2593 matches found

RedhatCVE
added 2025/05/22 6:39 p.m. | 5 views

CVE-2021-36547

A remote code execution (RCE) vulnerability in the component /codebase/dir.php?type=filenew of Mara v7.5 allows attackers to execute arbitrary commands via a crafted PHP file...

CVSS 9.8 | AI score 8.5 | EPSS 0.03204
Exploits: 1 | References: 1

RedhatCVE
added 2025/05/22 6:23 p.m. | 10 views

CVE-2021-24160

In the Responsive Menu free and Pro WordPress plugins before 4.0.4, subscribers could upload zip archives containing malicious PHP files that would get extracted to the /rmp-menu/ directory. These files could then be accessed via the front end of the site to trigger remote code execution and...

CVSS 8.8 | AI score 8.2 | EPSS 0.0842
Exploits: 2 | References: 1

RedhatCVE
added 2025/05/22 5:51 p.m. | 7 views

CVE-2020-21480

An arbitrary file write vulnerability in RGCMS v1.06 allows attackers to execute arbitrary code via a crafted PHP file...

CVSS 7.2 | AI score 7.8 | EPSS 0.01632
Exploits: 1

RedhatCVE
added 2025/05/22 5:6 p.m. | 4 views

CVE-2020-11456

LimeSurvey before 4.1.12+200324 has stored XSS in application/views/admin/surveysgroups/surveySettings.php and application/models/SurveysGroups.php aka survey groups...

CVSS 5.4 | AI score 5.8 | EPSS 0.70841
Exploits: 4 | References: 1

RedhatCVE
added 2025/05/22 4:52 p.m. | 8 views

CVE-2020-8865

This vulnerability allows remote attackers to execute local PHP files on affected installations of Horde Groupware Webmail Edition 5.2.22. Authentication is required to exploit this vulnerability. The specific flaw exists within edit.php. When parsing the paramstemplate parameter, the process doe...

CVSS 6.5 | AI score 6.7 | EPSS 0.06808
Exploits: 4 | References: 1

RedhatCVE
added 2025/05/22 4:18 p.m. | 10 views

CVE-2020-13796

An issue was discovered in Navigate CMS through 2.8.7. It allows XSS because of a lack of purify calls in lib/packages/structure/structure.class.php...

CVSS 6.1 | AI score 6 | EPSS 0.00679
Exploits: 0

RedhatCVE
added 2025/05/22 4:16 p.m. | 5 views

CVE-2020-13442

A Remote code execution vulnerability exists in DEXT5Upload in DEXT5 through 2.7.1402870. An attacker can upload a PHP file via dext5handler.jsp handler because the uploaded file is stored under dext5uploadeddata/...

CVSS 9.8 | AI score 7.4 | EPSS 0.02647
Exploits: 1

RedhatCVE
added 2025/05/22 4:11 p.m. | 9 views

CVE-2020-11819

In Rukovoditel 2.5.2, an attacker may inject an arbitrary .php file location instead of a language file and thus achieve command execution...

CVSS 9.8 | AI score 7.1 | EPSS 0.26778
Exploits: 4 | References: 1

RedhatCVE
added 2025/05/22 4:6 p.m. | 6 views

CVE-2020-21481

An arbitrary file upload vulnerability in RGCMS v1.06 allows attackers to execute arbitrary code via a crafted .txt file which is later changed to a PHP file...

CVSS 7.2 | AI score 7.9 | EPSS 0.01598
Exploits: 1

RedhatCVE
added 2025/05/22 3:59 p.m. | 9 views

CVE-2020-20698

A remote code execution (RCE) vulnerability in /1.com.php of S-CMS PHP v3.0 allows attackers to getshell via modification of a PHP file...

CVSS 7.2 | AI score 7.9 | EPSS 0.0195
Exploits: 1

RedhatCVE
added 2025/05/22 3:51 p.m. | 6 views

CVE-2020-19267

An issue in index.php/Dswjcms/Basis/resources of Dswjcms 1.6.4 allows attackers to execute arbitrary code via uploading a crafted PHP file...

CVSS 9.8 | AI score 7.9 | EPSS 0.01552
Exploits: 1

RedhatCVE
added 2025/05/22 3:50 p.m. | 9 views

CVE-2020-22153

File Upload vulnerability in FUEL-CMS v.1.4.6 allows a remote attacker to execute arbitrary code via a crafted .php file to the upload parameter in the navigation function...

CVSS 9.8 | AI score 7.8 | EPSS 0.01161
Exploits: 1

RedhatCVE
added 2025/05/22 3:48 p.m. | 7 views

CVE-2020-26008

The PluginsUpload function in application/service/PluginsAdminService.php of ShopXO v1.9.0 contains an arbitrary file upload vulnerability which allows attackers to execute arbitrary code via uploading a crafted PHP file...

CVSS 7.8 | AI score 7.9 | EPSS 0.00942
Exploits: 1

RedhatCVE
added 2025/05/22 3:32 p.m. | 4 views

CVE-2020-35709

bloofoxCMS 0.5.2.1 allows admins to upload arbitrary .php files with "Content-Type: application/octet-stream" to ../media/images/ via the admin/index.php?mode=tools=upload URI, aka directory traversal...

CVSS 4.9 | AI score 7.1 | EPSS 0.01054
Exploits: 1

RedhatCVE
added 2025/05/22 3:18 p.m. | 6 views

CVE-2020-21322

An arbitrary file upload vulnerability in Feehi CMS v2.0.8 and below allows attackers to execute arbitrary code via a crafted PHP file...

CVSS 9.8 | AI score 7.8 | EPSS 0.01724
Exploits: 1

RedhatCVE
added 2025/05/22 9:59 a.m. | 5 views

CVE-2011-3808

The Bug Genie 2.1.2 allows remote attackers to obtain sensitive information via a direct request to a .php file, which reveals the installation path in an error message, as demonstrated by modules/svnintegration/config.inc.php and certain other files...

CVSS 5 | AI score 6.5 | EPSS 0.01229
Exploits: 0 | References: 1

RedhatCVE
added 2025/05/22 9:59 a.m. | 7 views

CVE-2011-3804

SweetRice 0.7.1 allows remote attackers to obtain sensitive information via a direct request to a .php file, which reveals the installation path in an error message, as demonstrated by plugin/tinymce/plugins/advimage/images.php...

CVSS 5 | AI score 6.5 | EPSS 0.01229
Exploits: 0 | References: 1

RedhatCVE
added 2025/05/22 9:59 a.m. | 6 views

CVE-2011-3697

Achievo 1.4.5 allows remote attackers to obtain sensitive information via a direct request to a .php file, which reveals the installation path in an error message, as demonstrated by modules/graph/jpgraph/jpgraphradar.php and certain other files...

CVSS 5 | AI score 6.5 | EPSS 0.01335
Exploits: 1 | References: 1

RedhatCVE
added 2025/05/22 9:59 a.m. | 6 views

CVE-2011-3716

Claroline 1.9.7 allows remote attackers to obtain sensitive information via a direct request to a .php file, which reveals the installation path in an error message, as demonstrated by work/connector/linker.cnr.php and certain other files...

CVSS 5 | AI score 6.5 | EPSS 0.01335
Exploits: 1 | References: 1

RedhatCVE
added 2025/05/22 9:58 a.m. | 5 views

CVE-2011-3792

Pixelpost 1.7.3 allows remote attackers to obtain sensitive information via a direct request to a .php file, which reveals the installation path in an error message, as demonstrated by includes/functionsfeeds.php and certain other files...

CVSS 5 | AI score 6.5 | EPSS 0.01229
Exploits: 0 | References: 1