17 matches found

Positive Technologies
added 2026/05/16 12:0 a.m. · 13 views

PT-2026-41462

Name of the Vulnerable Software and Affected Versions: TextPattern CMS version 4.9.0-dev. Description: Authenticated attackers can achieve remote code execution by exploiting the plugin upload functionality. The process involves authenticating, retrieving a CSRF token from the plugin event page, and...

CVSS 8.8 · AI score 6.5 · EPSS 0.00315
Exploits 0 · References 6

EUVD
added 2026/05/08 9:50 p.m. · 8 views

EUVD-2026-28830

Emlog is an open source website building system. Prior to version 2.6.11, insecure plugin upload functionality allows attackers to upload and execute arbitrary PHP code, leading to complete server compromise and persistent backdoor installation. This issue has been patched in version 2.6.11...

AI score 6 · EPSS 0.00276
Exploits 0 · References 1

EUVD
added 2026/04/27 3:9 p.m. · 2 views

EUVD-2026-25866

ProjeQtor versions 7.0 through 12.4.3 contain a ZipSlip path traversal vulnerability in the plugin upload functionality that allows authenticated attackers with upload permissions to write files outside the intended extraction directory by crafting ZIP archives with directory traversal sequences...

CVSS 8.8 · AI score 6.4 · EPSS 0.01081
Exploits 0 · References 4

Positive Technologies
added 2026/04/27 12:0 a.m. · 2 views

PT-2026-35442

ProjeQtor versions 7.0 through 12.4.3 contain a ZipSlip path traversal vulnerability in the plugin upload functionality that allows authenticated attackers with upload permissions to write files outside the intended extraction directory by crafting ZIP archives with directory traversal sequences...

CVSS 8.8 · AI score 6.4 · EPSS 0.01081
Exploits 0 · References 5

VulnCheck KEV
added 2026/04/15 12:0 a.m. · 18 views

VulnCheck KEV: CVE-2018-14028

In WordPress 4.9.7, plugins uploaded via the admin area are not verified as being ZIP files. This allows for PHP files to be uploaded. Once a PHP file is uploaded, the plugin extraction fails, but the PHP file remains in a predictable wp-content/uploads location, allowing for an attacker to then...

CVSS 7.2 · AI score 6 · EPSS 0.17722
In wild · Exploits 0 · References 2

EUVD
added 2026/04/04 6:4 a.m. · 3 views

EUVD-2026-18793

Budibase: Path traversal in plugin file upload enables arbitrary directory deletion and file write...

CVSS 8.7 · AI score 6 · EPSS 0.00554
Exploits 1 · References 5

Positive Technologies
added 2026/04/03 12:0 a.m. · 2 views

PT-2026-30191

Name of the Vulnerable Software and Affected Versions: Budibase versions prior to 3.33.4. Description: Budibase is an open-source low-code platform. The plugin file upload endpoint, "/api/plugin/upload", passes user-supplied filenames directly to the createTempFolder function without sanitizing pa...

CVSS 8.7 · AI score 6 · EPSS 0.00554
Exploits 1 · References 9

CNNVD
added 2026/04/03 12:0 a.m. · 5 views

Budibase Path Traversal Vulnerability

Budibase is an open-source low-code platform developed by Budibase in the UK. It allows for the creation of internal applications, workflows, and management panels within minutes. Versions of Budibase prior to 3.33.4 contained a path traversal vulnerability. This vulnerability stemmed from a lack...

CVSS 8.7 · AI score 5.8 · EPSS 0.00554
Exploits 1 · References 4

Veracode
added 2026/01/28 8:31 a.m. · 8 views

Arbitrary File Write

Shopware is vulnerable to Arbitrary file write. The vulnerability is due to insufficient validation of uploaded plugin files, which allows an attacker to write files to arbitrary directories and upload a PHP shell, resulting in persistent shell access on on-premises installations...

AI score 6
Exploits 0

CNNVD
added 2025/11/04 12:0 a.m. · 4 views

WordPress plugin Multiple Products Security Vulnerability

WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a set of blogging platforms developed using the PHP language. WordPress is a blogging platform developed using the PHP language, which provides the ability to host personal blog sites on PHP and MySQL-based...

CVSS 8.8 · AI score 7.4 · EPSS 0.00546
Exploits 0 · References 5

Positive Technologies
added 2025/09/19 12:0 a.m. · 4 views

PT-2025-38614

Name of the Vulnerable Software and Affected Versions: Mattermost versions 10.8.x through 10.8.3; Mattermost versions 10.5.x through 10.5.8; Mattermost versions 9.11.x through 9.11.17; Mattermost versions 10.10.x through 10.10.1; Mattermost versions 10.9.x through 10.9.3; Mattermost versions prior to...

CVSS 9.9 · AI score 7.6 · EPSS 0.02829
Exploits 11 · References 58

Tenable Nessus
added 2025/08/27 12:0 a.m. · 3 views

Linux Distros Unpatched Vulnerability : CVE-2018-14028

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - In WordPress 4.9.7, plugins uploaded via the admin area are not verified as being ZIP files. This allows for PHP files to be uploaded. Once a PHP file is...

CVSS 7.2 · AI score 7.6 · EPSS 0.17722
Exploits 0 · References 3

CNNVD
added 2025/07/10 12:0 a.m. · 2 views

ProcessMaker Code Issue Vulnerability

ProcessMaker is a PHP-based site builder for business process management (BPM) and workflow management from ProcessMaker Inc. in the United States. A security vulnerability exists in ProcessMaker versions prior to 3.5.4 that stems from improper handling of plugin uploads, which could lead to remo...

CVSS 8.6 · AI score 7.6 · EPSS 0.01029
Exploits 0 · References 8

Positive Technologies
added 2021/07/06 12:0 a.m. · 3 views

PT-2021-3849 · Phplist · Phplist

Name of the Vulnerable Software and Affected Versions: phplist version 3.5.1 Description: The issue is related to a lack of restrictions on file uploads in the phplist application, which can be exploited by uploading a malicious plugin containing PHP files with certain extensions, such as PHP,...

CVSS 9.8 · AI score 9.8 · EPSS 0.0289
Exploits 1 · References 9

CNNVD
added 2021/01/13 12:0 a.m. · 2 views

Nagios XI OS Command Injection Vulnerability

Nagios XI is a commercial monitoring solution built on Nagios Core, including dashboards, web-based configuration, advanced reporting and rich data visualization. A remote code execution vulnerability exists in the "Manage Plugins" page in Nagios XI versions prior to 5.8.0. The vulnerability stem...

CVSS 9 · AI score 7.7 · EPSS 0.81915
Exploits 7 · References 10

OSV
added 2018/08/10 4:29 p.m. · 2 views

DEBIAN-CVE-2018-14028

In WordPress 4.9.7, plugins uploaded via the admin area are not verified as being ZIP files. This allows for PHP files to be uploaded. Once a PHP file is uploaded, the plugin extraction fails, but the PHP file remains in a predictable wp-content/uploads location, allowing for an attacker to then...

CVSS 7.2 · AI score 7.5 · EPSS 0.17722
Exploits 0 · References 1

OSV
added 2018/08/10 4:29 p.m. · 2 views

UBUNTU-CVE-2018-14028

In WordPress 4.9.7, plugins uploaded via the admin area are not verified as being ZIP files. This allows for PHP files to be uploaded. Once a PHP file is uploaded, the plugin extraction fails, but the PHP file remains in a predictable wp-content/uploads location, allowing for an attacker to then...

CVSS 7.2 · AI score 7.3 · EPSS 0.17722
Exploits 0 · References 5