CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

An authenticated remote code execution vulnerability exists in Piwik now Matomo versions prior to 3.0.3 via the plugin upload mechanism. In vulnerable versions, an authenticated user with Superuser privileges can upload and activate a malicious plugin ZIP archive, leading to arbitrary PHP code...

9.4CVSS8AI score0.7356EPSS

Exploits0References5

CVE•added 2025/05/27 12:0 a.m.•157 views

CVE-2025-48828

vBulletin versions 5.0.0 through 6.0.3 contain a Remote Code Execution (RCE) flaw in the ajax/api/ad/replaceAdTemplate endpoint caused by improper use of PHP’s Reflection API. An unauthenticated attacker can inject a crafted template (eg, using vb:if with code via passthru($POST[...])) and trigge...

9CVSS9.5AI score0.73682EPSS

Exploits2References3Affected Software1

RedhatCVE•added 2025/05/22 10:57 p.m.•8 views

CVE-2022-32409

A local file inclusion LFI vulnerability in the component codemirror.php of Portal do Software Publico Brasileiro i3geo v7.0.5 allows attackers to execute arbitrary PHP code via a crafted HTTP request...

9.8CVSS7.5AI score0.66547EPSS

Exploits1References1

RedhatCVE•added 2025/05/22 9:30 p.m.•5 views

CVE-2021-21804

A local file inclusion LFI vulnerability exists in the options.php script functionality of Advantech R-SeeNet v 2.4.12 20.10.2020. A specially crafted HTTP request can lead to arbitrary PHP code execution. An attacker can send a crafted HTTP request to trigger this vulnerability...

9.8CVSS7.2AI score0.27808EPSS

Exploits1References1

RedhatCVE•added 2025/05/22 7:22 p.m.•4 views

CVE-2021-24537

The Similar Posts WordPress plugin through 3.1.5 allow high privilege users to execute arbitrary PHP code in an hardened environment ie with DISALLOWFILEEDIT, DISALLOWFILEMODS and DISALLOWUNFILTEREDHTML set to true via the 'widgetrrmsimilarpostscondition' widget setting of the plugin...

7.2CVSS7.5AI score0.01033EPSS

Exploits2References1

RedhatCVE•added 2025/05/22 8:17 a.m.•3 views

CVE-2019-17370

OTCMS v3.85 allows arbitrary PHP Code Execution because admin/sysCheckFiledeal.php blocks "into outfile" in a SELECT statement, but does not block the "into//outfile" manipulation. Therefore, the attacker can create a .php file...

7.2CVSS7.5AI score0.01114EPSS

Exploits1References1

RedhatCVE•added 2025/05/22 5:42 a.m.•2 views

CVE-2013-3629

ISPConfig 3.0.5.2 has Arbitrary PHP Code Execution...

8.8CVSS7.5AI score0.76432EPSS

Exploits5References1

RedhatCVE•added 2025/05/22 5:15 a.m.•3 views

CVE-2013-0224

The Video module 7.x-2.x before 7.x-2.9 for Drupal, when using the FFmpeg transcoder, allows local users to execute arbitrary PHP code by modifying a temporary PHP file...

4.4CVSS7.6AI score0.00058EPSS

Exploits0References1

RedhatCVE•added 2025/05/22 1:26 a.m.•3 views

CVE-2017-11760

uploadImage.php in ProjeQtOr before 6.3.2 allows remote authenticated users to execute arbitrary PHP code by uploading a .php file composed of concatenated image data and script data, as demonstrated by uploading as an image within the description text area...

8.8CVSS7.6AI score0.00636EPSS

Exploits0References1

RedhatCVE•added 2025/05/22 12:26 a.m.•7 views

CVE-2012-1625

Eval injection vulnerability in the fillpdfformexportdecode function in fillpdf.admin.inc in the Fill PDF module 6.x-1.x before 6.x-1.16 and 7.x-1.x before 7.x-1.2 for Drupal allows remote authenticated users with administer PDFs privileges to execute arbitrary PHP code via unspecified vectors...

6CVSS7.8AI score0.00568EPSS

Exploits0References1