59 matches found

NVD
added 2026/06/15 8:16 p.m. · 5 views

CVE-2026-49954

Discuz! X5.0 releases 20260320 through 20260610 contain a local file inclusion vulnerability that allows authenticated administrators to execute arbitrary code by importing a specially crafted plugin configuration containing path traversal sequences in the directory attribute. Attackers can trigg...

8.6 CVSS · 0.00525 EPSS
Exploits 2 · References 4
GitHub Security Blog
added 2026/03/24 10:9 p.m. · 6 views

Scriban has an authorization bypass due to stale include cache surviving TemplateContext.Reset()

Summary: TemplateContext.Reset claims that a TemplateContext can be reused safely on the same thread, but it does not clear CachedTemplates. If an application pools TemplateContext objects and uses an ITemplateLoader that resolves content per request, tenant, or user, a previously authorized inclu...

5.9 AI score
Exploits 0 · References 2 · Affected Software 1
OSV
added 2026/03/24 10:9 p.m. · 2 views

GHSA-X6M9-38VM-2XHF Scriban has an authorization bypass due to stale include cache surviving TemplateContext.Reset()

Summary: TemplateContext.Reset claims that a TemplateContext can be reused safely on the same thread, but it does not clear CachedTemplates. If an application pools TemplateContext objects and uses an ITemplateLoader that resolves content per request, tenant, or user, a previously authorized inclu...

8.6 CVSS · 5.9 AI score
Exploits 0 · References 2
VulnCheck KEV
added 2025/08/21 12:0 a.m. · 5 views

VulnCheck KEV: CVE-2023-5815

The News & Blog Designer Pack – WordPress Blog Plugin — Blog Post Grid, Blog Post Slider, Blog Post Carousel, Blog Post Ticker, Blog Post Masonry plugin for WordPress is vulnerable to Remote Code Execution via Local File Inclusion in all versions up to, and including, 3.4.1 via the bdpgetmorepost...

9.8 CVSS · 6.2 AI score · 0.04262 EPSS
In wild · Exploits 0 · References 98
BDU FSTEC
added 2025/05/28 12:0 a.m. · 5 views

The vulnerability of the include() function in Twig template rendering handlers allows attackers to circumvent existing security restrictions.

The vulnerability of the include function in Twig template rendering engines is related to a breach of data protection mechanisms. Exploiting this vulnerability could allow an attacker to circumvent existing security restrictions remotely...

8.6 CVSS · 7.7 AI score · 0.00826 EPSS
Exploits 0 · References 7 · Affected Software 4
BDU FSTEC
added 2025/03/26 12:0 a.m. · 3 views

The vulnerability of the `include` function in the Web Directory Free plugin of the WordPress content management system arises from an incorrect limitation on the path to the restricted catalog. This allows attackers to execute arbitrary code.

The vulnerability of the include function in the Web Directory Free plugin of the WordPress content management system is related to an incorrect restriction on the path to the restricted catalog. Exploiting this vulnerability could allow a malicious actor to execute arbitrary code remotely...

9 CVSS · 5.9 AI score · 0.05578 EPSS
Exploits 2 · References 2 · Affected Software 1
BDU FSTEC
added 2024/12/09 12:0 a.m. · 3 views

The vulnerability of microprogramming software in embedded network control controllers of ASPECT Enterprise, NEXUS Series, MATRIX Series, arises from improper handling of file names for PHP functions like include or require. This allows attackers to gain access to confidential information.

The vulnerability of microprogramming software in embedded network control controllers of ASPECT Enterprise, NEXUS Series, and MATRIX Series is related to incorrect management of file names for PHP functions like include or require. Exploiting this vulnerability can allow an attacker to gain acce...

8.5 CVSS · 5.5 AI score · 0.00324 EPSS
Exploits 0 · References 2 · Affected Software 4
OSV
added 2024/09/09 8:19 p.m. · 12 views

GHSA-6J75-5WFJ-GH66 Twig has a possible sandbox bypass

Description: Under some circumstances, the sandbox security checks are not run, which allows user-contributed templates to bypass the sandbox restrictions. The security issue happens when all these conditions are met: The sandbox is disabled globally; The sandbox is enabled via a sandboxed include...

8.5 CVSS · 8.5 AI score · 0.00826 EPSS
Exploits 0 · References 9
CNNVD
added 2024/08/30 12:0 a.m. · 4 views

WordPress plugin Web Directory Free security vulnerability

WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a blogging platform developed using the PHP language. The platform supports personal blog sites on servers with PHP and MySQL. WordPress plugin is an application plugin. A security vulnerability exists in th...

9.1 CVSS · 6.6 AI score · 0.05578 EPSS
Exploits 2 · References 3
OSV
added 2024/08/21 5:15 p.m. · 74 views

CVE-2024-5762

Zen Cart findPluginAdminPage Local File Inclusion Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Zen Cart. Authentication is not required to exploit this vulnerability. The specific flaw exists within the...

8.1 CVSS · 8.1 AI score
Exploits 0 · References 2
CVE
added 2024/08/21 4:15 p.m. · 86 views

CVE-2024-5762

CVE-2024-5762 (Zen Cart): Local File Inclusion leading to Remote Code Execution in the findPluginAdminPage function. Root cause is insufficient validation of user-supplied data before passing it to PHP include, allowing an unauthenticated attacker to execute arbitrary code on affected installati...

8.1 CVSS · 8.5 AI score · 0.71598 EPSS
Exploits 0 · References 2 · Affected Software 1
Vulnrichment
added 2024/08/21 4:15 p.m. · 25 views

CVE-2024-5762 Zen Cart findPluginAdminPage Local File Inclusion Remote Code Execution Vulnerability

Zen Cart findPluginAdminPage Local File Inclusion Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Zen Cart. Authentication is not required to exploit this vulnerability. The specific flaw exists within the...

8.1 CVSS · 8 AI score · 0.71598 EPSS
Exploits 0 · References 2
Cvelist
added 2024/08/21 4:15 p.m. · 29 views

CVE-2024-5762 Zen Cart findPluginAdminPage Local File Inclusion Remote Code Execution Vulnerability

Zen Cart findPluginAdminPage Local File Inclusion Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Zen Cart. Authentication is not required to exploit this vulnerability. The specific flaw exists within the...

8.1 CVSS · 0.71598 EPSS
Exploits 0 · References 2
Positive Technologies
added 2024/06/26 12:0 a.m. · 5 views

PT-2024-37129 · Zen Cart · Zen Cart

Name of the Vulnerable Software and Affected Versions: Zen Cart affected versions not specified
Description: This issue allows remote attackers to execute arbitrary code on affected installations of Zen Cart. The specific flaw exists within the findPluginAdminPage function, resulting from the lac...

8.1 CVSS · 7.3 AI score · 0.71598 EPSS
Exploits 0 · References 9
Positive Technologies
added 2024/04/14 12:0 a.m. · 4 views

PT-2024-3331 · D Link · D-Link Dir-845L

Name of the Vulnerable Software and Affected Versions: D-LINK DIR-845L versions =v1.01KRb03
Description: The issue is related to insufficient protection of internal data when handling the file parameter, potentially allowing a remote attacker to gain unauthorized access to protected information...

5.3 CVSS · 7.4 AI score · 0.03419 EPSS
Exploits 1 · References 8
Zero Day Initiative
added 2024/01/10 12:0 a.m. · 21 views

Trend Micro Apex Central widget WFProxy Local File Inclusion Remote Code Execution Vulnerability

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Trend Micro Apex Central. Authentication is required to exploit this vulnerability. The specific flaw exists within the getObjWGFServiceApiByApiName function. The issue results from the lack of prope...

7.5 CVSS · 7.5 AI score · 0.04536 EPSS
Exploits 0 · References 1
Positive Technologies
added 2023/10/27 12:0 a.m. · 5 views

PT-2023-32349 · WordPress · The News & Blog Designer Pack

Name of the Vulnerable Software and Affected Versions: The News & Blog Designer Pack – WordPress Blog Plugin versions up to, and including, 3.4.1
Description: The issue is related to Remote Code Execution via Local File Inclusion. This is due to the bdp get more post function utilizing an unsafe...

9.8 CVSS · 9.9 AI score · 0.04262 EPSS
Exploits 0 · References 11
Zero Day Initiative
added 2023/10/04 12:0 a.m. · 27 views

Cacti link Local File Inclusion Remote Code Execution Vulnerability

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Cacti. Authentication is required to exploit this vulnerability. The specific flaw exists within the link endpoint. The issue results from the lack of proper validation of data retrieved from the...

6.6 CVSS · 7 AI score · 0.00857 EPSS
Exploits 1 · References 1
Zero Day Initiative
added 2023/08/21 12:0 a.m. · 36 views

Advantech R-SeeNet device_status Local File Inclusion Privilege Escalation Vulnerability

This vulnerability allows remote attackers to escalate privileges on affected installations of Advantech R-SeeNet. Authentication is required to exploit this vulnerability. The specific flaw exists within the devicestatus page. The issue results from the lack of proper validation of user-supplied...

8.8 CVSS · 6.8 AI score · 0.00647 EPSS
Exploits 0 · References 1
Prion
added 2023/07/04 8:15 a.m. · 22 views

Code injection

The ND Shortcodes WordPress plugin before 7.0 does not validate some shortcode attributes before using them to generate paths passed to include function/s, allowing any authenticated users such as subscriber to perform LFI attacks...

6.5 CVSS · 8.5 AI score · 0.01683 EPSS
Exploits 2 · References 1 · Affected Software 1