
2271 matches found

EUVD
added 2025/10/07 12:30 a.m. · 2 views

EUVD-2009-1776

Malware in sbrugna...

CVSS 7.5 · AI score 6.4 · EPSS 0.03691
Exploits: 1 · References: 4
EUVD
added 2025/10/07 12:30 a.m. · 4 views

EUVD-2002-1686

Malware in sbrugna...

CVSS 5 · AI score 6.4 · EPSS 0.00335
Exploits: 0 · References: 4
EUVD
added 2025/10/07 12:30 a.m. · 4 views

EUVD-2009-3732

Malware in sbrugna...

CVSS 7.5 · AI score 6.4 · EPSS 0.08382
Exploits: 1 · References: 7
EUVD
added 2025/10/07 12:30 a.m. · 3 views

EUVD-2020-21295

Malware in sbrugna...

CVSS 9.8 · AI score 9.5 · EPSS 0.00925
Exploits: 1 · References: 5
EUVD
added 2025/10/07 12:30 a.m. · 4 views

EUVD-2021-16061

Malware in sbrugna...

CVSS 8.1 · AI score 8 · EPSS 0.00218
Exploits: 0 · References: 4
EUVD
added 2025/10/03 8:7 p.m. · 7 views

EUVD-2022-37144

Malicious code in bioql PyPI...

CVSS 9.8 · AI score 9 · EPSS 0.18894
Exploits: 3 · References: 3
NVD
added 2025/09/11 5:15 a.m. · 2 views

CVE-2025-10246

A weakness has been identified in lokibhardwaj PHP-Code-For-Unlimited-File-Upload up to 124fe96324915490c81eaf7db3234b0b4e4bab3c. This affects an unknown part of the file /f.php. This manipulation of the argument h causes cross site scripting. Remote exploitation of the attack is possible. The...

CVSS 5.1 · EPSS 0.00038
Exploits: 0 · References: 3
RedhatCVE
added 2025/08/30 6:21 p.m. · 4 views

CVE-2025-52353

An arbitrary code execution vulnerability in Badaso CMS 2.9.11. The Media Manager allows authenticated users to upload files containing embedded PHP code via the file-upload endpoint, bypassing content-type validation. When such a file is accessed via its URL, the server executes the PHP payload,...

CVSS 9.8 · AI score 8 · EPSS 0.00588
Exploits: 1 · References: 1
Tenable Nessus
added 2025/08/25 12:0 a.m. · 5 views

Linux Distros Unpatched Vulnerability : CVE-2016-7980

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Cross-site request forgery (CSRF) vulnerability in ecrire/exec/validerxml.php in SPIP 3.1.2 and earlier allows remote attackers to hijack the authentication of...

CVSS 8.8 · AI score 8.2 · EPSS 0.00554
Exploits: 4 · References: 2
Positive Technologies
added 2025/08/06 12:0 a.m. · 5 views

PT-2025-32177

Name of the Vulnerable Software and Affected Versions: Grav CMS versions 1.7.48 Description: A Remote Code Execution (RCE) issue exists in Grav CMS version 1.7.48. An authenticated administrator can upload a malicious plugin through the /admin/tools/direct-install API endpoint. Upon upload, the...

CVSS 8.1 · AI score 6.5 · EPSS 0.73126
Exploits: 7 · References: 13
RedhatCVE
added 2025/07/14 10:15 a.m. · 10 views

CVE-2020-36847

The Simple-File-List Plugin for WordPress is vulnerable to Remote Code Execution in versions up to, and including, 4.2.2 via the rename function which can be used to rename uploaded PHP code with a png extension to use a php extension. This allows unauthenticated attackers to execute code on the...

CVSS 9.8 · AI score 7.7 · EPSS 0.89304
Exploits: 5 · References: 1
CVE
added 2025/07/12 9:24 a.m. · 48 views

CVE-2020-36847

CVE-2020-36847 affects the WordPress Simple File List plugin (versions ≤ 4.2.2). The vulnerability is Remote Code Execution via the plugin’s file-renaming flow (rename of uploaded PHP disguised as PNG to PHP), allowing unauthenticated code execution on the server. Affected component: Simple File ...

CVSS 9.8 · AI score 7.7 · EPSS 0.89304
Exploits: 5 · References: 5 · Affected Software: 1
Positive Technologies
added 2025/07/10 12:0 a.m. · 2 views

PT-2025-29139 · Unknown · Processmaker

Name of the Vulnerable Software and Affected Versions: ProcessMaker versions prior to 3.5.4 Description: An unrestricted file upload vulnerability exists due to improper handling of uploaded plugin archives. An attacker with administrative privileges can upload a malicious .tar plugin file...

CVSS 8.6 · AI score 7.8 · EPSS 0.56656
Exploits: 3 · References: 11
CNNVD
added 2025/07/03 12:0 a.m. · 3 views

Bolt CMS Security Vulnerability

Bolt CMS is a PHP-based open source content management system from Bolt CMS Open Source. A security vulnerability exists in Bolt CMS 3.7.0 and prior versions that originates from allowing an authenticated user to inject arbitrary PHP code into the displayname field, which could lead to remote cod...

CVSS 8.8 · AI score 7.5 · EPSS 0.67402
Exploits: 1 · References: 6
CISA KEV Catalog
added 2025/06/02 12:0 a.m. · 12 views

Craft CMS External Control of Assumed-Immutable Web Parameter Vulnerability

Craft CMS contains an external control of assumed-immutable web parameter vulnerability. This vulnerability could allow an unauthenticated client to introduce arbitrary values, such as PHP code, to a known local file location on the server. This vulnerability could be chained with CVE-2024-58136 ...

CVSS 6.9 · AI score 7.5 · EPSS 0.39398
In wild · Exploits: 0
ICS
added 2025/05/28 8:57 p.m. · 14 views

Craft CMS stores user-provided content session files

RISK EVALUATION Craft CMS stores user-provided content in session files. A remote, unauthenticated attacker can introduce arbitrary content, including PHP code, into session files with known names and locations. If an attacker can access these files, possibly through another vulnerability such...

CVSS 10 · AI score 7.4 · EPSS 0.93094
Exploits: 13 · References: 1
RedhatCVE
added 2025/05/23 12:24 a.m. · 6 views

CVE-2022-48538

In Cacti 1.2.19, there is an authentication bypass in the web login functionality because of improper validation in the PHP code: cactildapauth allows a zero as the password...

CVSS 5.3 · AI score 7.1 · EPSS 0.00068
Exploits: 1
RedhatCVE
added 2025/05/22 9:3 p.m. · 11 views

CVE-2021-24890

The Scripts Organizer WordPress plugin before 3.0 does not have capability and CSRF checks in the saveScript AJAX action, available to both unauthenticated and authenticated users, and does not validate user input in any way, which could allow unauthenticated users to put arbitrary PHP code in a...

CVSS 8.8 · AI score 6.9 · EPSS 0.00221
Exploits: 2 · References: 1
RedhatCVE
added 2025/05/22 5:54 p.m. · 6 views

CVE-2020-25042

An arbitrary file upload issue exists in Mara CMS 7.5. In order to exploit this, an attacker must have a valid authenticated admin/manager session and make a codebase/dir.php?type=filenew request to upload PHP code to codebase/handler.php...

CVSS 7.2 · AI score 7 · EPSS 0.77043
Exploits: 3
RedhatCVE
added 2025/05/22 4:28 p.m. · 10 views

CVE-2020-19896

File inclusion vulnerability in Minicms v1.9 allows remote attackers to execute arbitrary PHP code via post-edit.php...

CVSS 9.8 · AI score 7.6 · EPSS 0.00705
Exploits: 1