397 matches found
CVE-2010-1063
Multiple directory traversal vulnerabilities in Phpkobo Free Real Estate Contact Form 1.09, when magicquotesgpc is disabled, allow remote attackers to include and execute arbitrary local files via directory traversal sequences in the LANGCODE parameter to 1 codelib/cfg/common.inc.php, 2...
PT-2025-22325
Name of the Vulnerable Software and Affected Versions Madara – Responsive and modern WordPress theme for manga sites versions 2.2.2 and earlier Description The issue allows unauthenticated attackers to include and execute arbitrary files on the server via the template parameter, making it possibl...
CVE-2025-47788
Atheos is a self-hosted browser-based cloud IDE. Prior to v602, similar to GHSA-rgjm-6p59-537v/CVE-2025-22152, the $target parameter in /controller.php was not properly validated, which could allow an attacker to execute arbitrary files on the server via path traversal. v602 contains a fix for th...
CVE-2025-47788
Atheos is a self-hosted browser-based cloud IDE. Prior to v602, similar to GHSA-rgjm-6p59-537v/CVE-2025-22152, the $target parameter in /controller.php was not properly validated, which could allow an attacker to execute arbitrary files on the server via path traversal. v602 contains a fix for th...
CVE-2025-47788 Missing Path Validation Enables Path Traversal in Controller.php
Atheos is a self-hosted browser-based cloud IDE. Prior to v602, similar to GHSA-rgjm-6p59-537v/CVE-2025-22152, the $target parameter in /controller.php was not properly validated, which could allow an attacker to execute arbitrary files on the server via path traversal. v602 contains a fix for th...
PT-2025-21368 · Atheros · Atheos
Name of the Vulnerable Software and Affected Versions: Atheos versions prior to v602 Description: Atheos is a self-hosted browser-based cloud IDE. The $target parameter in "/controller.php" was not properly validated, which could allow an attacker to execute arbitrary files on the server via path...
Atheos 安全漏洞
Atheos is an open source browser-based self-hosted cloud IDE from Atheos. A security vulnerability exists in Atheos versions prior to v602, which stems from the $target parameter in /controller.php not being properly validated, which could lead to the execution of arbitrary files via path travers...
Adobe ColdFusion 2021.x < 2021u20 / 2023.x < 2023u14 / 2025.x < 2025u2 Multiple Vulnerabilities (APSB25-52)
The version of Adobe ColdFusion installed on the remote Windows host is prior to 2021.x update 20, 2023.x update 14, or 2025.x update 2. It is, therefore, affected by multiple vulnerabilities as referenced in the APSB25-52 advisory. - ColdFusion versions 2025.1, 2023.13, 2021.19 and earlier are...
CVE-2025-2636
The InstaWP Connect – 1-click WP Staging & Migration plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 0.1.0.85 via the 'instawp-database-manager' parameter. This makes it possible for unauthenticated attackers to include and execute arbitrary files ...
CVE-2025-2294
The Kubio AI Page Builder plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.5.1 via thekubiohybridthemeloadtemplate function. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the...
CVE-2025-2294
The CVE-2025-2294 entry is supported by concrete technical details in connected documents: Kubio AI Page Builder for WordPress (plugin ≤ 2.5.1) is vulnerable to Local File Inclusion via the kubio_hybrid_theme_load_template function. The flaw allows unauthenticated attackers to include and execute...
GHSA-M37H-8R48-2CXJ H2O Vulnerable to Execution of Arbitrary Files
In h2oai/h2o-3 version 3.46.0, an endpoint exposing a custom EncryptionTool allows an attacker to encrypt any files on the target server with a key of their choosing. The chosen key can also be overwritten, resulting in ransomware-like behavior. This vulnerability makes it possible for an attacke...
H2O Vulnerable to Execution of Arbitrary Files
In h2oai/h2o-3 version 3.46.0, an endpoint exposing a custom EncryptionTool allows an attacker to encrypt any files on the target server with a key of their choosing. The chosen key can also be overwritten, resulting in ransomware-like behavior. This vulnerability makes it possible for an attacke...
CVE-2025-1770
The Event Manager, Events Calendar, Tickets, Registrations – Eventin plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 4.0.24 via the 'style' parameter. This makes it possible for authenticated attackers, with Contributor-level access and above, to...
CVE-2024-13913
The InstaWP Connect – 1-click WP Staging & Migration plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.1.0.83. This is due to missing or incorrect nonce validation in the '/migrate/templates/main.php' file. This makes it possible for...
CVE-2024-13913
CVE-2024-13913 (InstaWP Connect – 1-click WP Staging & Migration for WordPress) is a CSRF-to-LFI vulnerability affecting versions up to 0.1.0.83. The root cause is missing or incorrect nonce validation in the file /migrate/templates/main.php, enabling an unauthenticated attacker to coerce the app...
WordPress plugin InstaWP Connect 跨站请求伪造漏洞
WordPress and WordPress plugin are both products of the WordPress Foundation.WordPress is a set of blogging platforms developed using the PHP language. The platform supports setting up personal blog sites on servers with PHP and MySQL.WordPress plugin is an application plugin. A cross-site reques...
CVE-2025-1707
The Review Schema plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.2.4 via post meta. This makes it possible for authenticated attackers, with contributor-level and above permissions, to include and execute arbitrary files on the server, allowing...
CVE-2024-12811 Traveler <= 3.1.8 - Authenticated (Contributor+) Local File Inclusion via Shortcode
The Traveler theme for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 3.1.8 via the 'hotelaloneslider' shortcode 'style' attribute. This makes it possible for authenticated attackers, with contributor-level and above permissions, to include and execute...
CVE-2024-13592 Team Builder For WPBakery Page Builder(Formerly Visual Composer) <= 1.0 - Authenticated (Contributor+) Local File Inclusion
The Team Builder For WPBakery Page BuilderFormerly Visual Composer plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.0 via the 'team-builder-vc' shortcode. This makes it possible for authenticated attackers, with Contributor-level access and above,...