92632 matches found
GHSA-XW67-CG5F-4M2R AVideo: OS command injection in on_publish.php execAsync via unescaped m3u8 URL
Summary: Type: Classic shell-metacharacter injection. The YPTSocket notification branch in plugin/Live/on_publish.php builds an execAsync command line by string concatenation, single-quoting each argument but never calling escapeshellarg. A ' in any of the three interpolated values $usersid, $m3u8,...
Directory Traversal
Overview: Affected versions of this package are vulnerable to Directory Traversal via the FileSystemTicketStore process. An attacker can read and unserialize files outside the intended directory, and conditionally delete files, by supplying crafted path traversal sequences in public CAS validation...
FrankenPHP: Unsafe Unicode Handling in CGI Path Splitting Allows Execution of Non-PHP Files
Summary: The splitPos function in cgi.go misuses golang.org/x/text/search with search.IgnoreCase when the request path contains a non-ASCII byte. Two distinct flaws in that fallback let an attacker mislead FrankenPHP into treating a non-.php file as a .php script. In any deployment where the...
Debian dla-4586 : libapache2-mod-php7.4 - security update
The remote Debian 11 host has packages installed that are affected by multiple vulnerabilities as referenced in the dla-4586 advisory. Debian LTS Advisory DLA-4586-1...
PT-2026-43462
Name of the Vulnerable Software and Affected Versions: AVideo versions 29.0 and earlier. Description: A cross-site request forgery (CSRF) issue exists in the 2FA toggle functionality. The endpoint "plugin/LoginControl/set.json.php" accepts POST requests with the parameters type=set2FA and value=false ...
PT-2026-41391
Name of the Vulnerable Software and Affected Versions: FrankenPHP versions 1.11.2 through 1.12.2. Description: An unsafe Unicode handling flaw exists in the CGI path splitting process. The splitPos function in cgi.go incorrectly uses the golang.org/x/text/search library with search.IgnoreCase when...
PT-2026-41345
PHP Timeclock 1.04 contains time-based and boolean-based blind SQL injection vulnerabilities in the login userid parameter of login.php that allows unauthenticated attackers to extract database contents. Attackers can submit crafted POST requests with SQL payloads using SLEEP functions or RLIKE...
HUSTOJ Zip Slip / Remote Code Execution
This Metasploit module demonstrates a remote code execution vulnerability in HUSTOJ. A user with administrative privileges can abuse the problemimportqduoj.php CGI script using a crafted zip file (zip-slip) to traverse backwards through the filesystem, then to the webroot, where they can extract a...
Linux Distros Unpatched Vulnerability : CVE-2026-6811
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Stack exhaustion vulnerability in the MongoDB PHP driver can cause application crashes when processing deeply nested BSON documents in unusual circumstances whe...
CVE-2026-6722 affecting package php for versions less than 8.3.31-1
CVE-2026-6722 affecting package php for versions less than 8.3.31-1. A patched version of the package is available...
CVE-2026-6735 affecting package php for versions less than 8.3.31-1
CVE-2026-6735 affecting package php for versions less than 8.3.31-1. A patched version of the package is available...
CVE-2026-7258 affecting package php for versions less than 8.3.31-1
CVE-2026-7258 affecting package php for versions less than 8.3.31-1. A patched version of the package is available...
CVE-2026-7262 affecting package php for versions less than 8.3.31-1
CVE-2026-7262 affecting package php for versions less than 8.3.31-1. A patched version of the package is available...
CVE-2026-7259 affecting package php for versions less than 8.3.31-1
CVE-2026-7259 affecting package php for versions less than 8.3.31-1. A patched version of the package is available...
CVE-2025-14179 affecting package php for versions less than 8.3.31-1
CVE-2025-14179 affecting package php for versions less than 8.3.31-1. A patched version of the package is available...
CVE-2026-7261 affecting package php for versions less than 8.3.31-1
CVE-2026-7261 affecting package php for versions less than 8.3.31-1. A patched version of the package is available...
DEBIAN-CVE-2026-6811
Stack exhaustion vulnerability in the MongoDB PHP driver can cause application crashes when processing deeply nested BSON documents in unusual circumstances when the source of these BSON documents is not MongoDB Server...
CVE-2026-6811
Stack exhaustion vulnerability in the MongoDB PHP driver can cause application crashes when processing deeply nested BSON documents in unusual circumstances when the source of these BSON documents is not MongoDB Server...
UBUNTU-CVE-2026-6811
Stack exhaustion vulnerability in the MongoDB PHP driver can cause application crashes when processing deeply nested BSON documents in unusual circumstances when the source of these BSON documents is not MongoDB Server...