Malicious code in intercom-php (Packagist)

--- -= Per source details. Do not edit below this line.=- Source: google-open-source-security 0bd33abd6fda35e856f8346fda5e85913ce2cad6b4d6c315a2e7138b867760aa This package is malicious and was compromised as part of the Mini Shai-Hulud campaign by the TeamPCP threat actor. The malicious payload...

MAL-2026-3637 Malicious code in intercom-php (Packagist)

--- -= Per source details. Do not edit below this line.=- Source: google-open-source-security 0bd33abd6fda35e856f8346fda5e85913ce2cad6b4d6c315a2e7138b867760aa This package is malicious and was compromised as part of the Mini Shai-Hulud campaign by the TeamPCP threat actor. The malicious payload...

PT-2026-40811

Name of the Vulnerable Software and Affected Versions CubeCart versions prior to 6.7.0 Description An authenticated arbitrary file upload flaw exists in the REST API File Manager endpoint "POST /api/v1/files". Users possessing an API key with files:rw permissions can upload PHP source files to th...

Flight SQL注入漏洞

Flight is a PHP microframework developed by Mike Cao. Versions of Flight prior to 3.18.1 contained an SQL injection vulnerability. This vulnerability occurred because the methods SimplePdo::insert, SimplePdo::update, and SimplePdo::delete directly concatenated the $table parameter and the keys fr...

CubeCart 代码注入漏洞

CubeCart is an open-source e-commerce software developed by CubeCart. Prior to version 6.7.3, there was a code injection vulnerability in CubeCart. This vulnerability stemmed from administrators with document editing privileges being able to save raw PHP code in the invoice editor. As a result,...

PT-2026-40618

Easy2Pilot 7 contains a cross-site request forgery vulnerability that allows attackers to add unauthorized user accounts by tricking authenticated administrators into visiting malicious pages. Attackers can craft HTML forms targeting the admin.php?action=add user endpoint with POST requests...

PT-2026-40565

Name of the Vulnerable Software and Affected Versions coreActivity: Activity Logging for WordPress versions prior to 3.1 Description The plugin is susceptible to PHP Object Injection, a condition where untrusted data is passed to a deserialization function, potentially allowing the execution of...

WordPress plugin coreActivity 代码问题漏洞

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application extension. There we...

Ninja Forms Uploads - Unauthenticated PHP File Upload

Exploit Title: Ninja Forms Uploads - Unauthenticated PHP File Upload Date: 2026-04-09 Exploit Author: Sélim Lanouar @whattheslime Vendor Homepage: https://ninjaforms.com/ Software Link: https://ninjaforms.com/extensions/file-uploads/ Version: 3.3.24 Tested on: WordPress 6.9.3 on Apache and Nginx...

CVE-2026-42289 ChurchCRM: Cross-Site Request Forgery (CSRF) Leading to Admin Privilege Escalation

ChurchCRM is an open-source church management system. Prior to 7.3.2, UserEditor.php processes user account creation and permission updates entirely through $POST parameters with no CSRF token validation. An unauthenticated attacker can craft a malicious HTML page that, when visited by an...

CVE-2026-44262

CVE-2026-44262 affects dedoc/scramble (Laravel API documentation generator) versions 0.13.2–0.13.21. The vulnerability arises when publicly accessible docs endpoints evaluate user-controlled input via NodeRulesEvaluator::doEvaluateExpression(), which may evaluate request data and execute arbitrar...

CLSA-2026-1778603120 Fix CVE(s): CVE-2026-6735

SECURITY UPDATE: XSS in PHP-FPM status endpoint - debian/patches/CVE-2026-6735.patch: HTML-encode proc.requesturi and tighten querystring entity flags in sapi/fpm/fpm/fpmstatus.c. - CVE-2026-6735...

K000161227: PHP vulnerability CVE-2016-4473

Security Advisory Description /ext/phar/pharobject.c in PHP 7.0.7 and 5.6.x allows remote attackers to execute arbitrary code. NOTE: Introduced as part of an incomplete fix to CVE-2015-6833. CVE-2016-4473 Impact There is no impact; F5 products are not affected by this vulnerability. Security...

WordPress Custom CSS JS PHP plugin <= 2.0.7 - Unauthenticated SQL Injection to RCE vulnerability

Unauthenticated SQL Injection to RCE vulnerability discovered by John Umoru in WordPress Plugin Custom css-js-php versions = 2.0.7...

BIT-PHP-MIN-2026-7259 Null pointer dereference in php_mb_check_encoding() via mb_ereg_search_init()

In PHP versions 8.2. before 8.2.31, 8.3. before 8.3.31, 8.4. before 8.4.21, and 8.5. before 8.5.6, a mismatch between encoding lists in Oniguruma and mbfl leads to a NULL pointer dereference, resulting in a segmentation fault and denial of service. The vulnerability is exploitable when...

BIT-PHP-MIN-2026-7258 Out-of-bounds read in urldecode() on NetBSD

In PHP versions 8.2. before 8.2.31, 8.3. before 8.3.31, 8.4. before 8.4.21, and 8.5. before 8.5.6, some functions, including urldecode, pass signed char to ctype functions like isxdigit. On the systems with default signed char and optimized table-lookup ctype functions - such as NetBSD - this can...

BIT-PHP-2026-7263 DoS attack via DOMNode::C14N()

In PHP versions 8.4. before 8.4.21 and 8.5. before 8.5.6, DOMNode::C14N method may process the XML data incorrectly, causing a circular linked list in the data structure representing the XML document. This may cause subsequent processing of the XML document to enter infinite loop, causing denial ...

BIT-PHP-2026-7262 NULL pointer dereference in SOAP apache:Map decoder with missing <value>

In PHP versions 8.2. before 8.2.31, 8.3. before 8.3.31, 8.4. before 8.4.21, and 8.5. before 8.5.6, when a SOAP server has a typemap configured, the decoding process contains a mistake which checks the wrong variable in case of missing value element. This leads to dereferences a NULL pointer,...

BIT-PHP-2026-6735 XSS within PHP-FPM status endpoint

In PHP versions 8.2. before 8.2.31, 8.3. before 8.3.31, 8.4. before 8.4.21, 8.5. before 8.5.6, due to improper sanitation of user data, it allows an attacker to compose an URL, which will cause the target to execute arbitrary JavaScript code XSS on the target's machine when the target is viewing...

BIT-PHP-2026-6722 Use-After-Free in SOAP using Apache map

In PHP versions 8.2. before 8.2.31, 8.3. before 8.3.31, 8.4. before 8.4.21, and 8.5. before 8.5.6, the SOAP extension's object deduplication mechanism stores pointers to PHP objects in a global map without incrementing their reference counts. When an apache:Map node contains duplicate keys,...