
64 matches found

Github Security Blog
added 2026/05/21 9:31 p.m. · 8 views

Twig: Arbitrary PHP code execution via `_self.(<string>)` macro-reference compilation

Description: The `obj.(expr)` dynamic-attribute syntax added in 3.15.0 as the replacement for the deprecated `attribute` function lets the attribute be an arbitrary expression. When the receiver is `_self` or any `{% import %}` alias and the parenthesised expression is a string literal, DotExpressionParser...

AI score 6
Exploits 0 · References 4 · Affected Software 1
RedhatCVE
added 2026/01/09 10:39 a.m. · 4 views

CVE-2022-35239

The image file management page of SolarView Compact SV-CPT-MC310 Ver.7.23 and earlier, and SV-CPT-MC310F Ver.7.23 and earlier contains an insufficient verification vulnerability when uploading files. If this vulnerability is exploited, arbitrary PHP code may be executed if a remote authenticated...

CVSS 8.8 · AI score 7.2 · EPSS 0.00816
Exploits 0 · References 1
RedhatCVE
added 2025/12/14 5:3 a.m. · 1 views

CVE-2025-14475

The Extensive VC Addons for WPBakery page builder plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.9.1 via the extensivevcgetmoduletemplatepart function. This is due to insufficient path normalization and validation of the user-supplied...

CVSS 8.1 · AI score 7 · EPSS 0.00079
Exploits 0 · References 1
Cvelist
added 2025/12/12 3:20 a.m. · 21 views

CVE-2025-12824 Player Leaderboard 1.0.0 - 1.0.2 - Authenticated (Contributor+) Local File Inclusion

The Player Leaderboard plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.0.2 via the 'playerleaderboard' shortcode. This is due to the plugin using an unsanitized user-supplied value from the shortcode's 'mode' attribute in a call to include withou...

CVSS 8.8 · EPSS 0.00402
Exploits 0 · References 3
Positive Technologies
added 2025/12/04 12:0 a.m. · 1 views

PT-2025-49169

Name of the Vulnerable Software and Affected Versions: LaraDashboard versions prior to 2.3.0 Description: LaraDashboard, an all-in-one solution for starting a Laravel Application, has an issue in the password reset flow where it trusts the Host header. This allows attackers to redirect an...

CVSS 9.8 · AI score 7.2 · EPSS 0.00102
Exploits 0 · References 8
NVD
added 2025/11/14 6:15 a.m. · 1 views

CVE-2025-10686

The Creta Testimonial Showcase WordPress plugin before 1.2.4 is vulnerable to Local File Inclusion. This makes it possible for authenticated attackers, with editor-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files...

CVSS 7.2 · EPSS 0.00097
Exploits 0 · References 1
EUVD
added 2025/10/07 12:30 a.m. · 4 views

EUVD-2020-1452

Malware in sbrugna...

CVSS 5.2 · AI score 5.3 · EPSS 0.00146
Exploits 0 · References 5
EUVD
added 2025/10/07 12:30 a.m. · 3 views

EUVD-2014-9817

Malware in sbrugna...

CVSS 9.3 · AI score 6.4 · EPSS 0.76636
Exploits 0 · References 5
EUVD
added 2025/10/07 12:30 a.m. · 2 views

EUVD-2020-1470

Malware in sbrugna...

CVSS 6.7 · AI score 5.8 · EPSS 0.00034
Exploits 0 · References 5
EUVD
added 2025/10/07 12:30 a.m. · 1 views

EUVD-2005-3791

Malware in sbrugna...

CVSS 7.5 · AI score 6.4 · EPSS 0.00743
Exploits 0 · References 8
EUVD
added 2025/10/07 12:30 a.m. · 1 views

EUVD-2007-4622

Malware in sbrugna...

CVSS 6.4 · AI score 6.4 · EPSS 0.07987
Exploits 0 · References 6
EUVD
added 2025/10/03 8:7 p.m. · 1 views

EUVD-2025-10019

Malicious code in bioql PyPI...

CVSS 7.5 · AI score 8.2 · EPSS 0.00161
Exploits 0 · References 5
EUVD
added 2025/10/03 8:7 p.m. · 1 views

EUVD-2022-34697

Malicious code in bioql PyPI...

CVSS 8.8 · AI score 8.4 · EPSS 0.01077
Exploits 0 · References 4
EUVD
added 2025/10/03 8:7 p.m. · 2 views

EUVD-2024-49489

Malicious code in bioql PyPI...

CVSS 8.8 · AI score 7.9 · EPSS 0.02711
Exploits 2 · References 2
NVD
added 2025/08/05 8:15 p.m. · 4 views

CVE-2014-125113

An unrestricted file upload vulnerability exists in Dell acquired by Quest KACE K1000 System Management Appliance version 5.0 - 5.3, 5.4 prior to 5.4.76849, and 5.5 prior to 5.5.90547 in the downloadagent.php endpoint. An attacker can upload arbitrary PHP files to a temporary web-accessible...

CVSS 9.3 · EPSS 0.76636
Exploits 0 · References 4
OSV
added 2025/07/08 7:15 a.m. · 0 views

CVE-2025-6746

The WoodMart plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 8.2.3 via the 'layout' attribute. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary .php files on the server,...

CVSS 8.8 · AI score 6.3
Exploits 0 · References 2
Positive Technologies
added 2025/07/08 12:0 a.m. · 1 views

PT-2025-28334 · WordPress · Widgets For Google Reviews

Name of the Vulnerable Software and Affected Versions: The Widget for Google Reviews plugin for WordPress versions up to, and including, 1.0.15 Description: The issue allows authenticated attackers with Subscriber-level access and above to include and execute arbitrary PHP files on the server via...

CVSS 8.8 · AI score 7.4 · EPSS 0.00927
Exploits 0 · References 6
RedhatCVE
added 2025/05/22 10:13 p.m. · 6 views

CVE-2022-1609

The School Management WordPress plugin before 9.9.7 contains an obfuscated backdoor injected in its license checking code that registers a REST API handler, allowing an unauthenticated attacker to execute arbitrary PHP code on the site...

CVSS 9.8 · AI score 7.7 · EPSS 0.93495
Exploits 6 · References 1
RedhatCVE
added 2025/05/22 6:16 p.m. · 4 views

CVE-2021-20187

It was found in Moodle before version 3.10.1, 3.9.4, 3.8.7 and 3.5.16 that it was possible for site administrators to execute arbitrary PHP scripts via a PHP include used during Shibboleth authentication...

CVSS 7.2 · AI score 7.4 · EPSS 0.00679
Exploits 0 · References 1
OSV
added 2025/04/29 8:15 p.m. · 2 views

CVE-2025-0520

An unrestricted file upload vulnerability in ShowDoc caused by improper validation of file extension allows execution of arbitrary PHP, leading to remote code execution. This issue affects ShowDoc: before 2.8.7...

CVSS 9.4 · AI score 7.6
Exploits 0 · References 4