CVE-2026-6433

Summary (CVE-2026-6433) : The Custom css-js-php WordPress plugin is vulnerable through versions up to 2.0.7 where unsanitized user input is used in a SQL query and the result is passed to eval(), enabling unauthenticated remote command execution (RCE). Exploitation and impact are stated across mu...

📄 Fuel CMS 1.4.1 PHP Code Injection

This Metasploit module targets a remote code execution vulnerability in Fuel CMS version 1.4.1. The issue stems from improper input sanitization in the filter parameter, which is passed into a dangerous PHP evaluation eval context, enabling code injection...

EUVD-2021-34799

ImpressCMS 1.4.2 contains a remote code execution vulnerability in the autotasks administrative interface that allows authenticated attackers to execute arbitrary PHP code by injecting malicious code into the satcode parameter. Attackers can authenticate, submit a POST request to...

CVE-2022-50944

Aero CMS 0.0.1 contains a PHP code injection vulnerability that allows authenticated attackers to execute arbitrary PHP code by uploading malicious files through the image parameter. Attackers can upload PHP files with embedded code to the admin posts.php endpoint with source=addpost parameter, a...

CVE-2021-47939

Evolution CMS 3.1.6 contains a remote code execution vulnerability that allows authenticated users with module creation permissions to execute arbitrary system commands by injecting PHP code into module parameters. Attackers can send POST requests to /manager/index.php with malicious PHP code in...

CVE-2021-47938

ImpressCMS 1.4.2 suffers a remote code execution (RCE) in the autotasks admin interface. An authenticated attacker can send a crafted sat_code payload via POST to /modules/system/admin.php?fct=autotasks&op=mod, resulting in creation of an executable file that accepts arbitrary commands through GE...

CVE-2022-50944

Aero CMS 0.0.1 is affected by a PHP code injection vulnerability. Authenticated attackers can upload PHP files via the image parameter to the admin posts.php endpoint with source=add_post, leading to server-side code execution. The vulnerability exposes high impact on confidentiality, integrity, ...

CVE-2022-50944

Aero CMS 0.0.1 contains a PHP code injection vulnerability that allows authenticated attackers to execute arbitrary PHP code by uploading malicious files through the image parameter. Attackers can upload PHP files with embedded code to the admin posts.php endpoint with source=addpost parameter, a...

PT-2026-39514

Evolution CMS 3.1.6 contains a remote code execution vulnerability that allows authenticated users with module creation permissions to execute arbitrary system commands by injecting PHP code into module parameters. Attackers can send POST requests to /manager/index.php with malicious PHP code in...

Remote Code Execution (RCE)

dedoc/scramble is vulnerable to Remote Code Execution RCE. The vulnerability is due to unsafe evaluation of user-controlled input during documentation generation, which allows an attacker to execute arbitrary PHP code in the application context...

CVE-2025-67486 Dolibarr has an Authenticated Remote Code Execution via eval() injection in user extrafields

Dolibarr is an enterprise resource planning ERP and customer relationship management CRM software package. Versions 22.0.2 and earlier contains an authenticated remote code execution vulnerability in the user extrafields functionality. User-controlled input from the "computed value" field is pass...

PT-2026-39198

Name of the Vulnerable Software and Affected Versions Emlog versions prior to 2.6.11 Description Insecure plugin upload functionality allows attackers to upload and execute arbitrary PHP code, which can lead to complete server compromise and the installation of a persistent backdoor...

PT-2026-38297

Name of the Vulnerable Software and Affected Versions Scramble versions 0.13.2 through 0.13.21 Description When documentation endpoints are publicly accessible and validation rules reference user-controlled input, request supplied data may be evaluated during documentation generation. This can le...

Grav Vulnerable to Remote Code Execution (RCE) via Malicious Plugin ZIP Upload in Direct Install Feature

Summary An authenticated user with administrative privileges can achieve Remote Code Execution RCE by uploading a specially crafted ZIP file through the "Direct Install" tool. While the system attempts to block direct .php file uploads, it fails to inspect the contents of uploaded ZIP archives...

CVE-2026-34965

Cockpit CMS contains an authenticated remote code execution vulnerability in the /cockpit/collections/savecollection endpoint that allows authenticated attackers with collection management privileges to inject arbitrary PHP code into collection rules parameters. Attackers can inject malicious PHP...

CVE-2026-34965 Cockpit CMS Authenticated Remote Code Execution via Collections

Cockpit CMS contains an authenticated remote code execution vulnerability in the /cockpit/collections/savecollection endpoint that allows authenticated attackers with collection management privileges to inject arbitrary PHP code into collection rules parameters. Attackers can inject malicious PHP...

GHSA-J2RX-4JG9-79MW Cockpit Vulnerable to Unrestricted Upload of File with Dangerous Type

Cockpit versions 2.13.5 and earlier are affected by a misconfiguration within the Bucket component isFileTypeAllowed function where a specially crafted filename bypasses an extension filter. This allows an authenticated attacker to rename arbitrary files with the .php file extension enabling...

CVE-2026-27760 OpenCATS PHP Code Injection via installer AJAX endpoint

OpenCATS prior to commit 3002a29 contains a PHP code injection vulnerability in the installer AJAX endpoint that allows unauthenticated attackers to execute arbitrary code by injecting PHP statements into the databaseConnectivity action parameter. Attackers can break out of the define string...

CVE-2026-27760

OpenCATS vulnerability CVE-2026-27760 affects the installer AJAX endpoint. Prior to commit 3002a29, unauthenticated attackers could inject PHP via the databaseConnectivity action parameter, breaking out of the define() string context in config.php and injecting code that persists and runs on subs...

CVE-2026-27760 OpenCATS PHP Code Injection via installer AJAX endpoint

OpenCATS prior to commit 3002a29 contains a PHP code injection vulnerability in the installer AJAX endpoint that allows unauthenticated attackers to execute arbitrary code by injecting PHP statements into the databaseConnectivity action parameter. Attackers can break out of the define string...