CVE-2026-34598 YesWiki has Persistant Blind XSS at "/?BazaR&vue=consulter"

YesWiki is a wiki system written in PHP. Prior to version 4.6.0, a stored and blind XSS vulnerability exists in the form title field. A malicious attacker can inject JavaScript without any authentication via a form title that is saved in the backend database. When any user visits that injected...

Cookie-controlled PHP webshells: A stealthy tradecraft in Linux hosting environments

In this article 1. Cookie-controlled execution behavior 2. Observed variants of cookie-controlled PHP web shells 3. Mitigation and protection guidance 4. Microsoft Defender XDR detections 5. Microsoft Security Copilot prompts 6. Microsoft Defender XDR threat analytics 7. MITRE ATT&CK™ Techniques...

Cookie-controlled PHP webshells: A stealthy tradecraft in Linux hosting environments

In this article 1. Cookie-controlled execution behavior 2. Observed variants of cookie-controlled PHP web shells 3. Mitigation and protection guidance 4. Microsoft Defender XDR detections 5. Microsoft Security Copilot prompts 6. Microsoft Defender XDR threat analytics 7. MITRE ATT&CK™ Techniques...

CVE-2026-5332

A vulnerability was identified in Xiaopi Panel 1.0.0. This vulnerability affects unknown code of the file /demo.php of the component WAF Firewall. The manipulation of the argument param leads to cross site scripting. Remote exploitation of the attack is possible. The exploit is publicly available...

CVE-2026-5332

A vulnerability was identified in Xiaopi Panel 1.0.0. This vulnerability affects unknown code of the file /demo.php of the component WAF Firewall. The manipulation of the argument param leads to cross site scripting. Remote exploitation of the attack is possible. The exploit is publicly available...

CVE-2026-5331

CVE-2026-5331 affects OpenCart 4.1.0.3, specifically the Extension Installer Page component and its file installer.php. The vulnerability is a path traversal issue introduced by a manipulated input, with the attack potentially executable remotely. Public disclosure of the exploit is noted, and th...

PT-2026-29784

phpMyFAQ is an open source FAQ web application. Prior to version 4.1.1, the searchCustomPages method in phpmyfaq/src/phpMyFAQ/Search.php uses real escape string via escape to sanitize the search term before embedding it in LIKE clauses. However, real escape string does not escape SQL LIKE...

PT-2026-29859

A vulnerability was determined in projectworlds Car Rental Project 1.0. The affected element is an unknown function of the file /login.php of the component Parameter Handler. This manipulation of the argument uname causes sql injection. Remote exploitation of the attack is possible. The exploit h...

Content Management System 命令注入漏洞

Content Management System is a lightweight content management system developed by DefaultFunction’s individual developer. Version 1.0 of Content Management System has a command injection vulnerability. This vulnerability stems from improper handling of the ‘host’ parameter in the ‘admin/tools.php...

Henan Xiaopi Panel 代码注入漏洞

Henan Xiaopi Panel is a Linux graphical interface developed by Henan Xiaopi in Henan, China. Version 1.0.0 of Henan Xiaopi Panel contains a code injection vulnerability. This vulnerability stems from improper handling of the parameter “param” in the file/demo.php of the component WAF Firewall,...

EUVD-2026-17652

AVideo: Unauthenticated File Deletion via PHP Operator Precedence Bug in CLI Guard...

GHSA-G2MG-CGR6-VMV7 AVideo: Missing Authentication in CreatePlugin list.json.php Template Affects 21 Endpoints

Summary The AVideo CreatePlugin template for list.json.php does not include any authentication or authorization check. While the companion templates add.json.php and delete.json.php both require admin privileges, the list.json.php template was shipped without this guard. Every plugin that uses th...

Missing Authentication for Critical Function

Overview wwbn/avideo is an Audio and Video Platform or simply "A Video Platform". Affected versions of this package are vulnerable to Missing Authentication for Critical Function due to the absence of authentication checks in the list.json.php template used by multiple plugin endpoints. An attack...

Auth0 PHP SDK has Insufficient Entropy in Cookie Encryption

Impact In applications built with the Auth0 PHP SDK, cookies are encrypted with insufficient entropy, which may result in threat actors brute-forcing the encryption key and forging session cookies. Am I Affected? Consumers are affected if their application meets the following preconditions: - The...

Insufficient Entropy

Overview Affected versions of this package are vulnerable to Insufficient Entropy in the cookie encryption. An attacker can gain unauthorized access to user sessions by brute-forcing the encryption key and forging valid session cookies. Remediation Upgrade auth0/auth0-php to version 8.19.0 or...

CVE-2026-34236

Auth0-PHP is a PHP SDK for Auth0 Authentication and Management APIs. From version 8.0.0 to before version 8.19.0, in applications built with the Auth0 PHP SDK, cookies are encrypted with insufficient entropy, which may result in threat actors brute-forcing the encryption key and forging session...

CVE-2026-34236

Auth0-PHP is a PHP SDK for Auth0 Authentication and Management APIs. From version 8.0.0 to before version 8.19.0, in applications built with the Auth0 PHP SDK, cookies are encrypted with insufficient entropy, which may result in threat actors brute-forcing the encryption key and forging session...

CVE-2026-34236

Auth0-PHP SDK versions 8.0.0–8.18.x encrypt cookies with insufficient entropy, enabling potential brute-forcing of the encryption key and forging session cookies. Impact is session integrity/confidentiality, with high severity (CVSS 3.1: HIGH). The issue is fixed in version 8.19.0. Affected devel...

CVE-2026-34236 Auth0 PHP SDK Insufficient Entropy in Cookie Encryption

Auth0-PHP is a PHP SDK for Auth0 Authentication and Management APIs. From version 8.0.0 to before version 8.19.0, in applications built with the Auth0 PHP SDK, cookies are encrypted with insufficient entropy, which may result in threat actors brute-forcing the encryption key and forging session...

EUVD-2026-17875

MetInfo CMS versions 7.9, 8.0, and 8.1 contain an unauthenticated PHP code injection vulnerability that allows remote attackers to execute arbitrary code by sending crafted requests with malicious PHP code. Attackers can exploit insufficient input neutralization in the execution path to achieve...