availability impacts are all rated Low. A public proof-of-concept exists via a GitHub issue report; the vendor has not acknowledged or patched the vulnerability. No active exploitation has been confirmed (not listed in CISA KEV).

SQLi PHP Eyoucms
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM This Month

Privilege escalation via role parameter manipulation in SourceCodester Inventory Management System 1.0 allows unauthenticated remote attackers to self-assign elevated roles during user registration. The vulnerability resides in /api/users_handler.php, where the application fails to enforce server-side restrictions on the role argument at the User Registration Endpoint, enabling account creation with admin-level privileges. A public proof-of-concept exploit is available, lowering the skill bar for abuse against any exposed instance; no CISA KEV listing exists, so confirmed active exploitation in the wild has not been established.

Authentication Bypass PHP Inventory Management System
NVD VulDB
EPSS 1% CVSS 8.7
HIGH POC PATCH This Week

Remote code execution in FrontAccounting before 2.4.20 lets an authenticated user abuse the attachment upload handler to plant a PHP web shell. The handler fails to validate the unique_name parameter, so traversal sequences write attacker-controlled files outside the attachments directory and into the web root, and because file extensions are not validated, an uploaded PHP file executes as the web server user. Publicly available exploit code exists and a vendor patch is available, though the issue is not listed in CISA KEV.

Path Traversal RCE PHP +1
NVD GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

Cross-site scripting in code-projects Online Music Site 1.0 allows unauthenticated remote attackers to inject malicious scripts via the feedback form's fname, femail, faddress, or fmessage parameters handled by /Frontend/Feedback.php. The CVSS 4.0 score of 2.1 (Low) reflects the UI:P requirement - a victim must interact with the crafted content for the payload to execute, limiting autonomous exploitation. A public proof-of-concept is available via GitHub, though no confirmed active exploitation (CISA KEV) has been recorded.

XSS PHP Online Music Site
NVD VulDB GitHub
Prev Page 4 of 275 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy