PT-2026-28019

Name of the Vulnerable Software and Affected Versions CreativeWS Kiddy versions through 2.0.8 Description The software contains a flaw related to improper control of filename handling for include/require statements, specifically a PHP Remote File Inclusion issue. This allows for PHP Local File...

PT-2026-27819

Name of the Vulnerable Software and Affected Versions AncoraThemes Hypnotherapy versions through 1.2.10 Description The software contains a flaw related to improper control of filename handling for include/require statements, specifically a PHP Remote File Inclusion issue. This allows for PHP Loc...

PT-2026-27835

Name of the Vulnerable Software and Affected Versions AncoraThemes Unica versions through 1.4.1 Description The software contains a flaw related to improper control of filename handling for include/require statements, leading to a PHP Remote File Inclusion issue. This allows for PHP Local File...

PT-2026-27834

Name of the Vulnerable Software and Affected Versions AncoraThemes Triompher versions through 1.1.0 Description The software contains a flaw related to improper control of filename handling for include/require statements, specifically a PHP Remote File Inclusion issue. This allows for PHP Local...

PT-2026-27980

Name of the Vulnerable Software and Affected Versions Mikado-Themes Rosebud versions through 1.4 Description A flaw exists in the handling of filenames used in include/require statements within the PHP code of Mikado-Themes Rosebud, leading to a PHP Local File Inclusion issue. This allows for the...

GHSA-X6M9-38VM-2XHF Scriban has an authorization bypass due to stale include cache surviving TemplateContext.Reset()

Summary TemplateContext.Reset claims that a TemplateContext can be reused safely on the same thread, but it does not clear CachedTemplates. If an application pools TemplateContext objects and uses an ITemplateLoader that resolves content per request, tenant, or user, a previously authorized inclu...

Scriban has an authorization bypass due to stale include cache surviving TemplateContext.Reset()

Summary TemplateContext.Reset claims that a TemplateContext can be reused safely on the same thread, but it does not clear CachedTemplates. If an application pools TemplateContext objects and uses an ITemplateLoader that resolves content per request, tenant, or user, a previously authorized inclu...

CVE-2026-30932

Froxlor is open source server administration software. Prior to version 2.3.5, the DomainZones.add API endpoint accessible to customers with DNS enabled does not validate the content field for several DNS record types LOC, RP, SSHFP, TLSA. An attacker can inject newlines and BIND zone file...

CVE-2026-30932

Froxlor is open source server administration software. Prior to version 2.3.5, the DomainZones.add API endpoint accessible to customers with DNS enabled does not validate the content field for several DNS record types LOC, RP, SSHFP, TLSA. An attacker can inject newlines and BIND zone file...

CVE-2026-33513

WWBN AVideo is an open source video platform. In versions up to and including 26.0, an unauthenticated API endpoint APIName=locale concatenates user input into an include path with no canonicalization or whitelist. Path traversal is accepted, so arbitrary PHP files under the web root can be...

EUVD-2026-13659

Improper Control of Filename for Include/Require Statement in PHP Program 'PHP Remote File Inclusion' vulnerability in ThemeREX Melania allows PHP Local File Inclusion.This issue affects Melania: from n/a through 2.5.0...

CVE-2026-22324

Improper Control of Filename for Include/Require Statement in PHP Program 'PHP Remote File Inclusion' vulnerability in ThemeREX Melania allows PHP Local File Inclusion.This issue affects Melania: from n/a through 2.5.0...

CVE-2026-22324

Improper Control of Filename for Include/Require Statement in PHP Program 'PHP Remote File Inclusion' vulnerability in ThemeREX Melania allows PHP Local File Inclusion.This issue affects Melania: from n/a through 2.5.0...

EUVD-2026-13111

Devome GRR v4.5.0 was discovered to contain multiple authenticated SQL injection vulnerabilities in the include/session.inc.php file via the referer and user-agent...

EUVD-2026-13068

Improper Control of Filename for Include/Require Statement in PHP Program 'PHP Remote File Inclusion' vulnerability in Ovatheme Tripgo allows PHP Local File Inclusion.This issue affects Tripgo: from n/a before 1.5.6...

CVE-2026-27093

Improper Control of Filename for Include/Require Statement in PHP Program 'PHP Remote File Inclusion' vulnerability in ovatheme Tripgo tripgo allows PHP Local File Inclusion.This issue affects Tripgo: from n/a through 1.5.6...

CVE-2026-27093 WordPress Tripgo theme < 1.5.6 - Local File Inclusion vulnerability

Improper Control of Filename for Include/Require Statement in PHP Program 'PHP Remote File Inclusion' vulnerability in ovatheme Tripgo tripgo allows PHP Local File Inclusion.This issue affects Tripgo: from n/a through 1.5.6...

Devome GRR 安全漏洞

Devome GRR is a data collection and analysis platform for forensic analysis and incident response developed by the French company Devome. Version 4.5.0 of Devome GRR contains a security vulnerability. This vulnerability stems from insufficient validation of the referer and user-agent parameters i...

CVE-2026-30711

CVE-2026-30711 affects Devome GRR v4.5.0 and describes multiple authenticated SQL injection vulnerabilities in include/session.inc.php exploitable via the referer and user-agent. The NVD entry assigns CVSS v3.1: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H with base score 8.8 (HIGH), indicating high impac...

CVE-2026-30711

Devome GRR v4.5.0 was discovered to contain multiple authenticated SQL injection vulnerabilities in the include/session.inc.php file via the referer and user-agent...