PT-2026-39591
ATutor is vulnerable to reflected XSS in the /install/install.php endpoint. An attacker can provide a specially crafted URL that, when opened, results in arbitrary JavaScript execution in the victim's browser. Product is no longer actively supported. Maintainers of this project were notified early...
openDCIM 25.01 SQL Injection / Remote Code Execution
openDCIM version 25.01 remote SQL injection exploit that achieves remote code execution. Title: openDCIM 25.01 SQL Injection Leading to Remote Code Execution...
openDCIM 25.01 SQL Injection
openDCIM version 25.01 remote SQL injection exploit that can be leveraged to execute arbitrary code. Title: openDCIM 25.01 Python Exploit – Authenticated &...
openDCIM install.php SQL Injection to RCE
This module exploits a SQL injection vulnerability in openDCIM's install.php endpoint (CVE-2026-28515) to achieve remote code execution. The install.php script remains accessible after installation and processes LDAP configuration parameters via UpdateParameter without authentication or input...
PT-2025-51321
Name of the Vulnerable Software and Affected Versions: FreshRSS versions 1.23.0 through 1.27.0 Description: FreshRSS is a self-hosted RSS feed aggregator. Versions 1.23.0 through 1.27.0 contain a path traversal issue within the language user configuration parameter. This allows an unprivileged user...
CVE-2024-0413
A vulnerability was found in DeShang DSKMS up to 3.1.2. It has been rated as problematic. This issue affects some unknown processing of the file public/install.php. The manipulation leads to improper access controls. The attack may be initiated remotely. The exploit has been disclosed to the publ...
DeShang DSCMS Access Control Error Vulnerability
DeShang DSCMS is a website builder for enterprise websites from DeShang, China. An access control error vulnerability exists in DeShang DSCMS prior to version 3.1.2, which stems from the file public/install.php that causes incorrect access control...
DeShang DSShop Access Control Error Vulnerability
DeShang DSShop is a single-store mobile mall online store system from DeShang, China. The access control error vulnerability exists in DeShang DSShop prior to version 3.1.0. The vulnerability stems from the file public/install.php of the component HTTP GET Request Handler, which results in...
PT-2024-15535 · Deshang · Deshang Dsshop
Name of the Vulnerable Software and Affected Versions: DeShang DSShop versions up to 3.1.0 Description: A vulnerability was found in the HTTP GET Request Handler component, specifically affecting the file public/install.php. This issue leads to improper access controls and can be initiated...
CVE-2023-7193
A vulnerability was found in MTab Bookmark up to 1.2.6 and classified as critical. This issue affects some unknown processing of the file public/install.php of the component Installation. The manipulation leads to improper access controls. The complexity of an attack is rather high. The...
Electron Technologies FZC PopojiCMS Cross-Site Scripting Vulnerability
Electron Technologies FZC PopojiCMS is an open source content management system (CMS) based on the Popoji framework from Electron Technologies FZC, USA. A cross-site scripting vulnerability exists in Electron Technologies FZC PopojiCMS version 2.0.1, which stems from some unknown processing in the...
PT-2023-32414 · Popojicms · Popojicms
Name of the Vulnerable Software and Affected Versions: PopojiCMS version 2.0.1 Description: A vulnerability was found in the file install.php of the component Web Config, affecting some unknown processing. The manipulation of the argument Site Title with the input alert1 leads to cross site...
CVE-2023-38947
An arbitrary file upload vulnerability in the /languages/install.php component of WBCE CMS v1.6.1 allows attackers to execute arbitrary code via a crafted PHP file...
CVE-2021-43479
A Remote Code Execution (RCE) vulnerability exists in The-Secretary 2.5 via install.php...
CVE-2022-25101
A vulnerability in the component /templates/install.php of WBCE CMS v1.5.2 allows attackers to execute arbitrary code via a crafted PHP file...
CVE-2019-7720
taocms through 2014-05-24 allows eval injection by placing PHP code in the install.php dbname parameter and then making a config.php request...
CVE-2018-17126
CScms 4.1 allows remote code execution, as demonstrated by 1';eval$POSTcmd; in Web Name to upload\plugins\sys\Install.php...
CScms Cross-Site Scripting Vulnerability
CScms is a content management system (CMS) developed on a CI framework. A cross-site scripting vulnerability exists in the \upload\plugins\sys\Install.php file in CScms version 4.1. A remote attacker can exploit this vulnerability to inject arbitrary Web script or HTML by using the site name...
CVE-2018-5749
install.php in Minecraft Servers List Lite before commit c1cd164 and Premium Minecraft Servers List before 2.0.4 does not sanitize input before saving database connection information in connect.php, which might allow remote attackers to execute arbitrary PHP code via the 1 databaseserver, 2...
DERAEMON-CMS vulnerable to cross-site scripting
Overview: DERAEMON-CMS provided by TEAM DERAEMONS is a content management system (CMS). install.php in DERAEMON-CMS contains a cross-site scripting vulnerability (CWE-79) due to a flaw in processing of the parameters hostname, database and username. Satoshi Ogawa of Mitsui Bussan Secure Directions, In...