Lucene search
K

93422 matches found

CVE
CVE
added 1 hour ago7 views

CVE-2026-12194

PHPIPAM is affected by an authenticated local file inclusion vulnerability that allows users with access to the API to execute/include arbitrary PHP files on the web server's file system. The API is not enabled by default on installations...

2.3CVSS6.1AI score
Exploits0References2
Nuclei
Nuclei
added yesterday98 views

Invision Community <=5.0.6 Unauthenticated RCE via Template Injection

Invision Community 5.0.0 before 5.0.7 allows remote code execution via crafted template strings to themeeditor.php. The issue lies within the themeeditor controller /applications/core/modules/front/system/themeeditor.php, where a protected method named customCss can be invoked by unauthenticated...

10CVSS7.9AI score0.79174EPSS
Exploits6References5
Nuclei
Nuclei
added yesterday10 views

PHPGurukul Hospital Management System 4.0 - SQL Injection

PHPGurukul Hospital Management System in PHP v4.0 has a SQL injection vulnerability in \hms\user-login.php. Remote unauthenticated users can exploit the vulnerability to obtain sensitive database information. id: CVE-2020-22165 info: name: PHPGurukul Hospital Management System 4.0 - SQL Injection...

7.5CVSS7.1AI score0.06348EPSS
Exploits1References2
Nuclei
Nuclei
added yesterday15 views

Aquatronica Controller System <= 5.1.6 - Information Disclosure

Aquatronica Controller System firmware 5.1.6 and earlier and web interface 2.0 and earlier contain an information disclosure vulnerability caused by unauthenticated access to tcp.php endpoint, letting remote attackers retrieve sensitive configuration data including plaintext credentials, exploit...

9.3CVSS6AI score0.01443EPSS
Exploits1References4
Nuclei
Nuclei
added yesterday26 views

Ads Pro Plugin <= 4.89 - Local File Inclusion

The Ads Pro Plugin - Multi-Purpose WordPress Advertising Manager plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 4.89 via the 'bsatemplate' parameter of the bsapreviewcallback function. This makes it possible for unauthenticated attackers to includ...

9.8CVSS6.6AI score0.28162EPSS
Exploits1References2
Nuclei
Nuclei
added yesterday39 views

Symfony Profiler - Remote Access via Injected Arguments

symfony/runtime is a module for the Symphony PHP framework which enables decoupling PHP applications from global state. When the registerargvargc php directive is set to on , and users call any URL with a special crafted query string, they are able to change the environment or debug mode used by...

7.3CVSS7.1AI score0.63422EPSS
Exploits0References5
Nuclei
Nuclei
added yesterday25 views

My Geo Posts Free <= 1.2 - PHP Object Injection

The My Geo Posts Free plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 1.2 via deserialization of untrusted input. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software. If ...

9.8CVSS7.3AI score0.0307EPSS
Exploits0References4
Nuclei
Nuclei
added yesterday13 views

Cockpit CMS 0.6.1 - Remote Code Execution

Cockpit before 0.6.1 allows an attacker to inject custom PHP code and achieve Remote Command Execution via registerCriteriaFunction in lib/MongoLite/Database.php, as demonstrated by values in JSON data to the /auth/check or /auth/requestreset URI. id: CVE-2020-35131 info: name: Cockpit CMS 0.6.1 ...

9.8CVSS7.3AI score0.49938EPSS
Exploits1References4
Nuclei
Nuclei
added yesterday47 views

Qualitor <= 8.20 - Remote Code Execution

Qualitor through 8.20 allows remote attackers to execute arbitrary code via PHP code in the html/ad/adpesquisasql/request/processVariavel.php gridValoresPopHidden parameter. id: CVE-2023-47253 info: name: Qualitor = 8.20 - Remote Code Execution author: s4e-io severity: critical description: |...

9.8CVSS7.6AI score0.14422EPSS
Exploits4References3
Nuclei
Nuclei
added yesterday141 views

ISPConfig - PHP Code Injection

An issue was discovered in ISPConfig before 3.2.11p1. PHP code injection can be achieved in the language file editor by an admin if adminallowlangedit is enabled. id: CVE-2023-46818 info: name: ISPConfig - PHP Code Injection author: non-things severity: high description: | An issue was discovered...

7.2CVSS7.1AI score0.13894EPSS
Exploits14References4
Nuclei
Nuclei
added yesterday34 views

PHPGurukul Hospital Management System - Cross-Site Scripting

PHPGurukul Hospital Management System in PHP 4.0 contains multiple cross-site scripting vulnerabilities. An attacker can execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. id: CVE-2020-5191 info: name: PHPGurukul Hospital Management System -...

6.1CVSS6.6AI score0.0552EPSS
Exploits3References5
Nuclei
Nuclei
added yesterday169 views

Cacti cmd_realtime.php - Command Injection

Cacti provides an operational monitoring and fault management framework. A command injection vulnerability on the 1.3.x DEV branch allows any unauthenticated user to execute arbitrary command on the server when registerargcargv option of PHP is On. In cmdrealtime.php line 119, the $pollerid used ...

10CVSS7.7AI score0.94378EPSS
Exploits4References5
Nuclei
Nuclei
added yesterday52 views

FOG Project < 1.5.10.34 - Remote Command Execution

FOG is a cloning/imaging/rescue suite/inventory management system. Prior to 1.5.10.34, packages/web/lib/fog/reportmaker.class.php in FOG was affected by a command injection via the filename parameter to /fog/management/export.php. id: CVE-2024-39914 info: name: FOG Project 1.5.10.34 - Remote...

9.8CVSS6AI score0.23414EPSS
Exploits1References4
Nuclei
Nuclei
added yesterday31 views

Seo By 10Web < 1.2.7 - Cross-Site Scripting

The SEO by 10Web WordPress plugin before 1.2.7 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup. id:...

4.8CVSS6.6AI score0.00909EPSS
Exploits3References3
Nuclei
Nuclei
added yesterday26 views

Online Security Guards Hiring System - Cross-Site Scripting

A vulnerability was found in PHPGurukul Online Security Guards Hiring System 1.0 and classified as problematic. Affected by this issue is some unknown functionality of the file search-request.php. id: CVE-2023-0527 info: name: Online Security Guards Hiring System - Cross-Site Scripting author:...

6.1CVSS5.2AI score0.06169EPSS
Exploits4References5
Nuclei
Nuclei
added yesterday12 views

Multiple Thrive Themes < 2.0.0 - Arbitrary File Upload

Thrive “Legacy” Rise by Thrive Themes WordPress theme before 2.0.0, Luxe by Thrive Themes WordPress theme before 2.0.0, Minus by Thrive Themes WordPress theme before 2.0.0, Ignition by Thrive Themes WordPress theme before 2.0.0, FocusBlog by Thrive Themes WordPress theme before 2.0.0, Squared by...

9.1CVSS7.2AI score0.03946EPSS
Exploits2References2
Nuclei
Nuclei
added yesterday12 views

LotusCMS 3.0 - Remote Code Execution

LotusCMS 3.0 is susceptible to remote code execution via the Router function. This is done by embedding PHP code in the 'page' parameter, which will be passed to a eval call and allow remote code execution. id: CVE-2011-0518 info: name: LotusCMS 3.0 - Remote Code Execution author: pikpikcu...

5.1CVSS6.6AI score0.15833EPSS
Exploits3References2
Nuclei
Nuclei
added yesterday12 views

PHP Login System 2.0.1 - Cross-Site Scripting

msaad1999's PHP-Login-System 2.0.1 contains a reflected cross-site scripting caused by unsanitized input in 'validator' parameter in /reset-password, letting remote attackers execute arbitrary JavaScript in a user's browser, exploit requires attacker to craft malicious URL id: CVE-2023-38875 info...

6.1CVSS6.5AI score0.00824EPSS
Exploits0References2
Nuclei
Nuclei
added yesterday15 views

MapTiler Tileserver-php v2.0 - Unauthenticated File Read

MapTiler Tileserver-php v2.0 contains a directory traversal caused by improper sanitization of GET parameters in renderTile function, letting attackers read arbitrary files on the server, exploit requires crafted web requests id: CVE-2025-44137 info: name: MapTiler Tileserver-php v2.0 -...

8.2CVSS7.3AI score0.0136EPSS
Exploits2References2
Nuclei
Nuclei
added yesterday36 views

Php-mod/curl Library <2.3.2 - Cross-Site Scripting

Php-mod/curl library before 2.3.2 contains a cross-site scripting vulnerability via the postfilepathupload.php key parameter and the POST data to postmultidimensional.php. An attacker can inject arbitrary script, which can allow theft of cookie-based authentication credentials and launch of other...

6.1CVSS6.5AI score0.01261EPSS
Exploits2References3
Rows per page
Query Builder