PT-2026-42013
Name of the Vulnerable Software and Affected Versions: CtrlPanel versions prior to 1.2.0. Description: An authenticated admin-level user can achieve Remote Code Execution by supplying an arbitrary class name available in the Composer autoloader. The admin settings update endpoint accepts a fully...
PT-2026-29658
Description: The oauth2.php file in OpenSTAManager is an unauthenticated endpoint (`$skip_permissions = true`). It loads a record from the `zz_oauth2` table using the attacker-controlled GET parameter `state`, and during the OAuth2 configuration flow calls unserialize on the access token field without any...
Exploit for CVE-2021-3129
CVE-2021-3129 Unauthenticated RCE in Laravel Ignition via F...
WP 6.4-6.4.1 - POP Chain
Description: WP 6.4 introduced a PHP gadget chain. While the issue is not directly exploitable, it could be used along with a PHP unserialization, for example in a plugin or theme installed on the blog, to achieve RCE...
CVE-2022-23940
SuiteCRM through 7.12.1 and 8.x through 8.0.1 allows Remote Code Execution. Authenticated users with access to the Scheduled Reports module can achieve this by leveraging PHP deserialization in the emailrecipients property. By using a crafted request, they can create a malicious report, containin...
CVE-2022-23940
SuiteCRM remote code execution (CVE-2022-23940) affects 7.12.1 and 8.x up to 8.0.1. Exploitation relies on deserializing crafted data in email_recipients within the Scheduled Reports module, allowing an authenticated user to trigger PHP object deserialization and execute code. The description not...