1306 matches found

Cvelist
added 2025/08/06 12:00 a.m. • 11 views

CVE-2025-50286

A Remote Code Execution (RCE) vulnerability in Grav CMS v1.7.48 allows an authenticated admin to upload a malicious plugin via the /admin/tools/direct-install interface. Once uploaded, the plugin is automatically extracted and loaded, allowing arbitrary PHP code execution and reverse shell access...

EPSS 0.0871
Exploits 7 | References 1
ATTACKERKB
added 2025/08/06 12:00 a.m. • 3 views

CVE-2025-50286

A Remote Code Execution (RCE) vulnerability in Grav CMS v1.7.48 allows an authenticated admin to upload a malicious plugin via the /admin/tools/direct-install interface. Once uploaded, the plugin is automatically extracted and loaded, allowing arbitrary PHP code execution and reverse shell access...

CVSS 8.1 | AI score 6.5 | EPSS 0.0871
Exploits 7 | References 5
RedhatCVE
added 2025/08/03 2:14 p.m. • 11 views

CVE-2025-51502

Reflected Cross-Site Scripting (XSS) in Microweber CMS 2.0 via the layout parameter on the /admin/page/create page allows arbitrary JavaScript execution in the context of authenticated admin users...

CVSS 6.1 | AI score 5.7 | EPSS 0.00714
Exploits 1 | References 1
Snyk
added 2025/08/01 6:31 p.m. • 3 views

Cross-site Scripting (XSS)

Overview: microweber/microweber is a new-generation CMS with drag and drop. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the layout parameter on the /admin/page/create page. An attacker can execute arbitrary JavaScript in the context of authenticated admin users...

CVSS 6.1 | AI score 5.4 | EPSS 0.00714
Exploits 1 | References 2
Github Security Blog
added 2025/08/01 6:31 p.m. • 10 views

Microweber has Reflected XSS Vulnerability in the layout Parameter

Reflected Cross-Site Scripting (XSS) in Microweber CMS 2.0 via the layout parameter on the /admin/page/create page allows arbitrary JavaScript execution in the context of authenticated admin users...

CVSS 6.1 | AI score 6.1 | EPSS 0.00714
Exploits 1 | References 5 | Affected Software 1
CVE
added 2025/08/01 6:04 p.m. • 14 views

CVE-2025-54593

FreshRSS up to version 1.26.1 is vulnerable to RCE via an authenticated administrator who can modify the update URL to execute arbitrary code on the server; successful exploitation can lead to data exfiltration (including hashed passwords) and possible defacement. The issue is fixed in version 1....

CVSS 7.2 | AI score 8.1 | EPSS 0.00748
Exploits 1 | References 4 | Affected Software 1
Vulnrichment
added 2025/08/01 6:04 p.m. • 3 views

CVE-2025-54593 FreshRSS is vulnerable to RCE attacks by authenticated admin

FreshRSS is a free, self-hostable RSS aggregator. In versions 1.26.1 and below, an authenticated administrator user can execute arbitrary code on the FreshRSS server by modifying the update URL to one they control, and gain code execution after running an update. After successfully executing code...

CVSS 7.2 | AI score 7.5 | EPSS 0.00748
Exploits 1 | References 4
Cvelist
added 2025/08/01 6:04 p.m. • 8 views

CVE-2025-54593 FreshRSS is vulnerable to RCE attacks by authenticated admin

FreshRSS is a free, self-hostable RSS aggregator. In versions 1.26.1 and below, an authenticated administrator user can execute arbitrary code on the FreshRSS server by modifying the update URL to one they control, and gain code execution after running an update. After successfully executing code...

CVSS 7.2 | EPSS 0.00748
Exploits 1 | References 4
Packet Storm
added 2025/07/09 12:00 a.m. • 162 views

ISPConfig language_edit.php PHP Code Injection

This Metasploit module exploits a PHP code injection vulnerability in the ISPConfig language_edit.php file. The vulnerability occurs when the admin_allow_langedit setting is enabled, allowing authenticated administrators to inject arbitrary PHP code through the language editor interface. This...

CVSS 7.2 | AI score 7.6 | EPSS 0.13894
Exploits 14
OSV
added 2025/07/08 4:15 p.m. • 2 views

CVE-2025-0292

SSRF in Ivanti Connect Secure before version 22.7R2.8 and Ivanti Policy Secure before version 22.7R1.5 allows a remote authenticated attacker with admin rights to access internal network services...

CVSS 4.9 | AI score 5.8 | EPSS 0.00556
Exploits 0 | References 1
OSV
added 2025/07/08 3:15 p.m. • 2 views

CVE-2025-5451

A stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.8 and Ivanti Policy Secure before version 22.7R1.5 allows a remote authenticated attacker with admin rights to trigger a denial of service...

CVSS 4.9 | AI score 6.2 | EPSS 0.0065
Exploits 0 | References 1
CVE
added 2025/07/08 3:00 p.m. • 27 views

CVE-2025-5450

Ivanti Connect Secure and Ivanti Policy Secure are affected by CVE-2025-5450 due to improper access control in the certificate management component. A remote authenticated admin with read-only rights can modify settings that should be restricted on versions prior to 22.7R2.8 (ICS) and 22.7R1.5 (I...

CVSS 6.3 | AI score 6.8 | EPSS 0.00248
Exploits 0 | References 1 | Affected Software 2
Snyk
added 2025/07/02 7:41 p.m. • 6 views

Expired Pointer Dereference

Overview: org.lucee:lucee is Lucee Server, a dynamic, Java-based JSR-223 tag and scripting language used for rapid web application development. Affected versions of this package are vulnerable to Expired Pointer Dereference via the scheduled task process. An authenticated attacker with an...

CVSS 9.4 | AI score 7.4 | EPSS 0.01134
Exploits 1 | References 2
Vulnrichment
added 2025/06/27 12:00 a.m. • 4 views

CVE-2025-50370

A Cross-Site Request Forgery (CSRF) vulnerability exists in the Inquiry Management functionality /mcgs/admin/readenq.php of the Phpgurukul Medical Card Generation System 1.0. The vulnerable endpoint allows an authenticated admin to delete inquiry records via a simple GET request, without requiring ...

AI score 7.1 | EPSS 0.00137
Exploits 0 | References 1
CVE
added 2025/06/27 12:00 a.m. • 19 views

CVE-2025-50370

CVE-2025-50370 affects Phpgurukul Medical Card Generation System 1.0, specifically the Inquiry Management endpoint /mcgs/admin/readenq.php. A CSRF flaw exists where an authenticated admin can delete inquiry records via a simple GET request without CSRF token or origin validation. This is supporte...

CVSS 6.5 | AI score 6.6 | EPSS 0.00137
Exploits 0 | References 1 | Affected Software 1
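The two CVE-2025-50370 entries above describe the same defect: a state-changing admin action reachable by a plain GET, with no CSRF token and no origin check, so the session cookie the browser attaches automatically is the only thing standing between a forged request and a deleted record. The following is an added illustration in Python, not the project's PHP code; the parameter name delid, the origin https://mcgs.example and the sample records are assumptions made for the example. It puts the vulnerable handler beside a hardened one that accepts only POST, validates Origin/Referer, and compares a per-session token in constant time.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict

# Assumed origin of the admin site (hypothetical; the advisory names only the path).
SITE_ORIGIN = "https://mcgs.example"
DELETE_PATH = "/mcgs/admin/readenq.php"


@dataclass
class Request:
    """Minimal stand-in for an incoming HTTP request."""
    method: str
    path: str = DELETE_PATH
    query: Dict[str, str] = field(default_factory=dict)
    form: Dict[str, str] = field(default_factory=dict)
    headers: Dict[str, str] = field(default_factory=dict)
    # The admin's server-side session. The browser attaches the session cookie
    # to cross-site navigations and image loads, which is what CSRF abuses.
    session: Dict[str, str] = field(default_factory=dict)


def sample_inquiries() -> Dict[str, str]:
    """Constructed sample records (not real data)."""
    return {"1": "inquiry from A", "2": "inquiry from B"}


def vulnerable_delete(store: Dict[str, str], req: Request) -> int:
    """The advisory's pattern: a GET with an id deletes the record and the only check
    is the session cookie, so <img src="https://mcgs.example/mcgs/admin/readenq.php?delid=1">
    on any page the admin visits is enough. 'delid' is a hypothetical parameter name."""
    if not req.session.get("admin"):
        return 403
    rec = req.query.get("delid")
    if rec in store:
        del store[rec]
        return 200
    return 404


def issue_csrf_token(session: Dict[str, str]) -> str:
    """Per-session random token, rendered into the delete form as a hidden field."""
    if "csrf_token" not in session:
        session["csrf_token"] = secrets.token_urlsafe(32)
    return session["csrf_token"]


def same_origin(headers: Dict[str, str]) -> bool:
    """Origin check as a second layer; fail closed when neither header is present."""
    origin = headers.get("Origin")
    if origin is not None:
        return origin == SITE_ORIGIN
    referer = headers.get("Referer")
    if referer is not None:
        return referer == SITE_ORIGIN or referer.startswith(SITE_ORIGIN + "/")
    return False


def hardened_delete(store: Dict[str, str], req: Request) -> int:
    """State change only via POST, with origin validation and a constant-time token compare."""
    if not req.session.get("admin"):
        return 403
    if req.method != "POST":
        return 405
    if not same_origin(req.headers):
        return 403
    expected = req.session.get("csrf_token", "")
    supplied = req.form.get("csrf_token", "")
    if not expected or not hmac.compare_digest(expected, supplied):
        return 403
    rec = req.form.get("delid")
    if rec in store:
        del store[rec]
        return 200
    return 404


def demo() -> Dict[str, int]:
    """Forged GET against both handlers, then a legitimate POST against the hardened one."""
    session = {"admin": "1"}
    forged = Request(method="GET", query={"delid": "1"},
                     headers={"Referer": "https://evil.example/page.html"}, session=session)
    store_a, store_b = sample_inquiries(), sample_inquiries()
    forged_vs_vulnerable = vulnerable_delete(store_a, forged)
    forged_vs_hardened = hardened_delete(store_b, forged)
    token = issue_csrf_token(session)
    legit = Request(method="POST", form={"delid": "1", "csrf_token": token},
                    headers={"Origin": SITE_ORIGIN}, session=session)
    legit_vs_hardened = hardened_delete(store_b, legit)
    return {"forged_vs_vulnerable": forged_vs_vulnerable, "left_after_forged": len(store_a),
            "forged_vs_hardened": forged_vs_hardened, "legit_vs_hardened": legit_vs_hardened,
            "left_after_legit": len(store_b)}


if __name__ == "__main__":
    print(demo())
```

The method restriction alone already defeats the img-tag variant; the token is what stops a cross-site form POST, and the origin check catches the case where a token leaks (or where a deployment forgets to render it). Failing closed on a missing Origin and Referer is deliberate for a destructive action; a site that must support privacy-stripped referers should fall back to the token alone rather than skip the check.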
CNNVD
added 2025/06/20 12:00 a.m. • 2 views

WordPress plugin Beaver Builder Plugin code issue vulnerability

WordPress and WordPress plugins are both products of the WordPress Foundation; the Beaver Builder plugin is an application plugin. A code issue vulnerability exists in the WordPress Beaver Builder plugin, stemming from a lack of file type validation, which an attacker can exploit to cause an...

CVSS 7.2 | AI score 7.1 | EPSS 0.00531
Exploits 0 | References 2
NVD
added 2025/06/17 11:15 a.m. • 17 views

CVE-2025-6050

Mezzanine CMS, in versions prior to 6.1.1, contains a Stored Cross-Site Scripting (XSS) vulnerability in the admin interface. The vulnerability exists in the "displayable_links_js" function, which fails to properly sanitize blog post titles before including them in JSON responses served via...

CVSS 4.8 | EPSS 0.00263
Exploits 1 | References 3
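The Microweber entries (reflected XSS via the layout parameter on /admin/page/create) and the Mezzanine entry (stored XSS through titles placed in a JSON response) are two output contexts with two different encodings: an HTML attribute needs HTML entity escaping, while JSON that ends up inside a script element or is consumed by front-end code needs the characters that can close a script element encoded as JSON \u escapes. The following is an added Python illustration of both, not code from either project; the sample layout value, the sample post titles and the links feed shape are constructed for the example.

```python
import html
import json
from typing import Any, Dict, List

# Constructed sample inputs (not taken from any real report).
REFLECTED_LAYOUT = '"><script>alert(document.cookie)</script>'
POST_TITLE = 'Q3 report </script><script>alert(1)</script>'
SAMPLE_POSTS: List[Dict[str, str]] = [
    {"title": POST_TITLE, "url": "/blog/q3-report/"},
    {"title": "Plain & simple <title>", "url": "/blog/plain/"},
]


def render_layout_field_vulnerable(layout: str) -> str:
    """Bug pattern: the query parameter is echoed into an attribute unescaped,
    so a value starting with '">' closes the attribute and the tag."""
    return f'<input name="layout" value="{layout}">'


def render_layout_field(layout: str) -> str:
    """HTML attribute context: escape &, <, >, " and ' before reflecting the value."""
    return f'<input name="layout" value="{html.escape(layout, quote=True)}">'


def json_for_script(value: Any) -> str:
    """JSON that is safe to embed in a <script> block or hand to front-end code.

    json.dumps escapes quotes and control characters but leaves '<', '>' and '&'
    as-is, so a title containing '</script>' terminates the script element.
    Replacing those with \\uXXXX escapes keeps the text valid JSON and the parsed
    value unchanged (the same transformation Django's json_script filter applies).
    """
    return (json.dumps(value)
            .replace("&", "\\u0026")
            .replace("<", "\\u003c")
            .replace(">", "\\u003e"))


def links_json_vulnerable(posts: List[Dict[str, str]]) -> str:
    """Titles go into the JSON feed with no context-aware encoding."""
    return json.dumps([{"title": p["title"], "url": p["url"]} for p in posts])


def links_json(posts: List[Dict[str, str]]) -> str:
    """Same feed, encoded for the script/JSON context."""
    return json_for_script([{"title": p["title"], "url": p["url"]} for p in posts])


def script_block(posts: List[Dict[str, str]]) -> str:
    """Inline the link list into a page as a script element (exactly one </script>)."""
    return f"<script>var links = {links_json(posts)};</script>"


def parsed_titles(feed: str) -> List[str]:
    """Decode a feed and return its titles, to show the encoding is lossless."""
    return [entry["title"] for entry in json.loads(feed)]


def demo() -> Dict[str, str]:
    return {
        "reflected_vulnerable": render_layout_field_vulnerable(REFLECTED_LAYOUT),
        "reflected_safe": render_layout_field(REFLECTED_LAYOUT),
        "json_vulnerable": links_json_vulnerable(SAMPLE_POSTS),
        "json_safe": links_json(SAMPLE_POSTS),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The JSON encoding protects the script context only. If the front end later drops a title into the page with innerHTML, it must HTML-escape at that point (or use textContent); the two encodings are not interchangeable, and applying HTML escaping to the JSON would corrupt titles containing an ampersand for every consumer.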
ATTACKERKB
added 2025/06/13 12:15 a.m. • 1 views

CVE-2025-4231

A command injection vulnerability in Palo Alto Networks PAN-OS® enables an authenticated administrative user to perform actions as the root user. The attacker must have network access to the management web interface and successfully authenticate to exploit this issue. Cloud NGFW and Prisma Access...

CVSS 8.6 | AI score 5.8 | EPSS 0.01024
Exploits 0 | References 2 | Affected Software 1
NVD
added 2025/06/13 12:15 a.m. • 24 views

CVE-2025-4230

A command injection vulnerability in Palo Alto Networks PAN-OS® software enables an authenticated administrator to bypass system restrictions and run arbitrary commands as a root user. To be able to exploit this issue, the user must have access to the PAN-OS CLI. The security risk posed by this...

CVSS 8.4 | EPSS 0.00637
Exploits 0 | References 1
CVE
added 2025/06/12 11:30 p.m. • 90 views

CVE-2025-4230

CVE-2025-4230: PAN-OS command injection via CLI. Multiple connected sources confirm a vulnerability in Palo Alto Networks PAN-OS software where an authenticated administrator with PAN-OS CLI access can bypass restrictions and execute arbitrary root commands. The issue is a local attack with hig...

CVSS 8.4 | AI score 7.1 | EPSS 0.00637
Exploits 0 | References 1