Lucene search
K

7226 matches found

ATTACKERKB
ATTACKERKB
added 2026/05/30 2:55 p.m.10 views

CVE-2018-25409

SIM-PKH 2.4.1 contains an arbitrary file upload vulnerability that allows authenticated attackers to upload malicious files by submitting PHP code through the fupload parameter. Attackers can upload PHP files via the aksipengurus.php endpoint with module=pengurus and act=update parameters, which...

8.8CVSS6AI score0.00325EPSS
Exploits0References4Affected Software1
Positive Technologies
Positive Technologies
added 2026/05/29 12:0 a.m.17 views

PT-2026-44901

Name of the Vulnerable Software and Affected Versions Emlog Pro version 2.6.9 Description The template upload feature contains a path traversal issue, which occurs when an application uses user-supplied input to construct a pathname that is then used in a file operation. This allows authenticated...

7.2CVSS5.8AI score0.00782EPSS
Exploits1References5
EUVD
EUVD
added 2026/05/29 12:0 a.m.16 views

EUVD-2026-33351

The template upload feature in Emlog Pro v2.6.9 has a path traversal vulnerability, allowing authenticated administrators to execute arbitrary PHP code. By uploading a malicious ZIP archive containing directory traversal sequences in filenames, an attacker can overwrite default template files or...

7.2CVSS6.1AI score0.00782EPSS
Exploits1References2
Cvelist
Cvelist
added 2026/05/27 5:31 a.m.35 views

CVE-2026-9200 Query Shortcode <= 0.2.1 - Authenticated (Contributor+) Local File Inclusion via 'lens' Shortcode Attribute

The Query Shortcode plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 0.2.1 via the shortcode function. This makes it possible for authenticated attackers, with contributor-level access and above, to include and execute arbitrary .php files on the...

7.5CVSS0.00495EPSS
Exploits0References4
CNNVD
CNNVD
added 2026/05/27 12:0 a.m.11 views

WordPress plugin affiliate-toolkit 代码注入漏洞

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application extension. WordPres...

7.2CVSS6.1AI score0.00581EPSS
Exploits0References4
OSV
OSV
added 2026/05/23 7:16 p.m.27 views

UBUNTU-CVE-2018-25357

Dolibarr ERP CRM 7.0.3 contains a remote code execution vulnerability that allows unauthenticated attackers to execute arbitrary code by injecting PHP code through the dbname parameter. Attackers can send a POST request to install/step1.php with malicious PHP code in the dbname parameter, then...

9.8CVSS6.7AI score0.01701EPSS
Exploits1References7
NVD
NVD
added 2026/05/21 9:16 p.m.16 views

CVE-2026-8134

Concrete CMS 9.5.0 and below fails to sanitize path traversal sequences in the ptComposerFormLayoutSetControlCustomTemplate field when saving page type composer form layouts. An authenticated rogue administrator with composer form editing rights can exploit this to include arbitrary readable file...

9.4CVSS0.00738EPSS
Exploits0References1
Tenable Nessus
Tenable Nessus
added 2026/05/21 12:0 a.m.9 views

Linux Distros Unpatched Vulnerability : CVE-2026-46640

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Twig: Arbitrary PHP code execution via self. macro-reference compilation CVE-2026-46640 Note that Nessus relies on the presence of the package as reported by th...

6.2AI score0.00056EPSS
Exploits0References2
Cvelist
Cvelist
added 2026/05/15 6:36 p.m.38 views

CVE-2021-47964 Schlix CMS 2.2.6-6 Remote Code Execution via core.blockmanager

Schlix CMS 2.2.6-6 contains a remote code execution vulnerability that allows authenticated attackers to execute arbitrary PHP code by uploading malicious extension packages through the block manager. Attackers can upload a crafted ZIP file containing PHP code in the packageinfo.inc file and...

8.8CVSS0.0071EPSS
Exploits0References4
ATTACKERKB
ATTACKERKB
added 2026/05/14 2:30 p.m.8 views

CVE-2026-41937

Vvveb before 1.0.8.3 contains an unrestricted file upload vulnerability in the plugin upload endpoint that allows superadmin users to execute arbitrary PHP code by uploading a malicious plugin ZIP file. Attackers can craft a ZIP containing a plugin.php with a valid Slug header and a...

8.6CVSS6.2AI score0.00403EPSS
Exploits0References4
CNNVD
CNNVD
added 2026/05/13 12:0 a.m.11 views

CubeCart 代码注入漏洞

CubeCart is an open-source e-commerce software developed by CubeCart. Prior to version 6.7.3, there was a code injection vulnerability in CubeCart. This vulnerability stemmed from administrators with document editing privileges being able to save raw PHP code in the invoice editor. As a result,...

7.2CVSS5.9AI score0.00306EPSS
Exploits0References2
CVE
CVE
added 2026/05/12 8:56 p.m.48 views

CVE-2026-44262

CVE-2026-44262 affects dedoc/scramble (Laravel API documentation generator) versions 0.13.2–0.13.21. The vulnerability arises when publicly accessible docs endpoints evaluate user-controlled input via NodeRulesEvaluator::doEvaluateExpression(), which may evaluate request data and execute arbitrar...

9.4CVSS6.1AI score0.0586EPSS
Exploits3References2
CVE
CVE
added 2026/05/11 6:0 a.m.32 views

CVE-2026-6433

The CVE-2026-6433 entry corresponds to the WordPress plugin FlipperCode Custom CSS, JS & PHP (

7.3CVSS6.3AI score0.00753EPSS
In wildExploits2References1
Packet Storm
Packet Storm
added 2026/05/11 12:0 a.m.101 views

📄 Fuel CMS 1.4.1 PHP Code Injection

This Metasploit module targets a remote code execution vulnerability in Fuel CMS version 1.4.1. The issue stems from improper input sanitization in the filter parameter, which is passed into a dangerous PHP evaluation eval context, enabling code injection...

9.8CVSS7.9AI score0.82937EPSS
Exploits17
EUVD
EUVD
added 2026/05/10 3:31 p.m.9 views

EUVD-2021-34799

ImpressCMS 1.4.2 contains a remote code execution vulnerability in the autotasks administrative interface that allows authenticated attackers to execute arbitrary PHP code by injecting malicious code into the satcode parameter. Attackers can authenticate, submit a POST request to...

8.8CVSS6.6AI score0.00569EPSS
Exploits0References5
NVD
NVD
added 2026/05/10 1:16 p.m.12 views

CVE-2022-50944

Aero CMS 0.0.1 contains a PHP code injection vulnerability that allows authenticated attackers to execute arbitrary PHP code by uploading malicious files through the image parameter. Attackers can upload PHP files with embedded code to the admin posts.php endpoint with source=addpost parameter, a...

8.8CVSS0.00347EPSS
Exploits0References3
NVD
NVD
added 2026/05/10 1:16 p.m.67 views

CVE-2021-47939

Evolution CMS 3.1.6 contains a remote code execution vulnerability that allows authenticated users with module creation permissions to execute arbitrary system commands by injecting PHP code into module parameters. Attackers can send POST requests to /manager/index.php with malicious PHP code in...

8.8CVSS0.00638EPSS
Exploits0References4
CVE
CVE
added 2026/05/10 12:43 p.m.11 views

CVE-2021-47938

ImpressCMS 1.4.2 suffers a remote code execution (RCE) in the autotasks admin interface. An authenticated attacker can send a crafted sat_code payload via POST to /modules/system/admin.php?fct=autotasks&op=mod, resulting in creation of an executable file that accepts arbitrary commands through GE...

8.8CVSS6.6AI score0.00569EPSS
Exploits0References4
CVE
CVE
added 2026/05/10 12:12 p.m.10 views

CVE-2022-50944

Aero CMS 0.0.1 is affected by a PHP code injection vulnerability. Authenticated attackers can upload PHP files via the image parameter to the admin posts.php endpoint with source=add_post, leading to server-side code execution. The vulnerability exposes high impact on confidentiality, integrity, ...

8.8CVSS6.1AI score0.00347EPSS
Exploits0References3
ATTACKERKB
ATTACKERKB
added 2026/05/10 12:12 p.m.6 views

CVE-2022-50944

Aero CMS 0.0.1 contains a PHP code injection vulnerability that allows authenticated attackers to execute arbitrary PHP code by uploading malicious files through the image parameter. Attackers can upload PHP files with embedded code to the admin posts.php endpoint with source=addpost parameter, a...

8.8CVSS6.1AI score0.00347EPSS
Exploits0References3Affected Software1
Rows per page
Query Builder