Lucene search
K

202 matches found

EUVD
EUVD
added last week5 views

EUVD-2026-42054

Vtiger CRM through 8.4.0 contains an authenticated remote code execution vulnerability in the admin module import feature that allows administrator-level attackers to upload arbitrary PHP files by submitting a crafted zip archive through the ModuleManager import function, which extracts contents...

8.6CVSS6.7AI score0.00867EPSS
Exploits2References3
OSV
OSV
added 2026/07/02 8:46 p.m.2 views

GHSA-MM6C-5J6X-HQ8M Algernon vulnerable to server-side script source disclosure on Windows via NTFS filename

Summary Algernon selects its file handler from filepath.Ext engine/handlers.go:134, which does not treat the NTFS-equivalent names x.lua::$DATA, x.lua., or x.lua as .lua. On Windows, an unauthenticated client appends one of these suffixes to any server-side script on a public path and receives it...

8.7CVSS5.9AI score0.00077EPSS
Exploits0References2
ATTACKERKB
ATTACKERKB
added 2026/07/01 4:24 p.m.8 views

CVE-2026-34117

Guardian language-system passes the id GET parameter directly into a PHP exec call in texttosubtitles.php line 19 without sanitization: exec"php jobs/texttosubtitles.php ".$loginsession." ".$GET'id'." ...". No authentication is required. An unauthenticated remote attacker can append shell...

9.8CVSS6.1AI score0.00537EPSS
Exploits0References3
EUVD
EUVD
added 2026/06/29 12:30 p.m.8 views

EUVD-2026-40083

FrontAccounting before 2.4.20 contains a path traversal vulnerability in the attachment upload handler that allows authenticated attackers to execute arbitrary code by uploading files with traversal sequences in the uniquename parameter. Attackers can supply path traversal sequences...

8.8CVSS6.6AI score0.00627EPSS
Exploits0References4
Cvelist
Cvelist
added 2026/06/02 10:27 a.m.50 views

CVE-2025-58705 WordPress Crafti theme <= 1.12 - Local File Inclusion vulnerability

Improper Control of Filename for Include/Require Statement in PHP Program 'PHP Remote File Inclusion' vulnerability in Axiomthemes Crafti allows PHP Local File Inclusion. This issue affects Crafti: from n/a through 1.12...

8.1CVSS0.00415EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/05/30 2:55 p.m.43 views

CVE-2018-25409 SIM-PKH 2.4.1 Arbitrary File Upload via aksi_pengurus.php

SIM-PKH 2.4.1 contains an arbitrary file upload vulnerability that allows authenticated attackers to upload malicious files by submitting PHP code through the fupload parameter. Attackers can upload PHP files via the aksipengurus.php endpoint with module=pengurus and act=update parameters, which...

8.8CVSS0.00325EPSS
Exploits0References4
Vulnrichment
Vulnrichment
added 2026/05/27 6:29 p.m.16 views

CVE-2026-42879 FacturaScripts: Authenticated Remote Code Execution (RCE) via GIF Image Upload in Product Images

FacturaScripts is an open source accounting and invoicing software. In 2025.81 and earlier, an authenticated unrestricted file upload vulnerability exists in FacturaScripts' product image upload functionality. An attacker with valid credentials can upload a PHP file disguised as a GIF image using...

6.3CVSS5.8AI score0.00229EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2026/05/27 6:29 p.m.11 views

CVE-2026-42879

FacturaScripts is an open source accounting and invoicing software. In 2025.81 and earlier, an authenticated unrestricted file upload vulnerability exists in FacturaScripts' product image upload functionality. An attacker with valid credentials can upload a PHP file disguised as a GIF image using...

6.3CVSS5.8AI score0.00229EPSS
Exploits0References2Affected Software1
RedhatCVE
RedhatCVE
added 2026/05/13 2:21 p.m.14 views

CVE-2023-27753

An arbitrary file upload vulnerability in MK-Auth 23.01K4.9 allows attackers to execute arbitrary code via uploading a crafted PHP file...

8CVSS6.2AI score0.00332EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/05/12 12:0 a.m.26 views

CVE-2023-27753

An arbitrary file upload vulnerability in MK-Auth 23.01K4.9 allows attackers to execute arbitrary code via uploading a crafted PHP file...

0.00332EPSS
Exploits0References2
CVE
CVE
added 2026/05/08 12:0 a.m.84 views

CVE-2025-67886

CVE-2025-67886 affects Bitrix24 up to version 25.100.300, with the vulnerability residing in the Translate Module. An actor with SOURCE/WRITE permissions can upload an archive containing a PHP file and a crafted .htaccess, which then leads to remote code execution after extraction. Exploitation d...

6.3CVSS6AI score0.01028EPSS
Exploits3References6
CNNVD
CNNVD
added 2026/04/28 12:0 a.m.11 views

Creative Ad Agent 路径遍历漏洞

Creative Ad Agent is an AI-based advertising creative generation tool developed by DV Personal Developer. Creative Ad Agent has a path traversal vulnerability. This vulnerability stems from the operation of the server/sdk-server.ts file in the creative-ad-agent-server component, where unknown...

6.9CVSS6AI score0.00479EPSS
Exploits0References2
NVD
NVD
added 2026/04/22 7:17 p.m.7 views

CVE-2026-34415

Xerte Online Toolkits versions 3.15 and earlier contain an incomplete input validation vulnerability in the elFinder connector endpoint that fails to block PHP-executable extensions .php4 due to an incorrect regex pattern. Unauthenticated attackers can exploit this flaw combined with authenticati...

9.8CVSS0.03575EPSS
Exploits2References8
CNNVD
CNNVD
added 2026/03/31 12:0 a.m.11 views

WWBN AVideo 跨站请求伪造漏洞

WWBN AVideo is a video platform building system developed by the WWBN team using PHP. Versions of WWBN AVideo prior to 26.0 contained a cross-site request forgeing vulnerability. This vulnerability stemmed from the lack of CSRF token validation on the objects/emailAllUsers.json.php endpoint, whic...

6.5CVSS5.9AI score0.00157EPSS
Exploits1References2
RedhatCVE
RedhatCVE
added 2026/03/26 3:0 p.m.4 views

CVE-2026-33647

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the ImageGallery::saveFile method validates uploaded file content using finfo MIME type detection but derives the saved filename extension from the user-supplied original filename without an allowlist check. An...

8.8CVSS5.8AI score0.00639EPSS
Exploits1References1
ATTACKERKB
ATTACKERKB
added 2026/03/11 6:23 p.m.4 views

CVE-2019-25480

ARMBot contains an unrestricted file upload vulnerability in upload.php that allows unauthenticated attackers to upload arbitrary files by manipulating the file parameter with path traversal sequences. Attackers can upload PHP files with traversal payloads ../publichtml/ to write executable code ...

8.7CVSS6.1AI score0.00717EPSS
Exploits0References2
RedhatCVE
RedhatCVE
added 2026/03/06 7:53 a.m.5 views

CVE-2026-22410

Improper Control of Filename for Include/Require Statement in PHP Program 'PHP Remote File Inclusion' vulnerability in Mikado-Themes Dolcino dolcino allows PHP Local File Inclusion.This issue affects Dolcino: from n/a through = 1.6...

8.1CVSS5.8AI score0.00504EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/03/03 1:48 a.m.5 views

CVE-2026-26713

code-projects Simple Food Order System v1.0 is vulnerable to SQL Injection in /food/routers/cancel-order.php...

9.8CVSS6AI score0.0033EPSS
Exploits1References1
EUVD
EUVD
added 2026/02/27 9:49 p.m.12 views

EUVD-2026-9079

WeGIA is a web manager for charitable institutions. Prior to version 3.6.5, the script in adicionartipodocsatendido.php does not go through the project's central controller and does not have its own authentication and permission checks. A malicious user could make a request through tools like...

9.8CVSS6AI score0.00514EPSS
Exploits1References1
Cvelist
Cvelist
added 2026/02/20 3:47 p.m.22 views

CVE-2026-22370 WordPress Marveland theme <= 1.3.0 - Local File Inclusion vulnerability

Improper Control of Filename for Include/Require Statement in PHP Program 'PHP Remote File Inclusion' vulnerability in axiomthemes Marveland marveland allows PHP Local File Inclusion.This issue affects Marveland: from n/a through = 1.3.0...

8.1CVSS0.00412EPSS
Exploits0References1
Rows per page
Query Builder