
11 matches found

Github Security Blog
added 2026/04/14 12:7 a.m. | 4 views

Craft Commerce has a SQL Injection can lead to Remote Code Execution via TotalRevenue Widget

Summary: A SQL injection in the Commerce TotalRevenue widget can lead to remote code execution through a chain of four vulnerabilities: SQL Injection -- The TotalRevenue stat interpolates unsanitized widget settings directly into a sprintf-based SQL Expression. Any control panel user can create an...

CVSS 7.7 | AI score 6.7 | EPSS 0.0008
Exploits: 0 | References: 4 | Affected Software: 1
Vulnrichment
added 2026/04/02 7:15 p.m. | 1 views

CVE-2026-34838 Group-Office: Authenticated Remote Code Execution via PHP Insecure Deserialization in `AbstractSettingsCollection`

Group-Office is an enterprise customer relationship management and groupware tool. Prior to versions 6.8.156, 25.0.90, and 26.0.12, a vulnerability in the AbstractSettingsCollection model leads to insecure deserialization when these settings are loaded. By injecting a serialized FileCookieJar...

CVSS 9.9 | AI score 5.9 | EPSS 0.00278
Exploits: 0 | References: 4
Positive Technologies
added 2026/04/02 12:0 a.m. | 1 views

PT-2026-29881

Name of the Vulnerable Software and Affected Versions: Group-Office versions prior to 6.8.156, 25.0.90, and 26.0.12. Description: Group-Office, an enterprise customer relationship management and groupware tool, is affected by an insecure deserialization issue in the AbstractSettingsCollection model...

CVSS 9.9 | AI score 6 | EPSS 0.00278
Exploits: 0 | References: 10
RedhatCVE
added 2026/01/03 3:7 p.m. | 1 views

CVE-2025-15438

A vulnerability was determined in PluXml up to 5.8.22. Affected is the function FileCookieJar::__destruct of the file core/admin/medias.php of the component Media Management Module. Executing a manipulation of the argument File can lead to deserialization. The attack can be launched remotely. The...

CVSS 7.2 | AI score 4.6 | EPSS 0.00078
Exploits: 1 | References: 1
NVD
added 2026/01/02 3:15 p.m. | 3 views

CVE-2025-15438

A vulnerability was determined in PluXml up to 5.8.22. Affected is the function FileCookieJar::__destruct of the file core/admin/medias.php of the component Media Management Module. Executing a manipulation of the argument File can lead to deserialization. The attack can be launched remotely. The...

CVSS 7.2 | EPSS 0.00078
Exploits: 1 | References: 4
UbuntuCve
added 2026/01/02 3:15 p.m. | 2 views

CVE-2025-15438

A vulnerability was determined in PluXml up to 5.8.22. Affected is the function FileCookieJar::__destruct of the file core/admin/medias.php of the component Media Management Module. Executing a manipulation of the argument File can lead to deserialization. The attack can be launched remotely. The...

CVSS 7.2 | AI score 5.5 | EPSS 0.00078
Exploits: 1 | References: 5
OSV
added 2026/01/02 3:15 p.m. | 1 views

UBUNTU-CVE-2025-15438

A vulnerability was determined in PluXml up to 5.8.22. Affected is the function FileCookieJar::__destruct of the file core/admin/medias.php of the component Media Management Module. Executing a manipulation of the argument File can lead to deserialization. The attack can be launched remotely. The...

CVSS 7.2 | AI score 5.5 | EPSS 0.00078
Exploits: 1 | References: 6
CVE
added 2026/01/02 2:32 p.m. | 4 views

CVE-2025-15438

CVE-2025-15438 affects PluXml up to version 5.8.22, targeting the Media Management Module’s file medias.php, specifically the FileCookieJar::__destruct function. A crafted manipulation of the File argument can trigger deserialization, enabling a remote, unauthenticated attack. Public exploit deta...

CVSS 7.2 | AI score 4.7 | EPSS 0.00078
Exploits: 1 | References: 4 | Affected Software: 1
ATTACKERKB
added 2026/01/02 2:32 p.m. | 2 views

CVE-2025-15438

A vulnerability was determined in PluXml up to 5.8.22. Affected is the function FileCookieJar::__destruct of the file core/admin/medias.php of the component Media Management Module. Executing a manipulation of the argument File can lead to deserialization. The attack can be launched remotely. The...

CVSS 5.8 | AI score 4.6 | EPSS 0.00078
Exploits: 1 | References: 4
Positive Technologies
added 2026/01/02 12:0 a.m. | 3 views

PT-2026-1068

Name of the Vulnerable Software and Affected Versions: PluXml versions prior to 5.8.23. Description: A flaw exists in PluXml that could allow for remote code execution. The issue is located in the FileCookieJar::__destruct function within the core/admin/medias.php file of the Media Management Module...

CVSS 5.8 | AI score 7.5 | EPSS 0.00078
Exploits: 1 | References: 7
EUVD
added 2025/10/03 8:7 p.m. | 2 views

EUVD-2022-52603

Malicious code in bioql PyPI...

CVSS 9.8 | AI score 6.6
Exploits: 0