73 matches found
EUVD-2026-33364
MoviePilot v2 contains a server-side request forgery vulnerability in the image proxy endpoint that allows authenticated attackers to request arbitrary URLs by supplying a resourcetoken cookie and a URL whose domain matches the assembled allowlist. Attackers can bypass internal network protection...
CVE-2026-42335
MaxKB is an open-source AI assistant for enterprise. Prior to 2.8.1, MaxKB v2.8.0 and prior are vulnerable to a server-side request forgery (SSRF) bypass in the OSS file service URL fetch chat/api/oss/geturl endpoint. The vulnerability exists due to inconsistent URL parsing between the urlparse...
Server-side Request Forgery (SSRF)
Overview: Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) in the process that parses WWW-Authenticate challenges from an upstream registry. An attacker can obtain upstream credentials by manipulating the bearer realm URL to redirect authentication requests to a...
EUVD-2026-17037
A Server-Side Request Forgery (SSRF) vulnerability exists in parisneo/lollms versions prior to 2.2.0, specifically in the /api/files/export-content endpoint. The downloadimagetotemp function in backend/routers/files.py fails to validate user-controlled URLs, allowing attackers to make arbitrary HTT...
CVE-2026-22494 WordPress Good Homes theme <= 1.3.13 - Local File Inclusion vulnerability
Improper Control of Filename for Include/Require Statement in PHP Program 'PHP Remote File Inclusion' vulnerability in ThemeREX Good Homes good-homes allows PHP Local File Inclusion. This issue affects Good Homes: from n/a through <= 1.3.13...
CVE-2026-0677 WordPress TotalContest Lite plugin <= 2.9.1 - PHP Object Injection vulnerability
Deserialization of Untrusted Data vulnerability in TotalSuite TotalContest Lite totalcontest-lite allows Object Injection. This issue affects TotalContest Lite: from n/a through <= 2.9.1...
CVE-2026-30921 OneUptime Synthetic Monitor RCE via exposed Playwright browser object
OneUptime is a solution for monitoring and managing online services. Prior to 10.0.20, OneUptime Synthetic Monitors allow low-privileged project users to submit custom Playwright code that is executed on the oneuptime-probe service. In the current implementation, this untrusted code is run inside...
CVE-2026-28117 WordPress smart SEO theme <= 2.9 - Local File Inclusion vulnerability
Improper Control of Filename for Include/Require Statement in PHP Program 'PHP Remote File Inclusion' vulnerability in axiomthemes smart SEO smartSEO allows PHP Local File Inclusion. This issue affects smart SEO: from n/a through <= 2.9...
CVE-2026-28077
CVE-2026-28077 is a Local File Inclusion vulnerability in the WordPress ThemeREX Vapester theme (Vapester) affecting versions up to 1.1.10. The issue is described as Improper Control of Filename for Include/Require Statement in PHP, i.e., a PHP Remote File Inclusion capability that effectively ...
CVE-2026-28061 WordPress Tiger Claw theme <= 1.1.14 - Local File Inclusion vulnerability
Improper Control of Filename for Include/Require Statement in PHP Program 'PHP Remote File Inclusion' vulnerability in ThemeREX Tiger Claw tiger-claw allows PHP Local File Inclusion. This issue affects Tiger Claw: from n/a through <= 1.1.14...
CVE-2026-27998
CVE-2026-27998: Local File Inclusion in ThemeREX Vixus (WordPress) due to improper control of filenames for PHP include/require. Affected: Vixus vixus
CVE-2026-22428
CVE-2026-22428 corresponds to WordPress Tooth Fairy theme
CVE-2026-1721
Summary: A Reflected Cross-Site Scripting (XSS) vulnerability was discovered in the AI Playground's OAuth callback handler. The errordescription query parameter was directly interpolated into an HTML script tag without proper escaping, allowing attackers to execute arbitrary JavaScript in the contex...
MySCADA MyPRO Manager 1.2 PHP Code Injection
MySCADA MyPRO Manager version 1.2 suffers from a code injection vulnerability.
CVE-2025-69564
code-projects Mobile Shop Management System 1.0 is vulnerable to SQL Injection in /ExAddNewUser.php via the Name, Address, email, UserName, Password, confirmpassword, Role, Branch, and Activate parameters...
CVE-2026-1363
IAQS and I6 developed by JNC has a Client-Side Enforcement of Server-Side Security vulnerability, allowing unauthenticated remote attackers to gain administrator privileges by manipulating the web front-end...
CVE-2021-47899 YetiShare File Hosting Script 5.1.0 Remote File Upload SSRF Vulnerability
YetiShare File Hosting Script 5.1.0 contains a server-side request forgery vulnerability that allows attackers to read local system files through the remote file upload feature. Attackers can exploit the url parameter in the urluploadhandler endpoint to access sensitive files like /etc/passwd by...
CVE-2026-22464
CVE-2026-22464 applies to the WordPress plugin My Auctions Allegro Free Edition (≤ 3.6.33). The issue is a PHP Local File Inclusion caused by improper control of the filename in Include/Require statements, enabling LFI within the affected plugin. Public references in connected sources confirm aff...
CVE-2025-63017 WordPress WerkStatt plugin plugin <= 1.6.6 - Local File Inclusion vulnerability
Improper Control of Filename for Include/Require Statement in PHP Program 'PHP Remote File Inclusion' vulnerability in fuelthemes WerkStatt Plugin werkstatt-plugin allows PHP Local File Inclusion. This issue affects WerkStatt Plugin: from n/a through <= 1.6.6...
WordPress plugin Myour has a security vulnerability
WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application extension. WordPres...