CVE-2026-40488

OpenMage LTS (Magento LTS) before 20.17.0 uses an incomplete blocklist (forbidden_extensions = php,exe) for custom option file uploads. This can be bypassed by using alternative PHP executable extensions such as .phtml, .phar, .php3, .php4, .php5, .php7, and .pht, allowing files to be uploaded to...

SUSE CVE-2014-2527

kcleanup.cpp in KDirStat 2.7.0 does not properly quote strings when deleting a directory, which allows remote attackers to execute arbitrary commands via a " double quote character in the directory name, a different vulnerability than CVE-2014-2528...