92632 matches found
Ninja Forms Uploads - Unauthenticated PHP File Upload
Exploit Title: Ninja Forms Uploads - Unauthenticated PHP File Upload Date: 2026-04-09 Exploit Author: Sélim Lanouar @whattheslime Vendor Homepage: https://ninjaforms.com/ Software Link: https://ninjaforms.com/extensions/file-uploads/ Version: 3.3.24 Tested on: WordPress 6.9.3 on Apache and Nginx...
CVE-2026-42289 ChurchCRM: Cross-Site Request Forgery (CSRF) Leading to Admin Privilege Escalation
ChurchCRM is an open-source church management system. Prior to 7.3.2, UserEditor.php processes user account creation and permission updates entirely through $POST parameters with no CSRF token validation. An unauthenticated attacker can craft a malicious HTML page that, when visited by an...
CVE-2026-44262
CVE-2026-44262 affects dedoc/scramble (Laravel API documentation generator) versions 0.13.2–0.13.21. The vulnerability arises when publicly accessible docs endpoints evaluate user-controlled input via NodeRulesEvaluator::doEvaluateExpression(), which may evaluate request data and execute arbitrar...
CLSA-2026-1778603120 Fix CVE(s): CVE-2026-6735
SECURITY UPDATE: XSS in PHP-FPM status endpoint - debian/patches/CVE-2026-6735.patch: HTML-encode proc.requesturi and tighten querystring entity flags in sapi/fpm/fpm/fpmstatus.c. - CVE-2026-6735...
K000161227: PHP vulnerability CVE-2016-4473
Security Advisory Description /ext/phar/pharobject.c in PHP 7.0.7 and 5.6.x allows remote attackers to execute arbitrary code. NOTE: Introduced as part of an incomplete fix to CVE-2015-6833. CVE-2016-4473 Impact There is no impact; F5 products are not affected by this vulnerability. Security...
WordPress Custom CSS JS PHP plugin <= 2.0.7 - Unauthenticated SQL Injection to RCE vulnerability
Unauthenticated SQL Injection to RCE vulnerability discovered by John Umoru in WordPress Plugin Custom css-js-php versions = 2.0.7...
BIT-PHP-MIN-2026-7259 Null pointer dereference in php_mb_check_encoding() via mb_ereg_search_init()
In PHP versions 8.2. before 8.2.31, 8.3. before 8.3.31, 8.4. before 8.4.21, and 8.5. before 8.5.6, a mismatch between encoding lists in Oniguruma and mbfl leads to a NULL pointer dereference, resulting in a segmentation fault and denial of service. The vulnerability is exploitable when...
BIT-PHP-MIN-2026-7258 Out-of-bounds read in urldecode() on NetBSD
In PHP versions 8.2. before 8.2.31, 8.3. before 8.3.31, 8.4. before 8.4.21, and 8.5. before 8.5.6, some functions, including urldecode, pass signed char to ctype functions like isxdigit. On the systems with default signed char and optimized table-lookup ctype functions - such as NetBSD - this can...
BIT-PHP-2026-7263 DoS attack via DOMNode::C14N()
In PHP versions 8.4. before 8.4.21 and 8.5. before 8.5.6, DOMNode::C14N method may process the XML data incorrectly, causing a circular linked list in the data structure representing the XML document. This may cause subsequent processing of the XML document to enter infinite loop, causing denial ...
BIT-PHP-2026-7262 NULL pointer dereference in SOAP apache:Map decoder with missing <value>
In PHP versions 8.2. before 8.2.31, 8.3. before 8.3.31, 8.4. before 8.4.21, and 8.5. before 8.5.6, when a SOAP server has a typemap configured, the decoding process contains a mistake which checks the wrong variable in case of missing value element. This leads to dereferences a NULL pointer,...
BIT-PHP-2026-6735 XSS within PHP-FPM status endpoint
In PHP versions 8.2. before 8.2.31, 8.3. before 8.3.31, 8.4. before 8.4.21, 8.5. before 8.5.6, due to improper sanitation of user data, it allows an attacker to compose an URL, which will cause the target to execute arbitrary JavaScript code XSS on the target's machine when the target is viewing...
BIT-PHP-2026-6722 Use-After-Free in SOAP using Apache map
In PHP versions 8.2. before 8.2.31, 8.3. before 8.3.31, 8.4. before 8.4.21, and 8.5. before 8.5.6, the SOAP extension's object deduplication mechanism stores pointers to PHP objects in a global map without incrementing their reference counts. When an apache:Map node contains duplicate keys,...
BIT-PHP-2026-6104 Global buffer over-read in mb_convert_encoding() with attacker-supplied encoding
In PHP versions 8.4. before 8.4.21 and 8.5. before 8.5.6, when an encoding name containing an embedded NUL byte is passed to mbconvertencoding or related mbstring functions, the code incorrectly assumes that when strncasecmp returns 0 it means the strings have the same length. This can lead to...
BIT-PHP-MIN-2025-14179 SQL injection in pdo_firebird via NUL bytes in quoted strings
In PHP versions 8.2. before 8.2.31, 8.3. before 8.3.31, 8.4. before 8.4.21, and 8.5. before 8.5.6, the PDO Firebird driver improperly handles NUL bytes when preparing SQL queries. During token-by-token query construction, a string token containing a NUL byte is copied via strncat, which stops at...
BIT-PHP-2025-14179 SQL injection in pdo_firebird via NUL bytes in quoted strings
In PHP versions 8.2. before 8.2.31, 8.3. before 8.3.31, 8.4. before 8.4.21, and 8.5. before 8.5.6, the PDO Firebird driver improperly handles NUL bytes when preparing SQL queries. During token-by-token query construction, a string token containing a NUL byte is copied via strncat, which stops at...
BIT-LIBPHP-2026-7568 Signed integer overflow in metaphone()
In PHP versions 8.2. before 8.2.31, 8.3. before 8.3.31, 8.4. before 8.4.21, and 8.5. before 8.5.6, the metaphone function in ext/standard/metaphone.c uses a signed int variable to track the current position within the input string. If a string longer than 2,147,483,647 bytes is passed, a signed...
BIT-LIBPHP-2026-7263 DoS attack via DOMNode::C14N()
In PHP versions 8.4. before 8.4.21 and 8.5. before 8.5.6, DOMNode::C14N method may process the XML data incorrectly, causing a circular linked list in the data structure representing the XML document. This may cause subsequent processing of the XML document to enter infinite loop, causing denial ...
BIT-LIBPHP-2026-6735 XSS within PHP-FPM status endpoint
In PHP versions 8.2. before 8.2.31, 8.3. before 8.3.31, 8.4. before 8.4.21, 8.5. before 8.5.6, due to improper sanitation of user data, it allows an attacker to compose an URL, which will cause the target to execute arbitrary JavaScript code XSS on the target's machine when the target is viewing...
BIT-LIBPHP-2026-6722 Use-After-Free in SOAP using Apache map
In PHP versions 8.2. before 8.2.31, 8.3. before 8.3.31, 8.4. before 8.4.21, and 8.5. before 8.5.6, the SOAP extension's object deduplication mechanism stores pointers to PHP objects in a global map without incrementing their reference counts. When an apache:Map node contains duplicate keys,...
BIT-LIBPHP-2026-6104 Global buffer over-read in mb_convert_encoding() with attacker-supplied encoding
In PHP versions 8.4. before 8.4.21 and 8.5. before 8.5.6, when an encoding name containing an embedded NUL byte is passed to mbconvertencoding or related mbstring functions, the code incorrectly assumes that when strncasecmp returns 0 it means the strings have the same length. This can lead to...