CVE-2026-31019

In the Website module of Dolibarr ERP & CRM 22.0.4 and below, the application uses blacklist-based filtering to restrict dangerous PHP functions related to system command execution. An authenticated user with permission to edit PHP content can bypass this filtering, resulting in full remote code...

PHP Point of Sale 跨站脚本漏洞

PHP Point of Sale is an online sales point system for small retail businesses managed by PHP Point of Sale Inc. Version PHP Point of Sale v19.4 contains a cross-site scripting vulnerability. This vulnerability stems from insufficient input validation of the startdateformatted and enddateformatted...

CVE-2026-31019

In the Website module of Dolibarr ERP & CRM 22.0.4 and below, the application uses blacklist-based filtering to restrict dangerous PHP functions related to system command execution. An authenticated user with permission to edit PHP content can bypass this filtering, resulting in full remote code...

PT-2026-33983

Name of the Vulnerable Software and Affected Versions Custom css-js-php versions prior to 2.0.8 Description The plugin fails to properly sanitize user input before incorporating it into a SQL query. The resulting output is then passed to the eval function, which enables unauthenticated users to...

WWBN AVideo 信息泄露漏洞

WWBN AVideo is a video platform building system developed by the WWBN team using PHP. Versions of WWBN AVideo prior to version 29 contain an information leakage vulnerability. This vulnerability stems from the git.json.php file located in the root directory, which executes and returns the complet...

CVE-2026-37748

Visitor Management System 1.0 by sanjay1313 is vulnerable to Unrestricted File Upload in vms/php/adminuserinsert.php and vms/php/update1.php. The moveuploadedfile function is called without any MIME type, extension, or content validation, allowing an authenticated admin to upload a PHP webshell a...

PT-2026-33990

Name of the Vulnerable Software and Affected Versions PHP Point of Sale version 19.4 Description An issue exists where a lack of proper validation of user input allows an attacker to render HTML in the victim's browser. This occurs when sending a request to the endpoint '/reports/generate/specifi...

CVE-2026-31019

Summary: CVE-2026-31019 affects the Website module of Dolibarr ERP & CRM, version 22.0.4 and below. An authenticated user who can edit PHP content can bypass blacklist-based filtering of dangerous PHP functions and achieve full remote code execution, enabling arbitrary OS commands on the server. ...

PT-2026-33991

SQL injection vulnerability in Zeon Academy Pro by Zeon Global Tech. This vulnerability allows an attacker to retrieve, create, update, and delete databases by sending a POST request using the parameter 'phonenumber' in '/private/continue-upload.php'...

CVE-2026-37748

CVE-2026-37748 affects Visitor Management System 1.0 by sanjay1313. The vulnerability is an Unrestricted File Upload in vms/php/admin_user_insert.php and vms/php/update_1.php, where move_uploaded_file() runs without MIME type, extension, or content validation. This allows an authenticated admin t...

Linux Distros Unpatched Vulnerability : CVE-2026-23500

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Dolibarr is an enterprise resource planning ERP and customer relationship management CRM software package. In versions prior to 23.0.0 , the ODT to PDF conversi...

CVE-2026-31018

In Dolibarr ERP & CRM <= 22.0.4, the Website module’s PHP code detection and editing permission enforcement is not consistently applied to all input parameters. This allows an authenticated user restricted to HTML/JavaScript editing to inject PHP code through unprotected inputs during website ...

CVE-2026-31018

In Dolibarr ERP & CRM = 22.0.4, PHP code detection and editing permission enforcement in the Website module is not applied consistently to all input parameters, allowing an authenticated user restricted to HTML/JavaScript editing to inject PHP code through unprotected inputs during website page...

WWBN AVideo 跨站脚本漏洞

WWBN AVideo is a video platform building system written in PHP, developed by the WWBN team. Versions of WWBN AVideo prior to 29.0 contained a cross-site scripting vulnerability. This vulnerability stemmed from the absence of a closing anchor point in the isValidDuration regular expression found i...

Zeon Academy Pro SQL注入漏洞

Zeon Academy Pro is an online learning and training management platform developed by the Indian company Zeon. Zeon Academy Pro has a SQL injection vulnerability. This vulnerability stems from the parameter “phonenumber” in the file /private/continue-upload.php, which allows attackers to retrieve,...

-Exploit-for-OSVDB-75095-LotusCMS-3.0-

LotusCMS 3.0 eval RCE — Defensive Research Overview This...

EUVD-2026-23942

Vvveb CMS v1.0.8 contains a remote code execution vulnerability in its media management functionality where a missing return statement in the file rename handler allows authenticated attackers to rename files to blocked extensions .php or .htaccess. Attackers can exploit this logic flaw by first...

CVE-2026-6257

Vvveb CMS v1.0.8.2 contains a remote code execution vulnerability in its media management functionality where a missing return statement in the file rename handler allows authenticated attackers to rename files to blocked extensions .php or .htaccess. Attackers can exploit this logic flaw by firs...

CVE-2026-6249 Vvveb CMS 1.0.8.2 Remote Code Execution via Media Upload

Vvveb CMS 1.0.8.2 contains a remote code execution vulnerability in its media upload handler that allows authenticated attackers to execute arbitrary operating system commands by uploading a PHP webshell with a .phtml extension. Attackers can bypass the extension deny-list and upload malicious...

CVE-2026-6249

Vvveb CMS 1.0.8.2 contains a remote code execution vulnerability in its media upload handler that allows authenticated attackers to execute arbitrary operating system commands by uploading a PHP webshell with a .phtml extension. Attackers can bypass the extension deny-list and upload malicious...