Cacti cmd_realtime.php - Command Injection

Cacti provides an operational monitoring and fault management framework. A command injection vulnerability on the 1.3.x DEV branch allows any unauthenticated user to execute arbitrary command on the server when registerargcargv option of PHP is On. In cmdrealtime.php line 119, the $pollerid used ...

Symfony Profiler - Remote Access via Injected Arguments

symfony/runtime is a module for the Symphony PHP framework which enables decoupling PHP applications from global state. When the registerargvargc php directive is set to on , and users call any URL with a special crafted query string, they are able to change the environment or debug mode used by...

CVE-2026-10694 SourceCodester Online Food Ordering System index.php include file inclusion

A vulnerability was detected in SourceCodester Online Food Ordering System 2.0. Affected by this issue is the function include of the file /index.php. The manipulation of the argument page results in file inclusion. The attack can be launched remotely. The exploit is now public and may be used...

PT-2026-46047

Name of the Vulnerable Software and Affected Versions Concrete CMS versions prior to 9.5.2 Description PHP Object Injection occurs due to the use of unserialize calls within the Workflow, Form block, and File/Set components that do not implement the allowed classes restriction. This allows an...

PT-2026-46071

Name of the Vulnerable Software and Affected Versions ealpha072 Student-Management-System versions prior to 01451bd7a2f58cdda07bd0b86e3967582e3ecd08 Description An issue in the Administrative Backend component, specifically within the 'admin/config.php' file, allows for improper authentication...

Debian dsa-6320 : php-twig - security update

The remote Debian 12 host has packages installed that are affected by multiple vulnerabilities as referenced in the dsa-6320 advisory. - ------------------------------------------------------------------------- Debian Security Advisory DSA-6320-1 [email protected] https://www.debian.org/securit...

php: NULL pointer dereference in SOAP apache:Map decoder with missing <value>

A flaw was found in PHP. When a PHP SOAP server has a typemap configured, the apache:Map decoding process checks the incorrect variable in case of a missing value element. This incorrect check leads to a NULL pointer dereference and allows a remote unauthenticated attacker to crash the PHP SOAP...

PHP: PHP: Denial of Service via improper handling of signed characters in ctype functions

A flaw was found in PHP. Some functions, including urldecode, incorrectly pass signed characters to character type ctype functions. On certain systems, this can lead to accessing memory with a negative offset. This vulnerability can be exploited by an attacker to trigger a denial of service DoS,...

CVE-2026-10624 SourceCodester Human Resource Management Employee View detailview.php resource injection

A vulnerability has been found in SourceCodester Human Resource Management 1.0. Affected by this vulnerability is an unknown functionality of the file /detailview.php of the component Employee View Page. Such manipulation of the argument employeeid leads to improper control of resource identifier...

EUVD-2026-34024

A vulnerability has been found in SourceCodester Human Resource Management 1.0. Affected by this vulnerability is an unknown functionality of the file /detailview.php of the component Employee View Page. Such manipulation of the argument employeeid leads to improper control of resource identifier...

CVE-2026-10608

A security flaw has been discovered in DedeCMS 5.7.88. This affects the function RemoveXSS of the file /plus/carbuyaction.php. The manipulation of the argument postname/des results in sql injection. The attack may be launched remotely. The exploit has been released to the public and may be used f...

CVE-2026-10607

A vulnerability was identified in DedeCMS 5.7.88. The impacted element is the function dedehtmlspecialchars of the file /plus/flink.php. The manipulation of the argument msg leads to sql injection. The attack may be initiated remotely. The exploit is publicly available and might be used...

CVE-2026-10607

The vulnerability CVE-2026-10607 affects DedeCMS 5.7.88. The issue resides in the function dede_htmlspecialchars in /plus/flink.php, where manipulation of the msg argument leads to an SQL injection. Attacks can be remote, and exploitation is publicly available. Impact is described as potentially ...

[SECURITY] [DSA 6320-1] php-twig security update

------------------------------------------------------------------------- Debian Security Advisory DSA-6320-1 [email protected] https://www.debian.org/security/ Moritz Muehlenhoff June 02, 2026 https://www.debian.org/security/faq -...

CVE-2026-10226

A flaw has been found in raisulislamg4 studentmanagementsystembyphp up to 310d950e09013d5133c6b9210aff9444382d16d1. Impacted is an unknown function of the file delete.php. Executing a manipulation of the argument userid/courseid/teacherid/studentid/applicationid can lead to sql injection. The...

CVE-2026-39553

Improper Control of Filename for Include/Require Statement in PHP Program 'PHP Remote File Inclusion' vulnerability in Select-Themes WaveRide allows PHP Local File Inclusion. This issue affects WaveRide: from n/a through 1.4...

CVE-2025-69369 WordPress Racquet theme <= 1.12.0 - Local File Inclusion vulnerability

Improper Control of Filename for Include/Require Statement in PHP Program 'PHP Remote File Inclusion' vulnerability in Axiomthemes Racquet allows PHP Local File Inclusion. This issue affects Racquet: from n/a through 1.12.0...

CVE-2025-69369

Improper Control of Filename for Include/Require Statement in PHP Program 'PHP Remote File Inclusion' vulnerability in Axiomthemes Racquet allows PHP Local File Inclusion. This issue affects Racquet: from n/a through 1.12.0...

CVE-2025-58897 WordPress Fermentio theme <= 1.5.0 - Local File Inclusion vulnerability

Improper Control of Filename for Include/Require Statement in PHP Program 'PHP Remote File Inclusion' vulnerability in Axiomthemes Fermentio allows PHP Local File Inclusion. This issue affects Fermentio: from n/a through 1.5.0...

CVE-2025-58707 WordPress Spin theme <= 1.8 - Local File Inclusion vulnerability

Improper Control of Filename for Include/Require Statement in PHP Program 'PHP Remote File Inclusion' vulnerability in Axiomthemes Spin allows PHP Local File Inclusion. This issue affects Spin: from n/a through 1.8...