
7212 matches found

OSV
added 2025/08/14 6:52 p.m. · 3 views

MAL-2025-29178 Malicious code in php-code-coverage (npm)

The package php-code-coverage was found to contain malicious code.

AI score 7
Exploits 0

RedhatCVE
added 2025/08/08 12:29 a.m. · 6 views

CVE-2025-50286

A Remote Code Execution (RCE) vulnerability in Grav CMS v1.7.48 allows an authenticated admin to upload a malicious plugin via the /admin/tools/direct-install interface. Once uploaded, the plugin is automatically extracted and loaded, allowing arbitrary PHP code execution and reverse shell access...

CVSS 8.1 · AI score 7.5 · EPSS 0.0871
Exploits 7 · References 1

RedhatCVE
added 2025/08/07 8:31 p.m. · 5 views

CVE-2012-10025

The WordPress plugin Advanced Custom Fields (ACF) version 3.5.1 and below contains a remote file inclusion (RFI) vulnerability in core/actions/export.php. When the PHP configuration directive allow_url_include is enabled (default: Off), an unauthenticated attacker can exploit the acf_abspath POST paramete...

CVSS 10 · AI score 7.9 · EPSS 0.01224
Exploits 0 · References 1

RedhatCVE
added 2025/08/07 8:31 p.m. · 3 views

CVE-2013-10070

PHP-Charts v1.0 contains a PHP code execution vulnerability in wizard/url.php, where user-supplied GET parameter names are passed directly to eval without sanitization. A remote attacker can exploit this flaw by crafting a request that injects arbitrary PHP code, resulting in command execution...

CVSS 10 · AI score 7.8 · EPSS 0.01393
Exploits 0 · References 1

NVD
added 2025/08/06 3:15 p.m. · 11 views

CVE-2025-50286

A Remote Code Execution (RCE) vulnerability in Grav CMS v1.7.48 allows an authenticated admin to upload a malicious plugin via the /admin/tools/direct-install interface. Once uploaded, the plugin is automatically extracted and loaded, allowing arbitrary PHP code execution and reverse shell access...

CVSS 8.1 · EPSS 0.0871
Exploits 7 · References 1

CVE
added 2025/08/06 12:0 a.m. · 26 views

CVE-2025-50286

Grav CMS v1.7.48 is affected by an authenticated RCE via the Admin Panel’s /admin/tools/direct-install feature. An authenticated administrator can upload a malicious plugin (e.g., ZIP with arbitrary PHP) that is extracted and loaded, enabling arbitrary PHP code execution and a reverse shell. The ...

CVSS 8.1 · AI score 7.6 · EPSS 0.0871
Exploits 7 · References 1 · Affected Software 1

Cvelist
added 2025/08/06 12:0 a.m. · 11 views

CVE-2025-50286

A Remote Code Execution (RCE) vulnerability in Grav CMS v1.7.48 allows an authenticated admin to upload a malicious plugin via the /admin/tools/direct-install interface. Once uploaded, the plugin is automatically extracted and loaded, allowing arbitrary PHP code execution and reverse shell access...

EPSS 0.0871
Exploits 7 · References 1

Positive Technologies
added 2025/08/06 12:0 a.m. · 5 views

PT-2025-32177

Name of the Vulnerable Software and Affected Versions: Grav CMS versions 1.7.48 Description: A Remote Code Execution (RCE) issue exists in Grav CMS version 1.7.48. An authenticated administrator can upload a malicious plugin through the /admin/tools/direct-install API endpoint. Upon upload, the...

CVSS 8.1 · AI score 6.5 · EPSS 0.0871
Exploits 7 · References 13

NVD
added 2025/08/05 8:15 p.m. · 5 views

CVE-2013-10070

PHP-Charts v1.0 contains a PHP code execution vulnerability in wizard/url.php, where user-supplied GET parameter names are passed directly to eval without sanitization. A remote attacker can exploit this flaw by crafting a request that injects arbitrary PHP code, resulting in command execution...

CVSS 10 · EPSS 0.01393
Exploits 0 · References 5

CVE
added 2025/08/05 8:4 p.m. · 25 views

CVE-2013-10070

PHP-Charts v1.0 contains a PHP code execution vulnerability in wizard/url.php where user-supplied GET parameter names are passed directly to eval() without sanitization. A remote attacker can craft a request injecting arbitrary PHP code, leading to command execution under the web server’s context...

CVSS 10 · AI score 7.8 · EPSS 0.01393
Exploits 0 · References 5

Vulnrichment
added 2025/08/05 8:4 p.m. · 3 views

CVE-2013-10070 PHP-Charts v1.0 PHP Code Execution

PHP-Charts v1.0 contains a PHP code execution vulnerability in wizard/url.php, where user-supplied GET parameter names are passed directly to eval without sanitization. A remote attacker can exploit this flaw by crafting a request that injects arbitrary PHP code, resulting in command execution...

CVSS 10 · AI score 7.7 · EPSS 0.01393
Exploits 0 · References 5

Cvelist
added 2025/08/05 8:4 p.m. · 9 views

CVE-2013-10070 PHP-Charts v1.0 PHP Code Execution

PHP-Charts v1.0 contains a PHP code execution vulnerability in wizard/url.php, where user-supplied GET parameter names are passed directly to eval without sanitization. A remote attacker can exploit this flaw by crafting a request that injects arbitrary PHP code, resulting in command execution...

CVSS 10 · EPSS 0.01393
Exploits 0 · References 5

Positive Technologies
added 2025/08/05 12:0 a.m. · 4 views

PT-2025-31994 · Unknown · Php-Charts

Name of the Vulnerable Software and Affected Versions: PHP-Charts version 1.0 Description: PHP-Charts version 1.0 contains a PHP code execution issue in the wizard/url.php file. User-supplied GET parameter names are passed directly to the eval function without sanitization. A remote attacker can...

CVSS 10 · AI score 7.4 · EPSS 0.01393
Exploits 0 · References 7

RedhatCVE
added 2025/08/04 9:33 a.m. · 5 views

CVE-2013-10051

A remote PHP code execution vulnerability exists in InstantCMS version 1.6 and earlier due to unsafe use of eval within the search view handler. Specifically, user-supplied input passed via the look parameter is concatenated into a PHP expression and executed without proper sanitization. A remote...

CVSS 9.8 · AI score 7.9 · EPSS 0.01894
Exploits 1 · References 1

RedhatCVE
added 2025/08/02 8:22 p.m. · 5 views

CVE-2013-10035

A code injection vulnerability exists in ProcessMaker Open Source versions 2.x when using the default 'neoclassic' skin. An authenticated user can execute arbitrary PHP code via multiple endpoints, including appFolderAjax.php, casesStartPage_Ajax.php, and cases_SchedulerGetPlugins.php, by supplying...

CVSS 8.7 · AI score 7.7 · EPSS 0.01396
Exploits 0 · References 1

NVD
added 2025/08/01 9:15 p.m. · 4 views

CVE-2013-10051

A remote PHP code execution vulnerability exists in InstantCMS version 1.6 and earlier due to unsafe use of eval within the search view handler. Specifically, user-supplied input passed via the look parameter is concatenated into a PHP expression and executed without proper sanitization. A remote...

CVSS 9.8 · EPSS 0.01894
Exploits 1 · References 4

CVE
added 2025/08/01 8:41 p.m. · 19 views

CVE-2013-10051

InstantCMS

CVSS 9.8 · AI score 7.8 · EPSS 0.01894
Exploits 1 · References 4 · Affected Software 1

Vulnrichment
added 2025/08/01 8:41 p.m. · 4 views

CVE-2013-10051 InstantCMS <= 1.6 Remote PHP Code Execution

A remote PHP code execution vulnerability exists in InstantCMS version 1.6 and earlier due to unsafe use of eval within the search view handler. Specifically, user-supplied input passed via the look parameter is concatenated into a PHP expression and executed without proper sanitization. A remote...

CVSS 9.3 · AI score 7 · EPSS 0.01894
Exploits 1 · References 4

Positive Technologies
added 2025/08/01 12:0 a.m. · 5 views

PT-2025-31688 · Unknown · Instantcms

Name of the Vulnerable Software and Affected Versions: InstantCMS versions prior to 1.7 Description: A remote PHP code execution issue exists due to the unsafe use of the eval function within the search view handler. User-supplied input via the look parameter is concatenated into a PHP expression...

CVSS 9.3 · AI score 7.2 · EPSS 0.01894
Exploits 1 · References 7

CVE
added 2025/07/31 3:0 p.m. · 15 views

CVE-2013-10035

ProcessMaker Open Source with the default neoclassic skin (versions 2.0.23–2.5.1) is affected by a code execution vulnerability. An authenticated user can exploit endpoints (e.g., appFolderAjax.php, casesStartPage_Ajax.php, cases_SchedulerGetPlugins.php) by sending crafted POST parameters (action...

CVSS 8.7 · AI score 7.8 · EPSS 0.01396
Exploits 0 · References 5