CVE-2019-25480 ARMBot Unrestricted File Upload via upload.php

ARMBot contains an unrestricted file upload vulnerability in upload.php that allows unauthenticated attackers to upload arbitrary files by manipulating the file parameter with path traversal sequences. Attackers can upload PHP files with traversal payloads ../publichtml/ to write executable code ...

CVE-2019-25471

CVE-2019-25471 affects FileThingie 2.5.7. An arbitrary file upload vulnerability exists where ZIP archives sent to ft2.php can be unpacked to accessible directories, enabling upload and deployment of PHP shells and execution of arbitrary commands via extracted files. The underlying issue is an in...

CVE-2019-25471 FileThingie 2.5.7 Arbitrary File Upload via ft2.php

FileThingie 2.5.7 contains an arbitrary file upload vulnerability that allows attackers to upload malicious files by sending ZIP archives through the ft2.php endpoint. Attackers can upload ZIP files containing PHP shells, use the unzip functionality to extract them into accessible directories, an...

CVE-2019-25471 FileThingie 2.5.7 Arbitrary File Upload via ft2.php

FileThingie 2.5.7 contains an arbitrary file upload vulnerability that allows attackers to upload malicious files by sending ZIP archives through the ft2.php endpoint. Attackers can upload ZIP files containing PHP shells, use the unzip functionality to extract them into accessible directories, an...

UBUNTU-CVE-2026-22248

GLPI is an open-source asset and IT management software package that provides ITIL Service Desk features, licenses tracking and software auditing. From 11.0.0 to before 11.0.5, an authenticated technician user can upload a malicious file and trigger its execution through an unsafe PHP...

EUVD-2026-11174

A vulnerability was detected in PHPEMS 11.0. The affected element is an unknown function of the file /index.php?ask=app-ask. Performing a manipulation of the argument askcontent results in cross site scripting. The attack is possible to be carried out remotely. The exploit is now public and may b...

EUVD-2026-11192

GLPI is an open-source asset and IT management software package that provides ITIL Service Desk features, licenses tracking and software auditing. From 11.0.0 to before 11.0.5, an authenticated technician user can upload a malicious file and trigger its execution through an unsafe PHP...

CVE-2026-22248

GLPI is an open-source asset and IT management software package that provides ITIL Service Desk features, licenses tracking and software auditing. From 11.0.0 to before 11.0.5, an authenticated technician user can upload a malicious file and trigger its execution through an unsafe PHP...

CVE-2026-22248

GLPI 11.0.0 through 11.0.4 is affected by a Remote Code Execution vulnerability mediated by an unsafe PHP instantiation when an authenticated technician uploads a malicious file. The issue allows code execution on the server due to how the uploaded file is processed. The vulnerability is fixed in...

CVE-2026-3946 PHPEMS index.php cross site scripting

A vulnerability was detected in PHPEMS 11.0. The affected element is an unknown function of the file /index.php?ask=app-ask. Performing a manipulation of the argument askcontent results in cross site scripting. The attack is possible to be carried out remotely. The exploit is now public and may b...

CVE-2026-3944 itsourcecode University Management System att_add.php sql injection

A vulnerability was determined in itsourcecode University Management System 1.0. This vulnerability affects unknown code of the file /attadd.php. This manipulation of the argument Name causes sql injection. The attack may be initiated remotely. The exploit has been publicly disclosed and may be...

Moderate: Red Hat Security Advisory: php security update

An update for php is now available for Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is availabl...

EUVD-2026-11095

The divi-booster WordPress plugin before 5.0.2 does not have authorization and CSRF checks in one of its fixing function, allowing unauthenticated users to modify stored divi-booster WordPress plugin before 5.0.2 options. Furthermore, due to the use of unserialize on the data, this could be furth...

CVE-2026-2626

The divi-booster WordPress plugin before 5.0.2 does not have authorization and CSRF checks in one of its fixing function, allowing unauthenticated users to modify stored divi-booster WordPress plugin before 5.0.2 options. Furthermore, due to the use of unserialize on the data, this could be furth...

CVE-2026-2626 Divi Booster < 5.0.2 - Unauthenticated PHP Object Injection

The divi-booster WordPress plugin before 5.0.2 does not have authorization and CSRF checks in one of its fixing function, allowing unauthenticated users to modify stored divi-booster WordPress plugin before 5.0.2 options. Furthermore, due to the use of unserialize on the data, this could be furth...

CVE-2026-2626

The vulnerability affects the divi-booster WordPress plugin prior to version 5.0.2. A lack of authorization and CSRF checks in a fixing function allows unauthenticated users to modify stored plugin options. Additionally, the use of unserialize() on the data could enable PHP Object Injection when ...

EUVD-2026-11096

The divi-booster WordPress plugin before 5.0.2 does not have authorization and CSRF checks in one of its fixing function, allowing unauthenticated users to modify stored divi-booster WordPress plugin before 5.0.2 options. Furthermore, due to the use of unserialize on the data, this could be furth...

CVE-2025-13067

The CVE-2025-13067 entry documents a vulnerability in the Royal Addons for Elementor WordPress plugin up to version 1.7.1049. The issue is an arbitrary file upload due to insufficient file-type validation that can be bypassed when files named main.php are uploaded, allowing an attacker with autho...

CVE-2025-13067 Royal Addons for Elementor <= 1.7.1049 - Authenticated (Author+) Arbitrary File Upload via main.php Upload Bypass

The Royal Addons for Elementor plugin for WordPress is vulnerable to arbitrary file upload in all versions up to, and including, 1.7.1049. This is due to insufficient file type validation detecting files named main.php, allowing a file with such a name to bypass sanitization. This makes it possib...

PT-2026-24776

ARMBot contains an unrestricted file upload vulnerability in upload.php that allows unauthenticated attackers to upload arbitrary files by manipulating the file parameter with path traversal sequences. Attackers can upload PHP files with traversal payloads ../public html/ to write executable code...