22 matches found

Cvelist
added 2026/04/21 7:54 p.m. · 31 views

CVE-2026-40909 WWBN AVideo has a Path Traversal in Locale Save Endpoint that Enables Arbitrary PHP File Write to Any Web-Accessible Directory (RCE)

WWBN AVideo is an open source video platform. In versions 29.0 and prior, the locale save endpoint locale/save.php constructs a file path by directly concatenating $_POST['flag'] into the path at line 30 without any sanitization. The $_POST['code'] parameter is then written verbatim to that path via...

CVSS 8.7 · EPSS 0.00656
Exploits: 1 · References: 2
Snyk
added 2026/04/14 10:49 p.m. · 9 views

Directory Traversal

Overview: wwbn/avideo is an Audio and Video Platform or simply "A Video Platform". Affected versions of this package are vulnerable to Directory Traversal via the locale/save.php process. An attacker can write arbitrary PHP files to any web-accessible directory and execute code by supplying crafte...

CVSS 8.7 · AI score 6.5 · EPSS 0.00656
Exploits: 1 · References: 2
OSV
added 2026/03/02 9:26 p.m. · 4 views

GHSA-37J7-56XC-C468 Idno Vulnerable to Remote Code Execution via Chained Import File Write and Template Path Traversal

Affected Versions: Tested on current dev branch (build fingerprint 505...7bd86). CVSS v4 Score: 8.6 (CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N). Privileges Required: Web application admin account for file write, any authenticated user for RCE trigger. Summary: Two separate...

CVSS 8.6 · AI score 6.3 · EPSS 0.00673
Exploits: 1 · References: 4
GitHub Security Blog
added 2026/03/02 9:26 p.m. · 8 views

Idno Vulnerable to Remote Code Execution via Chained Import File Write and Template Path Traversal

Affected Versions: Tested on current dev branch (build fingerprint 505...7bd86). CVSS v4 Score: 8.6 (CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N). Privileges Required: Web application admin account for file write, any authenticated user for RCE trigger. Summary: Two separate...

CVSS 8.6 · AI score 6.3 · EPSS 0.00673
Exploits: 1 · References: 4 · Affected Software: 1
Positive Technologies
added 2026/03/02 12:0 a.m. · 5 views

PT-2026-22994

Name of the Vulnerable Software and Affected Versions: Idno versions prior to 1.6.4. Description: Idno, a social publishing platform, contains a remote code execution vulnerability that can be triggered through a chained sequence of issues. Specifically, a web application administrator can be...

CVSS 8.6 · AI score 6.6 · EPSS 0.00673
Exploits: 1 · References: 9
Positive Technologies
added 2026/02/05 12:0 a.m. · 6 views

PT-2026-6567

Pinger 1.0 contains a remote code execution vulnerability that allows attackers to inject shell commands through the ping and socket parameters. Attackers can exploit the unsanitized input in ping.php to write arbitrary PHP files and execute system commands by appending shell metacharacters...

CVSS 9.8 · AI score 6.7 · EPSS 0.03135
Exploits: 0 · References: 4
EUVD
added 2025/10/03 8:7 p.m. · 7 views

EUVD-2022-35251

Malicious code in bioql PyPI...

CVSS 7.2 · AI score 7.1 · EPSS 0.00924
Exploits: 1 · References: 1
RedhatCVE
added 2025/05/22 10:48 p.m. · 6 views

CVE-2022-30037

XunRuiCMS v4.3.3 to v4.5.1 is vulnerable to PHP file write and CMS PHP file inclusion, which allows attackers to execute arbitrary PHP code via the add function in cron.php...

CVSS 7.2 · AI score 7.7 · EPSS 0.00924
Exploits: 1 · References: 1
Vulnrichment
added 2025/04/29 5:11 p.m. · 9 views

CVE-2025-46347 YesWiki Remote Code Execution via Arbitrary PHP File Write and Execution

YesWiki is a wiki system written in PHP. Prior to version 4.5.4, YesWiki is vulnerable to remote code execution. An arbitrary file write can be used to write a file with a PHP extension, which then can be browsed to in order to execute arbitrary code on the server, resulting in a full compromise of...

CVSS 6.5 · AI score 8 · EPSS 0.00821
Exploits: 1 · References: 2
ATTACKERKB
added 2023/11/14 6:15 a.m. · 2 views

CVE-2023-45880

GibbonEdu Gibbon through version 25.0.0 allows Directory Traversal via the report template builder. An attacker can create a new Asset Component. The templateFileDestination parameter can be set to an arbitrary pathname and extension. This allows creation of PHP files outside of the uploads...

CVSS 7.2 · AI score 5.9 · EPSS 0.01211
Exploits: 1 · References: 2
ATTACKERKB
added 2023/08/05 2:15 a.m. · 2 views

CVE-2023-33367

A SQL injection vulnerability exists in Control ID IDSecure 4.7.26.0 and prior, allowing unauthenticated attackers to write PHP files on the server's root directory, resulting in remote code execution...

CVSS 9.8 · AI score 6.2 · EPSS 0.01068
Exploits: 0 · References: 3
Exploit DB
added 2023/03/29 12:0 a.m. · 156 views

Revenue Collection System v1.0 - Remote Code Execution (RCE)

Exploit Title: Revenue Collection System v1.0 - Remote Code Execution (RCE) · Exploit Author: Joe Pollock · Date: November 16, 2022 · Vendor Homepage: https://www.sourcecodester.com/php/14904/rates-system.html · Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/rates.zip...

AI score 7.4
Exploits: 0
NVD
added 2023/03/23 2:15 a.m. · 13 views

CVE-2022-30037

XunRuiCMS v4.3.3 to v4.5.1 is vulnerable to PHP file write and CMS PHP file inclusion, which allows attackers to execute arbitrary PHP code via the add function in cron.php...

CVSS 7.2 · AI score 7.3 · EPSS 0.00924
Exploits: 1 · References: 1
CNNVD
added 2023/03/23 12:0 a.m. · 3 views

XunRuiCMS Security Vulnerability

XunRuiCMS is an open source content management system (CMS) from XunRuiCloud Software Development Company of China. XunRuiCMS v4.3.3 to v4.5.1 contains a security vulnerability that stems from the existence of PHP file write and file...

CVSS 7.2 · AI score 7.4 · EPSS 0.00924
Exploits: 1 · References: 2
Vulnrichment
added 2023/03/23 12:0 a.m. · 6 views

CVE-2022-30037

XunRuiCMS v4.3.3 to v4.5.1 is vulnerable to PHP file write and CMS PHP file inclusion, which allows attackers to execute arbitrary PHP code via the add function in cron.php...

AI score 7.4 · EPSS 0.00924
Exploits: 1 · References: 1
Cvelist
added 2023/03/23 12:0 a.m. · 28 views

CVE-2022-30037

XunRuiCMS v4.3.3 to v4.5.1 is vulnerable to PHP file write and CMS PHP file inclusion, which allows attackers to execute arbitrary PHP code via the add function in cron.php...

AI score 7.5 · EPSS 0.00924
Exploits: 1 · References: 1
Positive Technologies
added 2022/09/22 12:0 a.m. · 2 views

PT-2022-25193 · Unknown · Simple College Website

Name of the Vulnerable Software and Affected Versions: Simple College Website version 1.0. Description: The issue allows attackers to execute arbitrary code via a crafted PHP file, leveraging an arbitrary file write vulnerability. This is achieved through the file_put_contents function...

CVSS 9.8 · AI score 9.6 · EPSS 0.01323
Exploits: 1 · References: 6
CNNVD
added 2022/03/14 12:0 a.m. · 4 views

WordPress plugin WPCargo Track & Trace Code Issue Vulnerability

WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a blogging platform developed using the PHP language, which supports personal blog sites on PHP and MySQL servers. WordPress plugin is an...

CVSS 9.8 · AI score 8.6 · EPSS 0.56148
Exploits: 3 · References: 2
CVE
added 2021/02/08 2:33 p.m. · 41 views

CVE-2020-16629

CVE-2020-16629 affects PhpOK 5.4.137. A SQL injection vulnerability lets an attacker inject attachment data via SQL and then call the attachment replacement function via api.php to write a PHP file to a target path. The issue is documented across multiple sources (CNVD, NVD, Red Hat, CVE lists) w...

CVSS 9.8 · AI score 9.7 · EPSS 0.01441
Exploits: 1 · References: 1 · Affected Software: 1
Cvelist
added 2021/02/08 2:33 p.m. · 22 views

CVE-2020-16629

PhpOK 5.4.137 contains a SQL injection vulnerability that can inject attachment data through SQL, and then call the attachment replacement function through api.php to write a PHP file to the target path...

AI score 9.8 · EPSS 0.01441
Exploits: 1 · References: 1