Lucene search
K

857 matches found

Packet Storm News
Packet Storm News
added 2026/04/03 12:0 a.m.3 views

OWASP CRS Arbitrary File Upload

A vulnerability was identified in OWASP CRS where whitespace padding in filenames can bypass file upload extension checks, allowing uploads of dangerous files such as .php, .phar, .jsp, and .jspx. This has been addressed in versions 3.3.9, 4.25.x LTS, and 4.8.x...

6.8CVSS5.8AI score0.02172EPSS
Exploits0
RedhatCVE
RedhatCVE
added 2026/04/01 5:0 a.m.5 views

CVE-2026-34036

Dolibarr is an enterprise resource planning ERP and customer relationship management CRM software package. In versions 22.0.4 and prior, there is a Local File Inclusion LFI vulnerability in the core AJAX endpoint /core/ajax/selectobject.php. By manipulating the objectdesc parameter and exploiting...

6.5CVSS6AI score0.00419EPSS
Exploits2References1
NVD
NVD
added 2026/03/31 3:15 a.m.3 views

CVE-2026-34036

Dolibarr is an enterprise resource planning ERP and customer relationship management CRM software package. In versions 22.0.4 and prior, there is a Local File Inclusion LFI vulnerability in the core AJAX endpoint /core/ajax/selectobject.php. By manipulating the objectdesc parameter and exploiting...

6.5CVSS0.00419EPSS
Exploits2References2
UbuntuCve
UbuntuCve
added 2026/03/31 3:15 a.m.4 views

CVE-2026-34036

Dolibarr is an enterprise resource planning ERP and customer relationship management CRM software package. In versions 22.0.4 and prior, there is a Local File Inclusion LFI vulnerability in the core AJAX endpoint /core/ajax/selectobject.php. By manipulating the objectdesc parameter and exploiting...

6.5CVSS6AI score0.00419EPSS
Exploits2References3
OSV
OSV
added 2026/03/31 1:39 a.m.5 views

CVE-2026-34036 Dolibarr Core Discloses Sensitive Data via Authenticated Local File Inclusion in selectobject.php

Dolibarr is an enterprise resource planning ERP and customer relationship management CRM software package. In versions 22.0.4 and prior, there is a Local File Inclusion LFI vulnerability in the core AJAX endpoint /core/ajax/selectobject.php. By manipulating the objectdesc parameter and exploiting...

6.5CVSS6AI score0.00419EPSS
Exploits2References4
RedhatCVE
RedhatCVE
added 2026/03/26 3:0 p.m.5 views

CVE-2026-33513

WWBN AVideo is an open source video platform. In versions up to and including 26.0, an unauthenticated API endpoint APIName=locale concatenates user input into an include path with no canonicalization or whitelist. Path traversal is accepted, so arbitrary PHP files under the web root can be...

8.6CVSS6.4AI score0.0074EPSS
Exploits1References1
ATTACKERKB
ATTACKERKB
added 2026/03/24 11:27 a.m.7 views

CVE-2019-25647

PhreeBooks ERP 5.2.3 contains a remote code execution vulnerability in the image manager that allows authenticated attackers to upload and execute arbitrary PHP files by bypassing file extension controls. Attackers can upload malicious PHP files through the image manager endpoint and execute them...

8.8CVSS6.7AI score0.00798EPSS
Exploits1References4Affected Software1
NVD
NVD
added 2026/03/23 7:16 p.m.6 views

CVE-2026-33513

WWBN AVideo is an open source video platform. In versions up to and including 26.0, an unauthenticated API endpoint APIName=locale concatenates user input into an include path with no canonicalization or whitelist. Path traversal is accepted, so arbitrary PHP files under the web root can be...

8.6CVSS0.0074EPSS
Exploits1References1
CNNVD
CNNVD
added 2026/03/23 12:0 a.m.8 views

WWBN AVideo 代码问题漏洞

WWBN AVideo is a video platform building system written in PHP, developed by the WWBN team. Versions of WWBN AVideo prior to 26.0 contained code vulnerabilities. These vulnerabilities stemmed from the downloadVideoFromDownloadURL function using the original file name and extension of the remote...

8.8CVSS5.9AI score0.00395EPSS
Exploits1References2
Cvelist
Cvelist
added 2026/03/11 6:23 p.m.29 views

CVE-2019-25480 ARMBot Unrestricted File Upload via upload.php

ARMBot contains an unrestricted file upload vulnerability in upload.php that allows unauthenticated attackers to upload arbitrary files by manipulating the file parameter with path traversal sequences. Attackers can upload PHP files with traversal payloads ../publichtml/ to write executable code ...

8.7CVSS0.00717EPSS
Exploits0References2
CVE
CVE
added 2026/03/06 12:18 p.m.15 views

CVE-2018-25162

CVE-2018-25162 affects 2-Plan Team 1.0.4. An authenticated attacker can upload executable PHP files via managefile.php, by sending multipart form data with action=upload and the userfile1 parameter. Uploaded PHP files are stored in the files directory and may be executed by the web server, enabli...

7.1CVSS6.2AI score0.00444EPSS
Exploits0References2
CVE
CVE
added 2026/02/27 9:23 a.m.16 views

CVE-2024-10938

The CVE-2024-10938 entry concerns the OVRI Payment WordPress plugin (v1.7.0). The connected documents describe malicious ".htaccess" files included with the plugin that contain directives intended to block execution of certain scripts while permitting execution of selected malicious PHP files. If...

6.5CVSS6.1AI score0.00307EPSS
Exploits0References3
Vulnrichment
Vulnrichment
added 2026/02/20 10:54 p.m.5 views

CVE-2018-25158 Chamilo LMS 1.11.8 Arbitrary File Upload via elfinder

Chamilo LMS 1.11.8 contains an arbitrary file upload vulnerability that allows authenticated users to upload and execute PHP files through the elfinder filemanager module. Attackers can upload files with image headers in the social myfiles section, rename them to PHP extensions, and execute...

8.8CVSS6AI score0.00376EPSS
Exploits0References3
NVD
NVD
added 2026/02/18 6:24 p.m.8 views

CVE-2025-70151

code-projects Scholars Tracking System 1.0 allows an authenticated attacker to achieve remote code execution via unrestricted file upload. The endpoints updateprofilepicture.php and uploadpicture.php store uploaded files in a web-accessible uploads/ directory using the original, user-supplied...

8.8CVSS0.00589EPSS
Exploits1References2
NVD
NVD
added 2026/02/05 5:16 p.m.8 views

CVE-2020-37123

Pinger 1.0 contains a remote code execution vulnerability that allows attackers to inject shell commands through the ping and socket parameters. Attackers can exploit the unsanitized input in ping.php to write arbitrary PHP files and execute system commands by appending shell metacharacters...

9.8CVSS0.03135EPSS
Exploits0References3
ATTACKERKB
ATTACKERKB
added 2026/02/03 10:1 p.m.3 views

CVE-2020-37091

Maian Support Helpdesk 4.3 contains a cross-site request forgery vulnerability that allows attackers to create administrative accounts without authentication. Attackers can craft malicious HTML forms to add admin users and upload PHP files with unrestricted file upload capabilities through the FA...

5.3CVSS5.2AI score0.0015EPSS
Exploits0References3Affected Software1
ATTACKERKB
ATTACKERKB
added 2026/01/30 10:7 p.m.5 views

CVE-2020-37023

Koken CMS 0.22.24 contains a file upload vulnerability that allows authenticated attackers to bypass file extension restrictions by renaming malicious PHP files. Attackers can upload PHP files with system command execution capabilities by manipulating the file upload request through a web proxy a...

8.8CVSS6AI score0.00601EPSS
Exploits0References5Affected Software1
Positive Technologies
Positive Technologies
added 2026/01/30 12:0 a.m.12 views

PT-2026-5465

Koken CMS 0.22.24 contains a file upload vulnerability that allows authenticated attackers to bypass file extension restrictions by renaming malicious PHP files. Attackers can upload PHP files with system command execution capabilities by manipulating the file upload request through a web proxy a...

8.8CVSS6AI score0.00601EPSS
Exploits0References6
Vulnrichment
Vulnrichment
added 2026/01/23 4:47 p.m.4 views

CVE-2021-47888 Textpattern 4.8.3 - Remote code execution

Textpattern versions prior to 4.8.3 contain an authenticated remote code execution vulnerability that allows logged-in users to upload malicious PHP files. Attackers can upload a PHP file with a shell command execution payload and execute arbitrary commands by accessing the uploaded file through ...

8.8CVSS6.8AI score0.00602EPSS
Exploits0References4
Cvelist
Cvelist
added 2026/01/23 4:47 p.m.32 views

CVE-2021-47888 Textpattern 4.8.3 - Remote code execution

Textpattern versions prior to 4.8.3 contain an authenticated remote code execution vulnerability that allows logged-in users to upload malicious PHP files. Attackers can upload a PHP file with a shell command execution payload and execute arbitrary commands by accessing the uploaded file through ...

8.8CVSS0.00602EPSS
Exploits0References4
Rows per page
Query Builder