406 matches found
Cockpit CMS 0.6.1 - Remote Code Execution
Cockpit before 0.6.1 allows an attacker to inject custom PHP code and achieve Remote Command Execution via registerCriteriaFunction in lib/MongoLite/Database.php, as demonstrated by values in JSON data to the /auth/check or /auth/requestreset URI. id: CVE-2020-35131 info: name: Cockpit CMS 0.6.1 ...
EUVD-2017-18977
WordPress Insert PHP plugin versions before 3.3.1 contain a PHP code injection vulnerability that allows unauthenticated attackers to execute arbitrary PHP code by injecting malicious shortcodes through the WordPress REST API. Attackers can send POST requests to the wp-json/wp/v2/posts endpoint...
EUVD-2018-21879
Dolibarr ERP CRM 7.0.3 contains a remote code evaluation vulnerability that allows unauthenticated attackers to execute arbitrary code by injecting PHP code through the dbname parameter. Attackers can send a POST request to install/step1.php with malicious PHP code in the dbname parameter, then...
CVE-2018-25357 Dolibarr ERP CRM 7.0.3 Remote Code Execution via install/step1.php
Dolibarr ERP CRM 7.0.3 contains a remote code execution vulnerability that allows unauthenticated attackers to execute arbitrary code by injecting PHP code through the dbname parameter. Attackers can send a POST request to install/step1.php with malicious PHP code in the dbname parameter, then...
Revive Adserver: PHP code injection via unexpected delivery limitation parameter
A vulnerability was reported in Revive Adserver 6.0.6 and earlier versions where user input was not properly validated when saving delivery limitations. This allowed a low-privileged user to inject malicious PHP code into the compiledlimitations field, which could then be executed during banner...
📄 Dolibarr ERP/CRM Authenticated Code Injection
Dolibarr ERP/CRM versions prior to 17.0.1 allow remote code execution by an authenticated user who has access to the Website module. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Dolibarr...
EUVD-2026-30175
CubeCart is an ecommerce software solution. Prior to 6.7.3, an admin with documents edit permission can save raw into the Invoice Editor. The next time any admin clicks Print on any order, the rendered template is written to files/print..php. files/.htaccess ships an explicit allow from all...
CVE-2026-45708 CubeCart: Authenticated RCE via Invoice Template → Order Print
CubeCart is an ecommerce software solution. Prior to 6.7.3, an admin with documents edit permission can save raw into the Invoice Editor. The next time any admin clicks Print on any order, the rendered template is written to files/print..php. files/.htaccess ships an explicit allow from all...
CVE-2021-47939
Evolution CMS 3.1.6 contains a remote code execution vulnerability that allows authenticated users with module creation permissions to execute arbitrary system commands by injecting PHP code into module parameters. Attackers can send POST requests to /manager/index.php with malicious PHP code in...
CVE-2021-47939 Evolution CMS 3.1.6 Authenticated Remote Code Execution via Module Creation
Evolution CMS 3.1.6 contains a remote code execution vulnerability that allows authenticated users with module creation permissions to execute arbitrary system commands by injecting PHP code into module parameters. Attackers can send POST requests to /manager/index.php with malicious PHP code in...
CVE-2026-34965
CVE-2026-34965 (Cockpit CMS) : An authenticated remote code execution flaw exists in the /cockpit/collections/save_collection endpoint. Attackers with collection management privileges can inject arbitrary PHP code into collection rules parameters, which is written to server-side PHP files and lat...
CVE-2026-34965
Cockpit CMS contains an authenticated remote code execution vulnerability in the /cockpit/collections/savecollection endpoint that allows authenticated attackers with collection management privileges to inject arbitrary PHP code into collection rules parameters. Attackers can inject malicious PHP...
EUVD-2026-24134
In Dolibarr ERP & CRM = 22.0.4, PHP code detection and editing permission enforcement in the Website module is not applied consistently to all input parameters, allowing an authenticated user restricted to HTML/JavaScript editing to inject PHP code through unprotected inputs during website page...
CVE-2026-31018
In Dolibarr ERP & CRM = 22.0.4, PHP code detection and editing permission enforcement in the Website module is not applied consistently to all input parameters, allowing an authenticated user restricted to HTML/JavaScript editing to inject PHP code through unprotected inputs during website page...
USN-8150-1 spip vulnerabilities
It was discovered that SPIP did not properly sanitize certain inputs. A remote attacker could possibly use this issue to perform cross site scripting. CVE-2022-28959 It was discovered that SPIP did not properly sanitize certain inputs. A remote attacker could possibly use this issue to perform PH...
USN-8150-1: SPIP vulnerabilities
It was discovered that SPIP did not properly sanitize certain inputs. A remote attacker could possibly use this issue to perform cross site scripting. CVE-2022-28959 It was discovered that SPIP did not properly sanitize certain inputs. A remote attacker could possibly use this issue to perform PH...
CVE-2026-3300
The Everest Forms Pro plugin for WordPress is vulnerable to Remote Code Execution via PHP Code Injection in all versions up to, and including, 1.9.12. This is due to the Calculation Addon's processfilter function concatenating user-submitted form field values into a PHP code string without proper...
EUVD-2026-17275
The Everest Forms Pro plugin for WordPress is vulnerable to Remote Code Execution via PHP Code Injection in all versions up to, and including, 1.9.12. This is due to the Calculation Addon's processfilter function concatenating user-submitted form field values into a PHP code string without proper...
CVE-2026-3300 Everest Forms Pro <= 1.9.12 - Unauthenticated Remote Code Execution via Calculation Field
The Everest Forms Pro plugin for WordPress is vulnerable to Remote Code Execution via PHP Code Injection in all versions up to, and including, 1.9.12. This is due to the Calculation Addon's processfilter function concatenating user-submitted form field values into a PHP code string without proper...
CVE-2026-3300
CVE-2026-3300 affects Everest Forms Pro for WordPress (versions