
19 matches found

Nuclei
added 2 days ago | 6 views

LotusCMS 3.0 - Remote Code Execution

LotusCMS 3.0 is susceptible to remote code execution via the Router function. This is done by embedding PHP code in the 'page' parameter, which will be passed to an eval call and allow remote code execution. id: CVE-2011-0518 info: name: LotusCMS 3.0 - Remote Code Execution author: pikpikcu...

5.1 CVSS | 6.4 AI score | 0.6938 EPSS
Exploits 3 | References 2

NVD
added 2026/03/23 3:16 p.m. | 1 view

CVE-2026-33479

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the Gallery plugin's saveSort.json.php endpoint passes unsanitized user input from $_REQUEST['sections'] array values directly into PHP's eval function. While the endpoint is gated behind User::isAdmin, it has no CSR...

8.8 CVSS | 0.00245 EPSS
Exploits 1 | References 2

CVE
added 2026/02/18 9:10 p.m. | 15 views

CVE-2026-27174

CVE-2026-27174 affects MajorDoMo. An include-order bug in modules/panel.class.php lets unauthenticated users reach the admin panel’s PHP console, with execution continuing into inc_panel_ajax.php after a redirect that lacks an exit. The console handler passes GET parameters (via register_globals)...

9.8 CVSS | 6.9 AI score | 0.85411 EPSS
In wild | Exploits 4 | References 3 | Affected Software 1

RedhatCVE
added 2026/01/09 8:42 a.m. | 8 views

CVE-2022-31181

PrestaShop is an Open Source e-commerce platform. In versions from 1.6.0.10 and before 1.7.8.7 PrestaShop is subject to an SQL injection vulnerability which can be chained to call PHP's Eval function on attacker input. The problem is fixed in version 1.7.8.7. Users are advised to upgrade. Users...

9.8 CVSS | 7.4 AI score | 0.78272 EPSS
Exploits 2 | References 1

EUVD
added 2025/10/07 12:30 a.m. | 1 view

EUVD-2018-11203

Malware in sbrugna...

9.8 CVSS | 9.5 AI score | 0.05263 EPSS
Exploits 2 | References 4

GithubExploit
added 2025/08/12 8:26 p.m. | 70 views

Exploit for CVE-2025-50881

CVE-2025-50881: Remote Code Execution in API Use it Flow via m...

6.2 AI score | 0.00295 EPSS
Exploits 1

Prion
added 2022/08/01 8:15 p.m. | 18 views

Sql injection

PrestaShop is an Open Source e-commerce platform. In versions from 1.6.0.10 and before 1.7.8.7 PrestaShop is subject to an SQL injection vulnerability which can be chained to call PHP's Eval function on attacker input. The problem is fixed in version 1.7.8.7. Users are advised to upgrade. Users...

7.5 CVSS | 9.5 AI score | 0.78272 EPSS
Exploits 2 | References 3 | Affected Software 1

Veracode
added 2022/07/25 7:23 p.m. | 38 views

SQL Injection

prestashop/prestashop is vulnerable to SQL injection. An attacker is able to execute arbitrary SQL queries on the target system via sending specifically crafted input through the vulnerable fetch and save methods which in turn call PHP's Eval function...

9.8 CVSS | 9.8 AI score | 0.78272 EPSS
Exploits 2 | References 3 | Affected Software 1

VulnCheck KEV
added 2022/07/22 12:0 a.m. | 0 views

VulnCheck KEV: CVE-2022-31181

PrestaShop is an Open Source e-commerce platform. In versions from 1.6.0.10 and before 1.7.8.7 PrestaShop is subject to an SQL injection vulnerability which can be chained to call PHP's Eval function on attacker input. The problem is fixed in version 1.7.8.7. Users are advised to upgrade. Users...

9.8 CVSS | 7.4 AI score | 0.78272 EPSS
Exploits 2 | References 1

Metasploit
added 2022/05/31 5:43 p.m. | 387 views

MyBB Admin Control Code Injection RCE

This exploit module leverages an improper input validation vulnerability in MyBB prior to 1.8.30 to execute arbitrary code in the context of the user running the application. MyBB Admin Control setting page calls PHP eval function with an unsanitized user input. The exploit adds a new setting,...

7.2 CVSS | 7.7 AI score | 0.82413 EPSS
Exploits 9

WPVulnDB
added 2020/03/25 12:0 a.m. | 87 views

Product Lister for Walmart <= 1.0.0 - Unauthenticated RCE via Outdated PHPUnit

The plugin uses an outdated PHPUnit library, which is known to be affected by an unauthenticated RCE issue. February 28th, 2020 - Ticket sent to vendor via https://support.cedcommerce.com/open.php March 6th, 2020 - Update requested to vendor also realised that the ticket was closed w/o reason giv...

7.5 CVSS | 0.3 AI score | 0.9421 EPSS
Exploits 17 | References 1 | Affected Software 1

OSV
added 2019/10/15 11:15 p.m. | 0 views

CVE-2019-17613

qibosoft 7 allows remote code execution because do/jf.php makes eval calls. The attacker can use the Point Introduction Management feature to supply PHP code to be evaluated. Alternatively, the attacker can access admin/index.php?lfj=jfadmin&action=addjf via CSRF, as demonstrated by a payload in...

9.8 CVSS | 7.8 AI score
Exploits 0 | References 1

NVD
added 2019/03/21 4:0 p.m. | 10 views

CVE-2018-19514

In Webgalamb through 7.0, an arbitrary code execution vulnerability could be exploited remotely without authentication. Exploitation requires authentication bypass to access administrative functions of the site to upload a crafted CSV file with a malicious payload that becomes part of a PHP eval...

9.8 CVSS | 9.8 AI score | 0.05263 EPSS
Exploits 2 | References 2

Prion
added 2019/03/21 4:0 p.m. | 9 views

Authentication flaw

In Webgalamb through 7.0, an arbitrary code execution vulnerability could be exploited remotely without authentication. Exploitation requires authentication bypass to access administrative functions of the site to upload a crafted CSV file with a malicious payload that becomes part of a PHP eval...

7.5 CVSS | 9.7 AI score | 0.05263 EPSS
Exploits 2 | References 2 | Affected Software 1

Cvelist
added 2019/03/17 10:6 p.m. | 13 views

CVE-2018-19514

In Webgalamb through 7.0, an arbitrary code execution vulnerability could be exploited remotely without authentication. Exploitation requires authentication bypass to access administrative functions of the site to upload a crafted CSV file with a malicious payload that becomes part of a PHP eval...

9.8 AI score | 0.05263 EPSS
Exploits 2 | References 2

Tenable Nessus
added 2013/02/11 12:0 a.m. | 32 views

php-Charts url.php Remote PHP Code Execution

The php-Charts install hosted on the remote web server contains a flaw that could allow arbitrary PHP code execution. Input passed to the 'wizard/url.php' script is not properly sanitized before being used in a PHP eval call. An unauthenticated, remote attacker could leverage this vulnerability t...

6.4 AI score
Exploits 0 | References 1

Tenable Nessus
added 2012/07/20 12:0 a.m. | 31 views

Eaton Network Shutdown Module view_list.php paneStatusListSortBy Parameter eval() Call Remote PHP Code Execution

The version of the Eaton Network Shutdown Module hosted on the remote web server does not sanitize user input to the 'paneStatusListSortBy' parameter of the 'view_list.php' script before using it as part of a command to be executed via PHP's 'eval' function. An unauthenticated, remote attacker can...

5.8 AI score
Exploits 0

exploitpack
added 2005/08/08 12:0 a.m. | 13 views

SysCP 1.2.x - Multiple Script Execution Vulnerabilities

SysCP 1.2.x - Multiple Script Execution Vulnerabilities source: https://www.securityfocus.com/bid/14490/info SysCP is affected by multiple script execution vulnerabilities. The following specific vulnerabilities were identified: The application is affected by a remote file include vulnerability. ...

0.2 AI score
Exploits 0

Exploit DB
added 2001/07/31 12:0 a.m. | 25 views

phpBB 1.x - Page Header Arbitrary Command Execution

source: https://www.securityfocus.com/bid/3167/info An input validation error exists in phpBB, a freely available WWW forums package. The problem is due to improper validation of some variables in phpBB. It is possible for users registered with the phpBB system to submit values for certain...

7.4 AI score
Exploits 0