1982 matches found
PT-2025-31994 · Unknown · Php-Charts
Name of the Vulnerable Software and Affected Versions: PHP-Charts version 1.0 Description: PHP-Charts version 1.0 contains a PHP code execution issue in the wizard/url.php file. User-supplied GET parameter names are passed directly to the eval function without sanitization. A remote attacker can...
CVE-2013-10051
A remote PHP code execution vulnerability exists in InstantCMS version 1.6 and earlier due to unsafe use of eval within the search view handler. Specifically, user-supplied input passed via the look parameter is concatenated into a PHP expression and executed without proper sanitation. A remote...
CVE-2013-10035
A code injection vulnerability exists in ProcessMaker Open Source versions 2.x when using the default 'neoclassic' skin. An authenticated user can execute arbitrary PHP code via multiple endpoints, including appFolderAjax.php, casesStartPageAjax.php, and casesSchedulerGetPlugins.php, by supplying...
CVE-2013-10051
A remote PHP code execution vulnerability exists in InstantCMS version 1.6 and earlier due to unsafe use of eval within the search view handler. Specifically, user-supplied input passed via the look parameter is concatenated into a PHP expression and executed without proper sanitation. A remote...
CVE-2013-10051
InstantCMS
CVE-2013-10051 InstantCMS <= 1.6 Remote PHP Code Execution
A remote PHP code execution vulnerability exists in InstantCMS version 1.6 and earlier due to unsafe use of eval within the search view handler. Specifically, user-supplied input passed via the look parameter is concatenated into a PHP expression and executed without proper sanitation. A remote...
PT-2025-31688 · Unknown · Instantcms
Name of the Vulnerable Software and Affected Versions: InstantCMS versions prior to 1.7 Description: A remote PHP code execution issue exists due to the unsafe use of the eval function within the search view handler. User-supplied input via the look parameter is concatenated into a PHP expression...
CVE-2013-10035 ProcessMaker Open Source < 2.5.2 neoclassic Skin PHP Code Execution
A code injection vulnerability exists in ProcessMaker Open Source versions 2.x when using the default 'neoclassic' skin. An authenticated user can execute arbitrary PHP code via multiple endpoints, including appFolderAjax.php, casesStartPageAjax.php, and casesSchedulerGetPlugins.php, by supplying...
CVE-2013-10035
ProcessMaker Open Source with the default neoclassic skin (versions 2.0.23–2.5.1) is affected by a code execution vulnerability. An authenticated user can exploit endpoints (e.g., appFolderAjax.php, casesStartPage_Ajax.php, cases_SchedulerGetPlugins.php) by sending crafted POST parameters (action...
CVE-2025-6991
The kallyas theme for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 4.21.0 via the 'THLatestPosts4 widget. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary .php files on the server...
CVE-2025-6991 Kallyas <= 4.21.0 - Authenticated (Contributor+) Local File Inclusion
The kallyas theme for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 4.21.0 via the 'THLatestPosts4 widget. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary .php files on the server...
CVE-2016-15044
A remote code execution vulnerability exists in Kaltura versions prior to 11.1.0-2 due to unsafe deserialization of user-controlled data within the keditorservices module. An unauthenticated remote attacker can exploit this issue by sending a specially crafted serialized PHP object in the kdata G...
SUSE CVE-2015-10141
An unauthenticated OS command injection vulnerability exists within Xdebug versions 2.5.5 and earlier, a PHP debugging extension developed by Derick Rethans. When remote debugging is enabled, Xdebug listens on port 9000 and accepts debugger protocol commands without authentication. An attacker ca...
CVE-2016-15044
A remote code execution vulnerability exists in Kaltura versions prior to 11.1.0-2 due to unsafe deserialization of user-controlled data within the keditorservices module. An unauthenticated remote attacker can exploit this issue by sending a specially crafted serialized PHP object in the kdata G...
CVE-2016-15044
Kaltura
CVE-2015-10141 Xdebug Remote Debugger Unauthenticated OS Command Execution
An unauthenticated OS command injection vulnerability exists within Xdebug versions 2.5.5 and earlier, a PHP debugging extension developed by Derick Rethans. When remote debugging is enabled, Xdebug listens on port 9000 and accepts debugger protocol commands without authentication. An attacker ca...
CVE-2018-25114 osCommerce 2.3.4.1 Installer Unauthenticated Configuration File Injection PHP Code Execution
A remote code execution vulnerability exists within osCommerce Online Merchant version 2.3.4.1 due to insecure default configuration and missing authentication in the installer workflow. By default, the /install/ directory remains accessible after installation. An unauthenticated attacker can...
Xdebug 安全漏洞
Xdebug is an extension for debugging and analyzing PHP code from the Xdebug open source. A security vulnerability exists in Xdebug 2.5.5 and earlier versions, which stems from unauthenticated OS command injection and could lead to the execution of arbitrary PHP code...
PT-2025-31592 · Packagist · Dolibarr/Dolibarr
Summary The Dolibarr backend provides the function of adding Menu, and supports setting permissions for the added Menu: This is the trigger point of the vulnerability. The submitted permission can be php code, and it will be executed when viewing the created Menu: - htdocs/admin/menus/edit.php As...
CVE-2025-34113
An authenticated command injection vulnerability exists in Tiki Wiki CMS versions ≤14.1, ≤12.4 LTS, ≤9.10 LTS, and ≤6.14 via the viewmode GET parameter in tiki-calendar.php. When the calendar module is enabled and an authenticated user has permission to access it, an attacker can inject and execu...