EUVD-2025-12113
Malicious code in bioql PyPI...
EUVD-2023-43954
Malicious code in bioql PyPI...
Exploit for Path Traversal in Aiohttp
LFI-aiohttp-CVE-2024-23334-PoC A Bash script to automate Loca...
CVE-2024-4315
parisneo/lollms version 9.5 is vulnerable to Local File Inclusion (LFI) attacks due to insufficient path sanitization. The sanitize_path_from_endpoint function fails to properly sanitize Windows-style paths (backslash), allowing attackers to perform directory traversal attacks on Windows systems...
CVE-2024-2928
A Local File Inclusion LFI vulnerability was identified in mlflow/mlflow, specifically in version 2.9.2, which was fixed in version 2.11.3. This vulnerability arises from the application's failure to properly validate URI fragments for directory traversal sequences such as '../'. An attacker can...
CVE-2021-24566
The WooCommerce Currency Switcher FOX WordPress plugin before 1.3.7 was vulnerable to LFI attacks via the "woocs" shortcode...
Design/Logic Flaw
The SiteOrigin Widgets Bundle WordPress plugin before 1.51.0 does not validate user input before using it to generate paths passed to include function/s, allowing users with the administrator role to perform LFI attacks in the context of Multisite WordPress sites...
WordPress NextGEN Gallery Plugin < 3.39 Multiple Vulnerabilities
Greenbone AG (2023) vulnerability test for the WordPress NextGEN Gallery plugin (CPE: cpe:/a:imagely:nextgengallery); licensed GPL-2.0-only, with some text descriptions excerpted from referenced sources...
Design/Logic Flaw
The WordPress Gallery Plugin WordPress plugin before 3.39 does not validate some block attributes before using them to generate paths passed to include function/s, allowing Admin users to perform LFI attacks...
NextGEN Gallery < 3.39 - Admin+ Local File Inclusion
Description: The plugin does not validate some block attributes before using them to generate paths passed to include function/s, allowing Admin users to perform LFI attacks. PoC: 1. Create a gallery and upload an image. 2. Add the NextGEN Gallery block to a page and click Edit. Select the Gallery...
CVE-2023-1273
The ND Shortcodes WordPress plugin before 7.0 does not validate some shortcode attributes before using them to generate paths passed to include function/s, allowing any authenticated users such as subscriber to perform LFI attacks...
CVE-2023-1273
CVE-2023-1273 affects the WordPress plugin ND Shortcodes (before 7.0). The issue is that some shortcode attributes used to generate include paths are not validated, allowing an authenticated user (e.g., a subscriber) to perform a Local File Inclusion (LFI) attack by manipulating the path. Public ...
CVE-2023-1274
The Pricing Tables For WPBakery Page Builder formerly Visual Composer WordPress plugin before 3.0 does not validate some shortcode attributes before using them to generate paths passed to include function/s, allowing any authenticated users such as subscriber to perform LFI attacks...
Code injection
The Pricing Tables For WPBakery Page Builder formerly Visual Composer WordPress plugin before 3.0 does not validate some shortcode attributes before using them to generate paths passed to include function/s, allowing any authenticated users such as subscriber to perform LFI attacks...
Design/Logic Flaw
The Shopping Cart & eCommerce Store WordPress plugin before 5.4.3 does not validate HTTP requests, allowing authenticated users with admin privileges to perform LFI attacks...
CVE-2023-1124 Shopping Cart & eCommerce Store < 5.4.3 - Admin+ LFI
The Shopping Cart & eCommerce Store WordPress plugin before 5.4.3 does not validate HTTP requests, allowing authenticated users with admin privileges to perform LFI attacks...
Vailyn - A Phased, Evasive Path Traversal + LFI Scanning & Exploitation Tool In Python
Vailyn: Phased Path Traversal & LFI Attacks. Vailyn 3.0: Since v3.0, Vailyn supports LFI PHP wrappers in Phase 1. Use --lfi to include them in the scan. About: Vailyn is a multi-phased vulnerability analysis and exploitation tool for path traversal and file inclusion vulnerabilities. It is built to...
Security Bulletin: A security vulnerability in Node.js netmask module affects IBM Cloud Automation Manager
Summary: A security vulnerability in the Node.js netmask module affects IBM Cloud Automation Manager. Vulnerability Details: CVEID: CVE-2021-28918. DESCRIPTION: The Node.js netmask module is vulnerable to server-side request forgery, caused by the improper handling of mixed-format IP addresses. By using a...
Local File Inclusion (LFI)
athlon1600/php-proxy-app is vulnerable to Local File Inclusion (LFI) attacks. The vulnerability exists due to the ability to include file:/// in the value of the q parameter, which allows unauthenticated users to read local files...