Lucene search
+L

176 matches found

Cvelist
Cvelist
added 5 days ago30 views

CVE-2026-58409 ChurchCRM: Authenticated Remote Code Execution (RCE) via Malicious Plugin Upload

ChurchCRM is an open-source church management system. Prior to version 7.4.0, an authenticated administrator can achieve Remote Code Execution RCE on the server by installing a malicious plugin ZIP archive containing a PHP webshell. The application explicitly includes 'php' in its ALLOWEDEXTENSIO...

9.1CVSS0.00456EPSS
Exploits0References1
CVE
CVE
added 5 days ago10 views

CVE-2026-58409

ChurchCRM prior to 7.4.0 is vulnerable to authenticated RCE via uploading a malicious plugin ZIP containing a PHP webshell. The vulnerability stems from ALLOWED_EXTENSIONS including 'php' while DENIED_EXTENSIONS fails to block .php files, and extracted ZIP contents are placed under the web root, ...

9.1CVSS6.2AI score0.00456EPSS
Exploits0References1
OSV
OSV
added 5 days ago4 views

CVE-2026-58409 ChurchCRM: Authenticated Remote Code Execution (RCE) via Malicious Plugin Upload

ChurchCRM is an open-source church management system. Prior to version 7.4.0, an authenticated administrator can achieve Remote Code Execution RCE on the server by installing a malicious plugin ZIP archive containing a PHP webshell. The application explicitly includes 'php' in its ALLOWEDEXTENSIO...

9.1CVSS6.2AI score0.00456EPSS
Exploits0References3
OSV
OSV
added 2026/06/29 11:50 a.m.8 views

PYSEC-2026-285 AstrBot is vulnerable to RCE with hard-coded JWT signing keys

Summary AstrBot uses a hard-coded JWT signing key, allowing attackers to execute arbitrary commands by installing a malicious plugin. Details AstrBot uses a hard-coded JWT signing key, which allows attackers to bypass the authentication mechanism. Once bypassed, the attacker can install a Python...

9.8CVSS6.2AI score0.00281EPSS
Exploits2References8
OSV
OSV
added 2026/06/26 5:44 p.m.11 views

MAL-2026-6532 Malicious code in chai-as-assured (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector bd28efd7a3d07f87ec22556cc25a8c07117fa4cdd237c6cb1db750c976a11836 chai-as-assured impersonates the popular chai-as-promised package matching README, author, and API surface. When the exported plugin function is...

5.9AI score
Exploits0References3
OSSF Malicious Packages
OSSF Malicious Packages
added 2026/06/24 3:58 a.m.12 views

Malicious code in rollup-runtime-polyfill-core (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 90dc8536f81ef2ffbd391877bbe1eefbefc900081ef6eaa9848548177c233167 Package name mimics the legitimate rollup-plugin-polyfill-node and copies its source the repository field in package.json points to...

6.3AI score
Exploits0References4
Metasploit
Metasploit
added 2026/06/19 7:3 p.m.244 views

Joplin Plugin Persistence

This module installs a malicious Joplin plugin .jpl into the target's Joplin plugin directory. The plugin executes the payload each time Joplin is launched, providing persistent code execution. Joplin can not be running at the time of plugin installation, or it will be overwriten at shutdown. The...

6AI score
Exploits0
OSSF Malicious Packages
OSSF Malicious Packages
added 2026/06/12 7:43 p.m.20 views

Malicious code in vite-plugin-compress-js (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 7f7b2710441863a429a2a1833e06f54e9afc23c87d1b40d7ee09e1995c6a65c2 On module load, this Vite plugin performs an HTTP GET to https://www.jsonkeeper.com/b/XVHGD an anonymous, mutable paste host and passes the response'...

6AI score
Exploits0References4
OSV
OSV
added 2026/06/12 7:43 p.m.13 views

MAL-2026-5713 Malicious code in vite-plugin-compress-js (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 7f7b2710441863a429a2a1833e06f54e9afc23c87d1b40d7ee09e1995c6a65c2 On module load, this Vite plugin performs an HTTP GET to https://www.jsonkeeper.com/b/XVHGD an anonymous, mutable paste host and passes the response'...

6AI score
Exploits0References4
NVD
NVD
added 2026/06/09 2:16 p.m.13 views

CVE-2026-9279

Logseq exposes an IPC handler that allows the renderer process to execute shell commands. While an allowlist restricts the command name e.g. git, pandoc, grep, the argument string is concatenated with the command and passed to childprocess.spawn with the shell: true option, allowing shell...

8.7CVSS0.0027EPSS
Exploits0References2
RedhatCVE
RedhatCVE
added 2026/06/05 7:31 p.m.10 views

CVE-2025-53345

Missing Authorization vulnerability leading to code execution after installing malicious vulnerable plugin in ThimPress Thim Core. This issue affects Thim Core: from n/a through 2.3.3...

8.8CVSS6AI score0.00302EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2026/06/02 9:47 a.m.9 views

CVE-2025-53345

Missing Authorization vulnerability leading to code execution after installing malicious vulnerable plugin in ThimPress Thim Core. This issue affects Thim Core: from n/a through 2.3.3...

8.8CVSS6.2AI score0.00302EPSS
Exploits0References2
RedhatCVE
RedhatCVE
added 2026/05/26 2:12 a.m.15 views

CVE-2026-41937

Vvveb before 1.0.8.3 contains an unrestricted file upload vulnerability in the plugin upload endpoint that allows superadmin users to execute arbitrary PHP code by uploading a malicious plugin ZIP file. Attackers can craft a ZIP containing a plugin.php with a valid Slug header and a...

8.6CVSS6.2AI score0.00403EPSS
Exploits0References1
OSSF Malicious Packages
OSSF Malicious Packages
added 2026/05/23 1:51 p.m.13 views

Malicious code in @zaamx/netme (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 3ff8cae34ceeb5f691ca4c4f92fbe10d0bc4e6b9eddf081e7c99ab1ee6193c98 This Medusa plugin hardcodes outbound POST requests to https://n8n.lidxi.com/webhook/ in multiple subscribers and admin routes, with no configuration...

5.8AI score
Exploits0References2
EUVD
EUVD
added 2026/05/17 12:11 p.m.13 views

EUVD-2018-21853

GitBucket 4.23.1 contains an unauthenticated remote code execution vulnerability that allows attackers to execute arbitrary commands by exploiting weak secret token generation and insecure file upload functionality. Attackers can brute-force the Blowfish encryption key, upload a malicious JAR...

9.8CVSS6.6AI score0.00589EPSS
Exploits1References4
CVE
CVE
added 2026/05/17 12:11 p.m.19 views

CVE-2018-25332

CVE-2018-25332 - GitBucket 4.23.1 Unauthenticated Remote Code Execution Affected software: GitBucket 4.23.1. Vulnerability: An unauthenticated remote code execution flaw exists due to weak secret token generation and insecure file upload functionality. Adversaries can brute-force the Blowfish enc...

9.8CVSS6.6AI score0.00589EPSS
Exploits1References4Affected Software1
CVE
CVE
added 2026/05/14 2:30 p.m.21 views

CVE-2026-41937

Summary: CVE-2026-41937 affects Vvveb prior to 1.0.8.3. An unrestricted file upload in the plugin upload endpoint lets super_admin users craft a ZIP (plugin.php with a valid Slug header and public/index.php) that executes arbitrary PHP code as the web server user when accessed at the plugin’s pub...

8.6CVSS6.2AI score0.00403EPSS
Exploits0References3
Vulnrichment
Vulnrichment
added 2026/05/11 4:46 p.m.11 views

CVE-2026-45004 OpenClaw < 2026.4.23 - Arbitrary Code Execution via setup-api.js in Current Working Directory

OpenClaw before 2026.4.23 contains an arbitrary code execution vulnerability in the bundled plugin setup resolver that loads setup-api.js from process.cwd during provider setup metadata resolution. Attackers can execute arbitrary JavaScript under the current user account by placing a malicious...

8.4CVSS6.4AI score0.00144EPSS
Exploits0References3
OSV
OSV
added 2026/05/11 2:58 p.m.2 views

CVE-2026-42607 Grav: Remote Code Execution (RCE) via Malicious Plugin ZIP Upload in Direct Install Feature

Grav is a file-based Web platform. Prior to 2.0.0-beta.2, an authenticated user with administrative privileges can achieve Remote Code Execution RCE by uploading a specially crafted ZIP file through the "Direct Install" tool. While the system attempts to block direct .php file uploads, it fails t...

9.1CVSS6.3AI score0.03934EPSS
Exploits4References4
OSV
OSV
added 2026/05/08 9:50 p.m.4 views

CVE-2026-41517 Emlog: Remote Code Execution via Malicious Plugin Upload

Emlog is an open source website building system. Prior to version 2.6.11, insecure plugin upload functionality allows attackers to upload and execute arbitrary PHP code, leading to complete server compromise and persistent backdoor installation. This issue has been patched in version 2.6.11...

6.1AI score0.00276EPSS
Exploits0References3
Rows per page
Query Builder