
81 matches found

Cvelist
added 2026/05/09 2:58 a.m. | 34 views

CVE-2026-8208

Gibbon versions before v30.0.01 are affected by a local file inclusion vulnerability resulting in RCE by changing the report archive directory and forcing interpretation of a user provided .zip as PHP. Successful exploitation requires Teacher or higher privileges. Exploitation could result in...

CVSS 8.9 | EPSS 0.00051
Exploits: 0 | References: 2

Vulnrichment
added 2026/04/23 6:47 p.m. | 0 views

CVE-2026-41247 elFinder: Command injection in resize background color parameter when using ImageMagick CLI

elFinder is an open-source file manager for web, written in JavaScript using jQuery UI. Prior to 2.1.67, elFinder contains a command injection vulnerability in the resize command. The bg background color parameter is accepted from user input and passed through image resize/rotate processing. In...

CVSS 9.3 | AI score 5.9 | EPSS 0.00093
Exploits: 0 | References: 1

Positive Technologies
added 2026/04/13 12:00 a.m. | 1 views

PT-2026-32331

LibreNMS versions before 26.3.0 are affected by an authenticated remote code execution vulnerability by abusing the Binary Locations config and the Netcommand feature. Successful exploitation requires administrative privileges. Exploitation could result in compromise of the underlying web server...

CVSS 8.5 | AI score 6.4 | EPSS 0.00008
Exploits: 1 | References: 3

Cvelist
added 2026/03/20 12:06 a.m. | 22 views

CVE-2026-32985 Xerte Online Toolkits <= 3.14 Unauthenticated Template Import Arbitrary File Upload Leading to Remote Code Execution

Xerte Online Toolkits versions 3.14 and earlier contain an unauthenticated arbitrary file upload vulnerability in the template import functionality that allows remote attackers to execute arbitrary code by uploading a crafted ZIP archive containing malicious PHP payloads. Attackers can bypass...

CVSS 9.8 | EPSS 0.69999
Exploits: 2 | References: 2

EUVD
added 2025/10/07 12:30 a.m. | 3 views

EUVD-2013-7277

Malware in sbrugna...

CVSS 8.5 | AI score 6.4 | EPSS 0.04953
Exploits: 0 | References: 5

RedhatCVE
added 2025/08/15 9:29 p.m. | 10 views

CVE-2011-10018

myBB version 1.6.4 was distributed with an unauthorized backdoor embedded in the source code. The backdoor allowed remote attackers to execute arbitrary PHP code by injecting payloads into a specially crafted collapsed cookie. This vulnerability was introduced during packaging and was not part of...

CVSS 10 | AI score 8.3 | EPSS 0.53002
Exploits: 1 | References: 1

NVD
added 2025/08/13 9:15 p.m. | 5 views

CVE-2011-10018

myBB version 1.6.4 was distributed with an unauthorized backdoor embedded in the source code. The backdoor allowed remote attackers to execute arbitrary PHP code by injecting payloads into a specially crafted collapsed cookie. This vulnerability was introduced during packaging and was not part of...

CVSS 10 | EPSS 0.53002
Exploits: 1 | References: 5

CVE
added 2025/08/04 6:03 p.m. | 15 views

CVE-2013-10052

CVE-2013-10052 concerns ZPanel’s zsudo helper. A misconfiguration in /etc/sudoers lets low-privilege users run arbitrary commands as root, enabling local privilege escalation by writing a payload to a writable dir and executing it via zsudo. Documented impact includes post-exploitation scenarios ...

CVSS 8.5 | AI score 7.6 | EPSS 0.04953
Exploits: 0 | References: 4

Packet Storm
added 2025/03/21 12:00 a.m. | 420 views

WordPress iSpring Embedder 1.0 CSRF / Shell Upload

WordPress iSpring Embedder plugin versions 1.0 and below suffer from a cross site request forgery vulnerability that can be leveraged to upload a PHP web shell. CVE-2025-23922 - WordPress iSpring Embedder CSRF to Arbitrary File Upload 📌 CVE Details - CVE ID: CVE-2025-23922 - Published: 2025-01-16...

CVSS 10 | AI score 6.8 | EPSS 0.04968
Exploits: 2

OSV
added 2024/11/04 2:15 p.m. | 1 views

CVE-2024-50530

Unrestricted Upload of File with Dangerous Type vulnerability in Myriad Solutionz Stars SMTP Mailer allows Upload a Web Shell to a Web Server. This issue affects Stars SMTP Mailer: from n/a through 1.7...

CVSS 8.8 | AI score 5.8 | EPSS 0.00889
Exploits: 0 | References: 1

Exploit DB
added 2024/03/25 12:00 a.m. | 294 views

Tourism Management System v2.0 - Arbitrary File Upload

Exploit Title: Tourism Management System v2.0 - Arbitrary File Upload Google Dork: N/A Exploit Author: SoSPiro Date: 2024-02-18 Vendor Homepage: https://phpgurukul.com Software Link: https://phpgurukul.com/tourism-management-system-free-download/ Version: 2.0 Tested on: Windows 10 Pro Impact:...

AI score 7.4
Exploits: 0

Prion
added 2023/12/16 1:15 a.m. | 12 views

Remote code execution

A Remote Code Execution vulnerability exists in Uffizio's GPS Tracker all versions. The web server can be compromised by uploading and executing a web/reverse shell. An attacker could then run commands, browse system files, and browse local resources...

CVSS 7.5 | AI score 7.6 | EPSS 0.00313
Exploits: 0 | References: 2

Prion
added 2022/03/21 7:15 p.m. | 12 views

Cross site request forgery (csrf)

The Advanced Contact form 7 DB WordPress plugin before 1.8.7 does not have authorisation nor CSRF checks in the acf7dbeditscrfiledelete AJAX action, and does not validate the file to be deleted, allowing any authenticated user to delete arbitrary files on the web server. For example, removing the...

CVSS 6 | AI score 8.2 | EPSS 0.00163
Exploits: 2 | References: 1 | Affected Software: 1

Exploit DB
added 2021/06/11 12:00 a.m. | 498 views

OpenEMR 5.0.0 - Remote Code Execution (Authenticated)

Exploit Title: OpenEMR 5.0.0 - Remote Code Execution Authenticated Date 10.06.2021 Exploit Author: Ron Jost Hacker5preme Vendor Homepage: https://www.open-emr.org/ Software Link: https://sourceforge.net/projects/openemr/files/OpenEMR%20Current/5.0.0/openemr-5.0.0.zip/download Version: 5.0.0 Teste...

CVSS 8.8 | AI score 8.8 | EPSS 0.00878
Exploits: 4

OSV
added 2021/03/11 10:15 p.m. | 1 views

CVE-2020-24984

An issue was discovered in Quadbase EspressReports ES 7 Update 9. It allows CSRF, whereby an attacker may be able to trick an authenticated admin level user into uploading malicious files to the web server...

CVSS 8.8 | AI score 7.3 | EPSS 0.00339
Exploits: 1 | References: 1

CNVD
added 2020/08/25 12:00 a.m. | 2 views

File Upload Vulnerability in ED01-CMS

ED01-CMS is a content management system. ED01-CMS suffers from a file upload vulnerability that can be exploited by an attacker to gain control of a web server...

AI score 7.2
Exploits: 0

CNVD
added 2020/08/13 12:00 a.m. | 0 views

Code Execution Vulnerability in ZSITE of Qingdao eEnterprise Tianchuang Management Consulting Co.

ZSITE is an open source free enterprise portal system designed for enterprise marketing. There is a code execution vulnerability in ZSITE, which can be exploited by an attacker to gain control of the web server of Qingdao Yiqi Tianchuang Management Consulting Co...

AI score 7.8
Exploits: 0

CNVD
added 2020/07/26 12:00 a.m. | 0 views

Command Execution Vulnerability in SeaCMS (CNVD-2020-48920)

SeaCMS is a web content management system based on PHP+MYSQL architecture and supports cross-platform operation. SeaCMS has a command execution vulnerability that can be exploited by attackers to gain control of a web server...

AI score 7.4
Exploits: 0

CNVD
added 2020/07/13 12:00 a.m. | 1 views

WTCMS suffers from a file upload vulnerability (CNVD-2020-47243)

WTCMS is a content management system CMS based on Thinkphp. WTCMS suffers from a file upload vulnerability that can be exploited by an attacker to gain control of the web server...

AI score 7.2
Exploits: 0

CNVD
added 2020/07/10 12:00 a.m. | 1 views

File Upload Vulnerability in TpFlow Workflow Engine

TpFlow workflow engine is a PHP-based workflow engine. A file upload vulnerability exists in TpFlow Workflow Engine, which can be exploited by an attacker to gain control of a web server...

AI score 7.2
Exploits: 0