
1983 matches found

RedhatCVE
added 2025/05/21 8:3 p.m. · 4 views

CVE-2006-5929

PHP remote file inclusion vulnerability in firepjs.php in Phpjobscheduler 3.0 allows remote attackers to execute arbitrary PHP code via a URL in the installed_config_file parameter. NOTE: the provenance of this information is unknown; details are obtained from third party sources...

CVSS 7.5 · AI score 7.7 · EPSS 0.00636
Exploits: 0 · References: 1
RedhatCVE
added 2025/05/21 7:52 p.m. · 3 views

CVE-2009-3822

PHP remote file inclusion vulnerability in Fiji Web Design Ajax Chat (com_ajaxchat) component 1.0 for Joomla! allows remote attackers to execute arbitrary PHP code via a URL in the GLOBALS[mosConfig_absolute_path] parameter to tests/ajcuser.php...

CVSS 7.5 · AI score 8 · EPSS 0.01775
Exploits: 1 · References: 1
NVD
added 2025/05/21 7:16 p.m. · 11 views

CVE-2025-45752

A vulnerability in SeedDMS 6.0.32 allows an attacker with admin privileges to execute arbitrary PHP code by exploiting the zip import functionality in the Extension Manager...

CVSS 7.2 · EPSS 0.00742
Exploits: 1 · References: 1
NVD
added 2025/05/21 7:16 a.m. · 10 views

CVE-2025-4524

The Madara – Responsive and modern WordPress theme for manga sites theme for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.2.2 via the 'template' parameter. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the...

CVSS 9.8 · EPSS 0.15429
Exploits: 4 · References: 3
Positive Technologies
added 2025/05/21 12:0 a.m. · 3 views

PT-2025-22435

Name of the Vulnerable Software and Affected Versions: Vtiger CRM Open Source Edition version 8.3.0 Description: A vulnerability in the software allows an attacker with admin privileges to execute arbitrary PHP code by exploiting the ZIP import functionality in the Module Import feature...

CVSS 7.2 · AI score 7.1 · EPSS 0.00396
Exploits: 0 · References: 6
CVE
added 2025/05/21 12:0 a.m. · 53 views

CVE-2025-45753

Vulnerability CVE-2025-45753 affects Vtiger CRM Open Source Edition v8.3.0. An attacker with admin privileges can execute arbitrary PHP code by abusing the ZIP import functionality in the Module Import feature. The entry indicates high impact (C/H/I/A) with a CVSSv3.1 base score of 7.2. Connected...

CVSS 7.2 · AI score 7.4 · EPSS 0.00396
Exploits: 0 · References: 1 · Affected Software: 1
Cvelist
added 2025/05/21 12:0 a.m. · 9 views

CVE-2025-45753

A vulnerability in Vtiger CRM Open Source Edition v8.3.0 allows an attacker with admin privileges to execute arbitrary PHP code by exploiting the ZIP import functionality in the Module Import feature...

EPSS 0.00396
Exploits: 0 · References: 1
CVE
added 2025/05/21 12:0 a.m. · 51 views

CVE-2025-45752

CVE-2025-45752 affects SeedDMS 6.0.32. Affected component: Extension Manager zip import functionality. Root cause: exploitation of the zip import feature allows an attacker with admin privileges to execute arbitrary PHP code. Impact is described as arbitrary code execution with admin access. Expl...

CVSS 7.2 · AI score 7.7 · EPSS 0.00742
Exploits: 1 · References: 1 · Affected Software: 1
Vulnrichment
added 2025/05/16 12:0 a.m. · 26 views

CVE-2025-47916

Invision Community 5.0.0 before 5.0.7 allows remote code execution via crafted template strings to themeeditor.php. The issue lies within the themeeditor controller file: /applications/core/modules/front/system/themeeditor.php, where a protected method named customCss can be invoked by...

CVSS 10 · AI score 10 · EPSS 0.90728
Exploits: 6 · References: 2
Positive Technologies
added 2025/05/14 12:0 a.m. · 1 views

PT-2025-21165 · Invision · Invision Community

Name of the Vulnerable Software and Affected Versions: Invision Community versions 5.0.0 through 5.0.7 Description: The issue lies within the themeeditor controller, where a protected method named customCss can be invoked by unauthenticated users. This method passes the value of the content...

CVSS 10 · AI score 9.6 · EPSS 0.90728
Exploits: 6 · References: 14
RedhatCVE
added 2025/05/12 10:24 a.m. · 17 views

CVE-2025-2158

The WordPress Review Plugin: The Ultimate Solution for Building a Review Website plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 5.3.5 via the Post custom fields. This makes it possible for authenticated attackers, with Contributor-level access and...

CVSS 8.8 · AI score 7.7 · EPSS 0.00523
Exploits: 0 · References: 1
OSV
added 2025/05/07 11:15 p.m. · 2 views

CVE-2025-35939

Craft CMS stores arbitrary content provided by unauthenticated users in session files. This content could be accessed and executed, possibly using an independent vulnerability. Craft CMS redirects requests that require authentication to the login page and generates a session file on the server at...

CVSS 5.3 · AI score 7.5 · EPSS 0.33065
Exploits: 0 · References: 6
Cvelist
added 2025/05/07 10:41 p.m. · 19 views

CVE-2025-35939 Craft CMS stores user-provided content in session files

Craft CMS stores arbitrary content provided by unauthenticated users in session files. This content could be accessed and executed, possibly using an independent vulnerability. Craft CMS redirects requests that require authentication to the login page and generates a session file on the server at...

CVSS 6.9 · EPSS 0.33065
Exploits: 0 · References: 5
CVE
added 2025/04/26 8:23 a.m. · 69 views

CVE-2025-2101

CVE-2025-2101 (Edumall theme for WordPress) Unauthenticated Local File Inclusion via the template parameter of the edumall_lazy_load_template AJAX action affects Edumall

CVSS 8.1 · AI score 8.5 · EPSS 0.0017
Exploits: 0 · References: 2
RedhatCVE
added 2025/04/13 4:44 a.m. · 14 views

CVE-2025-2636

The InstaWP Connect – 1-click WP Staging & Migration plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 0.1.0.85 via the 'instawp-database-manager' parameter. This makes it possible for unauthenticated attackers to include and execute arbitrary files ...

CVSS 9.8 · AI score 8 · EPSS 0.068
Exploits: 0 · References: 1
Vulnrichment
added 2025/04/11 4:21 a.m. · 20 views

CVE-2025-2636 InstaWP Connect <= 0.1.0.85 - Unauthenticated Local PHP File Inclusion

The InstaWP Connect – 1-click WP Staging & Migration plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 0.1.0.85 via the 'instawp-database-manager' parameter. This makes it possible for unauthenticated attackers to include and execute arbitrary files ...

CVSS 8.1 · AI score 8.2 · EPSS 0.068
Exploits: 0 · References: 3
CVE
added 2025/04/11 4:21 a.m. · 132 views

CVE-2025-2636

CVE-2025-2636 is a Local File Inclusion flaw in the InstaWP Connect – 1-click WP Staging & Migration plugin for WordPress. Affected versions are up to 0.1.0.85; the vulnerability is exploitable via the instawp-database-manager parameter, enabling unauthenticated attackers to include ...

CVSS 8.1 · AI score 8.1 · EPSS 0.068
Exploits: 0 · References: 3
OSV
added 2025/04/03 2:5 p.m. · 4 views

BIT-DOLIBARR-2021-33816

The website builder module in Dolibarr 13.0.2 allows remote PHP code execution because of an incomplete protection mechanism in which system, exec, and shell_exec are blocked but backticks are not blocked...

CVSS 9.8 · AI score 7.9 · EPSS 0.02572
Exploits: 3 · References: 4
RedhatCVE
added 2025/03/30 4:31 a.m. · 15 views

CVE-2025-2294

The Kubio AI Page Builder plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.5.1 via the kubio_hybrid_theme_load_template function. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the...

CVSS 9.8 · AI score 8.3 · EPSS 0.69659
Exploits: 12 · References: 1
Metasploit
added 2025/03/28 6:50 p.m. · 391 views

CmsMadeSimple Authenticated File Manager RCE

CMS Made Simple use exploit/multi/http/cmsmsfilemanagerauthrce msf exploitcmsmsfilemanagerauthrce show targets ...targets... msf exploitcmsmsfilemanagerauthrce set TARGET msf exploitcmsmsfilemanagerauthrce show options ...show and set options... msf exploitcmsmsfilemanagerauthrce exploit This...

CVSS 8.8 · AI score 8.3 · EPSS 0.65059
Exploits: 3