26 matches found
CVE-2026-27161 Unauthenticated Information Disclosure via .htaccess Reliance in Sensitive Directories
GetSimple CMS is a content management system. All versions of GetSimple CMS rely on .htaccess files to restrict access to sensitive directories such as /data/ and /backups/. If Apache AllowOverride is disabled (common in hardened or shared hosting environments), these protections are silently...
CVE-2019-18782
SuiteCRM 7.10.x prior to 7.10.21 and 7.11.x prior to 7.11.9 does not correctly implement the .htaccess protection mechanism...
PT-2025-47698
The Import WP – Export and Import CSV and XML files to WordPress plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.14.17 via the import/export functionality and a lack of .htaccess protection. This makes it possible for unauthenticated...
EUVD-2006-2874
Malware in sbrugna...
EUVD-2019-8491
Malware in sbrugna...
EUVD-2020-19094
Malware in sbrugna...
EUVD-2019-4514
Malware in sbrugna...
EUVD-2022-5180
Malicious code in bioql PyPI...
CVE-2021-4436
The 3DPrint Lite WordPress plugin before 1.9.1.5 does not have any authorisation and does not check the uploaded file in its p3dlite_handle_upload AJAX action, allowing unauthenticated users to upload arbitrary files to the web server. However, there is a .htaccess, preventing the file to be access...
qdPM 9.1 Authenticated Shell Upload
This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'qdPM 9.1 Authenticated Arbitrary PHP File Upload RCE', 'Description' = %q A remote code execution RCE vulnerability exists in qdPM 9.1 and earlie...
GHSA-RHX9-3QF7-R3J7 Drupal Remote code execution
A 3rd party development library included with Drupal 8 development dependencies is vulnerable to remote code execution. This is mitigated by the default .htaccess protection against PHP execution, and the fact that Composer development dependencies aren't normally installed. You might be vulnerabl...
Backup Guard < 1.6.0 - Authenticated Arbitrary File Upload
The plugin did not ensure that the imported files are of the SGBP format and extension, allowing high privilege users (admin+) to upload arbitrary files, including PHP ones, leading to RCE. Additional Info, and Bypass of .htaccess protection found by WPScanTeam, while confirming the issue: There is...
CVE-2020-26549
An issue was discovered in Aviatrix Controller before R5.4.1290. The htaccess protection mechanism to prevent requests to directories can be bypassed for file downloading...
SuiteCRM .htaccess Protection Mechanism Incorrectly Implemented Vulnerability
SuiteCRM is a free open source customer relationship management application. SuiteCRM is vulnerable to an incorrect implementation of the .htaccess protection mechanism. No detailed vulnerability details are provided at this time...
CVE-2020-7246
A remote code execution (RCE) vulnerability exists in qdPM 9.1 and earlier. An attacker can upload a malicious PHP code file via the profile photo functionality, by leveraging a path traversal vulnerability in the users['photop_preview'] delete photo feature, allowing bypass of .htaccess protection...
CVE-2020-7246
A remote code execution (RCE) vulnerability exists in qdPM 9.1 and earlier. An attacker can upload a malicious PHP code file via the profile photo functionality, by leveraging a path traversal vulnerability in the users['photop_preview'] delete photo feature, allowing bypass of .htaccess protection...
CVE-2017-6381
A 3rd party development library included with Drupal 8 development dependencies is vulnerable to remote code execution. This is mitigated by the default .htaccess protection against PHP execution, and the fact that Composer development dependencies aren't normally installed. You might be vulnerabl...
CVE-2017-6381
CVE-2017-6381 corresponds to a Drupal RCE via the PHPUnit component bundled with Drupal 8 development dependencies. Affected if running Drupal versions before 8.2.2; mitigation in the public description notes that .htaccess generally blocks PHP execution and that Composer development dependencies...
CosmoShop ePRO 10.17.00 Authentication Bypass
Issue: Authentication-Bypass in CosmoShop ePRO V10.17.00 and lower, maybe higher Author: l0om http://l0om.org Date: 26.02.2013 Overview: Cosmoshop provides an admin backup-function which saves .htaccess protected MySQL dump files in a backup directory. This directory does only prevent HTTP...