Skip to main content

PHP

24711 CVEs product

Monthly

CVE-2026-12776 LOW POC Monitor

SQL injection in Montodel House-Rental-Management exposes database contents and integrity to authenticated remote attackers via the unsanitized ID parameter at /index.php?page=houses. All tracked commits up to 90010017b81265eb1ef3810268909f7719a33863 are affected, with no patched release available as the vendor did not respond to coordinated disclosure. Publicly available exploit code exists (E:P in the CVSS 4.0 vector), lowering the bar for exploitation; however, the required authenticated context and limited per-query impact keep the overall risk score low at CVSS 4.0 2.1.

SQLi PHP House Rental Management
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.2%
CVE-2026-12775 MEDIUM POC This Month

SQL injection in Montodel House-Rental-Management's /login.php endpoint allows unauthenticated remote attackers to manipulate the Username parameter and interact with the underlying database without credentials. A public proof-of-concept exploit is available on GitHub, and the vendor was unresponsive to pre-disclosure contact, leaving no patch path. Any internet-exposed deployment of this PHP application should be treated as immediately at risk given the zero-barrier exploitation prerequisites and available exploit code.

SQLi PHP House Rental Management
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.3%
CVE-2026-56346 PHP MEDIUM This Month

Unauthenticated PGP decryption exposure in AVideo through version 25.0 allows any remote attacker to submit private key material, ciphertext, and passphrases to the publicly accessible decryptMessage.json.php endpoint and receive plaintext in the server response - no credentials, session, or token required. The dual impact is confidentiality loss (private key material processed in server memory may be captured in application or web server logs) and availability degradation via unconstrained CPU consumption from repeated cryptographic operations. A publicly available proof-of-concept exists per the GHSA advisory; no vendor patch has been released as of this analysis.

Authentication Bypass Denial Of Service PHP Avideo
NVD GitHub VulDB
CVSS 4.0
6.9
EPSS
0.4%
CVE-2026-56345 PHP CRITICAL Act Now

Authorization bypass in AVideo's Meet plugin (versions through 29.0) lets remote attackers hijack arbitrary user sessions, including admin, by abusing the uploadRecordedVideo.json.php endpoint which derives the target users_id from a caller-controlled filename and then invokes the passwordless User->login() path. Exploitation requires the Meet shared secret, but that secret is a deterministic MD5 of values from configuration.php and is recoverable via known path-traversal flaws or timing attacks against checkToken.json.php. No public exploit identified at time of analysis, though the VulnCheck and GHSA advisories document the attack with code-level precision.

Authentication Bypass PHP File Upload Avideo
NVD GitHub VulDB
CVSS 4.0
9.2
EPSS
0.3%
CVE-2026-56342 MEDIUM This Month

Full-read SSRF in AVideo through version 27.0 allows authenticated administrators to make the server fetch arbitrary URLs via the statsURL parameter in plugin/Live/test.php, including cloud metadata endpoints and internal network services. The endpoint bypasses the codebase's own isSSRFSafeURL() guard - used in seven other endpoints - and returns full response bodies in the HTML output, enabling retrieval of IAM credentials from cloud metadata services such as 169.254.169.254, internal service data, and network configuration details. No public exploit code has been formally labeled as proof-of-concept, but the GHSA advisory discloses the complete vulnerable code path with all three sink functions (file_get_contents, curl_exec, wget), making exploitation trivial for any party who has read the advisory.

PHP SSRF Avideo
NVD GitHub VulDB
CVSS 4.0
6.1
EPSS
0.2%
CVE-2026-56341 PHP HIGH This Week

Unauthenticated information disclosure in AVideo through 26.0 exposes payment transaction records via multiple list.json.php endpoints in the PayPalYPT, AuthorizeNet, and BTCPayments plugins that lack User::isAdmin() authorization checks. Remote attackers can issue direct GET requests to harvest PayPal billing agreement IDs, Express Checkout tokens, Authorize.Net webhook payloads, and Bitcoin transaction records without credentials. No public exploit identified at time of analysis, but the GHSA advisory from WWBN/AVideo and VulnCheck disclosure provide full endpoint paths sufficient for trivial reproduction.

Authentication Bypass PHP Avideo
NVD GitHub VulDB
CVSS 4.0
8.7
EPSS
0.3%
CVE-2022-50972 CRITICAL POC Act Now

WooCommerce 7.1.0 contains a remote code execution vulnerability that allows attackers to execute arbitrary PHP code by injecting shell commands through the product-type parameter. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Code Injection RCE WordPress PHP Woocommerce
NVD Exploit-DB VulDB
CVSS 4.0
9.3
EPSS
0.6%
CVE-2019-25763 CRITICAL POC PATCH Act Now

WordPress Ultimate Addons for Beaver Builder 1.2.4.1 contains an authentication bypass vulnerability that allows attackers to gain unauthorized access by exploiting the social media login form. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Google Authentication Bypass WordPress PHP Ultimate Addons For Beaver Builder
NVD Exploit-DB VulDB
CVSS 4.0
9.3
EPSS
0.4%
CVE-2026-48908 CRITICAL POC KEV EUVD KEV THREAT Emergency

Remote unauthenticated arbitrary file upload in JoomShaper SP Page Builder extension for Joomla (versions 1.0.0 through 6.6.1) allows attackers to upload PHP files that execute on the server, leading to full site compromise. CVSS 4.0 base score is 10.0 with the vendor flagging exploitation as Active (E:A), and no public exploit identified at time of analysis. Given the unauthenticated network vector and direct RCE outcome, this is a critical-priority issue for any Joomla site running the extension.

PHP Authentication Bypass Sp Page Builder Extension For Joomla
NVD VulDB GitHub
CVSS 4.0
10.0
EPSS
0.6%
Threat
5.0
CVE-2026-48939 CRITICAL POC KEV THREAT Emergency

Arbitrary PHP file upload in the iCagenda extension for Joomla enables remote unauthenticated attackers to abuse the event attachment feature to upload and execute server-side code, leading to full web application compromise. The flaw affects iCagenda 1.0.0-3.9.14 and 4.0.0-4.0.7 and carries a CVSS 4.0 score of 10.0 with exploitation marked as Attacked (E:A) in the vector, though no public exploit identified at time of analysis and the issue is not currently listed in CISA KEV.

Authentication Bypass PHP Icagenda Extension For Joomla
NVD VulDB GitHub
CVSS 4.0
10.0
EPSS
0.4%
Threat
5.0
CVE-2026-12119 MEDIUM This Month

Unauthorized file operations in the Simple File List WordPress plugin (versions through 6.3.7) allow authenticated contributors to delete, move, create folders, and download arbitrary server files by exploiting a missing authorization check on the 'frontmanage' shortcode attribute. The attack is non-trivial but fully described: an attacker creates a draft post embedding the 'eeSFL' shortcode, loads the WordPress post preview endpoint to harvest a valid nonce, then submits file operation requests to ee-list-ops-bar-process.php that bypass the intended privilege checks. No public exploit code and no active exploitation (CISA KEV) have been identified at time of analysis; a patch changeset (3579098) exists in the plugin repository, though the released fixed version is not independently confirmed.

Authentication Bypass WordPress PHP Simple File List
NVD VulDB
CVSS 3.1
6.5
EPSS
0.3%
CVE-2026-11911 HIGH This Week

Unauthenticated arbitrary file deletion in the Simple File List WordPress plugin (versions up to and including 6.3.7) allows remote attackers to delete any file the web server can write to, including wp-config.php, which can escalate to remote code execution. The flaw lives in the eeSFL_DeleteFile function and is reachable via the simplefilelist_edit_job AJAX action registered through wp_ajax_nopriv_, with the is_admin() guard rendered ineffective because that function always returns true on admin-ajax.php. No public exploit identified at time of analysis, but the trivial reachability and high-value target (WordPress) make weaponization straightforward.

Path Traversal PHP WordPress RCE Simple File List
NVD VulDB
CVSS 3.1
7.5
EPSS
0.8%
CVE-2026-9843 HIGH This Week

Arbitrary file deletion in the Database for Contact Form 7, WPforms, Elementor forms WordPress plugin (versions ≤1.5.1) allows remote unauthenticated attackers to poison form entries with traversal payloads that, when later viewed by an administrator, delete arbitrary server files and can be escalated to remote code execution by removing wp-config.php. Reported by Wordfence with publicly available exploit code exists via the Wordfence advisory; no public exploit identified at time of analysis as weaponized in-the-wild attacks, and the issue is not in CISA KEV.

Path Traversal PHP WordPress RCE Database For Contact Form 7 Wpforms Elementor Forms
NVD VulDB
CVSS 3.1
8.1
EPSS
0.7%
CVE-2026-55692 PHP HIGH POC PATCH GHSA This Week

Stored cross-site scripting in the StarCitizenWiki EmbedVideo MediaWiki extension (versions <= 4.0.0) allows any user with page-edit rights to inject arbitrary JavaScript into the data-mw-iframeconfig attribute by supplying a malformed URL or ID containing single quotes for the archiveorg, wistia, or sharepoint services. The flaw is present under the default $wgEmbedVideoRequireConsent=true configuration and executes in the wiki origin for every visitor that loads the affected page, with publicly available exploit code exists in the GHSA advisory.

Microsoft XSS PHP
NVD GitHub
CVSS 3.1
7.5
CVE-2026-55691 PHP HIGH POC PATCH GHSA This Week

Stored cross-site scripting in the StarCitizenWiki EmbedVideo MediaWiki extension (versions <= 4.0.0) allows any wiki user to inject arbitrary HTML and JavaScript into rendered pages by abusing the unsanitized class attribute on embed tags such as <youtube>. Because the user-supplied class is concatenated into an HTML template via sprintf without escaping, an attacker can break out of the class attribute and execute script in the context of every visitor that views the page. No public exploit identified at time of analysis beyond the advisory's own PoC, and the issue is not listed in CISA KEV.

PHP XSS
NVD GitHub
CVSS 3.1
8.6
CVE-2026-55690 PHP HIGH POC PATCH GHSA This Week

{{#ev:}} or {{#evl:}} parser functions. The unsanitized service name is reflected into an error message that is rendered as raw HTML, executing in the wiki origin for every visitor to the affected page. No public exploit identified at time of analysis beyond the advisory's own PoC, but working PoC code is published in the GitHub Security Advisory GHSA-c29q-5xm7-5p62.

PHP XSS
NVD GitHub
CVSS 3.1
7.5
CVE-2023-54357 HIGH POC This Week

Joomla com_booking component 2.4.9 contains an information disclosure vulnerability that allows unauthenticated attackers to enumerate user accounts by exploiting the getUserData function in the. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure PHP Joomla Com Booking Component
NVD Exploit-DB VulDB
CVSS 4.0
8.7
EPSS
0.3%
CVE-2019-25762 HIGH POC This Week

Joomla!. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure PHP Joomproject
NVD Exploit-DB
CVSS 4.0
8.7
EPSS
0.4%
CVE-2019-25761 HIGH POC This Week

Joomla!. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Joomcrm
NVD Exploit-DB
CVSS 4.0
7.1
EPSS
0.2%
CVE-2019-25760 MEDIUM POC This Month

Joomla!. Rated medium severity (CVSS 6.9), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE PHP LFI Easy Shop
NVD Exploit-DB
CVSS 4.0
6.9
EPSS
0.4%
CVE-2019-25758 HIGH POC This Week

Joomla!. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

RCE PHP File Upload Vbizz
NVD Exploit-DB
CVSS 4.0
8.7
EPSS
0.7%
CVE-2019-25753 HIGH POC This Week

Joomla!. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Vmap
NVD Exploit-DB
CVSS 4.0
8.8
EPSS
0.4%
CVE-2026-49260 PHP HIGH POC PATCH GHSA This Week

Shell command injection in pontedilana/php-weasyprint prior to 2.5.1 allows code execution as the PHP process when the WeasyPrint binary path is sourced from configuration, environment variables, or per-tenant settings. The library's buildCommand() inverted the order of escapeshellarg() and is_executable(), turning the 'safe' branch into dead code and passing the raw binary string into Symfony Process::fromShellCommandline(). No public exploit identified at time of analysis, but a PoC for the identical KnpLabs/snappy precursor flaw (GHSA-vpr4-p6fq-85jc) is published and directly applicable.

Command Injection PHP
NVD GitHub
CVSS 3.1
8.2
EPSS
0.2%
CVE-2017-20282 HIGH POC This Week

Joomla!. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi
NVD Exploit-DB
CVSS 4.0
8.8
EPSS
0.3%
CVE-2017-20281 HIGH POC This Week

Joomla!. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi
NVD Exploit-DB
CVSS 4.0
8.8
EPSS
0.3%
CVE-2017-20280 HIGH POC This Week

Joomla Component Myportfolio 3.0.2 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the pid parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi
NVD Exploit-DB VulDB
CVSS 4.0
8.8
EPSS
0.2%
CVE-2017-20279 HIGH POC This Week

Joomla Payage 2.05 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the aid parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi
NVD Exploit-DB
CVSS 4.0
8.8
EPSS
0.2%
CVE-2017-20276 HIGH POC This Week

Joomla!. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi
NVD Exploit-DB
CVSS 4.0
8.8
EPSS
0.2%
CVE-2017-20275 HIGH POC This Week

Joomla!. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi
NVD Exploit-DB
CVSS 4.0
8.8
EPSS
0.2%
CVE-2017-20274 HIGH POC This Week

Joomla LMS King Professional 3.2.4.0 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the cp_id parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi
NVD Exploit-DB VulDB
CVSS 4.0
8.8
EPSS
0.2%
CVE-2017-20273 HIGH POC This Week

Joomla Event Registration Pro Calendar 4.1.3 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the id. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi
NVD Exploit-DB
CVSS 4.0
8.8
EPSS
0.2%
CVE-2017-20272 HIGH POC This Week

Joomla Ultimate Property Listing 1.0.2 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi
NVD Exploit-DB
CVSS 4.0
8.8
EPSS
0.2%
CVE-2017-20271 HIGH POC This Week

Joomla StreetGuessr Game 1.1.8 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the catid parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi
NVD Exploit-DB
CVSS 4.0
8.8
EPSS
0.2%
CVE-2017-20270 HIGH POC This Week

Joomla!. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi
NVD Exploit-DB
CVSS 4.0
8.8
EPSS
0.3%
CVE-2019-25752 HIGH POC This Week

Joomla!. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure PHP SQLi Businessdirectory
NVD Exploit-DB VulDB
CVSS 4.0
8.8
EPSS
0.4%
CVE-2026-49359 PHP MEDIUM POC PATCH GHSA This Month

PhpWeasyPrint (pontedilana/php-weasyprint) prior to version 2.6.0 enables server-side request forgery and local file disclosure through its `attachment` option, which passes any URL-shaped value through PHP's `file_get_contents()` without restricting the URL scheme. Applications that expose the `attachment` option to user-controlled input allow an attacker to probe internal HTTP endpoints (including cloud instance metadata services) and read arbitrary local files by supplying schemes such as `file://` or `php://filter/...`, with exfiltrated content embedded directly into the generated PDF output. This is the same vulnerability class patched in KnpLabs/snappy (GHSA-c5fp-p67m-gq56); no public exploit or CISA KEV listing exists at time of analysis.

PHP SSRF Php Weasyprint
NVD GitHub VulDB
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-49286 PHP HIGH PATCH GHSA This Week

PHAR deserialization in PhpWeasyPrint versions prior to 2.6.0 allows remote code execution by bypassing the case-sensitive phar:// blacklist introduced for CVE-2023-28115 - because PHP stream wrappers are case-insensitive, schemes like PHAR:// or PhAr:// pass the check and reach file_exists() in prepareOutput(). When the library runs on PHP 7.4+ and an attacker can influence the output filename argument passed to generation methods, a crafted PHAR archive's metadata is unserialized via a gadget chain, yielding code execution. No CISA KEV listing and no public exploit identified at time of analysis for this specific CVE, although the equivalent upstream KnpLabs/snappy advisory (GHSA-92rv-4j2h-8mjj) ships a working phpggc-based PoC that is directly portable.

PHP Deserialization RCE Php Weasyprint
NVD GitHub
CVSS 3.1
8.1
EPSS
0.6%
CVE-2017-20265 HIGH POC This Week

Joomla!. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi PHP Flip Wall
NVD Exploit-DB
CVSS 4.0
7.1
EPSS
0.2%
CVE-2017-20264 HIGH POC This Week

Joomla!. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi PHP Sponsor Wall
NVD Exploit-DB
CVSS 4.0
7.1
EPSS
0.2%
CVE-2017-20263 HIGH POC This Week

Joomla!. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi PHP Focalpoint Pro Free
NVD Exploit-DB
CVSS 4.0
8.8
EPSS
0.3%
CVE-2017-20262 HIGH POC This Week

Joomla!. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi PHP Ajax Quiz
NVD Exploit-DB VulDB
CVSS 4.0
8.8
EPSS
0.3%
CVE-2017-20259 HIGH POC This Week

Joomla OSDownloads 1.7.4 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the id parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi PHP Osdownloads
NVD Exploit-DB
CVSS 4.0
8.8
EPSS
0.3%
CVE-2017-20258 HIGH POC This Week

Joomla!. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi PHP Rpc
NVD Exploit-DB
CVSS 4.0
8.8
EPSS
0.3%
CVE-2017-20255 HIGH POC This Week

Joomla!. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi PHP Jb Visa
NVD Exploit-DB
CVSS 4.0
8.8
EPSS
0.3%
CVE-2017-20254 HIGH POC This Week

Joomla!. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi PHP User Bench
NVD Exploit-DB
CVSS 4.0
8.8
EPSS
0.3%
CVE-2017-20252 HIGH POC This Week

Joomla NextGen Editor 2.1.0 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL commands through the plname parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi PHP Nextgen Editor
NVD Exploit-DB
CVSS 4.0
8.8
EPSS
0.3%
CVE-2026-49358 PHP LOW POC PATCH GHSA Monitor

Arbitrary file deletion in PhpWeasyPrint prior to version 2.6.0 allows any code holding a reference to a generator instance to inject arbitrary filesystem paths into the public `AbstractGenerator::$temporaryFiles` array, which are then passed to `unlink()` without path-containment validation during script shutdown or object destruction. The vulnerability mirrors a previously disclosed pattern in the related KnpLabs/snappy library (GHSA-87qc-37cw-84h4), and is exploitable by malicious dependencies, plugin code, or any PHP code co-located in the same process with access to the generator object. No public exploit has been identified at time of analysis, and exploitation is substantially constrained by the requirement for high privileges and local code access.

PHP RCE Php Weasyprint
NVD GitHub VulDB
CVSS 3.1
3.0
EPSS
0.1%
CVE-2026-55568 PHP MEDIUM PATCH GHSA This Month

Silent TLS downgrade in Guzzle's built-in cURL handlers exposes proxy credentials and tunneled connection metadata to network interception when the application is configured to use an https:// proxy but runs against libcurl older than 7.50.2. Affected deployments see proxy authentication headers (Proxy-Authorization, CURLOPT_PROXYUSERPWD), CONNECT target host/port for tunneled HTTPS, and full request headers and bodies for plain HTTP requests transmitted without encryption - with no runtime error or warning from Guzzle or libcurl. No public exploit identified at time of analysis and no CISA KEV listing; however, the CVSS confidentiality impact is rated High (C:H) due to full credential exposure on the proxy leg.

PHP Information Disclosure
NVD GitHub
CVSS 3.1
5.9
EPSS
0.1%
CVE-2026-54414 CRITICAL PATCH Act Now

Unauthenticated administrator account takeover in FileRise before 3.16.0 is possible via a path traversal flaw in the shared-folder upload endpoint (/api/folder/uploadToSharedFolder.php), where URL-encoded path separators bypass filename validation and allow arbitrary file write outside the upload directory. Any actor holding a valid, non-expired, upload-enabled shared-folder token - tokens explicitly designed to be shared publicly - can overwrite users/users.txt to plant an admin account and, depending on configuration, achieve remote code execution. No public exploit identified at time of analysis, but the upstream fix in v3.16.0 documents the exact bypass, lowering the bar for weaponization.

Path Traversal PHP RCE Filerise
NVD GitHub VulDB
CVSS 4.0
9.3
EPSS
0.7%
CVE-2026-7515 CRITICAL Act Now

Unauthenticated remote code execution in BetterDocs Pro for WordPress (versions through 3.8.0) is achievable by abusing the `doc_style` parameter to include arbitrary local PHP files. Wordfence has assigned a critical 9.8 CVSS score, and while no public exploit identified at time of analysis, the unauthenticated network-reachable nature of the flaw on a widely deployed WordPress documentation plugin makes opportunistic mass-exploitation likely once details propagate.

Information Disclosure WordPress RCE LFI PHP +1
NVD VulDB
CVSS 3.1
9.8
EPSS
0.9%
CVE-2026-8713 CRITICAL Act Now

Arbitrary file deletion in the Avada (Fusion) Builder WordPress plugin through version 3.15.3 allows remote unauthenticated attackers to delete any file on the server via path traversal in the maybe_delete_files function, which commonly escalates to remote code execution when wp-config.php is removed and WordPress enters setup mode. Wordfence reports the flaw is reachable through the wp_ajax_nopriv_fusion_form_submit_ajax handler on sites that have a published Avada form saving entries to the database. No public exploit identified at time of analysis, but the CVSS 9.1 score reflects trivial network exploitation with no authentication or user interaction.

Path Traversal PHP WordPress RCE Avada Fusion Builder
NVD
CVSS 3.1
9.1
EPSS
1.2%
CVE-2026-8118 MEDIUM This Month

Arbitrary file read in Royal Addons for Elementor versions 1.7.1058-1.7.1059 allows authenticated attackers with Contributor-level access to retrieve the contents of any file readable by the PHP process - including wp-config.php and its database credentials - via a crafted wpr-data-table widget saved through Elementor's save_builder endpoint. The flaw is a regression: the vulnerable wpr_get_csv_handle() helper was itself introduced in version 1.7.1058 as the remediation for a prior CVE (CVE-2026-6229), meaning the security patch introduced a new, exploitable path. No public exploit has been identified at time of analysis, but the low privilege bar (Contributor) and high-value disclosure target (database credentials) elevate real-world risk on WordPress sites that permit open or low-friction contributor registration.

PHP WordPress Information Disclosure Royal Addons For Elementor Addons And Templates Kit For Elementor
NVD
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-54003 PHP CRITICAL PATCH GHSA Act Now

External initialization in Kirby CMS (getkirby/cms <= 4.9.3 and 5.0.0-alpha.1 through 5.4.3) lets a remote unauthenticated attacker complete the Panel installation and create the first admin user on not-yet-installed sites. The flaw is a bypass of Kirby's isLocal safeguard: when a site sits behind a reverse proxy that emits the Forwarded: for=..., X-Client-IP, or X-Real-IP header, Kirby wrongly treats the forwarded external request as local and permits admin creation. No public exploit is identified at time of analysis and it is not in CISA KEV, but the vendor rates it critical (CVSS 4.0 base 9.1) and a full source fix is public.

PHP Information Disclosure
NVD GitHub VulDB
CVSS 4.0
9.1
EPSS
0.5%
CVE-2026-55890 PHP MEDIUM PATCH GHSA This Month

Stored CSS injection in Grav CMS's MediaObjectTrait::style() exposes an incomplete fix: the original patch for CVE-2026-42841 (GHSA-r7fx-8g49-7hhr) explicitly denylisted 'style' in the attribute() code path but left the parallel style() method-reachable via the same Markdown ?style= image query parameter pipeline-entirely unsanitized. Any editor holding admin.pages permission can save a single Markdown image reference with an arbitrary CSS payload that persists in the CMS and renders into <img style='...'> for every subsequent viewer, including administrators and super-admins in their authenticated sessions. A deterministic proof-of-concept ships with the advisory; no active exploitation (CISA KEV) has been confirmed at time of analysis.

PHP XSS
NVD GitHub
CVSS 3.1
4.8
EPSS
0.2%
CVE-2026-55885 PHP MEDIUM PATCH GHSA This Month

Grav CMS (getgrav/grav < 1.7.53) exposes admin bcrypt password hashes, SMTP credentials, and full site configuration to any actor who can obtain a session-static admin-nonce value - via XSS, Referrer header leakage, browser history, or proxy logs - because the backup download endpoint enforces only a single URL-embedded nonce with no form-level CSRF token and no session binding. The default backup profile archives the entire GRAV_ROOT directory including user/accounts/ and user/config/ without exclusions, and the download handler Base64-encodes the absolute filesystem path in the response URL, leaking server internals. A fully functional public PoC is available; no CISA KEV listing exists at time of analysis, but downstream risk includes offline hashcat cracking followed by unauthenticated admin login with no server-side rate limiting.

CSRF Information Disclosure RCE XSS Path Traversal +1
NVD GitHub VulDB
CVSS 3.1
6.8
EPSS
0.2%
CVE-2026-40457 LOW PATCH Monitor

Reflected XSS in LAN Management System (LMS) before commit 9c5651b allows network-positioned attackers to inject arbitrary JavaScript into the browsers of authenticated LMS users by crafting malicious links targeting the `dbrecover.php` and `netremap.php` modules. The `db`, `id`, and `mapto` GET parameters were directly concatenated into HTML anchor elements without sanitization, as confirmed by the upstream commit diff. No public exploit has been identified at time of analysis, exploitation is not confirmed in CISA KEV, and the CVSS 4.0 score of 2.1 reflects genuinely constrained impact due to the required victim interaction and specific attack preconditions.

PHP XSS Lms
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.3%
CVE-2026-40455 HIGH PATCH This Week

Error-based SQL injection in LMS (LAN Management System) before commit 4cb30a7 allows authenticated attackers to extract sensitive database contents via the tarifflist.php module. The flaw stems from unsanitized concatenation of the POST tg[] array into a SQL query through implode(), and a CERT-PL-coordinated fix is upstream. No public exploit identified at time of analysis.

PHP SQLi Lms
NVD GitHub VulDB
CVSS 4.0
8.6
EPSS
0.2%
CVE-2026-54419 CRITICAL Act Now

Unauthenticated SQL injection in claudiopizzillo PIAF-HMS (PBX-In-A-Flash Hotel Management System) lets remote attackers read, modify, or delete arbitrary database records by tampering with HTTP parameters that are concatenated into legacy mysql_query() calls. The project ships with no authentication mechanism and no released versions, so any deployment exposing it to the network is fully compromisable; no public exploit identified at time of analysis, though CISA SSVC rates the technical impact as total and automatable.

PHP SQLi Piaf Hms
NVD GitHub VulDB
CVSS 4.0
9.3
EPSS
0.6%
CVE-2026-55746 PHP HIGH GHSA This Week

Stored cross-site scripting in Cotonti 1.0.0 (master branch, commit f43f1fc3) lets an authenticated user inject HTML/JavaScript into Personal File Storage (PFS) folder titles, which then execute in any viewer's browser when the folder listing is rendered. The flaw stems from the 'TXT' import filter not encoding HTML combined with unescaped template output, and no public exploit identified at time of analysis. Discovered by TuranSec; impact extends to other users browsing public folders, enabling session theft or account actions in their context.

PHP XSS Cotonti
NVD GitHub VulDB
CVSS 4.0
7.0
EPSS
0.2%
CVE-2026-55745 PHP MEDIUM This Month

Cross-site request forgery in Cotonti 1.0.0's Personal File Storage module allows remote attackers to hijack authenticated user sessions to silently modify folder metadata. The folder update action ('a=update') in modules/pfs/inc/pfs.editfolder.php processes state-changing requests without invoking Cotonti's built-in anti-CSRF token validation function cot_check_xg(), enabling an attacker to force a logged-in user to unknowingly expose private folders or alter their descriptions. No public exploit code has been confirmed and the vulnerability is not listed in CISA KEV, but the specific vulnerable code commit is publicly identified by the reporter TuranSec.

CSRF PHP Cotonti
NVD GitHub VulDB
CVSS 4.0
5.3
EPSS
0.1%
CVE-2026-55744 PHP HIGH GHSA This Week

Cross-Site Request Forgery in the Personal File Storage (PFS) module of Cotonti 1.0.0 (commit f43f1fc3) allows remote attackers to upload arbitrary files into an authenticated victim's storage by luring them to a malicious page. The 'a=upload' action in modules/pfs/inc/pfs.main.php omits the cot_check_xg() anti-CSRF token check that sibling actions like 'delete' enforce. No public exploit identified at time of analysis, though the root cause is documented in the public source code reference.

File Upload CSRF PHP Cotonti
NVD GitHub VulDB
CVSS 4.0
8.6
EPSS
0.2%
CVE-2026-55742 PHP CRITICAL GHSA Act Now

Cross-site request forgery in Cotonti 1.0.0 (commit f43f1fc3) lets a remote attacker escalate privileges to administrator by tricking a logged-in admin into loading an attacker-controlled page that submits a forged rights-update request to system/admin/admin.rights.php. Because Cotonti administrators can edit templates and configuration, the resulting account can be pivoted to remote code execution on the host. No public exploit identified at time of analysis and the issue is not listed in CISA KEV.

CSRF PHP RCE Cotonti
NVD GitHub VulDB
CVSS 4.0
9.4
EPSS
0.2%
CVE-2026-55741 HIGH This Week

Cross-site request forgery in Cotonti 1.0.0 (commit f43f1fc3) administration configuration handler allows a remote attacker to coerce an authenticated administrator's browser into silently modifying arbitrary core, module, or plugin configuration options. The flaw in system/admin/admin.config.php stems from the 'a=update' action invoking cot_config_update_options() without the cot_check_xg() anti-CSRF token check used elsewhere in the admin panel. No public exploit identified at time of analysis, though the root cause is well-documented at the source line level by the reporter (TuranSec).

CSRF PHP Cotonti
NVD GitHub VulDB
CVSS 4.0
8.7
EPSS
0.2%
CVE-2026-9815 MEDIUM POC This Month

Unrestricted PHP file upload in the MagicForm WordPress plugin (through version 0.1.3) enables unauthenticated remote code execution on any WordPress server running an affected installation whose form fields have an empty extension allowlist. The vulnerability is reachable via an unauthenticated AJAX endpoint, requires no privileges or user interaction, and a publicly available proof-of-concept exploit exists per WPScan. Despite the plugin's limited adoption, the combination of a public exploit, zero authentication requirement, and full server-side code execution makes this a materially higher-risk issue than the vendor-assigned CVSS score of 6.5 suggests.

PHP WordPress RCE Magicform
NVD WPScan VulDB
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-55740 CRITICAL Act Now

Unauthenticated SQL injection in Nur-Alam39's bus-ticket PHP application (no released versions; latest commit 459cabd) allows remote attackers to extract arbitrary data from the bus_service database via the busid POST parameter in bus_info.php. The flaw is exacerbated because the application connects as MySQL root with an empty password. No public exploit identified at time of analysis, though the description includes a working UNION-based payload demonstrating trivial exploitability.

PHP SQLi Bus Ticket
NVD GitHub VulDB
CVSS 4.0
9.3
EPSS
0.4%
CVE-2026-9860 HIGH This Week

Remote code execution in the Offload, AI & Optimize with Cloudflare Images WordPress plugin (versions ≤1.10.2) allows authenticated Author-level users to inject PHP into wp-config.php via the 'account-id' or 'api-key' parameters of the cf_images_do_setup AJAX handler. The handler enforces only the upload_files capability instead of manage_options, and a single-quote escape flaw lets attackers break out of a PHP string literal during the define() write. No public exploit is identified at time of analysis, but the vulnerability is reported by Wordfence with detailed root-cause analysis.

File Upload PHP WordPress RCE Offload Ai Optimize With Cloudflare Images +1
NVD VulDB
CVSS 3.1
8.8
EPSS
0.6%
CVE-2026-48820 PHP MEDIUM PATCH GHSA This Month

Local file inclusion in CakePHP's View::_getElementFileName() allows remote attackers to include arbitrary PHP files from the server filesystem when applications render view elements using user-controlled data. Affected versions span multiple major release lines across 4.x and 5.x branches, with patched releases now available from the vendor. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis; however, the developer-pattern dependency — user input passed unsanitized into element names — limits but does not eliminate real-world risk.

PHP Information Disclosure LFI Cakephp
NVD GitHub VulDB
CVSS 4.0
6.3
EPSS
0.3%
CVE-2026-48979 PHP HIGH PATCH GHSA This Week

HTTP/2 request smuggling in PHP Standard Library (PSL) versions 6.1.0, 6.1.1, and 6.2.0 lets remote unauthenticated clients desynchronize stream boundaries in Psl\H2\ServerConnection by sending DATA frame totals that disagree with the declared content-length header. Only applications that consume the low-level H2 server connection directly to accept untrusted traffic are exposed; high-level PSL APIs are unaffected. No public exploit identified at time of analysis, and the maintainers state the issue was found during internal review prior to public exploitation.

PHP Request Smuggling Information Disclosure Php Standard Library Php Standard Library H2
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.3%
CVE-2026-11407 PHP HIGH PATCH GHSA This Week

Twig sandbox bypass in Pimcore CMS/DXP 12.3.8 lets authenticated administrators escape the template sandbox by abusing empty checkMethodAllowed() and checkPropertyAllowed() implementations, enabling arbitrary method calls on internal PHP objects such as the DAO layer, Doctrine DBAL Connection, and PDO. Exploitation goes through a malicious Twig template injected via the DataObject ClassDefinition Layout\Text component and can lead to arbitrary file reads, arbitrary SQL execution, and potential remote code execution via PHP object gadget chains; the pimcore_* function wildcard broadens the bypass to every Pimcore Twig function. No public exploit identified at time of analysis, but VulnCheck has published an advisory describing the technique.

Ssti PHP RCE Pimcore Cms Dxp
NVD GitHub
CVSS 4.0
8.6
EPSS
0.6%
CVE-2026-48822 MEDIUM This Month

Stored XSS in Shaarli's Markdown rendering pipeline (versions 0.16.1 and prior) allows an authenticated user to inject malicious javascript: URIs via Markdown reference-style links in bookmark descriptions, bypassing the filterProtocols sanitization method in BookmarkMarkdownFormatter.php. When any user or guest visitor views the crafted bookmark, arbitrary JavaScript executes in their browser context, enabling session theft or unauthorized actions. No public exploit has been identified at time of analysis and this CVE is not listed in CISA KEV; vendor-released patch v0.16.2 is available as of 2026-05-23.

PHP XSS Shaarli
NVD GitHub VulDB
CVSS 3.1
5.8
EPSS
0.1%
CVE-2026-12529 MEDIUM This Month

Improper access control in SourceCodester CET Automated Grading System with AI Predictive Analytics 1.0 exposes the Student Self-Registration Endpoint (/index.php) to unauthenticated remote exploitation. The CWE-284 root cause, combined with the 'Authentication Bypass' tag, indicates that the self-registration flow fails to enforce intended access boundaries, potentially allowing unauthenticated users to access, manipulate, or enumerate data beyond their authorized scope. No public exploit code has been identified at time of analysis, and this vulnerability has not been added to the CISA KEV catalog.

Authentication Bypass PHP Cet Automated Grading System With Ai Predictive Analytics
NVD VulDB
CVSS 4.0
6.9
EPSS
0.3%
CVE-2026-54415 HIGH PATCH This Week

{id} endpoints, the attacker can mint AzLink server tokens and rewrite victims' credentials. No public exploit has been identified at the time of analysis.

Authentication Bypass PHP Azuriom Cms
NVD GitHub
CVSS 3.1
8.1
EPSS
0.3%
CVE-2026-54814 HIGH This Week

Local file inclusion in StylemixThemes Motors WordPress plugin versions up to and including 1.4.109 allows remote attackers to include arbitrary PHP files from the server filesystem. The flaw is classified as CWE-98 (PHP Remote File Inclusion) but is exploitable only as LFI per the vendor description, enabling source code disclosure, sensitive file read, and potential code execution if a writable PHP file can be reached. No public exploit identified at time of analysis and the vulnerability is not present in CISA KEV.

PHP Information Disclosure LFI Motors
NVD
CVSS 3.1
8.1
EPSS
0.3%
CVE-2026-49108 CRITICAL Act Now

Remote code execution via unauthenticated PHP Object Injection affects the Moderno WordPress theme in all versions prior to 1.43, enabling attackers to send crafted serialized payloads that trigger malicious object instantiation. With CVSS 9.8 and a fully remote, no-interaction attack vector, successful exploitation hinges on the presence of usable POP gadget chains in WordPress core or co-installed plugins. No public exploit identified at time of analysis, and the vulnerability is not currently listed in CISA KEV.

PHP Deserialization Moderno
NVD
CVSS 3.1
9.8
EPSS
0.3%
CVE-2026-40757 HIGH This Week

Unauthenticated PHP Object Injection in the Mikado-Themes 'Château' WordPress theme (versions ≤ 1.2.1) allows remote attackers to deserialize attacker-controlled data, potentially leading to arbitrary code execution, file manipulation, or full site compromise when a suitable POP gadget chain is present in the WordPress stack. The flaw was disclosed via Patchstack with CVSS 8.1 (high) due to network-reachable, unauthenticated impact across confidentiality, integrity, and availability, though high attack complexity (AC:H) reflects the dependency on a usable gadget chain. No public exploit identified at time of analysis.

PHP Deserialization Ch Teau
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-40756 HIGH This Week

Unauthenticated PHP Object Injection in the Mikado-Themes Zoya WordPress theme versions 1.4 and earlier allows remote attackers to inject crafted serialized objects that are deserialized by the application. Successful exploitation can lead to arbitrary code execution, data tampering, or denial of service depending on the gadget chains present in WordPress core, plugins, or other themes loaded on the site. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.

PHP Deserialization Zoya
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-40752 HIGH This Week

Unauthenticated PHP object injection in the Manufaktur Solutions WordPress theme (versions 1.1.1 and earlier) allows remote attackers to deserialize attacker-controlled data, potentially leading to arbitrary code execution, data tampering, or denial of service when a suitable PHP gadget chain is present. The CVSS 3.1 score of 8.1 reflects high impact across confidentiality, integrity, and availability, tempered by AC:H due to dependency on exploitable gadget chains in the WordPress runtime. No public exploit identified at time of analysis and the issue is not listed in CISA KEV.

PHP Deserialization Manufaktur Solutions
NVD
CVSS 3.1
8.1
EPSS
0.3%
CVE-2026-40738 HIGH This Week

Unauthenticated PHP Object Injection in the Eldon WordPress theme (versions <= 1.4.1) by Edge-Themes allows remote attackers to inject arbitrary PHP objects through unsafe deserialization, potentially leading to remote code execution, data theft, or site compromise when a suitable POP gadget chain is present in the WordPress environment. No public exploit identified at time of analysis, and Patchstack rates this CVSS 8.1 (High) with high attack complexity reflecting the need for a usable gadget chain.

PHP Deserialization Eldon
NVD
CVSS 3.1
8.1
EPSS
0.3%
CVE-2026-40733 HIGH This Week

Unauthenticated PHP object injection in the Mikado Themes ShiftUp WordPress theme (versions ≤ 1.3) allows remote attackers to pass attacker-controlled serialized data into a PHP unserialize() sink, potentially triggering gadget chains that can lead to remote code execution, data tampering, or site takeover. CVSS is rated 8.1 with high attack complexity but no privileges or user interaction required, and no public exploit identified at time of analysis. The issue was disclosed via Patchstack.

PHP Deserialization Shiftup
NVD
CVSS 3.1
8.1
EPSS
0.3%
CVE-2026-39590 HIGH This Week

Local file inclusion in the Atomlab WordPress theme versions 2.4.5 and earlier allows remote unauthenticated attackers to include arbitrary PHP files on the server, potentially leading to sensitive information disclosure and remote code execution. The flaw is tracked under CWE-98 (improper control of filename for include/require) and carries a CVSS 3.1 base score of 8.1 (high). No public exploit identified at time of analysis, and the vulnerability is not currently listed in CISA KEV.

PHP Information Disclosure LFI Atomlab
NVD
CVSS 3.1
8.1
EPSS
0.3%
CVE-2026-39576 HIGH This Week

Unauthenticated PHP Object Injection in the SingleMalt WordPress theme (versions up to and including 1.5) allows remote attackers to deserialize attacker-controlled data, which can lead to compromise of confidentiality, integrity, and availability of affected WordPress sites. The flaw is exploitable without authentication or user interaction but has high attack complexity per its CVSS vector, and no public exploit identified at time of analysis.

PHP Deserialization Singlemalt
NVD
CVSS 3.1
8.1
EPSS
0.4%
CVE-2026-39560 HIGH This Week

Unauthenticated PHP object injection in the Select Themes 'Hiroshi' WordPress theme through version 1.5.1 allows remote attackers to supply crafted serialized payloads that are deserialized by the theme, potentially leading to code execution, file manipulation, or data compromise when a suitable PHP magic-method gadget chain is present in the WordPress stack. The flaw is reachable without authentication per the CVSS vector, and no public exploit has been identified at time of analysis.

PHP Deserialization Hiroshi
NVD
CVSS 3.1
8.1
EPSS
0.3%
CVE-2026-39559 HIGH This Week

Local File Inclusion in the CodeSupply Co. 'Uppercase' WordPress theme versions prior to 1.2.2 allows remote unauthenticated attackers to include and disclose arbitrary local files from the web server, potentially leading to source code disclosure, credential theft, or remote code execution where log/upload poisoning is feasible. The flaw is tagged as LFI/PHP/Information Disclosure by Patchstack and carries a CVSS 8.1 (High) rating; no public exploit identified at time of analysis.

PHP Information Disclosure LFI Uppercase
NVD
CVSS 3.1
8.1
EPSS
0.3%
CVE-2026-39556 HIGH This Week

Unauthenticated PHP Object Injection affects the Konsept WordPress theme (by elated-themes) in versions 1.9 and earlier, allowing remote attackers to inject crafted serialized PHP objects without authentication. Successful exploitation can lead to a full compromise of the WordPress site - high impact on confidentiality, integrity, and availability - though CVSS rates attack complexity as high, indicating non-trivial conditions are required. No public exploit identified at time of analysis.

PHP Deserialization Konsept
NVD
CVSS 3.1
8.1
EPSS
0.3%
CVE-2026-39523 HIGH This Week

Unauthenticated Local File Inclusion in the Solene Core WordPress plugin (versions <= 2.3.2) by elated-themes allows remote attackers to include and execute arbitrary local PHP files on the server without authentication. The CVSS 8.1 rating reflects full confidentiality, integrity, and availability impact, though high attack complexity suggests non-trivial exploitation prerequisites. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

PHP Information Disclosure LFI Solene Core
NVD
CVSS 3.1
8.1
EPSS
0.3%
CVE-2026-39445 HIGH This Week

Unauthenticated PHP Object Injection in the Alukas WordPress theme (versions prior to 3.0.0) allows remote attackers to inject crafted serialized PHP objects into the application, potentially leading to remote code execution, file manipulation, or full site compromise when a usable POP gadget chain is present. No public exploit identified at time of analysis, and the issue is tracked by Patchstack as a deserialization flaw affecting the presslayouts:alukas product line. Real-world impact depends on the gadget chains available in WordPress core or co-installed plugins.

PHP Deserialization Alukas
NVD
CVSS 3.1
8.1
EPSS
0.4%
CVE-2026-39442 HIGH This Week

Unauthenticated PHP Object Injection in the PressMart WordPress theme versions 1.2.26 and earlier allows remote attackers to deliver malicious serialized payloads that are deserialized by the theme, potentially leading to property-oriented gadget chain abuse and full site compromise. The flaw was disclosed via Patchstack and carries a CVSS 8.1 (AV:N/AC:H/PR:N/UI:N) - no public exploit identified at time of analysis, and the high attack complexity reflects the need for a usable gadget chain to escalate from deserialization to concrete impact.

PHP Deserialization Pressmart
NVD
CVSS 3.1
8.1
EPSS
0.3%
CVE-2025-69175 HIGH This Week

Unauthenticated local file inclusion in the Line Agency WordPress theme versions 1.3.1 and earlier allows remote attackers to include and disclose arbitrary local files on the underlying server, potentially leading to sensitive data exposure and, depending on PHP configuration, remote code execution. The flaw is reported by Patchstack and is mapped to CWE-98 (PHP Remote File Inclusion), with no public exploit identified at time of analysis and no listing in the CISA KEV catalog.

PHP Information Disclosure LFI Line Agency
NVD
CVSS 3.1
8.1
EPSS
0.3%
CVE-2025-69174 HIGH This Week

Unauthenticated local file inclusion in the ThemeREX Etude WordPress theme versions 1.6 and earlier allows remote attackers to coerce the application into including arbitrary PHP files, potentially leading to source disclosure, sensitive data exposure, and possible remote code execution depending on writable locations on the host. The high CVSS score of 8.1 reflects significant confidentiality, integrity, and availability impact, though the high attack complexity (AC:H) suggests non-trivial preconditions; no public exploit identified at time of analysis.

PHP Information Disclosure LFI Etude
NVD
CVSS 3.1
8.1
EPSS
0.3%
CVE-2025-69170 HIGH This Week

Local File Inclusion in the ThemeRex Eventicity WordPress theme versions 1.5 and earlier allows remote unauthenticated attackers to include and execute arbitrary local files on the server. The flaw is reported by Patchstack and tagged as PHP information disclosure; no public exploit identified at time of analysis, though the unauthenticated network vector makes this a meaningful priority for affected WordPress sites. Successful exploitation can expose sensitive files such as wp-config.php and may enable code execution depending on what files can be reached.

PHP Information Disclosure LFI Eventicity
NVD
CVSS 3.1
8.1
EPSS
0.3%
EPSS 0% CVSS 2.1
LOW POC Monitor

SQL injection in Montodel House-Rental-Management exposes database contents and integrity to authenticated remote attackers via the unsanitized ID parameter at /index.php?page=houses. All tracked commits up to 90010017b81265eb1ef3810268909f7719a33863 are affected, with no patched release available as the vendor did not respond to coordinated disclosure. Publicly available exploit code exists (E:P in the CVSS 4.0 vector), lowering the bar for exploitation; however, the required authenticated context and limited per-query impact keep the overall risk score low at CVSS 4.0 2.1.

SQLi PHP House Rental Management
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in Montodel House-Rental-Management's /login.php endpoint allows unauthenticated remote attackers to manipulate the Username parameter and interact with the underlying database without credentials. A public proof-of-concept exploit is available on GitHub, and the vendor was unresponsive to pre-disclosure contact, leaving no patch path. Any internet-exposed deployment of this PHP application should be treated as immediately at risk given the zero-barrier exploitation prerequisites and available exploit code.

SQLi PHP House Rental Management
NVD VulDB GitHub
EPSS 0% CVSS 6.9
MEDIUM This Month

Unauthenticated PGP decryption exposure in AVideo through version 25.0 allows any remote attacker to submit private key material, ciphertext, and passphrases to the publicly accessible decryptMessage.json.php endpoint and receive plaintext in the server response - no credentials, session, or token required. The dual impact is confidentiality loss (private key material processed in server memory may be captured in application or web server logs) and availability degradation via unconstrained CPU consumption from repeated cryptographic operations. A publicly available proof-of-concept exists per the GHSA advisory; no vendor patch has been released as of this analysis.

Authentication Bypass Denial Of Service PHP +1
NVD GitHub VulDB
EPSS 0% CVSS 9.2
CRITICAL Act Now

Authorization bypass in AVideo's Meet plugin (versions through 29.0) lets remote attackers hijack arbitrary user sessions, including admin, by abusing the uploadRecordedVideo.json.php endpoint which derives the target users_id from a caller-controlled filename and then invokes the passwordless User->login() path. Exploitation requires the Meet shared secret, but that secret is a deterministic MD5 of values from configuration.php and is recoverable via known path-traversal flaws or timing attacks against checkToken.json.php. No public exploit identified at time of analysis, though the VulnCheck and GHSA advisories document the attack with code-level precision.

Authentication Bypass PHP File Upload +1
NVD GitHub VulDB
EPSS 0% CVSS 6.1
MEDIUM This Month

Full-read SSRF in AVideo through version 27.0 allows authenticated administrators to make the server fetch arbitrary URLs via the statsURL parameter in plugin/Live/test.php, including cloud metadata endpoints and internal network services. The endpoint bypasses the codebase's own isSSRFSafeURL() guard - used in seven other endpoints - and returns full response bodies in the HTML output, enabling retrieval of IAM credentials from cloud metadata services such as 169.254.169.254, internal service data, and network configuration details. No public exploit code has been formally labeled as proof-of-concept, but the GHSA advisory discloses the complete vulnerable code path with all three sink functions (file_get_contents, curl_exec, wget), making exploitation trivial for any party who has read the advisory.

PHP SSRF Avideo
NVD GitHub VulDB
EPSS 0% CVSS 8.7
HIGH This Week

Unauthenticated information disclosure in AVideo through 26.0 exposes payment transaction records via multiple list.json.php endpoints in the PayPalYPT, AuthorizeNet, and BTCPayments plugins that lack User::isAdmin() authorization checks. Remote attackers can issue direct GET requests to harvest PayPal billing agreement IDs, Express Checkout tokens, Authorize.Net webhook payloads, and Bitcoin transaction records without credentials. No public exploit identified at time of analysis, but the GHSA advisory from WWBN/AVideo and VulnCheck disclosure provide full endpoint paths sufficient for trivial reproduction.

Authentication Bypass PHP Avideo
NVD GitHub VulDB
EPSS 1% CVSS 9.3
CRITICAL POC Act Now

WooCommerce 7.1.0 contains a remote code execution vulnerability that allows attackers to execute arbitrary PHP code by injecting shell commands through the product-type parameter. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Code Injection RCE WordPress +2
NVD Exploit-DB VulDB
EPSS 0% CVSS 9.3
CRITICAL POC PATCH Act Now

WordPress Ultimate Addons for Beaver Builder 1.2.4.1 contains an authentication bypass vulnerability that allows attackers to gain unauthorized access by exploiting the social media login form. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Google Authentication Bypass WordPress +2
NVD Exploit-DB VulDB
EPSS 1% 5.0 CVSS 10.0
CRITICAL POC KEV EUVD KEV THREAT Emergency

Remote unauthenticated arbitrary file upload in JoomShaper SP Page Builder extension for Joomla (versions 1.0.0 through 6.6.1) allows attackers to upload PHP files that execute on the server, leading to full site compromise. CVSS 4.0 base score is 10.0 with the vendor flagging exploitation as Active (E:A), and no public exploit identified at time of analysis. Given the unauthenticated network vector and direct RCE outcome, this is a critical-priority issue for any Joomla site running the extension.

PHP Authentication Bypass Sp Page Builder Extension For Joomla
NVD VulDB GitHub
EPSS 0% 5.0 CVSS 10.0
CRITICAL POC KEV THREAT Emergency

Arbitrary PHP file upload in the iCagenda extension for Joomla enables remote unauthenticated attackers to abuse the event attachment feature to upload and execute server-side code, leading to full web application compromise. The flaw affects iCagenda 1.0.0-3.9.14 and 4.0.0-4.0.7 and carries a CVSS 4.0 score of 10.0 with exploitation marked as Attacked (E:A) in the vector, though no public exploit identified at time of analysis and the issue is not currently listed in CISA KEV.

Authentication Bypass PHP Icagenda Extension For Joomla
NVD VulDB GitHub
EPSS 0% CVSS 6.5
MEDIUM This Month

Unauthorized file operations in the Simple File List WordPress plugin (versions through 6.3.7) allow authenticated contributors to delete, move, create folders, and download arbitrary server files by exploiting a missing authorization check on the 'frontmanage' shortcode attribute. The attack is non-trivial but fully described: an attacker creates a draft post embedding the 'eeSFL' shortcode, loads the WordPress post preview endpoint to harvest a valid nonce, then submits file operation requests to ee-list-ops-bar-process.php that bypass the intended privilege checks. No public exploit code and no active exploitation (CISA KEV) have been identified at time of analysis; a patch changeset (3579098) exists in the plugin repository, though the released fixed version is not independently confirmed.

Authentication Bypass WordPress PHP +1
NVD VulDB
EPSS 1% CVSS 7.5
HIGH This Week

Unauthenticated arbitrary file deletion in the Simple File List WordPress plugin (versions up to and including 6.3.7) allows remote attackers to delete any file the web server can write to, including wp-config.php, which can escalate to remote code execution. The flaw lives in the eeSFL_DeleteFile function and is reachable via the simplefilelist_edit_job AJAX action registered through wp_ajax_nopriv_, with the is_admin() guard rendered ineffective because that function always returns true on admin-ajax.php. No public exploit identified at time of analysis, but the trivial reachability and high-value target (WordPress) make weaponization straightforward.

Path Traversal PHP WordPress +2
NVD VulDB
EPSS 1% CVSS 8.1
HIGH This Week

Arbitrary file deletion in the Database for Contact Form 7, WPforms, Elementor forms WordPress plugin (versions ≤1.5.1) allows remote unauthenticated attackers to poison form entries with traversal payloads that, when later viewed by an administrator, delete arbitrary server files and can be escalated to remote code execution by removing wp-config.php. Reported by Wordfence with publicly available exploit code exists via the Wordfence advisory; no public exploit identified at time of analysis as weaponized in-the-wild attacks, and the issue is not in CISA KEV.

Path Traversal PHP WordPress +2
NVD VulDB
CVSS 7.5
HIGH POC PATCH This Week

Stored cross-site scripting in the StarCitizenWiki EmbedVideo MediaWiki extension (versions <= 4.0.0) allows any user with page-edit rights to inject arbitrary JavaScript into the data-mw-iframeconfig attribute by supplying a malformed URL or ID containing single quotes for the archiveorg, wistia, or sharepoint services. The flaw is present under the default $wgEmbedVideoRequireConsent=true configuration and executes in the wiki origin for every visitor that loads the affected page, with publicly available exploit code exists in the GHSA advisory.

Microsoft XSS PHP
NVD GitHub
CVSS 8.6
HIGH POC PATCH This Week

Stored cross-site scripting in the StarCitizenWiki EmbedVideo MediaWiki extension (versions <= 4.0.0) allows any wiki user to inject arbitrary HTML and JavaScript into rendered pages by abusing the unsanitized class attribute on embed tags such as <youtube>. Because the user-supplied class is concatenated into an HTML template via sprintf without escaping, an attacker can break out of the class attribute and execute script in the context of every visitor that views the page. No public exploit identified at time of analysis beyond the advisory's own PoC, and the issue is not listed in CISA KEV.

PHP XSS
NVD GitHub
CVSS 7.5
HIGH POC PATCH This Week

{{#ev:}} or {{#evl:}} parser functions. The unsanitized service name is reflected into an error message that is rendered as raw HTML, executing in the wiki origin for every visitor to the affected page. No public exploit identified at time of analysis beyond the advisory's own PoC, but working PoC code is published in the GitHub Security Advisory GHSA-c29q-5xm7-5p62.

PHP XSS
NVD GitHub
EPSS 0% CVSS 8.7
HIGH POC This Week

Joomla com_booking component 2.4.9 contains an information disclosure vulnerability that allows unauthenticated attackers to enumerate user accounts by exploiting the getUserData function in the. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure PHP Joomla Com Booking Component
NVD Exploit-DB VulDB
EPSS 0% CVSS 8.7
HIGH POC This Week

Joomla!. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure PHP Joomproject
NVD Exploit-DB
EPSS 0% CVSS 7.1
HIGH POC This Week

Joomla!. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Joomcrm
NVD Exploit-DB
EPSS 0% CVSS 6.9
MEDIUM POC This Month

Joomla!. Rated medium severity (CVSS 6.9), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE PHP LFI +1
NVD Exploit-DB
EPSS 1% CVSS 8.7
HIGH POC This Week

Joomla!. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

RCE PHP File Upload +1
NVD Exploit-DB
EPSS 0% CVSS 8.8
HIGH POC This Week

Joomla!. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Vmap
NVD Exploit-DB
EPSS 0% CVSS 8.2
HIGH POC PATCH This Week

Shell command injection in pontedilana/php-weasyprint prior to 2.5.1 allows code execution as the PHP process when the WeasyPrint binary path is sourced from configuration, environment variables, or per-tenant settings. The library's buildCommand() inverted the order of escapeshellarg() and is_executable(), turning the 'safe' branch into dead code and passing the raw binary string into Symfony Process::fromShellCommandline(). No public exploit identified at time of analysis, but a PoC for the identical KnpLabs/snappy precursor flaw (GHSA-vpr4-p6fq-85jc) is published and directly applicable.

Command Injection PHP
NVD GitHub
EPSS 0% CVSS 8.8
HIGH POC This Week

Joomla!. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi
NVD Exploit-DB
EPSS 0% CVSS 8.8
HIGH POC This Week

Joomla!. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi
NVD Exploit-DB
EPSS 0% CVSS 8.8
HIGH POC This Week

Joomla Component Myportfolio 3.0.2 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the pid parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi
NVD Exploit-DB VulDB
EPSS 0% CVSS 8.8
HIGH POC This Week

Joomla Payage 2.05 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the aid parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi
NVD Exploit-DB
EPSS 0% CVSS 8.8
HIGH POC This Week

Joomla!. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi
NVD Exploit-DB
EPSS 0% CVSS 8.8
HIGH POC This Week

Joomla!. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi
NVD Exploit-DB
EPSS 0% CVSS 8.8
HIGH POC This Week

Joomla LMS King Professional 3.2.4.0 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the cp_id parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi
NVD Exploit-DB VulDB
EPSS 0% CVSS 8.8
HIGH POC This Week

Joomla Event Registration Pro Calendar 4.1.3 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the id. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi
NVD Exploit-DB
EPSS 0% CVSS 8.8
HIGH POC This Week

Joomla Ultimate Property Listing 1.0.2 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi
NVD Exploit-DB
EPSS 0% CVSS 8.8
HIGH POC This Week

Joomla StreetGuessr Game 1.1.8 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the catid parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi
NVD Exploit-DB
EPSS 0% CVSS 8.8
HIGH POC This Week

Joomla!. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi
NVD Exploit-DB
EPSS 0% CVSS 8.8
HIGH POC This Week

Joomla!. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure PHP SQLi +1
NVD Exploit-DB VulDB
EPSS 0% CVSS 6.5
MEDIUM POC PATCH This Month

PhpWeasyPrint (pontedilana/php-weasyprint) prior to version 2.6.0 enables server-side request forgery and local file disclosure through its `attachment` option, which passes any URL-shaped value through PHP's `file_get_contents()` without restricting the URL scheme. Applications that expose the `attachment` option to user-controlled input allow an attacker to probe internal HTTP endpoints (including cloud instance metadata services) and read arbitrary local files by supplying schemes such as `file://` or `php://filter/...`, with exfiltrated content embedded directly into the generated PDF output. This is the same vulnerability class patched in KnpLabs/snappy (GHSA-c5fp-p67m-gq56); no public exploit or CISA KEV listing exists at time of analysis.

PHP SSRF Php Weasyprint
NVD GitHub VulDB
EPSS 1% CVSS 8.1
HIGH PATCH This Week

PHAR deserialization in PhpWeasyPrint versions prior to 2.6.0 allows remote code execution by bypassing the case-sensitive phar:// blacklist introduced for CVE-2023-28115 - because PHP stream wrappers are case-insensitive, schemes like PHAR:// or PhAr:// pass the check and reach file_exists() in prepareOutput(). When the library runs on PHP 7.4+ and an attacker can influence the output filename argument passed to generation methods, a crafted PHAR archive's metadata is unserialized via a gadget chain, yielding code execution. No CISA KEV listing and no public exploit identified at time of analysis for this specific CVE, although the equivalent upstream KnpLabs/snappy advisory (GHSA-92rv-4j2h-8mjj) ships a working phpggc-based PoC that is directly portable.

PHP Deserialization RCE +1
NVD GitHub
EPSS 0% CVSS 7.1
HIGH POC This Week

Joomla!. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi PHP Flip Wall
NVD Exploit-DB
EPSS 0% CVSS 7.1
HIGH POC This Week

Joomla!. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi PHP Sponsor Wall
NVD Exploit-DB
EPSS 0% CVSS 8.8
HIGH POC This Week

Joomla!. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi PHP Focalpoint Pro Free
NVD Exploit-DB
EPSS 0% CVSS 8.8
HIGH POC This Week

Joomla!. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi PHP Ajax Quiz
NVD Exploit-DB VulDB
EPSS 0% CVSS 8.8
HIGH POC This Week

Joomla OSDownloads 1.7.4 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the id parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi PHP Osdownloads
NVD Exploit-DB
EPSS 0% CVSS 8.8
HIGH POC This Week

Joomla!. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi PHP Rpc
NVD Exploit-DB
EPSS 0% CVSS 8.8
HIGH POC This Week

Joomla!. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi PHP Jb Visa
NVD Exploit-DB
EPSS 0% CVSS 8.8
HIGH POC This Week

Joomla!. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi PHP User Bench
NVD Exploit-DB
EPSS 0% CVSS 8.8
HIGH POC This Week

Joomla NextGen Editor 2.1.0 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL commands through the plname parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi PHP Nextgen Editor
NVD Exploit-DB
EPSS 0% CVSS 3.0
LOW POC PATCH Monitor

Arbitrary file deletion in PhpWeasyPrint prior to version 2.6.0 allows any code holding a reference to a generator instance to inject arbitrary filesystem paths into the public `AbstractGenerator::$temporaryFiles` array, which are then passed to `unlink()` without path-containment validation during script shutdown or object destruction. The vulnerability mirrors a previously disclosed pattern in the related KnpLabs/snappy library (GHSA-87qc-37cw-84h4), and is exploitable by malicious dependencies, plugin code, or any PHP code co-located in the same process with access to the generator object. No public exploit has been identified at time of analysis, and exploitation is substantially constrained by the requirement for high privileges and local code access.

PHP RCE Php Weasyprint
NVD GitHub VulDB
EPSS 0% CVSS 5.9
MEDIUM PATCH This Month

Silent TLS downgrade in Guzzle's built-in cURL handlers exposes proxy credentials and tunneled connection metadata to network interception when the application is configured to use an https:// proxy but runs against libcurl older than 7.50.2. Affected deployments see proxy authentication headers (Proxy-Authorization, CURLOPT_PROXYUSERPWD), CONNECT target host/port for tunneled HTTPS, and full request headers and bodies for plain HTTP requests transmitted without encryption - with no runtime error or warning from Guzzle or libcurl. No public exploit identified at time of analysis and no CISA KEV listing; however, the CVSS confidentiality impact is rated High (C:H) due to full credential exposure on the proxy leg.

PHP Information Disclosure
NVD GitHub
EPSS 1% CVSS 9.3
CRITICAL PATCH Act Now

Unauthenticated administrator account takeover in FileRise before 3.16.0 is possible via a path traversal flaw in the shared-folder upload endpoint (/api/folder/uploadToSharedFolder.php), where URL-encoded path separators bypass filename validation and allow arbitrary file write outside the upload directory. Any actor holding a valid, non-expired, upload-enabled shared-folder token - tokens explicitly designed to be shared publicly - can overwrite users/users.txt to plant an admin account and, depending on configuration, achieve remote code execution. No public exploit identified at time of analysis, but the upstream fix in v3.16.0 documents the exact bypass, lowering the bar for weaponization.

Path Traversal PHP RCE +1
NVD GitHub VulDB
EPSS 1% CVSS 9.8
CRITICAL Act Now

Unauthenticated remote code execution in BetterDocs Pro for WordPress (versions through 3.8.0) is achievable by abusing the `doc_style` parameter to include arbitrary local PHP files. Wordfence has assigned a critical 9.8 CVSS score, and while no public exploit identified at time of analysis, the unauthenticated network-reachable nature of the flaw on a widely deployed WordPress documentation plugin makes opportunistic mass-exploitation likely once details propagate.

Information Disclosure WordPress RCE +3
NVD VulDB
EPSS 1% CVSS 9.1
CRITICAL Act Now

Arbitrary file deletion in the Avada (Fusion) Builder WordPress plugin through version 3.15.3 allows remote unauthenticated attackers to delete any file on the server via path traversal in the maybe_delete_files function, which commonly escalates to remote code execution when wp-config.php is removed and WordPress enters setup mode. Wordfence reports the flaw is reachable through the wp_ajax_nopriv_fusion_form_submit_ajax handler on sites that have a published Avada form saving entries to the database. No public exploit identified at time of analysis, but the CVSS 9.1 score reflects trivial network exploitation with no authentication or user interaction.

Path Traversal PHP WordPress +2
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Arbitrary file read in Royal Addons for Elementor versions 1.7.1058-1.7.1059 allows authenticated attackers with Contributor-level access to retrieve the contents of any file readable by the PHP process - including wp-config.php and its database credentials - via a crafted wpr-data-table widget saved through Elementor's save_builder endpoint. The flaw is a regression: the vulnerable wpr_get_csv_handle() helper was itself introduced in version 1.7.1058 as the remediation for a prior CVE (CVE-2026-6229), meaning the security patch introduced a new, exploitable path. No public exploit has been identified at time of analysis, but the low privilege bar (Contributor) and high-value disclosure target (database credentials) elevate real-world risk on WordPress sites that permit open or low-friction contributor registration.

PHP WordPress Information Disclosure +1
NVD
EPSS 1% CVSS 9.1
CRITICAL PATCH Act Now

External initialization in Kirby CMS (getkirby/cms <= 4.9.3 and 5.0.0-alpha.1 through 5.4.3) lets a remote unauthenticated attacker complete the Panel installation and create the first admin user on not-yet-installed sites. The flaw is a bypass of Kirby's isLocal safeguard: when a site sits behind a reverse proxy that emits the Forwarded: for=..., X-Client-IP, or X-Real-IP header, Kirby wrongly treats the forwarded external request as local and permits admin creation. No public exploit is identified at time of analysis and it is not in CISA KEV, but the vendor rates it critical (CVSS 4.0 base 9.1) and a full source fix is public.

PHP Information Disclosure
NVD GitHub VulDB
EPSS 0% CVSS 4.8
MEDIUM PATCH This Month

Stored CSS injection in Grav CMS's MediaObjectTrait::style() exposes an incomplete fix: the original patch for CVE-2026-42841 (GHSA-r7fx-8g49-7hhr) explicitly denylisted 'style' in the attribute() code path but left the parallel style() method-reachable via the same Markdown ?style= image query parameter pipeline-entirely unsanitized. Any editor holding admin.pages permission can save a single Markdown image reference with an arbitrary CSS payload that persists in the CMS and renders into <img style='...'> for every subsequent viewer, including administrators and super-admins in their authenticated sessions. A deterministic proof-of-concept ships with the advisory; no active exploitation (CISA KEV) has been confirmed at time of analysis.

PHP XSS
NVD GitHub
EPSS 0% CVSS 6.8
MEDIUM PATCH This Month

Grav CMS (getgrav/grav < 1.7.53) exposes admin bcrypt password hashes, SMTP credentials, and full site configuration to any actor who can obtain a session-static admin-nonce value - via XSS, Referrer header leakage, browser history, or proxy logs - because the backup download endpoint enforces only a single URL-embedded nonce with no form-level CSRF token and no session binding. The default backup profile archives the entire GRAV_ROOT directory including user/accounts/ and user/config/ without exclusions, and the download handler Base64-encodes the absolute filesystem path in the response URL, leaking server internals. A fully functional public PoC is available; no CISA KEV listing exists at time of analysis, but downstream risk includes offline hashcat cracking followed by unauthenticated admin login with no server-side rate limiting.

CSRF Information Disclosure RCE +3
NVD GitHub VulDB
EPSS 0% CVSS 2.1
LOW PATCH Monitor

Reflected XSS in LAN Management System (LMS) before commit 9c5651b allows network-positioned attackers to inject arbitrary JavaScript into the browsers of authenticated LMS users by crafting malicious links targeting the `dbrecover.php` and `netremap.php` modules. The `db`, `id`, and `mapto` GET parameters were directly concatenated into HTML anchor elements without sanitization, as confirmed by the upstream commit diff. No public exploit has been identified at time of analysis, exploitation is not confirmed in CISA KEV, and the CVSS 4.0 score of 2.1 reflects genuinely constrained impact due to the required victim interaction and specific attack preconditions.

PHP XSS Lms
NVD GitHub VulDB
EPSS 0% CVSS 8.6
HIGH PATCH This Week

Error-based SQL injection in LMS (LAN Management System) before commit 4cb30a7 allows authenticated attackers to extract sensitive database contents via the tarifflist.php module. The flaw stems from unsanitized concatenation of the POST tg[] array into a SQL query through implode(), and a CERT-PL-coordinated fix is upstream. No public exploit identified at time of analysis.

PHP SQLi Lms
NVD GitHub VulDB
EPSS 1% CVSS 9.3
CRITICAL Act Now

Unauthenticated SQL injection in claudiopizzillo PIAF-HMS (PBX-In-A-Flash Hotel Management System) lets remote attackers read, modify, or delete arbitrary database records by tampering with HTTP parameters that are concatenated into legacy mysql_query() calls. The project ships with no authentication mechanism and no released versions, so any deployment exposing it to the network is fully compromisable; no public exploit identified at time of analysis, though CISA SSVC rates the technical impact as total and automatable.

PHP SQLi Piaf Hms
NVD GitHub VulDB
EPSS 0% CVSS 7.0
HIGH This Week

Stored cross-site scripting in Cotonti 1.0.0 (master branch, commit f43f1fc3) lets an authenticated user inject HTML/JavaScript into Personal File Storage (PFS) folder titles, which then execute in any viewer's browser when the folder listing is rendered. The flaw stems from the 'TXT' import filter not encoding HTML combined with unescaped template output, and no public exploit identified at time of analysis. Discovered by TuranSec; impact extends to other users browsing public folders, enabling session theft or account actions in their context.

PHP XSS Cotonti
NVD GitHub VulDB
EPSS 0% CVSS 5.3
MEDIUM This Month

Cross-site request forgery in Cotonti 1.0.0's Personal File Storage module allows remote attackers to hijack authenticated user sessions to silently modify folder metadata. The folder update action ('a=update') in modules/pfs/inc/pfs.editfolder.php processes state-changing requests without invoking Cotonti's built-in anti-CSRF token validation function cot_check_xg(), enabling an attacker to force a logged-in user to unknowingly expose private folders or alter their descriptions. No public exploit code has been confirmed and the vulnerability is not listed in CISA KEV, but the specific vulnerable code commit is publicly identified by the reporter TuranSec.

CSRF PHP Cotonti
NVD GitHub VulDB
EPSS 0% CVSS 8.6
HIGH This Week

Cross-Site Request Forgery in the Personal File Storage (PFS) module of Cotonti 1.0.0 (commit f43f1fc3) allows remote attackers to upload arbitrary files into an authenticated victim's storage by luring them to a malicious page. The 'a=upload' action in modules/pfs/inc/pfs.main.php omits the cot_check_xg() anti-CSRF token check that sibling actions like 'delete' enforce. No public exploit identified at time of analysis, though the root cause is documented in the public source code reference.

File Upload CSRF PHP +1
NVD GitHub VulDB
EPSS 0% CVSS 9.4
CRITICAL Act Now

Cross-site request forgery in Cotonti 1.0.0 (commit f43f1fc3) lets a remote attacker escalate privileges to administrator by tricking a logged-in admin into loading an attacker-controlled page that submits a forged rights-update request to system/admin/admin.rights.php. Because Cotonti administrators can edit templates and configuration, the resulting account can be pivoted to remote code execution on the host. No public exploit identified at time of analysis and the issue is not listed in CISA KEV.

CSRF PHP RCE +1
NVD GitHub VulDB
EPSS 0% CVSS 8.7
HIGH This Week

Cross-site request forgery in Cotonti 1.0.0 (commit f43f1fc3) administration configuration handler allows a remote attacker to coerce an authenticated administrator's browser into silently modifying arbitrary core, module, or plugin configuration options. The flaw in system/admin/admin.config.php stems from the 'a=update' action invoking cot_config_update_options() without the cot_check_xg() anti-CSRF token check used elsewhere in the admin panel. No public exploit identified at time of analysis, though the root cause is well-documented at the source line level by the reporter (TuranSec).

CSRF PHP Cotonti
NVD GitHub VulDB
EPSS 0% CVSS 6.5
MEDIUM POC This Month

Unrestricted PHP file upload in the MagicForm WordPress plugin (through version 0.1.3) enables unauthenticated remote code execution on any WordPress server running an affected installation whose form fields have an empty extension allowlist. The vulnerability is reachable via an unauthenticated AJAX endpoint, requires no privileges or user interaction, and a publicly available proof-of-concept exploit exists per WPScan. Despite the plugin's limited adoption, the combination of a public exploit, zero authentication requirement, and full server-side code execution makes this a materially higher-risk issue than the vendor-assigned CVSS score of 6.5 suggests.

PHP WordPress RCE +1
NVD WPScan VulDB
EPSS 0% CVSS 9.3
CRITICAL Act Now

Unauthenticated SQL injection in Nur-Alam39's bus-ticket PHP application (no released versions; latest commit 459cabd) allows remote attackers to extract arbitrary data from the bus_service database via the busid POST parameter in bus_info.php. The flaw is exacerbated because the application connects as MySQL root with an empty password. No public exploit identified at time of analysis, though the description includes a working UNION-based payload demonstrating trivial exploitability.

PHP SQLi Bus Ticket
NVD GitHub VulDB
EPSS 1% CVSS 8.8
HIGH This Week

Remote code execution in the Offload, AI & Optimize with Cloudflare Images WordPress plugin (versions ≤1.10.2) allows authenticated Author-level users to inject PHP into wp-config.php via the 'account-id' or 'api-key' parameters of the cf_images_do_setup AJAX handler. The handler enforces only the upload_files capability instead of manage_options, and a single-quote escape flaw lets attackers break out of a PHP string literal during the define() write. No public exploit is identified at time of analysis, but the vulnerability is reported by Wordfence with detailed root-cause analysis.

File Upload PHP WordPress +3
NVD VulDB
EPSS 0% CVSS 6.3
MEDIUM PATCH This Month

Local file inclusion in CakePHP's View::_getElementFileName() allows remote attackers to include arbitrary PHP files from the server filesystem when applications render view elements using user-controlled data. Affected versions span multiple major release lines across 4.x and 5.x branches, with patched releases now available from the vendor. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis; however, the developer-pattern dependency — user input passed unsanitized into element names — limits but does not eliminate real-world risk.

PHP Information Disclosure LFI +1
NVD GitHub VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

HTTP/2 request smuggling in PHP Standard Library (PSL) versions 6.1.0, 6.1.1, and 6.2.0 lets remote unauthenticated clients desynchronize stream boundaries in Psl\H2\ServerConnection by sending DATA frame totals that disagree with the declared content-length header. Only applications that consume the low-level H2 server connection directly to accept untrusted traffic are exposed; high-level PSL APIs are unaffected. No public exploit identified at time of analysis, and the maintainers state the issue was found during internal review prior to public exploitation.

PHP Request Smuggling Information Disclosure +2
NVD GitHub VulDB
EPSS 1% CVSS 8.6
HIGH PATCH This Week

Twig sandbox bypass in Pimcore CMS/DXP 12.3.8 lets authenticated administrators escape the template sandbox by abusing empty checkMethodAllowed() and checkPropertyAllowed() implementations, enabling arbitrary method calls on internal PHP objects such as the DAO layer, Doctrine DBAL Connection, and PDO. Exploitation goes through a malicious Twig template injected via the DataObject ClassDefinition Layout\Text component and can lead to arbitrary file reads, arbitrary SQL execution, and potential remote code execution via PHP object gadget chains; the pimcore_* function wildcard broadens the bypass to every Pimcore Twig function. No public exploit identified at time of analysis, but VulnCheck has published an advisory describing the technique.

Ssti PHP RCE +1
NVD GitHub
EPSS 0% CVSS 5.8
MEDIUM This Month

Stored XSS in Shaarli's Markdown rendering pipeline (versions 0.16.1 and prior) allows an authenticated user to inject malicious javascript: URIs via Markdown reference-style links in bookmark descriptions, bypassing the filterProtocols sanitization method in BookmarkMarkdownFormatter.php. When any user or guest visitor views the crafted bookmark, arbitrary JavaScript executes in their browser context, enabling session theft or unauthorized actions. No public exploit has been identified at time of analysis and this CVE is not listed in CISA KEV; vendor-released patch v0.16.2 is available as of 2026-05-23.

PHP XSS Shaarli
NVD GitHub VulDB
EPSS 0% CVSS 6.9
MEDIUM This Month

Improper access control in SourceCodester CET Automated Grading System with AI Predictive Analytics 1.0 exposes the Student Self-Registration Endpoint (/index.php) to unauthenticated remote exploitation. The CWE-284 root cause, combined with the 'Authentication Bypass' tag, indicates that the self-registration flow fails to enforce intended access boundaries, potentially allowing unauthenticated users to access, manipulate, or enumerate data beyond their authorized scope. No public exploit code has been identified at time of analysis, and this vulnerability has not been added to the CISA KEV catalog.

Authentication Bypass PHP Cet Automated Grading System With Ai Predictive Analytics
NVD VulDB
EPSS 0% CVSS 8.1
HIGH PATCH This Week

{id} endpoints, the attacker can mint AzLink server tokens and rewrite victims' credentials. No public exploit has been identified at the time of analysis.

Authentication Bypass PHP Azuriom Cms
NVD GitHub
EPSS 0% CVSS 8.1
HIGH This Week

Local file inclusion in StylemixThemes Motors WordPress plugin versions up to and including 1.4.109 allows remote attackers to include arbitrary PHP files from the server filesystem. The flaw is classified as CWE-98 (PHP Remote File Inclusion) but is exploitable only as LFI per the vendor description, enabling source code disclosure, sensitive file read, and potential code execution if a writable PHP file can be reached. No public exploit identified at time of analysis and the vulnerability is not present in CISA KEV.

PHP Information Disclosure LFI +1
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

Remote code execution via unauthenticated PHP Object Injection affects the Moderno WordPress theme in all versions prior to 1.43, enabling attackers to send crafted serialized payloads that trigger malicious object instantiation. With CVSS 9.8 and a fully remote, no-interaction attack vector, successful exploitation hinges on the presence of usable POP gadget chains in WordPress core or co-installed plugins. No public exploit identified at time of analysis, and the vulnerability is not currently listed in CISA KEV.

PHP Deserialization Moderno
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Unauthenticated PHP Object Injection in the Mikado-Themes 'Château' WordPress theme (versions ≤ 1.2.1) allows remote attackers to deserialize attacker-controlled data, potentially leading to arbitrary code execution, file manipulation, or full site compromise when a suitable POP gadget chain is present in the WordPress stack. The flaw was disclosed via Patchstack with CVSS 8.1 (high) due to network-reachable, unauthenticated impact across confidentiality, integrity, and availability, though high attack complexity (AC:H) reflects the dependency on a usable gadget chain. No public exploit identified at time of analysis.

PHP Deserialization Ch Teau
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Unauthenticated PHP Object Injection in the Mikado-Themes Zoya WordPress theme versions 1.4 and earlier allows remote attackers to inject crafted serialized objects that are deserialized by the application. Successful exploitation can lead to arbitrary code execution, data tampering, or denial of service depending on the gadget chains present in WordPress core, plugins, or other themes loaded on the site. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.

PHP Deserialization Zoya
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Unauthenticated PHP object injection in the Manufaktur Solutions WordPress theme (versions 1.1.1 and earlier) allows remote attackers to deserialize attacker-controlled data, potentially leading to arbitrary code execution, data tampering, or denial of service when a suitable PHP gadget chain is present. The CVSS 3.1 score of 8.1 reflects high impact across confidentiality, integrity, and availability, tempered by AC:H due to dependency on exploitable gadget chains in the WordPress runtime. No public exploit identified at time of analysis and the issue is not listed in CISA KEV.

PHP Deserialization Manufaktur Solutions
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Unauthenticated PHP Object Injection in the Eldon WordPress theme (versions <= 1.4.1) by Edge-Themes allows remote attackers to inject arbitrary PHP objects through unsafe deserialization, potentially leading to remote code execution, data theft, or site compromise when a suitable POP gadget chain is present in the WordPress environment. No public exploit identified at time of analysis, and Patchstack rates this CVSS 8.1 (High) with high attack complexity reflecting the need for a usable gadget chain.

PHP Deserialization Eldon
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Unauthenticated PHP object injection in the Mikado Themes ShiftUp WordPress theme (versions ≤ 1.3) allows remote attackers to pass attacker-controlled serialized data into a PHP unserialize() sink, potentially triggering gadget chains that can lead to remote code execution, data tampering, or site takeover. CVSS is rated 8.1 with high attack complexity but no privileges or user interaction required, and no public exploit identified at time of analysis. The issue was disclosed via Patchstack.

PHP Deserialization Shiftup
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Local file inclusion in the Atomlab WordPress theme versions 2.4.5 and earlier allows remote unauthenticated attackers to include arbitrary PHP files on the server, potentially leading to sensitive information disclosure and remote code execution. The flaw is tracked under CWE-98 (improper control of filename for include/require) and carries a CVSS 3.1 base score of 8.1 (high). No public exploit identified at time of analysis, and the vulnerability is not currently listed in CISA KEV.

PHP Information Disclosure LFI +1
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Unauthenticated PHP Object Injection in the SingleMalt WordPress theme (versions up to and including 1.5) allows remote attackers to deserialize attacker-controlled data, which can lead to compromise of confidentiality, integrity, and availability of affected WordPress sites. The flaw is exploitable without authentication or user interaction but has high attack complexity per its CVSS vector, and no public exploit identified at time of analysis.

PHP Deserialization Singlemalt
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Unauthenticated PHP object injection in the Select Themes 'Hiroshi' WordPress theme through version 1.5.1 allows remote attackers to supply crafted serialized payloads that are deserialized by the theme, potentially leading to code execution, file manipulation, or data compromise when a suitable PHP magic-method gadget chain is present in the WordPress stack. The flaw is reachable without authentication per the CVSS vector, and no public exploit has been identified at time of analysis.

PHP Deserialization Hiroshi
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Local File Inclusion in the CodeSupply Co. 'Uppercase' WordPress theme versions prior to 1.2.2 allows remote unauthenticated attackers to include and disclose arbitrary local files from the web server, potentially leading to source code disclosure, credential theft, or remote code execution where log/upload poisoning is feasible. The flaw is tagged as LFI/PHP/Information Disclosure by Patchstack and carries a CVSS 8.1 (High) rating; no public exploit identified at time of analysis.

PHP Information Disclosure LFI +1
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Unauthenticated PHP Object Injection affects the Konsept WordPress theme (by elated-themes) in versions 1.9 and earlier, allowing remote attackers to inject crafted serialized PHP objects without authentication. Successful exploitation can lead to a full compromise of the WordPress site - high impact on confidentiality, integrity, and availability - though CVSS rates attack complexity as high, indicating non-trivial conditions are required. No public exploit identified at time of analysis.

PHP Deserialization Konsept
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Unauthenticated Local File Inclusion in the Solene Core WordPress plugin (versions <= 2.3.2) by elated-themes allows remote attackers to include and execute arbitrary local PHP files on the server without authentication. The CVSS 8.1 rating reflects full confidentiality, integrity, and availability impact, though high attack complexity suggests non-trivial exploitation prerequisites. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

PHP Information Disclosure LFI +1
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Unauthenticated PHP Object Injection in the Alukas WordPress theme (versions prior to 3.0.0) allows remote attackers to inject crafted serialized PHP objects into the application, potentially leading to remote code execution, file manipulation, or full site compromise when a usable POP gadget chain is present. No public exploit identified at time of analysis, and the issue is tracked by Patchstack as a deserialization flaw affecting the presslayouts:alukas product line. Real-world impact depends on the gadget chains available in WordPress core or co-installed plugins.

PHP Deserialization Alukas
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Unauthenticated PHP Object Injection in the PressMart WordPress theme versions 1.2.26 and earlier allows remote attackers to deliver malicious serialized payloads that are deserialized by the theme, potentially leading to property-oriented gadget chain abuse and full site compromise. The flaw was disclosed via Patchstack and carries a CVSS 8.1 (AV:N/AC:H/PR:N/UI:N) - no public exploit identified at time of analysis, and the high attack complexity reflects the need for a usable gadget chain to escalate from deserialization to concrete impact.

PHP Deserialization Pressmart
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Unauthenticated local file inclusion in the Line Agency WordPress theme versions 1.3.1 and earlier allows remote attackers to include and disclose arbitrary local files on the underlying server, potentially leading to sensitive data exposure and, depending on PHP configuration, remote code execution. The flaw is reported by Patchstack and is mapped to CWE-98 (PHP Remote File Inclusion), with no public exploit identified at time of analysis and no listing in the CISA KEV catalog.

PHP Information Disclosure LFI +1
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Unauthenticated local file inclusion in the ThemeREX Etude WordPress theme versions 1.6 and earlier allows remote attackers to coerce the application into including arbitrary PHP files, potentially leading to source disclosure, sensitive data exposure, and possible remote code execution depending on writable locations on the host. The high CVSS score of 8.1 reflects significant confidentiality, integrity, and availability impact, though the high attack complexity (AC:H) suggests non-trivial preconditions; no public exploit identified at time of analysis.

PHP Information Disclosure LFI +1
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Local File Inclusion in the ThemeRex Eventicity WordPress theme versions 1.5 and earlier allows remote unauthenticated attackers to include and execute arbitrary local files on the server. The flaw is reported by Patchstack and tagged as PHP information disclosure; no public exploit identified at time of analysis, though the unauthenticated network vector makes this a meaningful priority for affected WordPress sites. Successful exploitation can expose sensitive files such as wp-config.php and may enable code execution depending on what files can be reached.

PHP Information Disclosure LFI +1
NVD
Prev Page 6 of 275 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy