CVE-2025-45753
A vulnerability in Vtiger CRM Open Source Edition v8.3.0 allows an attacker with admin privileges to execute arbitrary PHP code by exploiting the ZIP import functionality in the Module Import feature...
CVE-2025-45752
CVE-2025-45752 affects SeedDMS 6.0.32. Affected component: Extension Manager zip import functionality. Root cause: exploitation of the zip import feature allows an attacker with admin privileges to execute arbitrary PHP code. Impact is described as arbitrary code execution with admin access. Expl...
CVE-2025-47916
Invision Community 5.0.0 before 5.0.7 allows remote code execution via crafted template strings to themeeditor.php. The issue lies within the themeeditor controller file: /applications/core/modules/front/system/themeeditor.php, where a protected method named customCss can be invoked by...
Arbitrary Command Injection
Craft CMS is vulnerable to Arbitrary Command Injection. The vulnerability is due to unauthenticated user-supplied data being stored in session files without validation, potentially allowing PHP code injection into a predictable server file path...
PT-2025-21165 · Invision · Invision Community
Name of the Vulnerable Software and Affected Versions: Invision Community versions 5.0.0 through 5.0.7 Description: The issue lies within the themeeditor controller, where a protected method named customCss can be invoked by unauthenticated users. This method passes the value of the content...
CVE-2025-2158
The WordPress Review Plugin: The Ultimate Solution for Building a Review Website plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 5.3.5 via the Post custom fields. This makes it possible for authenticated attackers, with Contributor-level access and...
CVE-2025-35939
Craft CMS stores arbitrary content provided by unauthenticated users in session files. This content could be accessed and executed, possibly using an independent vulnerability. Craft CMS redirects requests that require authentication to the login page and generates a session file on the server at...
CVE-2025-35939 Craft CMS stores user-provided content in session files
Craft CMS stores arbitrary content provided by unauthenticated users in session files. This content could be accessed and executed, possibly using an independent vulnerability. Craft CMS redirects requests that require authentication to the login page and generates a session file on the server at...
PT-2025-20135 · Unknown · Fullworks Display Eventbrite Events
Name of the Vulnerable Software and Affected Versions: fullworks Display Eventbrite Events affected versions not specified Description: The issue is related to an Improper Control of Filename for Include/Require Statement in PHP Program, also known as 'PHP Remote File Inclusion' vulnerability. Th...
CVE-2025-3491
The Add custom page template plugin for WordPress is vulnerable to PHP Code Injection leading to Remote Code Execution in all versions up to, and including, 2.0.1 via the 'acptvalidatesetting' function. This is due to insufficient sanitization of the 'templatename' parameter. This makes it possib...
CVE-2025-2101
CVE-2025-2101 affects the Edumall theme for WordPress: Unauthenticated Local File Inclusion via the template parameter of the edumall_lazy_load_template AJAX action.
CVE-2025-3491 Add custom page template <= 2.0.1 - Authenticated (Administrator+) PHP Code Injection to Remote Code Execution
The Add custom page template plugin for WordPress is vulnerable to PHP Code Injection leading to Remote Code Execution in all versions up to, and including, 2.0.1 via the 'acptvalidatesetting' function. This is due to insufficient sanitization of the 'templatename' parameter. This makes it possib...
CVE-2025-3491
The WordPress Add custom page template plugin (vulnerable
PT-2025-17949 · WordPress · Add Custom Page Template Plugin
Name of the Vulnerable Software and Affected Versions: Add custom page template plugin for WordPress versions up to, and including, 2.0.1 Description: The issue is related to PHP Code Injection leading to Remote Code Execution due to insufficient sanitization of the template name parameter. This ...
CVE-2025-1782
CVE-2025-1782 affects HylaFAX Enterprise Web Interface and AvantFAX. The vulnerability arises from an unsanitized language form element that can be abused to include an arbitrary file in PHP code, enabling an authenticated attacker to perform actions as the web server user. The available document...
Exploit for Code Injection in Ispconfig
CVE-2023-46818-Exploit This is my own exploit for CVE-2023-468...
CVE-2025-2636
The InstaWP Connect – 1-click WP Staging & Migration plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 0.1.0.85 via the 'instawp-database-manager' parameter. This makes it possible for unauthenticated attackers to include and execute arbitrary files ...