Lucene search
K

93628 matches found

Nuclei
Nuclei
added 7 hours ago98 views

Google for WooCommerce <= 2.8.6 - Information Disclosure via Publicly Accessible PHP Info File

The Google for WooCommerce plugin for WordPress is vulnerable to Information Disclosure in all versions up to, and including, 2.8.6. This is due to publicly accessible printphpinformation.php file. This makes it possible for unauthenticated attackers to retrieve information about Webserver and PH...

5.3CVSS7AI score0.00879EPSS
Exploits0References2
Nuclei
Nuclei
added 7 hours ago19 views

ZZZCMS ZZZPHP 1.6.3 – Remote PHP Code Execution (RCE)

ZZZCMS zzzphp v1.6.3 contains a remote code execution caused by lack of restrictions in inc/zzzfile.php, letting attackers execute arbitrary PHP code via a crafted URL in the plugins/ueditor/php/controller.php?action=catchimage source parameter, exploit requires attacker to send malicious URL and...

9.8CVSS7.5AI score0.06589EPSS
Exploits1References2
Nuclei
Nuclei
added 7 hours ago30 views

Ads Pro Plugin <= 4.89 - Local File Inclusion

The Ads Pro Plugin - Multi-Purpose WordPress Advertising Manager plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 4.89 via the 'bsatemplate' parameter of the bsapreviewcallback function. This makes it possible for unauthenticated attackers to includ...

9.8CVSS6.5AI score0.28162EPSS
Exploits1References2
Nuclei
Nuclei
added 7 hours ago13 views

PHP Login System 2.0.1 - Cross-Site Scripting

msaad1999's PHP-Login-System 2.0.1 contains a reflected cross-site scripting caused by unsanitized input in 'validator' parameter in /reset-password, letting remote attackers execute arbitrary JavaScript in a user's browser, exploit requires attacker to craft malicious URL id: CVE-2023-38875 info...

6.1CVSS6.6AI score0.00824EPSS
Exploits0References2
Nuclei
Nuclei
added 7 hours ago21 views

MapTiler Tileserver-php v2.0 - Unauthenticated File Read

MapTiler Tileserver-php v2.0 contains a directory traversal caused by improper sanitization of GET parameters in renderTile function, letting attackers read arbitrary files on the server, exploit requires crafted web requests id: CVE-2025-44137 info: name: MapTiler Tileserver-php v2.0 -...

8.2CVSS7.1AI score0.0136EPSS
Exploits2References2
Nuclei
Nuclei
added 7 hours ago30 views

Apache2 - Transfer-Encoding Chunked XSS

Apache2 PHP before 5.6.38, 7.0.x before 7.0.32, 7.1.x before 7.1.22, and 7.2.x before 7.2.10 contain a reflected cross-site scripting vulnerability caused by mishandling of chunked transfer-encoding requests in sapi/apache2handler/sapiapache2.c. Attackers can execute malicious scripts via crafted...

6.1CVSS6.7AI score0.04103EPSS
Exploits1References5
Nuclei
Nuclei
added 7 hours ago48 views

Aquatronica Controller System <= 5.1.6 - Information Disclosure

Aquatronica Controller System firmware 5.1.6 and earlier and web interface 2.0 and earlier contain an information disclosure vulnerability caused by unauthenticated access to tcp.php endpoint, letting remote attackers retrieve sensitive configuration data including plaintext credentials, exploit...

9.3CVSS6.1AI score0.01443EPSS
Exploits1References4
Nuclei
Nuclei
added 7 hours ago110 views

WordPress Redux Framework <=4.2.11 - Information Disclosure

WordPress Redux Framework plugin through 4.2.11 is susceptible to information disclosure. The plugin registers several unique AJAX actions available to unauthenticated users in the includes function in redux-core/class-redux-core.php. These are predictable, given that they are based on an md5 has...

5.3CVSS6.2AI score0.28961EPSS
Exploits6References5
Nuclei
Nuclei
added 7 hours ago40 views

PHPGurukul Hospital Management System - Cross-Site Scripting

PHPGurukul Hospital Management System in PHP 4.0 contains multiple cross-site scripting vulnerabilities. An attacker can execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. id: CVE-2020-5191 info: name: PHPGurukul Hospital Management System -...

6.1CVSS6.6AI score0.0552EPSS
Exploits3References5
Nuclei
Nuclei
added 7 hours ago105 views

Php-mod/curl Library <2.3.2 - Cross-Site Scripting

Php-mod/curl library before 2.3.2 contains a cross-site scripting vulnerability via the postfilepathupload.php key parameter and the POST data to postmultidimensional.php. An attacker can inject arbitrary script, which can allow theft of cookie-based authentication credentials and launch of other...

6.1CVSS6.5AI score0.01261EPSS
Exploits2References3
Nuclei
Nuclei
added 7 hours ago91 views

Online Security Guards Hiring System - Cross-Site Scripting

A vulnerability was found in PHPGurukul Online Security Guards Hiring System 1.0 and classified as problematic. Affected by this issue is some unknown functionality of the file search-request.php. id: CVE-2023-0527 info: name: Online Security Guards Hiring System - Cross-Site Scripting author:...

6.1CVSS5.5AI score0.06169EPSS
Exploits4References5
Nuclei
Nuclei
added 7 hours ago556 views

elFinder <= 2.1.47 - Command Injection

elFinder before 2.1.48 has a command injection vulnerability in the PHP connector. The vulnerability occurs when performing image operations on JPEG files, where the filename is passed to the exiftran utility without proper sanitization, allowing command injection. id: CVE-2019-9194 info: name:...

9.8CVSS7AI score0.96633EPSS
Exploits11References5
EUVD
EUVD
added 8 hours ago5 views

EUVD-2026-43631

A security vulnerability has been detected in code-projects Online Job Portal 1.0. This impacts an unknown function of the file /Admin/DetailJob.php. The manipulation leads to cross site scripting. The attack is possible to be carried out remotely. The exploit has been disclosed publicly and may ...

5.1CVSS4.6AI score
Exploits0References6
CVE
CVE
added 8 hours ago9 views

CVE-2026-12583

The Newsletters WordPress plugin before 4.15 does not prevent deserialization of untrusted input that is stored through a public form, allowing unauthenticated attackers to inject a PHP object and, via a property-oriented gadget chain bundled with the Newsletters WordPress plugin before 4.15, wri...

8.1CVSS6.4AI score
Exploits0References1
EUVD
EUVD
added 14 hours ago5 views

EUVD-2026-43550

A security flaw has been discovered in SourceCodester Class and Exam Timetabling System 1.0/2.php. This affects an unknown function of the file /editexam2.php. Performing a manipulation of the argument ID results in sql injection. The attack can be initiated remotely. The exploit has been release...

7.5CVSS6.8AI score
Exploits0References7
Cvelist
Cvelist
added yesterday21 views

CVE-2026-15595 SourceCodester Class and Exam Timetabling System forsubject.php cross site scripting

A vulnerability was determined in SourceCodester Class and Exam Timetabling System 1.0. The affected element is an unknown function of the file /forsubject.php. This manipulation of the argument subject causes cross site scripting. It is possible to initiate the attack remotely. The exploit has...

5.3CVSS
Exploits0References6
Cvelist
Cvelist
added yesterday15 views

CVE-2026-58409 ChurchCRM: Authenticated Remote Code Execution (RCE) via Malicious Plugin Upload

ChurchCRM is an open-source church management system. Prior to version 7.4.0, an authenticated administrator can achieve Remote Code Execution RCE on the server by installing a malicious plugin ZIP archive containing a PHP webshell. The application explicitly includes 'php' in its ALLOWEDEXTENSIO...

9.1CVSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added yesterday1 views

CVE-2026-49972

Laravel-Mediable before 7.0.0 contains a file upload vulnerability that allows unauthenticated attackers to achieve remote code execution by uploading a file with an embedded PHP extension disguised within a double extension such as shell.php.jpg. The PATHINFOFILENAME extraction preserves the inn...

8.8CVSS6.5AI score
Exploits0References4
CVE
CVE
added yesterday13 views

CVE-2026-61498

CVE-2026-61498 affects Vitec Flamingo 4.12.2. The vulnerability is an unauthenticated OS command injection in the admin/ajax/gen_graphs.php endpoint, where input values from GET parameters (start, end, key, format) are unsafely passed to shell commands via passthru(), enabling remote command exec...

9.8CVSS6.3AI score
Exploits0References3
RedhatCVE
RedhatCVE
added yesterday7 views

CVE-2026-59856

A flaw was found in Vim, an open-source command-line text editor. The PHP omni-completion script improperly handles specially crafted input. When a victim opens a malicious PHP file and invokes omni-completion, an unescaped class or trait name can be interpreted as Ex commands. This allows a remo...

8.4CVSS6.2AI score0.00169EPSS
Exploits1References5
Rows per page
Query Builder