Chartify – WordPress Chart Plugin < 2.9.6 - Local File Inclusion

The Chartify – WordPress Chart Plugin plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.9.5 via the 'source' parameter. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the executio...

Malicious code in cpu-optimizers (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 f82b75da107c50f4d2f3cf5587e7db58a0dc91b77f8511226ff9219623dc145a Clones of legitimate libraries with malicious modifications intended to download malicious remote code. The remote script allows executing arbitrary files...

Malicious code in hiveos (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 632c5c53f72df87d7b0d9843df212e147e729699ffe5e7f6c20e3cd41fa13f64 Clones of legitimate libraries with malicious modifications intended to download malicious remote code. The remote script allows executing arbitrary files...

EUVD-2026-17026

OpenClaw before 2026.3.11 contains an authorization bypass vulnerability in the gateway agent RPC that allows authenticated operators with operator.write permission to override workspace boundaries by supplying attacker-controlled spawnedBy and workspaceDir values. Remote operators can escape the...

CVE-2026-33573

OpenClaw before 2026.3.11 contains an authorization bypass vulnerability in the gateway agent RPC that allows authenticated operators with operator.write permission to override workspace boundaries by supplying attacker-controlled spawnedBy and workspaceDir values. Remote operators can escape the...

CVE-2026-2448 Page Builder by SiteOrigin <= 2.33.5 - Authenticated (Contributor+) Local File Inclusion

The Page Builder by SiteOrigin plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.33.5 via the locatetemplate function. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary fil...

Mattermost Desktop App 安全漏洞

The Mattermost Desktop App is a desktop application for message communication developed by the American company Mattermost. Versions 6.0, 6.2.0, and 5.2.13.0 of the Mattermost Desktop App have security vulnerabilities. These vulnerabilities stem from unvalidated help links, which could allow...

CVE-2026-24895 FrankenPHP affected by Path Confusion via Unicode casing in CGI path splitting allows execution of arbitrary files

FrankenPHP is a modern application server for PHP. Prior to 1.11.2, FrankenPHP’s CGI path splitting logic improperly handles Unicode characters during case conversion. The logic computes the split index for finding .php on a lowercased copy of the request path but applies that byte index to the...

CVE-2026-24895 FrankenPHP affected by Path Confusion via Unicode casing in CGI path splitting allows execution of arbitrary files

FrankenPHP is a modern application server for PHP. Prior to 1.11.2, FrankenPHP’s CGI path splitting logic improperly handles Unicode characters during case conversion. The logic computes the split index for finding .php on a lowercased copy of the request path but applies that byte index to the...

CVE-2026-24895

FrankenPHP CGI path splitting bug before 1.11.2 uses lowercased path for split index and applies it to the original path, causing SCRIPT_NAME/SCRIPT_FILENAME to point to the wrong file and potentially execute an unintended file. Root cause: Go strings.ToLower can increase byte length for certain ...

CVE-2026-24895 FrankenPHP affected by Path Confusion via Unicode casing in CGI path splitting allows execution of arbitrary files

FrankenPHP is a modern application server for PHP. Prior to 1.11.2, FrankenPHP’s CGI path splitting logic improperly handles Unicode characters during case conversion. The logic computes the split index for finding .php on a lowercased copy of the request path but applies that byte index to the...

CVE-2025-15368

The SportsPress plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.7.26 via shortcodes 'templatename' attribute. This makes it possible for authenticated attackers, with contributor-level and above permissions, to include and execute arbitrary files...

CVE-2025-15368 SportsPress <= 2.7.26 - Authenticated (Contributor+) Local File Inclusion via Shortcode

The SportsPress plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.7.26 via shortcodes 'templatename' attribute. This makes it possible for authenticated attackers, with contributor-level and above permissions, to include and execute arbitrary files...

CVE-2009-4056

Directory traversal vulnerability in admin/popup.php in Betsy CMS 3.5 allows remote attackers to include and execute arbitrary local files via a .. dot dot in the popup parameter...

CVE-2024-41726

Path traversal vulnerability exists in SKYSEA Client View Ver.3.013.00 to Ver.19.210.04e. If this vulnerability is exploited, an arbitrary executable file may be executed by a user who can log in to the PC where the product's Windows client is installed...

CVE-2023-45799

In MLSoft TCO!stream versions 8.0.22.1115 and below, a vulnerability exists due to insufficient permission validation. This allows an attacker to make the victim download and execute arbitrary files...

CVE-2022-23766

An improper input validation vulnerability leading to arbitrary file execution was discovered in BigFileAgent. In order to cause arbitrary files to be executed, the attacker makes the victim access a web page d by them or inserts a script using XSS into a general website...

CVE-2020-7861

AnySupport Remote support solution before 2019.3.21.0 allows directory traversing because of swprintf function to copy file from a management PC to a client PC. This can be lead to arbitrary file execution...

CVE-2025-1771

The Traveler theme for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 3.1.8 via the 'hotelaloneloadmorepost' function 'style' parameter. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the...

EUVD-2025-199530

A local privilege escalation vulnerability exists in the restore mechanism of ASUS System Control Interface. It can be triggered when an unprivileged actor copies files without proper validation into protected system paths, potentially leading to arbitrary files being executed as SYSTEM. For more...