CVE-2026-48527
HAX CMS helps manage a microsite universe with PHP or NodeJs backends. Versions up to and including 26.0.0 are affected by a stored cross-site scripting (XSS) vulnerability in the /system/api/saveNode endpoint. An authenticated user with permission to edit pages can bypass the HTML sanitizer by...
EUVD-2026-33286
HAX CMS helps manage a microsite universe with PHP or NodeJs backends. Versions up to and including 26.0.0 are affected by a stored cross-site scripting (XSS) vulnerability in the /system/api/saveNode endpoint. An authenticated user with permission to edit pages can bypass the HTML sanitizer by...
CLSA-2025-1767000167 php: Fix of CVE-2025-1735
CVE-2025-1735: add error checks to prevent crashes and improperly escaped data when PostgreSQL rejects invalid strings...
EUVD-2012-2310
Malware in sbrugna...
EUVD-2004-2682
Malware in sbrugna...
GHSA-3432-FMRF-7VMH Chrome PHP is missing encoding in `CssSelector`
Impact: CSS Selector expressions are not properly encoded, which can lead to cross-site scripting (XSS) vulnerabilities. Patches: This is patched in v1.14.0. Workarounds: Users can apply encoding manually to their selectors if they are unable to upgrade...
CLSA-2025-1744631408 php: Fix of CVE-2024-11235
CVE-2024-11235: fix use-after-free for the `??=` operator due to incorrect live-range calculation...
CLSA-2025-1740242864 php: Fix of CVE-2024-8929
Fixup for CVE-2024-8929: support COM_FIELD_LIST...
CLSA-2024-1714728164 Fix CVE(s): CVE-2022-31629, CVE-2024-2756
SECURITY UPDATE: possible insecure cookie abuse - debian/patches/php-7.3-CVE-2024-2756.patch: fix __Host-/__Secure- cookie bypass due to partial CVE-2022-31629 fix - CVE-2024-2756...
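The two cookie CVEs above both come down to the same thing: the key under which PHP registers a cookie in `$_COOKIE` is not necessarily the name the browser sent, because PHP mangles incoming variable names (a `.` or a space becomes `_`), so a cookie that never met the browser's `__Host-`/`__Secure-` rules (Secure, Path=/, no Domain) can be registered under a `__Host-` key on an unpatched interpreter. The check below is an added example, not code from the PHP project or from the CLSA advisory: it parses the raw Cookie header itself and accepts a prefixed cookie only when its exact name is present. The cookie name `__Host-session` and the two header strings are constructed for illustration.

```php
<?php
// Added example (not PHP project or CLSA code): trust the raw Cookie header,
// not the mangled $_COOKIE key, before honouring a __Host-/__Secure- cookie.
// PHP turns '.' and ' ' in an incoming name into '_', so without the
// CVE-2022-31629/CVE-2024-2756 fixes a browser cookie named '_.Host-session'
// ends up in $_COOKIE['__Host-session'] even though the browser applied none
// of the __Host- guarantees to it.
// The cookie name and both header values below are constructed for illustration.

function raw_cookie_names(string $header): array {
    // Split "name=value; name2=value2" exactly as the browser sent it;
    // names are taken verbatim, with no character substitution.
    $names = [];
    foreach (explode(';', $header) as $pair) {
        $pair = ltrim($pair, " \t");
        if ($pair === '') {
            continue;
        }
        $eq = strpos($pair, '=');
        $names[] = ($eq === false) ? $pair : substr($pair, 0, $eq);
    }
    return $names;
}

function has_exact_prefixed_cookie(string $header, string $name): bool {
    if (strncmp($name, '__Host-', 7) !== 0 && strncmp($name, '__Secure-', 9) !== 0) {
        throw new InvalidArgumentException('expected a __Host- or __Secure- cookie name');
    }
    // Strict comparison: '_.Host-session' is not '__Host-session'.
    return in_array($name, raw_cookie_names($header), true);
}

// In a web request $_SERVER['HTTP_COOKIE'] is the raw header; the fallback is a
// constructed value so the script also runs from the CLI.
$header = $_SERVER['HTTP_COOKIE'] ?? 'theme=dark; _.Host-session=abc123';
if (!has_exact_prefixed_cookie($header, '__Host-session')) {
    // Drop the possibly mangled key before any session logic reads it.
    unset($_COOKIE['__Host-session']);
}

// Legitimate header: the browser only sends a __Host- cookie it set as Secure, Path=/, no Domain.
var_dump(has_exact_prefixed_cookie('theme=dark; __Host-session=abc123', '__Host-session'));
// Mangling collision: the dot would become '_' in $_COOKIE, but the raw name does not match.
var_dump(has_exact_prefixed_cookie('theme=dark; _.Host-session=abc123', '__Host-session'));
```

The check is a belt-and-braces measure for applications that cannot move to a fixed PHP build immediately; on patched interpreters PHP itself refuses to register a mangled name under a `__Host-`/`__Secure-` key, and the raw-header comparison simply agrees with it.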
[R1] PHP Stand-alone Patch Available for Tenable.sc versions 5.7.x to 5.11.x
Tenable.sc leverages third-party software to help provide underlying functionality. One of the third-party components, PHP, was found to contain vulnerabilities, and updated versions have been made available by the providers. Out of caution and in line with good practice, Tenable opted to provide a...
Joomla 1.5.0 to 3.4.5 Object Injection via User-Agent
Joomla suffers from an unauthenticated remote code execution that affects all versions from 1.5.0 to 3.4.5. Joomla stores user-supplied HTTP headers in the database session table, and the stored value can be truncated by sending a 4-byte UTF-8 character that the table's 3-byte utf8 charset rejects. The crafted payload is then executed once the sessi...
Joomla HTTP Header Unauthenticated Remote Code Execution
This module requires Metasploit: http://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework require 'msf/core' class Metasploit3 [...] 'Joomla HTTP Header Unauthenticated Remote Code Execution', 'Description' => %q{ Joomla suffers from an unauthenticated remote code...
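The two Joomla entries above describe one bug class: attacker-controlled header data is serialized into a session row, the row is cut short by the database, and the altered blob is later fed to unserialize(), which instantiates whatever objects it finds. The example below is added here and is not Joomla code or the Metasploit module: it shows the two checks a practitioner would want around such a flow, rejecting header values that a 3-byte `utf8` MySQL column would truncate, and reading session data with `allowed_classes` disabled (PHP 7.0 and later) so that no object from the blob is ever constructed. The `Example` class, the header strings and the session blob are constructed for illustration.

```php
<?php
// Added example (not Joomla or Metasploit code): hardening for the
// "header -> session table -> unserialize()" flow described above.
// 1) refuse header values a 3-byte 'utf8' (utf8mb3) column would truncate,
//    since a truncated serialized string changes what unserialize() sees;
// 2) unserialize session data with allowed_classes => false so no object,
//    however it got into the blob, is instantiated (PHP >= 7.0).
// The class, header strings and blob below are constructed for illustration.

function storable_in_utf8mb3(string $value): bool {
    // Reject invalid UTF-8 outright, then reject any 4-byte sequence:
    // lead bytes 0xF0-0xF4 start characters utf8mb3 cannot store.
    if (!mb_check_encoding($value, 'UTF-8')) {
        return false;
    }
    return preg_match('/[\xF0-\xF4]/', $value) === 0;
}

function read_session(string $blob): array {
    // With allowed_classes => false every object in the blob is returned as a
    // __PHP_Incomplete_Class and its __wakeup()/__destruct() hooks never run.
    $data = unserialize($blob, ['allowed_classes' => false]);
    return is_array($data) ? $data : [];
}

// Constructed stand-in for a class whose magic method an attacker would want triggered.
class Example {
    public $cmd = 'id';
    public function __wakeup() {
        echo "wakeup ran\n";
    }
}

$ua_ok  = 'Mozilla/5.0 (X11; Linux x86_64)';
$ua_bad = "Mozilla/5.0 \xF0\x9F\x98\x80 payload"; // contains U+1F600, a 4-byte character
var_dump(storable_in_utf8mb3($ua_ok));
var_dump(storable_in_utf8mb3($ua_bad));

// A session blob that carries an object; read_session() refuses to instantiate it.
$blob    = serialize(['user' => 'guest', 'ua' => new Example()]);
$session = read_session($blob);
var_dump(get_class($session['ua']));
```

Storing the header with a `utf8mb4` column (or not storing raw headers in the session at all) removes the truncation primitive; `allowed_classes => false` removes the object-injection sink even if a blob is tampered with by some other route. Both are independent of the Joomla fix and apply to any PHP application that serializes request data.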
pSys v0.7.0 Alpha (chatbox.php) Remote SQL Injection Vulnerability
No description provided by source. Exploit banner: pSys v0.7.0 Alpha chatbox.php Remote SQL Injection | works only with magic quotes = off | coded by DNX | Discovered: DNX | Vendor: ...
CVE-2004-2692
The execdir PHP patch (php-exec-dir) 4.3.2 through 4.3.7, with safe mode disabled, allows remote attackers to bypass restrictions and execute arbitrary commands via a backtick operator, which is not handled using the php_escape_shell_cmd function...