Lucene search
K

130 matches found

CVE
CVE
added yesterday12 views

CVE-2026-57793

CVE-2026-57793 affects the Flow WordPress theme by Elated-Themes. The issue is an improper filename control in Include/Require statements, resulting in a PHP Local File Inclusion (LFI). Affected versions are Flow:

7.5CVSS6.1AI score0.00496EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 5 days ago6 views

CVE-2026-59856

Vim is an open source, command line text editor. Prior to 9.2.0736, the PHP omni-completion script in runtime/autoload/phpcomplete.vim interpolates a class or trait name, taken from the contents of the edited buffer, into a search pattern that is run via winexecute without escaping. A name...

8.4CVSS6.2AI score0.00169EPSS
Exploits1References3Affected Software1
Positive Technologies
Positive Technologies
added 2026/07/02 12:0 a.m.15 views

PT-2026-55289

Name of the Vulnerable Software and Affected Versions Cockpit CMS versions prior to 364 Description Unauthenticated attackers can read arbitrary files or execute PHP files due to a path traversal and local file inclusion issue. The application fails to perform containment checks when constructing...

8.2CVSS6.1AI score0.00406EPSS
Exploits0References11
CVE
CVE
added 2026/07/01 4:21 p.m.12 views

CVE-2026-34113

CVE-2026-34113 : Guardian language-system is vulnerable to unauthenticated OS command injection via the id GET parameter in speech_text.php. The code passes the parameter directly into an exec() call: exec("php jobs/speech_audio_text.php "+login_session+" "+$_GET['id']+" ..."), allowing an attack...

9.8CVSS6.1AI score0.00537EPSS
Exploits0References2
NVD
NVD
added 2026/06/26 2:16 a.m.8 views

CVE-2026-8661

Server-Side Cross-Site Scripting and Server-Side Request Forgery vulnerability in the markdowntopdf action of Rapid7 InsightConnect Markdown Plugin version 3.1.4 and earlier on Linux allows remote attackers to execute JavaScript server-side and make arbitrary outbound HTTP requests via crafted...

4.8CVSS0.00254EPSS
Exploits0References2
CVE
CVE
added 2026/06/26 1:59 a.m.27 views

CVE-2026-8661

CVE-2026-8661 affects the Rapid7 InsightConnect Markdown Plugin (Linux) up to version 3.1.4. The vulnerability is in the markdown_to_pdf action and combines Server-Side Scripting (XSS) with Server-Side Request Forgery (SSRF). It allows remote attackers to execute JavaScript server-side and to tri...

4.8CVSS6.2AI score0.00254EPSS
Exploits0References2
Cvelist
Cvelist
added 2026/06/26 1:59 a.m.40 views

CVE-2026-8661 Server-Side Cross-Site Scripting and SSRF in Rapid7 InsightConnect Markdown to PDF Plugin

Server-Side Cross-Site Scripting and Server-Side Request Forgery vulnerability in the markdowntopdf action of Rapid7 InsightConnect Markdown Plugin version 3.1.4 and earlier on Linux allows remote attackers to execute JavaScript server-side and make arbitrary outbound HTTP requests via crafted...

4.8CVSS0.00254EPSS
Exploits0References2
EUVD
EUVD
added 2026/06/26 1:59 a.m.10 views

EUVD-2026-39616

Server-Side Cross-Site Scripting and Server-Side Request Forgery vulnerability in the markdowntopdf action of Rapid7 InsightConnect Markdown Plugin version 3.1.4 and earlier on Linux allows remote attackers to execute JavaScript server-side and make arbitrary outbound HTTP requests via crafted...

4.8CVSS6.2AI score0.00254EPSS
Exploits0References2
NVD
NVD
added 2026/06/05 7:16 p.m.15 views

CVE-2026-46399

HAX CMS helps manage microsite universe with PHP or NodeJs backends. The PHP version of HAX CMS prior to version 26.0.0 has an authenticated file overwrite vulnerability. An attacker can exploit this vulnerability to configure malicious Git filter commands and achieve code execution on the HAX CM...

9.4CVSS0.00291EPSS
Exploits0References1
NVD
NVD
added 2026/05/26 5:16 p.m.28 views

CVE-2026-48126

Algernon is a small self-contained pure-Go web server. Prior to 1.17.8, when algernon is started with --domain or --letsencrypt, which silently turns on --domain at engine/flags.go:372, the request handler resolves the served directory by joining the configured --dir with the value of the...

8.2CVSS0.00335EPSS
Exploits0References1
CNNVD
CNNVD
added 2026/05/10 12:0 a.m.12 views

PHP 安全漏洞

PHP is an open-source scripting language executed on the server side. Versions of PHP prior to 8.4.21 and 8.5.6 contained security vulnerabilities. These vulnerabilities stemmed from the DOMNode::C14N method, which might improperly handle XML data, causing a circular linked list to be formed in t...

7.5CVSS5.8AI score0.00353EPSS
Exploits0References1
Github Security Blog
Github Security Blog
added 2026/04/16 9:25 p.m.10 views

WWBN AVideo: RCE cause by clonesite plugin

Description Summary The cloneServer.json.php endpoint in the CloneSite plugin constructs shell commands using user-controlled input url parameter without proper sanitization. The input is directly concatenated into a wget command executed via exec, allowing command injection. An attacker can inje...

9.8CVSS6.2AI score0.02221EPSS
Exploits1References4Affected Software1
Positive Technologies
Positive Technologies
added 2026/04/02 12:0 a.m.6 views

PT-2026-29870

The Hytale Modding Wiki is a free service for Hytale mods to host their documentation & wikis. In version 1.2.0 and prior, the quickUpload endpoint validates uploaded files by checking their MIME type via PHP's finfo, which inspects file contents but constructs the stored filename using the...

8.7CVSS6AI score0.00306EPSS
Exploits0References3
RedhatCVE
RedhatCVE
added 2026/03/26 2:57 p.m.5 views

CVE-2026-22248

GLPI is an open-source asset and IT management software package that provides ITIL Service Desk features, licenses tracking and software auditing. From 11.0.0 to before 11.0.5, an authenticated technician user can upload a malicious file and trigger its execution through an unsafe PHP...

8.8CVSS6AI score0.00315EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 2026/03/25 12:0 a.m.6 views

PT-2026-27816

Name of the Vulnerable Software and Affected Versions Elated-Themes Gaspard versions n/a through 1.3 Description A flaw exists in the handling of filenames for Include/Require statements within a PHP program, specifically a PHP Remote File Inclusion issue in Elated-Themes Gaspard. This allows for...

8.1CVSS5.9AI score0.00504EPSS
Exploits0References3
EUVD
EUVD
added 2026/03/24 3:21 p.m.6 views

EUVD-2026-14175

Vikunja is an open-source self-hosted task management platform. Starting in version 1.0.0-rc0 and prior to version 2.2.0, unbounded image decoding and resizing during preview generation lets an attacker exhaust CPU and memory with highly compressed but extremely large-dimension images. Version...

10CVSS5.8AI score0.13266EPSS
Exploits4References14
RedhatCVE
RedhatCVE
added 2026/03/06 7:53 a.m.4 views

CVE-2026-22412

Improper Control of Filename for Include/Require Statement in PHP Program 'PHP Remote File Inclusion' vulnerability in Mikado-Themes Eona eona allows PHP Local File Inclusion.This issue affects Eona: from n/a through = 1.3...

8.1CVSS5.8AI score0.00504EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/03/06 7:52 a.m.4 views

CVE-2026-22387

Improper Control of Filename for Include/Require Statement in PHP Program 'PHP Remote File Inclusion' vulnerability in Mikado-Themes Aviana aviana allows PHP Local File Inclusion.This issue affects Aviana: from n/a through = 2.1...

8.1CVSS5.8AI score0.00504EPSS
Exploits0References1
EUVD
EUVD
added 2026/03/05 6:30 a.m.4 views

EUVD-2026-9608

Improper Control of Filename for Include/Require Statement in PHP Program 'PHP Remote File Inclusion' vulnerability in AncoraThemes Ekoterra - NonProfit, Green Energy & Ecology Theme ekoterra allows PHP Local File Inclusion.This issue affects Ekoterra - NonProfit, Green Energy & Ecology Theme: fr...

5.9AI score0.00403EPSS
Exploits0References2
CVE
CVE
added 2026/03/05 5:54 a.m.21 views

CVE-2026-28119

CVE-2026-28119 is a Local File Inclusion vulnerability affecting WordPress Nirvana theme (

8.1CVSS5.9AI score0.00327EPSS
Exploits0References1
Rows per page
Query Builder