406 matches found
CVE-2025-34060
A PHP objection injection vulnerability exists in the Monero Project’s Laravel-based forum software due to unsafe handling of untrusted input in the /get/image/ endpoint. The application passes a user-supplied link parameter directly to filegetcontents without validation. MIME type checks using...
CVE-2025-34060
A PHP objection injection vulnerability exists in the Monero Project’s Laravel-based forum software due to unsafe handling of untrusted input in the /get/image/ endpoint. The application passes a user-supplied link parameter directly to filegetcontents without validation. MIME type checks using...
CVE-2025-48492
GetSimple CMS is a content management system. In versions starting from 3.3.16 to 3.3.21, an authenticated user with access to the Edit component can inject arbitrary PHP into a component file and execute it via a crafted query string, resulting in Remote Code Execution RCE. This issue is set to ...
CVE-2025-48492
GetSimple CMS is a content management system. In versions starting from 3.3.16 to 3.3.21, an authenticated user with access to the Edit component can inject arbitrary PHP into a component file and execute it via a crafted query string, resulting in Remote Code Execution RCE. This issue is set to ...
CVE-2025-48492 GetSimple CMS RCE in Edit component
GetSimple CMS is a content management system. In versions starting from 3.3.16 to 3.3.21, an authenticated user with access to the Edit component can inject arbitrary PHP into a component file and execute it via a crafted query string, resulting in Remote Code Execution RCE. This issue is set to ...
CVE-2025-48492
GetSimple CMS is affected in versions 3.3.16–3.3.21. An authenticated user with access to the Edit component can inject arbitrary PHP into a component file and execute it via a crafted query string, resulting in Remote Code Execution (RCE). The issue is mitigated by upgrading to version 3.3.22, w...
CVE-2025-48492 GetSimple CMS RCE in Edit component
GetSimple CMS is a content management system. In versions starting from 3.3.16 to 3.3.21, an authenticated user with access to the Edit component can inject arbitrary PHP into a component file and execute it via a crafted query string, resulting in Remote Code Execution RCE. This issue is set to ...
CVE-2024-36679
In the module "Module Live Chat Pro All in One Messaging" livechatpro =8.4.0, a guest can perform PHP Code injection. Due to a predictable token, the method Lcp::saveTranslations suffer of a white writer that can inject PHP code into a PHP file...
CVE-2024-21519
This affects versions of the package opencart/opencart from 4.0.0.0. An Arbitrary File Creation issue was identified via the database restoration functionality. By injecting PHP code into the database, an attacker with admin privileges can create a backup file with an arbitrary filename including...
CVE-2023-50029
PHP Injection vulnerability in the module "M4 PDF Extensions" m4pdf up to version 3.3.2 from PrestaAddons for PrestaShop allows attackers to run arbitrary code via the M4PDF::saveTemplate method...
CVE-2023-36992
PHP injection in TravianZ 8.3.4 and 8.3.3 in the config editor in the admin page allows remote attackers to execute PHP code...
CVE-2022-36262
An issue was discovered in taocms 3.0.2. in the website settings that allows arbitrary php code to be injected by modifying config.php...
CVE-2022-28960
A PHP injection vulnerability in Spip before v3.2.8 allows attackers to execute arbitrary PHP code via the oups parameter at /ecrire...
CVE-2021-24280
In the Redirection for Contact Form 7 WordPress plugin before 2.3.4, any authenticated user, such as a subscriber, could use the importfromdebug AJAX action to inject PHP objects...
CVE-2019-17301
SugarCRM before 8.0.4 and 9.x before 9.0.2 allows PHP code injection in the ModuleBuilder module by an Admin user...
Fake Security Plugin on WordPress Enables Remote Admin Access for Attackers
Cybersecurity researchers have shed light on a new campaign targeting WordPress sites that disguises the malware as a security plugin. The plugin, which goes by the name "WP-antymalwary-bot.php," comes with a variety of features to maintain access, hide itself from the admin dashboard, and execut...
WordPress All in One WP Migration plugin <= 7.89 - Unauthenticated PHP Object Injection vulnerability
Unauthenticated PHP Object Injection vulnerability discovered by Webbernaut in WordPress Plugin All-in-One WP Migration versions = 7.89...
Wazuh 4.4.0 Remote Code Execution
Wazuh version 4.4.0 proof of concept remote code execution exploit with a reverse shell. ============================================================================================================================================= | Title : Wazuh v4.4.0 PHP Code Injection Vulnerability | | Author...
USN-7318-1: SPIP vulnerabilities
It was discovered that svg-sanitizer, vendored in SPIP, did not properly sanitize SVG/XML content. An attacker could possibly use this issue to perform cross site scripting. This issue only affected Ubuntu 24.10. CVE-2022-23638 It was discovered that SPIP did not properly sanitize certain inputs....
USN-7318-1 spip vulnerabilities
It was discovered that svg-sanitizer, vendored in SPIP, did not properly sanitize SVG/XML content. An attacker could possibly use this issue to perform cross site scripting. This issue only affected Ubuntu 24.10. CVE-2022-23638 It was discovered that SPIP did not properly sanitize certain inputs....