CVE-2018-25409

SIM-PKH 2.4.1 contains an Arbitrary File Upload vulnerability. Authenticated users can upload PHP code via the fupload parameter to the aksi_pengurus.php endpoint (module=pengurus, act=update). Uploaded PHP files are stored in the foto directory and can be executed as web scripts, enabling potent...

CVE-2018-25409 SIM-PKH 2.4.1 Arbitrary File Upload via aksi_pengurus.php

SIM-PKH 2.4.1 contains an arbitrary file upload vulnerability that allows authenticated attackers to upload malicious files by submitting PHP code through the fupload parameter. Attackers can upload PHP files via the aksipengurus.php endpoint with module=pengurus and act=update parameters, which...

PT-2026-45109

SIM-PKH 2.4.1 contains an arbitrary file upload vulnerability that allows authenticated attackers to upload malicious files by submitting PHP code through the fupload parameter. Attackers can upload PHP files via the aksi pengurus.php endpoint with module=pengurus and act=update parameters, which...

Exploit for SQL Injection in Devcode Openstamanager

CVE-2025-69215: OpenSTAManager has an SQL Injection in the Sta...

EUVD-2026-10089

The WP Frontend Profile plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.3.8. This is due to missing nonce validation on the 'updateaction' function. This makes it possible for unauthenticated attackers to approve or reject user account...

CVE-2026-1644

The WP Frontend Profile plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.3.8. This is due to missing nonce validation on the 'updateaction' function. This makes it possible for unauthenticated attackers to approve or reject user account...

WordPress plugin WP Frontend Profile 跨站请求伪造漏洞

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application extension. WordPres...

CVE-2026-1644 WP Frontend Profile <= 1.3.8 - Cross-Site Request Forgery to Unauthorized User Account Approval or Rejection

The WP Frontend Profile plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.3.8. This is due to missing nonce validation on the 'updateaction' function. This makes it possible for unauthenticated attackers to approve or reject user account...

PT-2026-23760

The WP Frontend Profile plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.3.8. This is due to missing nonce validation on the 'update action' function. This makes it possible for unauthenticated attackers to approve or reject user account...

EUVD-2026-8945

An OS command injection vulnerability exists in XWEB Pro version 1.12.1 and prior, enabling an authenticated attacker to achieve remote code execution on the system by injecting malicious input into the devices field of the firmware update update action to achieve remote code execution...

CVE-2026-20910

An OS command injection vulnerability exists in XWEB Pro version 1.12.1 and prior, enabling an authenticated attacker to achieve remote code execution on the system by injecting malicious input into the devices field of the firmware update action to achieve remote code execution...

CVE-2026-20910 Copeland XWEB and XWEB Pro OS Command Injection

An OS command injection vulnerability exists in XWEB Pro version 1.12.1 and prior, enabling an authenticated attacker to achieve remote code execution on the system by injecting malicious input into the devices field of the firmware update action to achieve remote code execution...

PT-2026-22251

Name of the Vulnerable Software and Affected Versions XWEB Pro versions 1.12.1 and earlier Description A flaw exists that allows a logged-in attacker to execute code on a system remotely. This is achieved by injecting malicious input into the devices field within the firmware update action. The...

CVE-2026-1785

The Code Snippets plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.9.4. This is due to missing nonce validation on the cloud snippet download and update actions in the CloudSearchListTable class. This makes it possible for unauthenticated...

GHSA-QX9P-W3VJ-Q24Q OpenSTAManager has an SQL Injection in the Stampe Module

Vulnerability Details Location - File: modules/stampe/actions.php - Line: 26 - Vulnerable Code: php case 'update': if !emptyintvalpost'predefined' && !emptypost'module' $dbo-query'UPDATE zzprints SET predefined = 0 WHERE idmodule = '.post'module'; // ↑ Direct concatenation without prepare...

OpenSTAManager has an SQL Injection in the Stampe Module

Vulnerability Details Location - File: modules/stampe/actions.php - Line: 26 - Vulnerable Code: php case 'update': if !emptyintvalpost'predefined' && !emptypost'module' $dbo-query'UPDATE zzprints SET predefined = 0 WHERE idmodule = '.post'module'; // ↑ Direct concatenation without prepare...

MiracleLinux 8 : varnish:6 (AXSA:2024-7669:01)

The remote MiracleLinux 8 host has packages installed that are affected by a vulnerability as referenced in the AXSA:2024-7669:01 advisory. varnish: HTTP/2 Broken Window Attack may result in denial of service CVE-2024-30156 Tenable has extracted the preceding description block directly from the...

EUVD-2025-202724

OS Command Injection vulnerability in Ruijie RG-BCR RG-BCR860 allowing attackers to execute arbitrary commands via a crafted POST request to the actiondealupdate in file /usr/lib/lua/luci/controller/api/rcmsAPI.lua...

EUVD-2018-13299

Malware in sbrugna...

EUVD-2025-4664

Malicious code in bioql PyPI...