
92657 matches found

GithubExploit
added 2026/04/30 7:30 p.m., 11 views

Exploit for CVE-2026-7537

MDJM Event Management = 1.7.8.3 - Authenticated Administrato...

CVSS 7.2, AI score 6.1, EPSS 0.00358
Exploits: 1

CVE
added 2026/04/30 4:08 p.m., 10 views

CVE-2022-50993

CVE-2022-50993 affects Weaver (Fanwei) E-office, prior to version 10.0_20221201. The OfficeServer.php endpoint is vulnerable to unauthenticated arbitrary file upload, allowing remote attackers to POST multipart data with arbitrary filenames and disguised content types to upload PHP web shells int...

CVSS 9.8, AI score 6.8, EPSS 0.00308
In wild, Exploits: 0, References: 4

Vulnrichment
added 2026/04/30 4:08 p.m., 1 view

CVE-2022-50993 Weaver E-office < 10.0_20221201 Unauthenticated Arbitrary File Read via XmlRpcServlet

Weaver Fanwei E-office versions prior to 10.0_20221201 contain an unauthenticated arbitrary file upload vulnerability in the OfficeServer.php endpoint that allows remote attackers to upload malicious files by sending multipart POST requests with arbitrary filenames and disguised content types...

CVSS 9.8, AI score 6.7, EPSS 0.00308
Exploits: 0, References: 4

NVD
added 2026/04/30 10:16 a.m., 1 view

CVE-2026-6498

The Five Star Restaurant Reservations plugin for WordPress is vulnerable to a payment bypass via PHP type juggling in versions up to, and including, 2.7.16. This is due to the validpayment function using a PHP loose comparison == between the attacker-controlled payment_id POST parameter and the...

CVSS 5.3, EPSS 0.00037
Exploits: 0, References: 7

ATTACKERKB
added 2026/04/30 9:29 a.m., 2 views

CVE-2026-6498

The Five Star Restaurant Reservations plugin for WordPress is vulnerable to a payment bypass via PHP type juggling in versions up to, and including, 2.7.16. This is due to the validpayment function using a PHP loose comparison == between the attacker-controlled payment_id POST parameter and the...

CVSS 5.3, AI score 5.4, EPSS 0.00037
Exploits: 0, References: 8

EUVD
added 2026/04/30 9:29 a.m., 2 views

EUVD-2026-26361

The Five Star Restaurant Reservations plugin for WordPress is vulnerable to a payment bypass via PHP type juggling in versions up to, and including, 2.7.16. This is due to the validpayment function using a PHP loose comparison == between the attacker-controlled payment_id POST parameter and the...

CVSS 5.3, AI score 5.5, EPSS 0.00037
Exploits: 0, References: 7

Vulnrichment
added 2026/04/30 9:29 a.m., 1 view

CVE-2026-6498 Five Star Restaurant Reservations <= 2.7.16 - Unauthenticated Payment Bypass via PHP Type Juggling in 'payment_id' Parameter

The Five Star Restaurant Reservations plugin for WordPress is vulnerable to a payment bypass via PHP type juggling in versions up to, and including, 2.7.16. This is due to the validpayment function using a PHP loose comparison == between the attacker-controlled payment_id POST parameter and the...

CVSS 5.3, AI score 5.4, EPSS 0.00037
Exploits: 0, References: 7

GithubExploit
added 2026/04/30 1:39 a.m., 76 views

Exploit for CVE-2026-36340

CVE-2026-36340 Remote Code Execution RCE Vulnerability in Kr...

AI score 6.6, EPSS 0.00103
Exploits: 1

EUVD
added 2026/04/30 12:15 a.m., 2 views

EUVD-2026-26303

A flaw has been found in SourceCodester Pet Grooming Management Software 1.0. This vulnerability affects unknown code of the file /admin/updatecustomer.php. This manipulation of the argument type/length/business parameter validity causes sql injection. The attack is possible to be carried out...

CVSS 6.5, AI score 6.3, EPSS 0.00012
Exploits: 0, References: 5

EUVD
added 2026/04/30 12:00 a.m., 4 views

EUVD-2026-26388

Cross Site Scripting vulnerability in RafyMrX TOKO-ONLINE-ROTI v.1.0 allows a remote attacker to execute arbitrary code via the detailproduk.php component...

CVSS 6.1, AI score 5.8, EPSS 0.00065
Exploits: 0, References: 1

CVE
added 2026/04/30 12:00 a.m., 10 views

CVE-2026-38939

CVE-2026-38939 describes a Cross Site Scripting (XSS) vulnerability in the MVC-Ecommerce application by andrewtch88 (v.1.0) affecting the product_catalogue.php component. The NVD and related sources confirm the flaw but do not provide specific impacted versions beyond v.1.0, nor a confirmed patch...

CVSS 6.1, AI score 5.7, EPSS 0.00065
Exploits: 0, References: 1

Positive Technologies
added 2026/04/30 12:00 a.m., 0 views

PT-2026-36086

Name of the Vulnerable Software and Affected Versions: Five Star Restaurant Reservations versions prior to 2.7.17. Description: A payment bypass exists due to PHP type juggling, which occurs when a loose comparison is used between different data types, potentially leading to unexpected true results...

CVSS 5.3, AI score 5.4, EPSS 0.00037
Exploits: 0, References: 10

GithubExploit
added 2026/04/29 9:37 p.m., 53 views

Exploit for Server-Side Request Forgery in Chamilo Chamilo_Lms

CVE-2026-33715 — Unauthenticated SSRF + Open Email Relay in Ch...

CVSS 7.2, AI score 5.9, EPSS 0.00166
Exploits: 1

Snyk
added 2026/04/29 9:00 p.m., 5 views

Embedded Malicious Code

Overview: intercom/intercom-php is an Intercom API client. Affected versions of this package are vulnerable to Embedded Malicious Code that conceals a credential-stealing payload. A malicious actor compromised the package, enabling the attacker to publish tampered versions of the deep learning...

CVSS 9.8, AI score 6, EPSS 0.00062
Exploits: 0, References: 2

NVD
added 2026/04/29 8:16 p.m., 3 views

CVE-2026-34965

Cockpit CMS contains an authenticated remote code execution vulnerability in the /cockpit/collections/save_collection endpoint that allows authenticated attackers with collection management privileges to inject arbitrary PHP code into collection rules parameters. Attackers can inject malicious PHP...

CVSS 8.8, EPSS 0.00497
Exploits: 0, References: 4

NVD
added 2026/04/29 8:16 p.m., 3 views

CVE-2018-25300

XATABoost CMS 1.0.0 contains a union-based SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the id parameter. Attackers can send GET requests to news.php with malicious id values to extract sensitive database informatio...

CVSS 8.8, EPSS 0.00124
Exploits: 0, References: 3

Vulnrichment
added 2026/04/29 7:50 p.m., 2 views

CVE-2026-34965 Cockpit CMS Authenticated Remote Code Execution via Collections

Cockpit CMS contains an authenticated remote code execution vulnerability in the /cockpit/collections/save_collection endpoint that allows authenticated attackers with collection management privileges to inject arbitrary PHP code into collection rules parameters. Attackers can inject malicious PHP...

CVSS 8.8, AI score 6.5, EPSS 0.00497
Exploits: 0, References: 4

CVE
added 2026/04/29 7:50 p.m., 9 views

CVE-2026-34965

CVE-2026-34965 (Cockpit CMS): An authenticated remote code execution flaw exists in the /cockpit/collections/save_collection endpoint. Attackers with collection management privileges can inject arbitrary PHP code into collection rules parameters, which is written to server-side PHP files and lat...

CVSS 8.8, AI score 6.6, EPSS 0.00497
Exploits: 0, References: 4

ATTACKERKB
added 2026/04/29 7:50 p.m., 1 view

CVE-2026-34965

Cockpit CMS contains an authenticated remote code execution vulnerability in the /cockpit/collections/save_collection endpoint that allows authenticated attackers with collection management privileges to inject arbitrary PHP code into collection rules parameters. Attackers can inject malicious PHP...

CVSS 8.8, AI score 6.5, EPSS 0.00497
Exploits: 0, References: 4

OSV
added 2026/04/29 6:31 p.m., 1 view

GHSA-J2RX-4JG9-79MW Cockpit Vulnerable to Unrestricted Upload of File with Dangerous Type

Cockpit versions 2.13.5 and earlier are affected by a misconfiguration within the Bucket component isFileTypeAllowed function where a specially crafted filename bypasses an extension filter. This allows an authenticated attacker to rename arbitrary files with the .php file extension enabling...

CVSS 8.8, AI score 6, EPSS 0.00035
Exploits: 0, References: 4