SUSE SLES16 Security Update : php8 (SUSE-SU-2026:21612-1)

The remote SUSE Linux SLES16 / SLESSAP16 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2026:21612-1 advisory. This update for php8 fixes the following issues - CVE-2025-14179: improper handling of NULL bytes by the PDO Firebird driver when...

[SECURITY] [DLA 4586-1] php7.4 security update

Debian LTS Advisory DLA-4586-1 [email protected] https://www.debian.org/lts/security/ Guilhem Moulin May 16, 2026 https://wiki.debian.org/LTS Package : php7.4 Version : 7.4.33-1+deb11u11 CVE ID : CVE-2026-6722 CVE-2026-6735 CVE-2026-7258 CVE-2026-7261 CVE-2026-7262 CVE-2026-7568 Debian...

CVE-2021-47966

PHP Timeclock 1.04 contains time-based and boolean-based blind SQL injection vulnerabilities in the loginuserid parameter of login.php that allows unauthenticated attackers to extract database contents. Attackers can submit crafted POST requests with SQL payloads using SLEEP functions or RLIKE...

HUSTOJ Admin users can zip-slip problem_import_qduoj.php, planting PHP files in webroot for RCE

A user with administrative privileges can abuse the problemimportqduoj.php CGI script using a crafted zip file zip-slip to traverse backwards through the filesystem, then to the webroot, where they can extract a PHP file that spawns a shell to get full RCE in the context of the webserver. Module...

CVE-2026-46360 phpMyFAQ - Stored XSS via Entity Decoding Depth Limit Bypass in SVG Sanitizer

phpMyFAQ before 4.1.2 contains a stored cross-site scripting vulnerability in SvgSanitizer::decodeAllEntities that limits recursive entity decoding to 5 iterations, allowing attackers to bypass sanitization. Authenticated users with FAQEDIT permission can upload malicious SVG files with deeply...

CVE-2021-47967 PHP Timeclock 1.04 Multiple Cross-Site Scripting via Parameters

PHP Timeclock 1.04 contains multiple cross-site scripting vulnerabilities that allow unauthenticated attackers to inject arbitrary JavaScript by manipulating URL paths and POST parameters. Attackers can append malicious payloads to login.php, timeclock.php, audit.php, and timerpt.php endpoints, o...

EUVD-2021-34822

PHP Timeclock 1.04 contains multiple cross-site scripting vulnerabilities that allow unauthenticated attackers to inject arbitrary JavaScript by manipulating URL paths and POST parameters. Attackers can append malicious payloads to login.php, timeclock.php, audit.php, and timerpt.php endpoints, o...

CVE-2021-47967 PHP Timeclock 1.04 Multiple Cross-Site Scripting via Parameters

PHP Timeclock 1.04 contains multiple cross-site scripting vulnerabilities that allow unauthenticated attackers to inject arbitrary JavaScript by manipulating URL paths and POST parameters. Attackers can append malicious payloads to login.php, timeclock.php, audit.php, and timerpt.php endpoints, o...

CVE-2021-47964 Schlix CMS 2.2.6-6 Remote Code Execution via core.blockmanager

Schlix CMS 2.2.6-6 contains a remote code execution vulnerability that allows authenticated attackers to execute arbitrary PHP code by uploading malicious extension packages through the block manager. Attackers can upload a crafted ZIP file containing PHP code in the packageinfo.inc file and...

AVideo: 2FA toggle endpoint has no CSRF protection, letting an attacker page silently disable a logged-in victim's 2FA

Summary Type: Cross-site request forgery on the 2FA toggle. plugin/LoginControl/set.json.php accepts POST type=set2FA value=false, calls LoginControl::setUser2FAUser::getId, false on the session-authenticated user, and returns. There is no forbidIfIsUntrustedRequest call, no isTokenValid check, n...

GHSA-XW67-CG5F-4M2R AVideo: OS command injection in on_publish.php execAsync via unescaped m3u8 URL

Summary Type: Classic shell-metacharacter injection. The YPTSocket notification branch in plugin/Live/onpublish.php builds an execAsync command line by string concatenation, single-quoting each argument but never calling escapeshellarg. A ' in any of the three interpolated values $usersid, $m3u8,...

Directory Traversal

Overview Affected versions of this package are vulnerable to Directory Traversal via the FileSystemTicketStore process. An attacker can read and unserialize files outside the intended directory, and conditionally delete files, by supplying crafted path traversal sequences in public CAS validation...

FrankenPHP: Unsafe Unicode Handling in CGI Path Splitting Allows Execution of Non-PHP Files

Summary The splitPos function in cgi.go misuses golang.org/x/text/search with search.IgnoreCase when the request path contains a non-ASCII byte. Two distinct flaws in that fallback let an attacker mislead FrankenPHP into treating a non-.php file as a .php script. In any deployment where the...

Debian dla-4586 : libapache2-mod-php7.4 - security update

The remote Debian 11 host has packages installed that are affected by multiple vulnerabilities as referenced in the dla-4586 advisory. ------------------------------------------------------------------------- Debian LTS Advisory DLA-4586-1 [email protected]...

PT-2026-41345

PHP Timeclock 1.04 contains time-based and boolean-based blind SQL injection vulnerabilities in the login userid parameter of login.php that allows unauthenticated attackers to extract database contents. Attackers can submit crafted POST requests with SQL payloads using SLEEP functions or RLIKE...

PT-2026-43462

Name of the Vulnerable Software and Affected Versions AVideo versions 29.0 and earlier Description A cross-site request forgery CSRF issue exists in the 2FA toggle functionality. The endpoint "plugin/LoginControl/set.json.php" accepts POST requests with the parameters type=set2FA and value=false ...

PT-2026-41391

Name of the Vulnerable Software and Affected Versions FrankenPHP versions 1.11.2 through 1.12.2 Description An unsafe Unicode handling flaw exists in the CGI path splitting process. The splitPos function in cgi.go incorrectly uses the golang.org/x/text/search library with search.IgnoreCase when...

📄 HUSTOJ Zip Slip / Remote Code Execution

This Metasploit module demonstrates a remote code execution vulnerability in HUSTOJ. A user with administrative privileges can abuse the problemimportqduoj.php CGI script using a crafted zip file zip-slip to traverse backwards through the filesystem, then to the webroot, where they can extract a...

Linux Distros Unpatched Vulnerability : CVE-2026-6811

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Stack exhaustion vulnerability in the MongoDB PHP driver can cause application crashes when processing deeply nested BSON documents in unusual circumstances whe...

CVE-2026-6722 affecting package php for versions less than 8.3.31-1

CVE-2026-6722 affecting package php for versions less than 8.3.31-1. A patched version of the package is available...