122 matches found
Exploit for CVE-2026-6433
CVE-2026-6433 — Proof of Concept FlipperCode — Custom CSS,...
CVE-2021-47936
OpenCATS 0.9.4 is affected by a remote code execution vulnerability. Unauthenticated attackers can upload PHP payloads disguised as resume attachments via the careers job application endpoint and then execute commands by accessing the uploaded file. The CVE description in the connected sources co...
Exploit for CVE-2026-36340
CVE-2026-36340 Remote Code Execution RCE Vulnerability in Kr...
CVE-2026-32985
Xerte Online Toolkits
Exploit for CVE-2026-3395
CVE-2026-3395 — MaxSite CMS Unauthenticated Remote Code Execut...
📄 SPIP Gadget Chain Insecure Deserialization
SPIP Gadget Chain versions prior to 4.4.9 suffer from a potential PHP object deserialization vulnerability. Title: SPIP Gadget Chain before 4.4.9...
📄 SuiteCRM 7.11.18 Log File Remote Code Execution
SuiteCRM version 7.11.18 allows modification of the logging configuration. The log filename extension is not validated properly (.pHp is accepted), causing the log to be interpreted as PHP. An attacker then injects a PHP payload into the logs by changing the username lastname field, resulting in the log file...
CVE-2023-53942 File Thingie 2.5.7 Authenticated Arbitrary File Upload Remote Code Execution
File Thingie 2.5.7 contains an authenticated file upload vulnerability that allows remote attackers to upload malicious PHP zip archives to the web server. Attackers can create a custom PHP payload, upload and unzip it, and then execute arbitrary system commands through a crafted PHP script with ...
CVE-2023-53942
CVE-2023-53942 affects File Thingie 2.5.7. The issue is an authenticated file upload vulnerability: attackers can upload PHP zip archives, unzip them, and execute arbitrary system commands via a crafted PHP script with a command parameter. PT-2025-52321 notes the vulnerability requires minimal au...
CVE-2025-56399
alexusmai laravel-file-manager 3.3.1 and before allows an authenticated attacker to achieve Remote Code Execution (RCE) through a crafted file upload. A file with a '.png' extension containing PHP code can be uploaded via the file manager interface. Although the upload appears to fail client-side...
CVE-2025-56399
CVE-2025-56399 affects alexusmai/laravel-file-manager 3.3.1 and earlier. An authenticated user can upload a PNG containing PHP code; the upload may bypass client-side validation and be saved on the server. By using the rename API to switch the extension to .php, the file can be accessed via a pub...
EUVD-2013-7281
Malware in sbrugna...
EUVD-2024-38333
Malicious code in bioql PyPI...
EUVD-2021-29609
Malicious code in bioql PyPI...
Exploit for CVE-2025-56399
CVE-2025-56399 – Authenticated Remote Code Execution in larav...
CVE-2025-52353
An arbitrary code execution vulnerability exists in Badaso CMS 2.9.11. The Media Manager allows authenticated users to upload files containing embedded PHP code via the file-upload endpoint, bypassing content-type validation. When such a file is accessed via its URL, the server executes the PHP payload,...
📄 PivotX 3.0.0 RC 3 Remote Code Execution
This Metasploit module gains remote code execution in the PivotX management system version 3.0.0 RC 3. PivotX allows an admin user to directly edit files on the webserver, including PHP files. The module exploits this by writing a malicious payload into the index.php file, gaining remote code execution...
CVE-2013-10066
An unauthenticated arbitrary file upload vulnerability exists in Kordil EDMS v2.2.60rc3. The application exposes an upload endpoint usersadd.php that allows attackers to upload files to the /userpictures/ directory without authentication. This flaw enables remote code execution by uploading a PHP...
CVE-2013-10033
An unauthenticated SQL injection vulnerability exists in Kimai version 0.9.2.x via the dbrestore.php endpoint. The flaw allows attackers to inject arbitrary SQL queries into the dates POST parameter, enabling file write via INTO OUTFILE under specific environmental conditions. This can lead to...