Lucene search
2595 matches found

OSV
added 2025/09/09 8:52 p.m. · 3 views

GHSA-VGMM-27FC-VMGP Maho is Vulnerable to Authenticated Remote Code Execution via File Upload

Summary In Maho 25.7.0, an authenticated staff user with access to the Dashboard and Catalog\Manage Products permissions can create a custom option on a listing with a file input field. By allowing file uploads with a .php extension, the user can use the field to upload malicious PHP files, gaini...

CVSS 8.7 · AI score 8.4 · EPSS 0.00286
Exploits 0 · References 4
NVD
added 2025/09/08 10:15 p.m. · 3 views

CVE-2025-58449

Maho is a free and open source ecommerce platform. In Maho prior to 25.9.0, an authenticated staff user with access to the Dashboard and Catalog\Manage Products permissions can create a custom option on a listing with a file input field. By allowing file uploads with a .php extension, the user ca...

CVSS 8.7 · EPSS 0.00286
Exploits 0 · References 2
CNNVD
added 2025/09/05 12:00 a.m. · 4 views

WordPress plugin InPost Gallery Security Vulnerability

WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a blogging platform developed using the PHP language. The platform supports setting up personal blog sites on servers with PHP and MySQL. WordPress plugin is an application plugin. A security vulnerability...

CVSS 7.5 · AI score 6.4 · EPSS 0.00361
Exploits 0 · References 2
CVE
added 2025/09/03 6:32 p.m. · 18 views

CVE-2025-9923

CVE-2025-9923 — Affected product: Campcodes Sales and Inventory System 1.0. The flaw is a cross-site scripting (XSS) vulnerability in an unknown part of the file /index.php, triggered by manipulating the page argument. The attack can be launched remotely, and exploits have been published. Public ...

CVSS 6.1 · AI score 5.1 · EPSS 0.00379
Exploits 1 · References 8 · Affected Software 1
RedhatCVE
added 2025/09/03 9:35 a.m. · 2 views

CVE-2025-9772

A vulnerability was detected in RemoteClinic up to 2.0. This affects an unknown part of the file /staff/edit.php. Performing manipulation of the argument image results in unrestricted upload. The attack can be initiated remotely. The exploit is now public and may be used. This vulnerability only...

CVSS 9.8 · AI score 7 · EPSS 0.0049
Exploits 1 · References 1
RedhatCVE
added 2025/09/02 10:35 p.m. · 3 views

CVE-2025-9749

A vulnerability was identified in HKritesh009 Grocery List Management Web App up to f491b681eb70d465f445c9a721415c965190f83b. This affects an unknown part of the file /src/update.php. The manipulation of the argument ID leads to sql injection. It is possible to initiate the attack remotely. The...

CVSS 9.8 · AI score 7.5 · EPSS 0.00435
Exploits 1 · References 1
OSV
added 2025/09/02 7:15 p.m. · 2 views

CVE-2025-9829

A vulnerability was identified in PHPGurukul Beauty Parlour Management System 1.1. The impacted element is an unknown function of the file /signup.php. The manipulation of the argument mobilenumber leads to sql injection. Remote exploitation of the attack is possible. The exploit is publicly...

CVSS 9.8 · AI score 5.7 · EPSS 0.00415
Exploits 1 · References 7
Tenable Nessus
added 2025/09/02 12:00 a.m. · 6 views

Linux Distros Unpatched Vulnerability : CVE-2023-42802

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - GLPI is a free asset and IT management software package. Starting in version 10.0.7 and prior to version 10.0.10, an unverified object instantiation allows one ...

CVSS 10 · AI score 7.9 · EPSS 0.00849
Exploits 0 · References 2
CVE
added 2025/08/31 8:02 a.m. · 12 views

CVE-2025-9722

Portabilis i-Educar (up to 2.10) is affected. The vulnerability is a cross-site scripting in the file /intranet/educar_tipo_ocorrencia_disciplinar_cad.php, caused by improper handling of the nm_tipo/descricao (or nm_tipo_descricao) argument. It can be exploited remotely; public exploits exist. Co...

CVSS 5.4 · AI score 3.8 · EPSS 0.00217
Exploits 0 · References 5 · Affected Software 1
Positive Technologies
added 2025/08/31 12:00 a.m. · 23 views

PT-2025-35402

Name of the Vulnerable Software and Affected Versions: Portabilis i-Educar versions up to 2.10 Description: A vulnerability exists in Portabilis i-Educar that allows for cross site scripting. The issue is related to the manipulation of the nm_tipo argument within the file /intranet/educar_tipo...

CVSS 5.4 · AI score 3.2 · EPSS 0.00217
Exploits 0 · References 8
CNVD
added 2025/08/28 12:00 a.m. · 3 views

Apartment Management System add_owner_utility.php File SQL Injection Vulnerability

Apartment Management System is an apartment management system. Apartment Management System suffers from a SQL injection vulnerability that originates from the lack of validation of externally entered SQL statements in parameter ID in file /ownerutility/addownerutility.php. An attacker can exploit...

CVSS 9.8 · AI score 7.9 · EPSS 0.00387
Exploits 1 · References 1
CNNVD
added 2025/08/28 12:00 a.m. · 1 view

WordPress plugin Neresa Security Vulnerability

WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a set of blogging platforms developed using the PHP language. The platform supports setting up personal blog sites on servers with PHP and MySQL. WordPress plugin is an application plugin. A security...

CVSS 8.1 · AI score 6.5 · EPSS 0.00393
Exploits 0 · References 2
Vulnrichment
added 2025/08/28 12:00 a.m. · 2 views

CVE-2025-51968

A SQL Injection vulnerability exists in the action.php file of PuneethReddyHC Online Shopping System Advanced 1.0. The application fails to properly sanitize user-supplied input in the proId POST parameter, allowing attackers to inject arbitrary SQL expressions...

AI score 7.5 · EPSS 0.00227
Exploits 1 · References 1
CNNVD
added 2025/08/28 12:00 a.m. · 3 views

WordPress plugin Houzez Security Vulnerability

WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a set of blogging platforms developed using the PHP language. The platform supports setting up personal blog sites on servers with PHP and MySQL. WordPress plugin is an application plugin. A security...

CVSS 8.1 · AI score 6.5 · EPSS 0.00244
Exploits 0 · References 2
NVD
added 2025/08/25 2:15 a.m. · 4 views

CVE-2025-9402

A vulnerability was found in HuangDou UTCMS 9. This issue affects some unknown processing of the file app/modules/ut-frame/admin/update.php of the component Config Handler. Performing manipulation of the argument UPDATEURL results in server-side request forgery. The attack is possible to be carri...

CVSS 7.2 · EPSS 0.00333
Exploits 0 · References 5
CNVD
added 2025/08/20 12:00 a.m. · 4 views

Visitor Management System front.php File SQL Injection Vulnerability

Visitor Management System is a visitor access management system. The Visitor Management System suffers from a SQL injection vulnerability that originates from a lack of validation of externally entered SQL statements in the parameter rid in the file /front.php. An attacker can exploit this...

CVSS 9.8 · AI score 8.2 · EPSS 0.00384
Exploits 1 · References 1
CNNVD
added 2025/08/20 12:00 a.m. · 3 views

WordPress plugin Funnel Builder by FunnelKit Security Vulnerability

WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a blogging platform developed using the PHP language. The platform supports setting up personal blog sites on servers with PHP and MySQL. WordPress plugin is an application plugin. A security vulnerability...

CVSS 7.5 · AI score 6.8 · EPSS 0.00469
Exploits 0 · References 2
Positive Technologies
added 2025/08/20 12:00 a.m. · 6 views

PT-2025-34139 · Portabilis · Portabilis I-Diario

Name of the Vulnerable Software and Affected Versions: Portabilis i-Diario versions prior to 2.10 Description: A vulnerability exists in Portabilis i-Diario up to version 2.10. The issue affects an unknown function within the /intranet/educar_tipo_usuario_lst.php file of the Tipos de usuário Page...

CVSS 6.5 · AI score 6.7 · EPSS 0.00369
Exploits 1 · References 8
Tenable Nessus
added 2025/08/18 12:00 a.m. · 3 views

Linux Distros Unpatched Vulnerability : CVE-2017-16641

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - lib/rrd.php in Cacti 1.1.27 allows remote authenticated administrators to execute arbitrary OS commands via the pathrrdtool parameter in an action=save request ...

CVSS 9 · AI score 7.4 · EPSS 0.03197
Exploits 1 · References 2
RedhatCVE
added 2025/08/17 11:07 a.m. · 14 views

CVE-2025-9028

A flaw has been found in code-projects Online Medicine Guide 1.0. This vulnerability affects unknown code of the file /adphar.php. Executing manipulation of the argument phuname can lead to sql injection. The attack can be launched remotely. The exploit has been published and may be used...

CVSS 9.8 · AI score 7.3 · EPSS 0.00387
Exploits 1 · References 1