CVE-2023-46304

modules/Users/models/Module.php in Vtiger CRM 7.5.0 allows a remote authenticated attacker to run arbitrary PHP code because an unprotected endpoint allows them to write this code to the config.inc.php file executed on every page load...

CVE-2023-5099

The HTML filter and csv-file search plugin for WordPress is vulnerable to Local File Inclusion in versions up to, and including, 2.7 via the 'src' attribute of the 'csvsearch' shortcode. This allows authenticated attackers, with contributor-level permissions and above, to include and execute...

CVE-2023-1720

Lack of mime type response header in Bitrix24 22.0.300 allows authenticated remote attackers to execute arbitrary JavaScript code in the victim's browser, and possibly execute arbitrary PHP code on the server if the victim has administrator privilege, via uploading a crafted HTML file through...

CVE-2023-6989

The Shield Security – Smart Bot Blocking & Intrusion Prevention Security plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 18.5.9 via the renderactiontemplate parameter. This makes it possible for unauthenticated attacker to include and execute PHP...

CVE-2023-24610

NOSH 4a5cfdb allows remote authenticated users to execute PHP arbitrary code via the "practice logo" upload feature. The client-side checks can be bypassed. This may allow attackers to steal Protected Health Information because the product is for health charting...

CVE-2022-48538

In Cacti 1.2.19, there is an authentication bypass in the web login functionality because of improper validation in the PHP code: cactildapauth allows a zero as the password...

CVE-2025-45753

A vulnerability in Vtiger CRM Open Source Edition v8.3.0 allows an attacker with admin privileges to execute arbitrary PHP code by exploiting the ZIP import functionality in the Module Import feature...

CVE-2025-45752

A vulnerability in SeedDMS 6.0.32 allows an attacker with admin privileges to execute arbitrary PHP code by exploiting the zip import functionality in the Extension Manager...

PT-2025-22962

Name of the Vulnerable Software and Affected Versions vBulletin affected versions not specified Description The issue allows attackers to execute arbitrary PHP code by abusing Template Conditionals in the template engine. Attackers can craft template code in an alternative PHP function invocation...

CVE-2022-34128

The Cartography aka positions plugin before 6.0.1 for GLPI allows remote code execution via PHP code in the POST data to front/upload.php...

CVE-2022-32409

A local file inclusion LFI vulnerability in the component codemirror.php of Portal do Software Publico Brasileiro i3geo v7.0.5 allows attackers to execute arbitrary PHP code via a crafted HTTP request...

CVE-2022-24652

sentcms 4.0.x allows remote attackers to cause arbitrary file uploads through an unauthorized file upload interface, resulting in php code execution in /admin/upload/upload...

CVE-2022-24651

sentcms 4.0.x allows remote attackers to cause arbitrary file uploads through an unauthorized file upload interface, resulting in PHP code execution through /user/upload/upload...

CVE-2022-35944

October is a self-hosted Content Management System CMS platform based on the Laravel PHP Framework. This vulnerability only affects installations that rely on the safe mode restriction, commonly used when providing public access to the admin panel. Assuming an attacker has access to the admin pan...

CVE-2022-45291

PWS Personal Weather Station Dashboard PWSDashboard LTS December 2020 2012lts allows remote code execution by injecting PHP code into settings.php. Attacks can use the PWSprintfile.php, PWSframetext.php, PWSlistfile.php, PWSwinter.php, and PWSeasyweathersetup.php endpoints. A contributing factor ...

CVE-2021-21804

A local file inclusion LFI vulnerability exists in the options.php script functionality of Advantech R-SeeNet v 2.4.12 20.10.2020. A specially crafted HTTP request can lead to arbitrary PHP code execution. An attacker can send a crafted HTTP request to trigger this vulnerability...

CVE-2021-21264

October is a free, open-source, self-hosted CMS platform based on the Laravel PHP Framework. A bypass of CVE-2020-26231 fixed in 1.0.470/471 and 1.1.1 was discovered that has the same impact as CVE-2020-26231 & CVE-2020-15247. An authenticated backend user with the cms.managepages,...

CVE-2021-32924

Invision Community aka IPS Community Suite before 4.6.0 allows eval-based PHP code injection by a moderator because the IPS\cms\modules\front\pages\builder::previewBlock method interacts unsafely with the IPS\Theme::runProcessFunction method...

CVE-2021-36766

Concrete5 through 8.5.5 deserializes Untrusted Data. The vulnerable code is located within the controllers/singlepage/dashboard/system/environment/logging.php Logging::updatelogging method. User input passed through the logFile request parameter is not properly sanitized before being used in a ca...

CVE-2021-24890

The Scripts Organizer WordPress plugin before 3.0 does not have capability and CSRF checks in the saveScript AJAX action, available to both unauthenticated and authenticated users, and does not validate user input in any way, which could allow unauthenticated users to put arbitrary PHP code in a...