Lucene search
K

126 matches found

NVD
NVD
added yesterday7 views

CVE-2026-23698

Vtiger CRM through 8.4.0 contains an authenticated remote code execution vulnerability in the admin module import feature that allows administrator-level attackers to upload arbitrary PHP files by submitting a crafted zip archive through the ModuleManager import function, which extracts contents...

8.6CVSS
Exploits1References3
Cvelist
Cvelist
added 2 days ago34 views

CVE-2024-6228 WANotifier < 2.6 - Subscriber+ LFI

The Notifications for Forms & WordPress Actions WordPress plugin before 2.6 does not validate a user-supplied value before using it to build a server-side file inclusion path, allowing authenticated users with subscriber-level access and above to include and execute arbitrary local PHP files on t...

0.00318EPSS
Exploits0References1
EUVD
EUVD
added 6 days ago12 views

EUVD-2026-33277

Mautic vulnerable to Path Traversal via Campaign Import...

9.9CVSS5.8AI score0.00583EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/06/19 12:0 a.m.15 views

PT-2026-50994

Name of the Vulnerable Software and Affected Versions Joomla! Component vBizz version 1.0.7 Description An unrestricted file upload issue allows authenticated attackers to upload arbitrary PHP files. This is achieved by submitting malicious files through the profile pic parameter via POST request...

8.8CVSS6.4AI score0.0067EPSS
Exploits0References8
CVE
CVE
added 2026/06/15 12:0 p.m.12 views

CVE-2016-20075

CVE-2016-20075 affects WordPress Ultimate Product Catalog 3.8.6. The vulnerability is an arbitrary file upload via the custom fields feature, exploitable by authenticated users with contributor, editor, author, or administrator roles. By uploading malicious files (e.g., PHP shells) through the Pr...

8.8CVSS6AI score0.00327EPSS
Exploits0References3
Cvelist
Cvelist
added 2026/06/15 12:0 p.m.31 views

CVE-2016-20075 WordPress Ultimate Product Catalog 3.8.6 Arbitrary File Upload RCE

WordPress Ultimate Product Catalog 3.8.6 contains an arbitrary file upload vulnerability that allows authenticated users with contributor, editor, author, or administrator roles to upload malicious files by exploiting the custom fields functionality. Attackers can upload PHP shells through the...

8.8CVSS0.00327EPSS
Exploits0References3
OSV
OSV
added 2026/06/08 11:7 p.m.7 views

GHSA-8GHR-W65F-J3QR FUXA's scheduler API missing admin check enables operator-to-admin escalation via scheduled device actions

Summary An authorization issue in the Scheduler API allowed authenticated non-admin users to create or modify scheduled actions that should be restricted to administrators. Details The Scheduler API did not correctly enforce administrator permissions when processing scheduler modifications. As a...

6.3CVSS5.7AI score0.00048EPSS
Exploits0References3
NVD
NVD
added 2026/06/08 2:16 a.m.13 views

CVE-2023-54350

WordPress Augmented-Reality plugin contains a remote code execution vulnerability in the elFinder connector that allows unauthenticated attackers to upload and execute arbitrary PHP files. Attackers can send POST requests to the connector.minimal.php endpoint with mkfile and put commands to creat...

8.7CVSS0.00532EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/06/08 12:0 a.m.16 views

PT-2026-47232

Name of the Vulnerable Software and Affected Versions WordPress Augmented-Reality plugin affected versions not specified Description A remote code execution issue exists in the elFinder connector. Unauthenticated attackers can upload and execute arbitrary PHP files by sending POST requests to the...

8.7CVSS6.5AI score0.00532EPSS
Exploits0References10
Positive Technologies
Positive Technologies
added 2026/06/08 12:0 a.m.17 views

PT-2026-47559

Summary An authorization issue in the Scheduler API allowed authenticated non-admin users to create or modify scheduled actions that should be restricted to administrators. Details The Scheduler API did not correctly enforce administrator permissions when processing scheduler modifications. As a...

6.3CVSS5.7AI score
Exploits0References4
RedhatCVE
RedhatCVE
added 2026/06/05 7:22 p.m.9 views

CVE-2026-34184

Hydrosystem Control System does not enforce authorization for some directories. This allows an unauthorized attacker to read all files in these directories and even execute some of them. Critically the attacker could run PHP scripts directly on the connected database.This issue was fixed in...

9.1CVSS5.6AI score0.0027EPSS
Exploits0References1
CVE
CVE
added 2026/05/29 2:46 p.m.14 views

CVE-2018-25388

HaPe PKH 1.1 has an arbitrary file upload vulnerability that bypasses file type validation, allowing authenticated attackers to upload PHP files and execute arbitrary code on the server. Affected endpoints include aksi_foto.php, aksi_user.php, and aksi_kecamatan.php. CVSS metrics indicate high im...

8.8CVSS6.3AI score0.00519EPSS
Exploits0References4
NVD
NVD
added 2026/05/29 12:16 p.m.17 views

CVE-2026-9559

A path traversal vulnerability exists in the campaign import feature of Mautic 7. When extracting uploaded ZIP files during campaign imports, a flaw in the validation logic allows file paths to escape the intended temporary directories. An authenticated user with campaign import privileges...

9.9CVSS0.00583EPSS
Exploits0References1
Github Security Blog
Github Security Blog
added 2026/05/27 10:51 p.m.18 views

FUXA's Unauthenticated Project Data Disclosure Exposes Server-Side Scripts and Device Configurations

Summary The GET /api/project endpoint exposes sensitive project configuration data to guest-context requests even when secureEnabled is enabled. Details File: server/api/projects/index.js javascript prjApp.get"/api/project", secureFnc, functionreq, res const permission = checkGroupsFncreq;...

5.9AI score0.00088EPSS
Exploits0References3Affected Software1
OSV
OSV
added 2026/05/27 10:51 p.m.5 views

GHSA-Q3W6-Q3HC-C5X6 FUXA's Unauthenticated Project Data Disclosure Exposes Server-Side Scripts and Device Configurations

Summary The GET /api/project endpoint exposes sensitive project configuration data to guest-context requests even when secureEnabled is enabled. Details File: server/api/projects/index.js javascript prjApp.get"/api/project", secureFnc, functionreq, res const permission = checkGroupsFncreq;...

7.5CVSS5.9AI score0.00088EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/05/27 12:0 a.m.9 views

PT-2026-44163

Name of the Vulnerable Software and Affected Versions FUXA version 1.3.0 Description The '/api/project' endpoint exposes sensitive SCADA/HMI project configuration data to unauthenticated requests. This occurs because the secureFnc middleware utilizes a function that automatically generates a vali...

7.5CVSS5.1AI score0.00088EPSS
Exploits0References10
EUVD
EUVD
added 2026/05/16 3:25 p.m.10 views

EUVD-2020-31228

HS Brand Logo Slider 2.1 contains an unrestricted file upload vulnerability that allows authenticated users to bypass client-side file extension validation by uploading arbitrary files. Attackers can intercept upload requests to the logoupload parameter in the admin interface and rename files to...

8.8CVSS6.3AI score0.00541EPSS
Exploits0References4
CNNVD
CNNVD
added 2026/05/13 12:0 a.m.10 views

CubeCart 代码问题漏洞

CubeCart is an open-source e-commerce software developed by CubeCart. Versions of CubeCart prior to 6.7.0 had code vulnerabilities. These vulnerabilities stemmed from the REST API file manager endpoint, which allowed users with API keys to upload PHP source files to web-accessible directories...

9.1CVSS6.2AI score0.00585EPSS
Exploits0References2
NVD
NVD
added 2026/05/10 1:16 p.m.20 views

CVE-2021-47943

TextPattern CMS 4.8.7 contains a remote code execution vulnerability that allows authenticated attackers to execute arbitrary commands by uploading malicious PHP files through the file upload functionality. Attackers can upload a PHP shell via the Files section in the content area and execute...

8.8CVSS0.00617EPSS
Exploits0References3
CNNVD
CNNVD
added 2026/05/10 12:0 a.m.15 views

Textpattern CMS 代码问题漏洞

TextPattern CMS is a content management system based on PHP developed by the TextPattern team. Version 4.8.7 of TextPattern CMS has a code vulnerability that stems from a remote code execution flaw in the file upload function. This vulnerability could allow authenticated attackers to execute...

8.8CVSS6.6AI score0.00617EPSS
Exploits0References1
Rows per page
Query Builder