CVE-2026-42224

ipl/web is a set of common web components for php projects. Prior to version 0.13.1, the vulnerability allows an attacker to inject malicious Javascript into a victim's browser to run it in the context of Icinga Web. The victim needs to visit a specifically prepared website and may have no...

CVE-2026-42287

Summary: CVE-2026-42287 affects Emlog before version 2.6.11, where direct SQL injection in article creation and update can occur via the log_model.php functions addLog() and updateLog(). The underlying issue is unsafeguarded SQL construction that allows attackers to execute arbitrary SQL commands...

EUVD-2026-28830

Emlog is an open source website building system. Prior to version 2.6.11, insecure plugin upload functionality allows attackers to upload and execute arbitrary PHP code, leading to complete server compromise and persistent backdoor installation. This issue has been patched in version 2.6.11...

CLSA-2026-1778261513 Update of alt-php

Miscellaneous Ubuntu changes - Packaging: add tuxcare suffix Miscellaneous upstream changes - xfrm: esp: avoid in-place decrypt on shared skb frags - rxrpc: Also unshare DATA/RESPONSE packets when paged frags are present...

[SECURITY] [DSA 6256-1] php8.4 security update

------------------------------------------------------------------------- Debian Security Advisory DSA-6256-1 [email protected] https://www.debian.org/security/ Moritz Muehlenhoff May 08, 2026 https://www.debian.org/security/faq -...

[SECURITY] [DSA 6255-1] php8.2 security update

------------------------------------------------------------------------- Debian Security Advisory DSA-6255-1 [email protected] https://www.debian.org/security/ Moritz Muehlenhoff May 08, 2026 https://www.debian.org/security/faq -...

SUSE-SU-2026:1784-1 Security update for php-composer2

This update for php-composer2 fixes the following issues: - CVE-2026-40176: arbitrary command injection via malicious Perforce repository definition bsc1262254. - CVE-2026-40261: arbitrary command injection via malicious Perforce source reference/url bsc1262255...

EUVD-2026-28806

novaGallery is a php image gallery. Prior to version 2.1.1, a path traversal vulnerability has been identified in novaGallery. This allows unauthenticated users to read image files outside the intended gallery root directory. This issue has been patched in version 2.1.1...

CVE-2026-41570 PHPUnit: Argument injection via newline in PHP INI values forwarded to child processes

PHPUnit is a testing framework for PHP. In versions 12.5.21 and 13.1.5, PHPUnit forwards PHP INI settings to child processes used for isolated/PHPT test execution as -d name=value command-line arguments without neutralizing INI metacharacters. Because PHP's INI parser interprets " as a string...

CVE-2025-67486 Dolibarr has an Authenticated Remote Code Execution via eval() injection in user extrafields

Dolibarr is an enterprise resource planning ERP and customer relationship management CRM software package. Versions 22.0.2 and earlier contains an authenticated remote code execution vulnerability in the user extrafields functionality. User-controlled input from the "computed value" field is pass...

Exploit for CVE-2026-3844

CVE-2026-3844 — Breeze Cache Unauthenticated Arbitrary File Up...

CLSA-2026-1778240943 php: Fix of CVE-2025-1219

CVE-2025-1219: fix wrong content-type header on libxml streams redirect...

php: Fix of 3 CVEs

CVE-2018-5711: Fix infinite loop in gdImageCreateFromGifCtx libgd when reading crafted GIF - CVE-2018-17082: Fix XSS via Transfer-Encoding: chunked in apache2 SAPI - CVE-2018-10545: Do not set PRSETDUMPABLE by default in php-fpm child...

CLSA-2026-1778055087 php: Fix of 3 CVEs

CVE-2018-5711: Fix infinite loop in gdImageCreateFromGifCtx libgd when reading crafted GIF - CVE-2018-17082: Fix XSS via Transfer-Encoding: chunked in apache2 SAPI - CVE-2018-10545: Do not set PRSETDUMPABLE by default in php-fpm child...

EUVD-2025-209736

An issue was discovered in Control Web Panel CWP before 0.9.8.1209. User input passed via the "key" GET parameter to /admin/index.php when the "api" parameter is set is not properly sanitized before being used to execute OS commands. This can be exploited by unauthenticated attackers to inject an...

WordPress User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration plugin <= 4.3.1 - Authenticated (Subscriber+) PHP Object Injection vulnerability

Authenticated Subscriber+ PHP Object Injection vulnerability discovered by d.v4ns3c in WordPress Plugin WP User Frontend versions = 4.3.1...

CVE-2026-5127 User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration <= 4.3.1 - Authenticated (Subscriber+) PHP Object Injection

The User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration plugin for WordPress is vulnerable to Deserialization of Untrusted Data in versions up to, and including, 4.3.1 This is due to insufficient input validation and type checking on the wpuffiles...

CVE-2026-5127 User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration <= 4.3.1 - Authenticated (Subscriber+) PHP Object Injection

The User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration plugin for WordPress is vulnerable to Deserialization of Untrusted Data in versions up to, and including, 4.3.1 This is due to insufficient input validation and type checking on the wpuffiles...

CVE-2025-67886

Bitrix24 through 25.100.300 allows Remote Code Execution because an actor with SOURCE/WRITE permissions for the Translate Module can upload and execute code by sending a PHP file and a .htaccess file. NOTE: this is disputed by the Supplier because this is intended behavior for the high-privileged...

CVE-2024-33288

Prison Management System Using PHP v1.0 was discovered to contain a SQL injection vulnerability via the username on the Admin login page...