CVE-2025-67887

1C-Bitrix through 25.100.500 allows Remote Code Execution because an actor with SOURCE/WRITE permissions for the Translate Module can upload and execute code by sending a PHP file and a .htaccess file. NOTE: this is disputed by the Supplier because this is intended behavior for the high-privilege...

Linux Distros Unpatched Vulnerability : CVE-2026-6722

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - In PHP versions 8.2. before 8.2.31, 8.3. before 8.3.31, 8.4. before 8.4.21, and 8.5. before 8.5.6, the SOAP extension's object deduplication mechanism stores...

Slackware Linux 15.0 / current php82 Multiple Vulnerabilities (SSA:2026-127-03)

The version of php82 installed on the remote host is prior to 8.2.31 / 8.4.21. It is, therefore, affected by multiple vulnerabilities as referenced in the SSA:2026-127-03 advisory. New php packages are available for Slackware 15.0 and -current to fix security issues. Tenable has extracted the...

Linux Distros Unpatched Vulnerability : CVE-2025-14179

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - In PHP versions 8.2. before 8.2.31, 8.3. before 8.3.31, 8.4. before 8.4.21, and 8.5. before 8.5.6, the PDO Firebird driver improperly handles NUL bytes when...

Linux Distros Unpatched Vulnerability : CVE-2026-7259

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - In PHP versions 8.2. before 8.2.31, 8.3. before 8.3.31, 8.4. before 8.4.21, and 8.5. before 8.5.6, a mismatch between encoding lists in Oniguruma and mbfl leads...

CVE-2025-67887

1C-Bitrix through 25.100.500 allows Remote Code Execution because an actor with SOURCE/WRITE permissions for the Translate Module can upload and execute code by sending a PHP file and a .htaccess file. NOTE: this is disputed by the Supplier because this is intended behavior for the high-privilege...

CVE-2025-67886

Bitrix24 through 25.100.300 allows Remote Code Execution because an actor with SOURCE/WRITE permissions for the Translate Module can upload and execute code by sending a PHP file and a .htaccess file. NOTE: this is disputed by the Supplier because this is intended behavior for the high-privileged...

PT-2026-39198

Name of the Vulnerable Software and Affected Versions Emlog versions prior to 2.6.11 Description Insecure plugin upload functionality allows attackers to upload and execute arbitrary PHP code, which can lead to complete server compromise and the installation of a persistent backdoor...

Linux Distros Unpatched Vulnerability : CVE-2026-7568

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - In PHP versions 8.2. before 8.2.31, 8.3. before 8.3.31, 8.4. before 8.4.21, and 8.5. before 8.5.6, the metaphone function in ext/standard/metaphone.c uses a...

Linux Distros Unpatched Vulnerability : CVE-2026-6735

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - In PHP versions 8.2. before 8.2.31, 8.3. before 8.3.31, 8.4. before 8.4.21, 8.5. before 8.5.6, due to improper sanitation of user data, it allows an attacker to...

CVE-2026-8097

A security flaw has been discovered in CodeAstro Online Classroom 1.0. This vulnerability affects unknown code of the file /askquery.php. The manipulation of the argument squeryx results in sql injection. The attack may be performed from remote. The exploit has been released to the public and may...

CVE-2026-8097

A security flaw has been discovered in CodeAstro Online Classroom 1.0. This vulnerability affects unknown code of the file /askquery.php. The manipulation of the argument squeryx results in sql injection. The attack may be performed from remote. The exploit has been released to the public and may...

FacturaScripts Vulnerable to Authenticated Remote Code Execution (RCE) via GIF Image Upload in Product Images

CVE-2026-42879 - FacturaScripts - Authenticated Unrestricted File Upload via MIME Type Bypass Summary An authenticated unrestricted file upload vulnerability exists in FacturaScripts' product image upload functionality. An attacker with valid credentials can upload a PHP file disguised as a GIF...

GHSA-VF3Q-FRMR-VRR9 FacturaScripts Vulnerable to Authenticated Remote Code Execution (RCE) via GIF Image Upload in Product Images

CVE-2026-42879 - FacturaScripts - Authenticated Unrestricted File Upload via MIME Type Bypass Summary An authenticated unrestricted file upload vulnerability exists in FacturaScripts' product image upload functionality. An attacker with valid credentials can upload a PHP file disguised as a GIF...

FacturaScripts Vulnerable to Unauthenticated phpinfo() Disclosure via Installer Endpoint

Summary An unauthenticated information disclosure vulnerability in the Installer controller allows any remote attacker to trigger phpinfo on a fresh FacturaScripts deployment by requesting /?phpinfo=TRUE, exposing full PHP configuration, server environment variables including any database...

GHSA-GR3R-CRP5-QRRM Compromised tag of intercom-php published via GitHub

Impact On April 30, 2026, a malicious commit was pushed to the intercom/intercom-php repository and tagged as version 5.0.2, using a compromised service account github-management-service. This occurred as part of the same supply chain attack that affected intercom-client on npm. The malicious...

CVE-2026-41655

Admidio is an open-source user management solution. Prior to version 5.0.9, the ecardpreview.php endpoint does not validate that the ecardtemplate POST parameter is a safe filename before passing it to ECard::getEcardTemplate. An authenticated user can supply a path traversal payload e.g.,...

CVE-2026-41657

Admidio is an open-source user management solution. Prior to version 5.0.9, the contactsdata.php endpoint uses a weaker permission check isAdministratorUsers, requiring only roledituser=true than the frontend UI contacts.php which correctly requires the stronger isAdministrator requiring...

CVE-2026-41587 CI4MS: Unrestricted PHP File Upload via Theme Installation Leads to Authenticated Remote Code Execution

CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. From version 0.26.0.0 to before version 0.31.7.0, a theme upload feature allows any authenticated backend user with theme-upload permission to achieve remo...

CVE-2026-41587

CVE-2026-41587 affects CI4MS, a CodeIgniter 4-based CMS skeleton. The vulnerability resides in the theme upload flow: from versions 0.26.0.0 up to before 0.31.7.0, an authenticated backend user with theme-upload permission can upload a crafted ZIP, causing files (including PHP) to be placed into ...