Lucene search

93302 matches found

ATTACKERKB
added 2026/03/26 12:27 a.m. | 5 views

CVE-2026-33942

Saloon is a PHP library that gives users tools to build API integrations and SDKs. Versions prior to 4.0.0 used PHP's unserialize in AccessTokenAuthenticator::unserialize to restore OAuth token state from cache or storage, with allowed_classes => true. An attacker who can control the serialized...

CVSS 9.3 | AI score 6.6 | EPSS 0.00622
Exploits: 0 | References: 3 | Affected Software: 1

Cvelist
added 2026/03/26 12:27 a.m. | 25 views

CVE-2026-33942 Saloon has insecure deserialization in AccessTokenAuthenticator (object injection / RCE)

Saloon is a PHP library that gives users tools to build API integrations and SDKs. Versions prior to 4.0.0 used PHP's unserialize in AccessTokenAuthenticator::unserialize to restore OAuth token state from cache or storage, with allowed_classes => true. An attacker who can control the serialized...

CVSS 9.3 | EPSS 0.00622
Exploits: 0 | References: 2

Vulnrichment
added 2026/03/26 12:27 a.m. | 5 views

CVE-2026-33942 Saloon has insecure deserialization in AccessTokenAuthenticator (object injection / RCE)

Saloon is a PHP library that gives users tools to build API integrations and SDKs. Versions prior to 4.0.0 used PHP's unserialize in AccessTokenAuthenticator::unserialize to restore OAuth token state from cache or storage, with allowed_classes => true. An attacker who can control the serialized...

CVSS 9.3 | AI score 6.5 | EPSS 0.00622
Exploits: 0 | References: 2

CNNVD
added 2026/03/26 12:0 a.m. | 7 views

Saloon Code Issue Vulnerability

Saloon is a PHP open-source API integration and SDK library developed by Saloon PHP. Versions of Saloon prior to 4.0.0 had code vulnerabilities. These vulnerabilities stemmed from the fact that when constructing the request URL, if the endpoint was a valid absolute URL, the code would ignore the...

CVSS 8.7 | AI score 5.9 | EPSS 0.0042
Exploits: 0 | References: 2

CNNVD
added 2026/03/26 12:0 a.m. | 6 views

Code-Projects Accounting System Code Injection Vulnerability

Code-Projects Accounting System is an accounting system open sourced by Code-Projects. Version 1.0 of the Code-Projects Accounting System has a code injection vulnerability. This vulnerability stems from incorrect handling of the parameter costumername in the file /myaccount/addcostumer.php, whic...

CVSS 5.1 | AI score 5.7 | EPSS 0.00195
Exploits: 0 | References: 5

CNNVD
added 2026/03/26 12:0 a.m. | 6 views

GDTaller Cross-Site Scripting Vulnerability

GDTaller is a digital certificate and electronic seal management system developed by the Spanish company GDTaller. GDTaller has a cross-site scripting vulnerability, which stems from the site parameter in the applogin.php file. Attackers can send victims a URL containing malicious scripts, causin...

CVSS 6.1 | AI score 5.9 | EPSS 0.00198
Exploits: 0 | References: 1

CNNVD
added 2026/03/26 12:0 a.m. | 11 views

Laravel-Mediable Security Vulnerability

Laravel-Mediable is a Laravel media file management package developed by Plank. Versions of Laravel-Mediable 6.4.0 and earlier contain security vulnerabilities. These vulnerabilities stem from the application accepting or favoring the MIME types provided by the client when processing file uploads...

CVSS 10 | AI score 6.2 | EPSS 0.01279
Exploits: 0 | References: 2

Positive Technologies
added 2026/03/26 12:0 a.m. | 15 views

PT-2026-28193

The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to PHP Object Injection via deserialization of the 'post_content' of admin form posts in all versions up to, and including, 3.28.31. This is due to the use of WordPress's maybe_unserialize function without class restrictions on...

CVSS 7.2 | AI score 6.2 | EPSS 0.00533
Exploits: 0 | References: 5

Positive Technologies
added 2026/03/26 12:0 a.m. | 10 views

PT-2026-28196

A flaw has been found in SourceCodester Malawi Online Market 1.0. The impacted element is an unknown function of the file /display.php. Executing a manipulation of the argument ID can lead to SQL injection. It is possible to launch the attack remotely. The exploit has been published and may be...

CVSS 7.5 | AI score 6.9 | EPSS 0.00259
Exploits: 0 | References: 6

CVE
added 2026/03/25 10:32 p.m. | 9 views

CVE-2026-4825

CVE-2026-4825 affects SourceCodester Sales and Inventory System 1.0. The vulnerability lies in the HTTP GET Parameter Handler for the file /update_sales.php, where manipulating the sid argument enables an SQL injection. The issue may be exploited remotely, and an exploit has been made public. No ...

CVSS 6.5 | AI score 6.4 | EPSS 0.00303
Exploits: 1 | References: 5 | Affected Software: 1

Github Security Blog
added 2026/03/25 9:56 p.m. | 9 views

AVideo is Vulnerable to SQL Injection through Subscribe Endpoint via Unsanitized user_id Parameter

Summary: The Subscribe::save method in objects/subscribe.php concatenates the $this->users_id property directly into an INSERT SQL query without sanitization or parameterized binding. This property originates from $_POST['user_id'] in both subscribe.json.php and subscribeNotify.json.php. An authenticate...

CVSS 7.1 | AI score 6.1 | EPSS 0.00224
Exploits: 1 | References: 4 | Affected Software: 1

OSV
added 2026/03/25 9:28 p.m. | 7 views

GHSA-8WF4-C4X3-H952 AVideo: Remote Code Execution via PHP Temp File in Encoder downloadURL

Summary: The downloadVideoFromDownloadURL function in objects/aVideoEncoder.json.php saves remote content to a web-accessible temporary directory using the original URL's filename and extension, including .php. By providing an invalid resolution parameter, an attacker triggers an early die via...

CVSS 8.8 | AI score 6.6 | EPSS 0.00395
Exploits: 1 | References: 4

Snyk
added 2026/03/25 9:28 p.m. | 0 views

Server-side Request Forgery (SSRF)

Overview: wwbn/avideo is an Audio and Video Platform or simply "A Video Platform". Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) via the streamerURL parameter in control.json.php. An attacker can gain unauthorized control over live streams by supplying a...

CVSS 9.4 | AI score 5.8 | EPSS 0.00437
Exploits: 1 | References: 2

OSV
added 2026/03/25 9:2 p.m. | 6 views

GHSA-P2GH-CFQ4-4WJC Protobuf: Denial of Service issue through malicious messages containing negative varints or deep recursion

Impact: A Denial of Service (DoS) vulnerability exists in the Protobuf PHP library during the parsing of untrusted input. Maliciously structured messages, specifically those containing negative varints or deep recursion, can be used to crash the application, impacting service availability. Patches...

CVSS 7.1 | AI score 5.8 | EPSS 0.0036
Exploits: 0 | References: 7

EUVD
added 2026/03/25 6:31 p.m. | 5 views

EUVD-2026-15787

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes Deston deston allows PHP Local File Inclusion. This issue affects Deston: from n/a through <= 1.0...

AI score 5.8 | EPSS 0.00512
Exploits: 0 | References: 2

EUVD
added 2026/03/25 6:31 p.m. | 3 views

EUVD-2026-15738

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Select-Themes Mixtape mixtape allows PHP Local File Inclusion. This issue affects Mixtape: from n/a through <= 2.1...

AI score 5.8 | EPSS 0.00403
Exploits: 0 | References: 2

EUVD
added 2026/03/25 6:31 p.m. | 7 views

EUVD-2026-15781

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes MultiOffice multioffice allows PHP Local File Inclusion. This issue affects MultiOffice: from n/a through <= 1.2...

AI score 5.8 | EPSS 0.00403
Exploits: 0 | References: 2

EUVD
added 2026/03/25 6:31 p.m. | 5 views

EUVD-2026-15689

Improper Control of Generation of Code ('Code Injection') vulnerability in Themeisle Woody ad snippets insert-php allows Code Injection. This issue affects Woody ad snippets: from n/a through <= 2.7.1...

CVSS 9.9 | AI score 5.8 | EPSS 0.00311
Exploits: 0 | References: 2

EUVD
added 2026/03/25 6:31 p.m. | 2 views

EUVD-2026-15511

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Nelson nelson allows PHP Local File Inclusion. This issue affects Nelson: from n/a through <= 1.2.0...

AI score 5.8 | EPSS 0.00504
Exploits: 0 | References: 2

EUVD
added 2026/03/25 6:31 p.m. | 4 views

EUVD-2026-15499

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Greenville greenville allows PHP Local File Inclusion. This issue affects Greenville: from n/a through <= 1.3.2...

AI score 5.8 | EPSS 0.00504
Exploits: 0 | References: 2