Lucene search
K

718 matches found

Snyk
Snyk
added 2026/04/18 12:59 a.m.5 views

CRLF Injection

Overview Affected versions of this package are vulnerable to CRLF Injection via the settingsToParameters process. An attacker can execute arbitrary code and alter configuration by injecting newline characters into PHP INI values that are forwarded to child processes. This is only exploitable if t...

8.5CVSS6.3AI score0.00191EPSS
Exploits0References3
Github Security Blog
Github Security Blog
added 2026/04/18 12:59 a.m.15 views

PHPUnit has Argument injection via newline in PHP INI values that are forwarded to child processes

Impact PHPUnit forwards PHP INI settings to child processes used for isolated/PHPT test execution as -d name=value command-line arguments without neutralizing INI metacharacters. Because PHP's INI parser interprets " as a string delimiter, ; as the start of a comment, and most importantly a newli...

7.8CVSS6.6AI score0.00191EPSS
Exploits0References5Affected Software1
OSV
OSV
added 2026/04/18 12:59 a.m.7 views

GHSA-QRR6-MG7R-M243 PHPUnit has Argument injection via newline in PHP INI values that are forwarded to child processes

Impact PHPUnit forwards PHP INI settings to child processes used for isolated/PHPT test execution as -d name=value command-line arguments without neutralizing INI metacharacters. Because PHP's INI parser interprets " as a string delimiter, ; as the start of a comment, and most importantly a newli...

7.8CVSS6.6AI score0.00191EPSS
Exploits0References5
CVE
CVE
added 2026/04/17 7:58 p.m.15 views

CVE-2026-32624

CVE-2026-32624 affects xrdp (open source RDP server) up to version 0.10.5. A heap-based buffer overflow can occur in logon processing when domain_user_separator is configured in xrdp.ini, allowing an unauthenticated remote attacker to send a crafted, excessively long username and domain name to o...

6.5CVSS6AI score0.00408EPSS
Exploits0References2Affected Software1
Friends Of PHP
Friends Of PHP
added 2026/04/17 12:52 p.m.11 views

Argument injection via newline in PHP INI values forwarded to child processes

Impact PHPUnit forwards PHP INI settings to child processes used for isolated/PHPT test execution as -d name=value command-line arguments without neutralizing INI metacharacters. Because PHP's INI parser interprets " as a string delimiter, ; as the start of a comment, and most importantly a newli...

7.8CVSS6.6AI score0.00343EPSS
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
added 2026/04/17 12:52 p.m.36 views

Argument injection via newline in PHP INI values forwarded to child processes

Impact PHPUnit forwards PHP INI settings to child processes used for isolated/PHPT test execution as -d name=value command-line arguments without neutralizing INI metacharacters. Because PHP's INI parser interprets " as a string delimiter, ; as the start of a comment, and most importantly a newli...

7.8CVSS6.6AI score0.00343EPSS
Exploits0Affected Software1
OSV
OSV
added 2026/04/14 10:29 p.m.6 views

GHSA-G6V3-WV4J-X9HG October Rain has Environment Variable Exfiltration via INI Parser Interpolation

A server-side information disclosure vulnerability was identified in the INI settings parser. PHP's parseinistring function supports $ syntax for environment variable interpolation. Attackers with Editor access could inject $APPKEY, $DBPASSWORD, or similar patterns into CMS page settings fields,...

4.9CVSS5.7AI score0.00326EPSS
Exploits0References3
EUVD
EUVD
added 2026/04/14 10:29 p.m.5 views

EUVD-2026-22704

October Rain has Environment Variable Exfiltration via INI Parser Interpolation...

4.9CVSS5.8AI score0.00326EPSS
Exploits0References2
Github Security Blog
Github Security Blog
added 2026/04/14 10:29 p.m.6 views

October Rain has Environment Variable Exfiltration via INI Parser Interpolation

A server-side information disclosure vulnerability was identified in the INI settings parser. PHP's parseinistring function supports $ syntax for environment variable interpolation. Attackers with Editor access could inject $APPKEY, $DBPASSWORD, or similar patterns into CMS page settings fields,...

4.9CVSS5.7AI score0.00326EPSS
Exploits0References3Affected Software1
NVD
NVD
added 2026/04/14 9:16 p.m.5 views

CVE-2026-25125

October is a Content Management System CMS and web platform. Versions prior to 3.7.14 and 4.1.10 contain a server-side information disclosure vulnerability in the INI settings parser. Because PHP's parseinistring function supports $ syntax for environment variable interpolation, attackers with...

4.9CVSS0.00326EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 2026/04/14 8:39 p.m.4 views

CVE-2026-25125 October CMS: Environment Variable Exfiltration via INI Parser Interpolation

October is a Content Management System CMS and web platform. Versions prior to 3.7.14 and 4.1.10 contain a server-side information disclosure vulnerability in the INI settings parser. Because PHP's parseinistring function supports $ syntax for environment variable interpolation, attackers with...

4.9CVSS5.8AI score0.00326EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2026/04/14 8:39 p.m.3 views

CVE-2026-25125

October is a Content Management System CMS and web platform. Versions prior to 3.7.14 and 4.1.10 contain a server-side information disclosure vulnerability in the INI settings parser. Because PHP's parseinistring function supports $ syntax for environment variable interpolation, attackers with...

4.9CVSS5.8AI score0.00326EPSS
Exploits0References2Affected Software1
CVE
CVE
added 2026/04/14 8:39 p.m.13 views

CVE-2026-25125

CVE-2026-25125 affects October CMS versions prior to 3.7.14 and 4.1.10. The issue is a server-side information disclosure in the INI settings parser: if cms.safe_mode is enabled, an Editor user can inject patterns like ${APP_KEY} or ${DB_PASSWORD} via parse_ini_string() through page settings, cau...

4.9CVSS5.8AI score0.00326EPSS
Exploits0References1Affected Software1
Positive Technologies
Positive Technologies
added 2026/04/14 12:0 a.m.9 views

PT-2026-32911

A server-side information disclosure vulnerability was identified in the INI settings parser. PHP's parse ini string function supports $ syntax for environment variable interpolation. Attackers with Editor access could inject $APP KEY, $DB PASSWORD, or similar patterns into CMS page settings...

4.9CVSS5.7AI score0.00326EPSS
Exploits0References5
SUSE CVE
SUSE CVE
added 2026/04/06 11:24 p.m.3 views

SUSE CVE-2026-33028

Nginx UI is a web user interface for the Nginx web server. Prior to version 2.3.4, the nginx-ui application is vulnerable to a Race Condition. Due to the complete absence of synchronization mechanisms Mutex and non-atomic file writes, concurrent requests lead to the severe corruption of the prima...

7.5CVSS5.8AI score0.00534EPSS
Exploits1References3
RedhatCVE
RedhatCVE
added 2026/03/31 10:58 p.m.2 views

CVE-2026-33028

Nginx UI is a web user interface for the Nginx web server. Prior to version 2.3.4, the nginx-ui application is vulnerable to a Race Condition. Due to the complete absence of synchronization mechanisms Mutex and non-atomic file writes, concurrent requests lead to the severe corruption of the prima...

7.5CVSS5.9AI score0.00534EPSS
Exploits1References1
Snyk
Snyk
added 2026/03/30 4:34 p.m.3 views

Race Condition

Overview Affected versions of this package are vulnerable to Race Condition through the settings update pipeline in api/settings/settings.go and settings/settings.go. An attacker can corrupt app.ini and disrupt service availability by sending concurrent settings-update requests. Concurrent calls ...

7.5CVSS5.9AI score0.00534EPSS
Exploits1References2
RedhatCVE
RedhatCVE
added 2026/03/26 3:2 p.m.5 views

CVE-2026-32140

Dataease is an open source data visualization analysis tool. Prior to 2.10.20, By controlling the IniFile parameter, an attacker can force the JDBC driver to load an attacker-controlled configuration file. This configuration file can inject dangerous JDBC properties, leading to remote code...

9.3CVSS6.4AI score0.00691EPSS
Exploits1References1
NVD
NVD
added 2026/03/12 6:16 p.m.5 views

CVE-2026-32140

Dataease is an open source data visualization analysis tool. Prior to 2.10.20, By controlling the IniFile parameter, an attacker can force the JDBC driver to load an attacker-controlled configuration file. This configuration file can inject dangerous JDBC properties, leading to remote code...

9.3CVSS0.00691EPSS
Exploits1References1
EUVD
EUVD
added 2026/03/12 6:4 p.m.6 views

EUVD-2026-11651

Dataease is an open source data visualization analysis tool. Prior to 2.10.20, By controlling the IniFile parameter, an attacker can force the JDBC driver to load an attacker-controlled configuration file. This configuration file can inject dangerous JDBC properties, leading to remote code...

9.3CVSS6.2AI score0.00691EPSS
Exploits1References1
Rows per page
Query Builder