CVE-2026-33507

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the objects/pluginImport.json.php endpoint allows admin users to upload and install plugin ZIP files containing executable PHP code, but lacks any CSRF protection. Combined with the application explicitly setting...

CVE-2021-47758 Chikitsa Patient Management System 2.0.2 - Remote Code Execution (RCE) (Authenticated)

Chikitsa Patient Management System 2.0.2 contains an authenticated remote code execution vulnerability that allows attackers to upload malicious PHP plugins through the module upload functionality. Authenticated attackers can generate and upload a ZIP plugin with a PHP backdoor that enables...

EUVD-2021-2099

Malware in sbrugna...

CVE-2025-9079 Admin RCE via prepackaged plugins by way of misconfigured imports directory

Mattermost versions 10.8.x = 10.8.3, 10.5.x = 10.5.8, 9.11.x = 9.11.17, 10.10.x = 10.10.1, 10.9.x = 10.9.3 fail to validate import directory path configuration which allows admin users to execute arbitrary code via malicious plugin upload to prepackaged plugins directory...

CVE-2024-25291

Deskfiler v1.2.3 allows attackers to execute arbitrary code via uploading a crafted plugin...

📄 Nagios Xi 5.6.6 Remote Code Execution

Nagios Xi version 5.6.6 proof of concept authenticated remote code execution exploit. Exploit Title: Nagiosxi authenticated Remote Code Execution Date: 17/02/2024 Exploit Author: Calil Khalil Vendor Homepage: https://www.nagios.com/products/nagios-xi/ Version: Nagios Xi 5.6.6 Tested on: Ubuntu CV...

Code injection

Deskfiler v1.2.3 allows attackers to execute arbitrary code via uploading a crafted plugin...