EUVD-2026-21684

A security vulnerability has been detected in perfree go-fastdfs-web up to 1.3.7. This affects an unknown part of the file src/main/java/com/perfree/controller/InstallController.java of the component doInstall Interface. The manipulation leads to improper authorization. The attack may be initiate...

CVE-2026-6105

A security vulnerability has been detected in perfree go-fastdfs-web up to 1.3.7. This affects an unknown part of the file src/main/java/com/perfree/controller/InstallController.java of the component doInstall Interface. The manipulation leads to improper authorization. The attack may be initiate...

CVE-2026-6105 perfree go-fastdfs-web doInstall InstallController.java improper authorization

A security vulnerability has been detected in perfree go-fastdfs-web up to 1.3.7. This affects an unknown part of the file src/main/java/com/perfree/controller/InstallController.java of the component doInstall Interface. The manipulation leads to improper authorization. The attack may be initiate...

CVE-2026-6105 perfree go-fastdfs-web doInstall InstallController.java improper authorization

A security vulnerability has been detected in perfree go-fastdfs-web up to 1.3.7. This affects an unknown part of the file src/main/java/com/perfree/controller/InstallController.java of the component doInstall Interface. The manipulation leads to improper authorization. The attack may be initiate...

PT-2026-32126

A security vulnerability has been detected in perfree go-fastdfs-web up to 1.3.7. This affects an unknown part of the file src/main/java/com/perfree/controller/InstallController.java of the component doInstall Interface. The manipulation leads to improper authorization. The attack may be initiate...

CI4MS Vulnerable to .env CRLF Injection via Unvalidated `host` Parameter in Install Controller

Summary The Install::index controller reads the host POST parameter without any validation and passes it directly into updateEnvSettings, which writes it into the .env file via pregreplace. Because newline characters in the value are not stripped, an attacker can inject arbitrary configuration...

GHSA-VFHX-5459-QHQH CI4MS Vulnerable to .env CRLF Injection via Unvalidated `host` Parameter in Install Controller

Summary The Install::index controller reads the host POST parameter without any validation and passes it directly into updateEnvSettings, which writes it into the .env file via pregreplace. Because newline characters in the value are not stripped, an attacker can inject arbitrary configuration...

CVE-2026-39394 CI4MS has an .env CRLF Injection via Unvalidated `host` Parameter in Install Controller

CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to 0.31.4.0, the Install::index controller reads the host POST parameter without any validation and passes it directly into updateEnvSettings, which...

CVE-2026-39394 CI4MS has an .env CRLF Injection via Unvalidated `host` Parameter in Install Controller

CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to 0.31.4.0, the Install::index controller reads the host POST parameter without any validation and passes it directly into updateEnvSettings, which...

CVE-2026-39394

CI4MS vulnerable to CRLF injection in .env via unvalidated host parameter in Install::index(). Before 0.31.4.0, host is read without validation and appended to .env through updateEnvSettings() using preg_replace(), allowing newline characters to inject arbitrary key=value lines (e.g., app.baseURL...

PT-2026-31321

Name of the Vulnerable Software and Affected Versions CI4MS versions prior to 0.31.4.0 Description CI4MS, a CodeIgniter 4-based CMS, is susceptible to arbitrary configuration injection via the .env file. The Install::index controller does not validate the host POST parameter before passing it to...

Authorization Bypass Through User-Controlled Key

Overview pterodactyl/panel is a game management panel. Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key in ServerTransferController and ServerInstallController. An attacker in possession of a secret Wings access token can access information on a...

ShopWind Security Breach

ShopWind is a B2B2C, O2O industry e-commerce system software based on the Yii2.0 framework deeply reconstructed by China ShopWind. You can easily create and publish your own brand of professional e-commerce platform for a full range of branding and product promotion. ShopWind 4.6 and previous...

Incorrect Permission Assignment for Critical Resource in ShopXO

ShopXO v2.2.5 and below was discovered to contain a system re-install vulnerability via the Add function in app/install/controller/Index.php...

CVE-2022-28056

ShopXO v2.2.5 and below was discovered to contain a system re-install vulnerability via the Add function in app/install/controller/Index.php...

CVE-2019-5886

An issue was discovered in ShopXO 1.2.0. In the application\install\controller\Index.php file, there is no validation lock file in the Add method, which allows an attacker to reinstall the database. The attacker can write arbitrary code to database.php during system reinstallation...

CVE-2019-5886

ShopXO 1.2.0 contains a vulnerability in the install/controller/Index.php Add method where there is no validation lock file, enabling database reinstallation. This can allow an attacker to write arbitrary code to database.php during system reinstallation, potentially leading to code execution and...