Lucene search
K

430 matches found

Nuclei
Nuclei
added yesterday6 views

Xerte Online Toolkits <= 3.15 - Remote Code Execution

Xerte Online Toolkits versions 3.15 and earlier expose the elFinder file manager connector at /editor/elfinder/php/connector.php without authentication CVE-2026-34413, because the access-control redirect for unauthenticated users does not call exit/die and execution continues server-side. This is...

9.8CVSS6.3AI score0.03575EPSS
Exploits2References6
Nuclei
Nuclei
added yesterday218 views

Studio-42 elFinder <2.1.60 - Arbitrary File Upload

Studio-42 elFinder 2.0.4 to 2.1.59 is vulnerable to unauthenticated file upload via connector.minimal.php which could allow a remote user to upload arbitrary files and execute PHP code. id: CVE-2021-43421 info: name: Studio-42 elFinder 2.1.60 - Arbitrary File Upload author: akincibor severity:...

9.8CVSS7.2AI score0.42781EPSS
Exploits1References4
Nuclei
Nuclei
added yesterday70 views

elFinder <=2.1.60 - Local File Inclusion

elFinder through 2.1.60 is affected by local file inclusion via connector.minimal.php. This allows unauthenticated remote attackers to read, write, and browse files outside the configured document root. This is due to improper handling of absolute file paths. id: CVE-2022-26960 info: name: elFind...

9.1CVSS7.1AI score0.50993EPSS
Exploits1References5
Nuclei
Nuclei
added yesterday551 views

elFinder <= 2.1.47 - Command Injection

elFinder before 2.1.48 has a command injection vulnerability in the PHP connector. The vulnerability occurs when performing image operations on JPEG files, where the filename is passed to the exiftran utility without proper sanitization, allowing command injection. id: CVE-2019-9194 info: name:...

9.8CVSS7AI score0.96633EPSS
Exploits11References5
Nuclei
Nuclei
added yesterday410 views

elFinder 2.1.58 - Remote Code Execution

elFinder 2.1.58 is impacted by multiple remote code execution vulnerabilities that could allow an attacker to execute arbitrary code and commands on the server hosting the elFinder PHP connector, even with minimal configuration. id: CVE-2021-32682 info: name: elFinder 2.1.58 - Remote Code Executi...

9.8CVSS7.6AI score0.69934EPSS
Exploits5References5
Nuclei
Nuclei
added yesterday61 views

Maian Cart <=3.8 - Remote Code Execution

Maian Cart 3.0 to 3.8 via the elFinder file manager plugin contains a remote code execution vulnerability. id: CVE-2021-32172 info: name: Maian Cart =3.8 to mitigate this vulnerability. reference: - https://dreyand.github.io/maian-cart-rce/ - https://github.com/DreyAnd/maian-cart-rce -...

9.8CVSS7.4AI score0.66433EPSS
Exploits4References5
Nuclei
Nuclei
added yesterday66 views

elFinder < 2.1.58 - Remote Code Execution

studio-42/elfinder before 2.1.58 contains a remote code execution caused by execution of PHP code in a .phar file, letting attackers execute arbitrary PHP code if the server parses .phar files as PHP, exploit requires server to parse .phar files as PHP. id: CVE-2021-23394 info: name: elFinder...

9.8CVSS7.5AI score0.19083EPSS
Exploits1References4
CVE
CVE
added 2026/07/06 6:0 a.m.17 views

CVE-2026-6382

The CVE affects multiple elFinder-based WordPress plugins: FileOrganizer (before 1.1.9), Advanced File Manager (before 5.4.12), File Manager Pro (before 2.1.1), and File Manager (before 8.0.4). The root cause is improper escaping of a parameter passed to a shell command during image operations, e...

9.1CVSS6AI score0.00902EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/07/06 6:0 a.m.39 views

CVE-2026-6382 Multiple elFinder Plugins - Authenticated OS Command Injection

The FileOrganizer WordPress plugin before 1.1.9, Advanced File Manager WordPress plugin before 5.4.12, File Manager Pro WordPress plugin before 2.1.1, File Manager WordPress plugin before 8.0.4 do not properly escape a parameter before passing it to a shell command when processing image operation...

0.00902EPSS
Exploits0References1
CVE
CVE
added 2026/07/06 6:0 a.m.15 views

CVE-2026-11962

The FileOrganizer WordPress plugin before 1.2.0 does not validate file types on several file-management operations, enabling authenticated users with file-manager access — extended to sub-administrator roles via the premium add‑on — to upload arbitrary PHP files and achieve remote code execution....

8.8CVSS6.3AI score0.00435EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/07/06 6:0 a.m.35 views

CVE-2026-11962 FileOrganizer < 1.2.0 - Authenticated Arbitrary File Upload via elFinder File Operations

The FileOrganizer WordPress plugin before 1.2.0 does not validate the file type on several of its file-management operations, allowing authenticated users who have been granted file-manager access — which its premium add-on can extend to sub-administrator roles — to upload arbitrary PHP files and...

0.00435EPSS
Exploits0References1
NVD
NVD
added 2026/06/08 2:16 a.m.14 views

CVE-2023-54350

WordPress Augmented-Reality plugin contains a remote code execution vulnerability in the elFinder connector that allows unauthenticated attackers to upload and execute arbitrary PHP files. Attackers can send POST requests to the connector.minimal.php endpoint with mkfile and put commands to creat...

8.7CVSS0.00532EPSS
Exploits0References2
Cvelist
Cvelist
added 2026/06/08 1:55 a.m.49 views

CVE-2023-54350 WordPress Augmented-Reality Plugin Remote Code Execution Unauthenticated

WordPress Augmented-Reality plugin contains a remote code execution vulnerability in the elFinder connector that allows unauthenticated attackers to upload and execute arbitrary PHP files. Attackers can send POST requests to the connector.minimal.php endpoint with mkfile and put commands to creat...

8.7CVSS0.00532EPSS
Exploits0References2
ATTACKERKB
ATTACKERKB
added 2026/06/08 1:55 a.m.9 views

CVE-2023-54350

WordPress Augmented-Reality plugin contains a remote code execution vulnerability in the elFinder connector that allows unauthenticated attackers to upload and execute arbitrary PHP files. Attackers can send POST requests to the connector.minimal.php endpoint with mkfile and put commands to creat...

8.7CVSS6.7AI score0.00532EPSS
Exploits0References2Affected Software1
EUVD
EUVD
added 2026/06/08 1:55 a.m.17 views

EUVD-2023-60581

WordPress Augmented-Reality plugin contains a remote code execution vulnerability in the elFinder connector that allows unauthenticated attackers to upload and execute arbitrary PHP files. Attackers can send POST requests to the connector.minimal.php endpoint with mkfile and put commands to creat...

8.7CVSS6.7AI score0.00532EPSS
Exploits0References2
Vulnrichment
Vulnrichment
added 2026/06/08 1:55 a.m.9 views

CVE-2023-54350 WordPress Augmented-Reality Plugin Remote Code Execution Unauthenticated

WordPress Augmented-Reality plugin contains a remote code execution vulnerability in the elFinder connector that allows unauthenticated attackers to upload and execute arbitrary PHP files. Attackers can send POST requests to the connector.minimal.php endpoint with mkfile and put commands to creat...

8.7CVSS6.7AI score0.00532EPSS
Exploits0References2
CVE
CVE
added 2026/06/08 1:55 a.m.30 views

CVE-2023-54350

Affected software: WordPress Augmented-Reality plugin. Vulnerability: remote code execution via the elFinder connector. Access/Impact: unauthenticated attackers can upload and execute arbitrary PHP files on the server. How it exploits: POST to connector.minimal.php with mkfile and put commands to...

8.7CVSS6.7AI score0.00532EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/06/08 12:0 a.m.17 views

PT-2026-47232

Name of the Vulnerable Software and Affected Versions WordPress Augmented-Reality plugin affected versions not specified Description A remote code execution issue exists in the elFinder connector. Unauthenticated attackers can upload and execute arbitrary PHP files by sending POST requests to the...

8.7CVSS6.5AI score0.00532EPSS
Exploits0References10
CNNVD
CNNVD
added 2026/06/08 12:0 a.m.11 views

WordPress plugin Augmented-Reality plugin 访问控制错误漏洞

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application extension. The...

8.7CVSS6.8AI score0.00532EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/06/05 7:11 p.m.9 views

CVE-2026-44521

elFinder is an open-source file manager for web, written in JavaScript using jQuery UI. Prior to 2.1.68, an authenticated SQL injection vulnerability in the elFinder MySQL volume driver elFinderVolumeMySQL allows any logged-in user, including users with read-only access to the affected volume, to...

8.8CVSS5.6AI score0.00243EPSS
Exploits0References1
Rows per page
Query Builder