3 matches found
📄 ICagenda 3.9.14 / 4.0.7 Shell Upload
iCagenda, a popular events and calendar component for Joomla, contains an unauthenticated file upload vulnerability that allows remote attackers to upload and execute arbitrary PHP code on Joomla 6 sites. Versions 3.2.1 through 3.9.14 and 4.0.0 through 4.0.7 are affected.:1 CVE-2026-48939 -...
CVE-2026-48946
The K2 frontend article-attachment upload path accepts files whose extension is .php, and Apache's standard modphp matches .php$ and executes them under the K2 web user. A K2 Author can upload a shell.php, then fetch /media/k2/attachments/shell.php and execute arbitrary PHP code in the web...
CVE-2018-18461
The Arigato Autoresponder and Newsletter aka bft-autoresponder v2.5.1.7 plugin for WordPress allows remote attackers to execute arbitrary code via PHP code in attachments data to models/attachment.php...