CVE-2026-48126

Algernon is a small self-contained pure-Go web server. Prior to 1.17.8, when algernon is started with --domain or --letsencrypt, which silently turns on --domain at engine/flags.go:372, the request handler resolves the served directory by joining the configured --dir with the value of the...

PHP 安全漏洞

PHP is an open-source scripting language executed on the server side. Versions of PHP prior to 8.4.21 and 8.5.6 contained security vulnerabilities. These vulnerabilities stemmed from the DOMNode::C14N method, which might improperly handle XML data, causing a circular linked list to be formed in t...

WWBN AVideo: RCE cause by clonesite plugin

Description Summary The cloneServer.json.php endpoint in the CloneSite plugin constructs shell commands using user-controlled input url parameter without proper sanitization. The input is directly concatenated into a wget command executed via exec, allowing command injection. An attacker can inje...

PT-2026-29870

The Hytale Modding Wiki is a free service for Hytale mods to host their documentation & wikis. In version 1.2.0 and prior, the quickUpload endpoint validates uploaded files by checking their MIME type via PHP's finfo, which inspects file contents but constructs the stored filename using the...

CVE-2026-22248

GLPI is an open-source asset and IT management software package that provides ITIL Service Desk features, licenses tracking and software auditing. From 11.0.0 to before 11.0.5, an authenticated technician user can upload a malicious file and trigger its execution through an unsafe PHP...

PT-2026-27816

Name of the Vulnerable Software and Affected Versions Elated-Themes Gaspard versions n/a through 1.3 Description A flaw exists in the handling of filenames for Include/Require statements within a PHP program, specifically a PHP Remote File Inclusion issue in Elated-Themes Gaspard. This allows for...

EUVD-2026-14175

Vikunja is an open-source self-hosted task management platform. Starting in version 1.0.0-rc0 and prior to version 2.2.0, unbounded image decoding and resizing during preview generation lets an attacker exhaust CPU and memory with highly compressed but extremely large-dimension images. Version...

CVE-2026-22412

Improper Control of Filename for Include/Require Statement in PHP Program 'PHP Remote File Inclusion' vulnerability in Mikado-Themes Eona eona allows PHP Local File Inclusion.This issue affects Eona: from n/a through = 1.3...

CVE-2026-22387

Improper Control of Filename for Include/Require Statement in PHP Program 'PHP Remote File Inclusion' vulnerability in Mikado-Themes Aviana aviana allows PHP Local File Inclusion.This issue affects Aviana: from n/a through = 2.1...

EUVD-2026-9608

Improper Control of Filename for Include/Require Statement in PHP Program 'PHP Remote File Inclusion' vulnerability in AncoraThemes Ekoterra - NonProfit, Green Energy & Ecology Theme ekoterra allows PHP Local File Inclusion.This issue affects Ekoterra - NonProfit, Green Energy & Ecology Theme: fr...

CVE-2026-28119

CVE-2026-28119 is a Local File Inclusion vulnerability affecting WordPress Nirvana theme (

CVE-2026-22414

CVE-2026-22414 : Local File Inclusion in Mikado-Themes Marra (WordPress theme) up to version 1.2, caused by improper control of filenames used in include/require statements (PHP). Affected product: Marra theme (WordPress) <= 1.2. CVSS 3.1 indicates network attack vector, high impact on confide...

WordPress plugin Helvig 安全漏洞

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application extension. WordPres...

PT-2026-23229

Name of the Vulnerable Software and Affected Versions AncoraThemes Ekoterra - NonProfit, Green Energy & Ecology Theme versions through 1.0.0 Description The software contains a flaw related to improper control of filename handling for include/require statements, specifically a PHP Local File...

CVE-2026-22368

Improper Control of Filename for Include/Require Statement in PHP Program 'PHP Remote File Inclusion' vulnerability in axiomthemes Redy redy allows PHP Local File Inclusion.This issue affects Redy: from n/a through = 1.0.2...

CVE-2026-22369

Improper Control of Filename for Include/Require Statement in PHP Program 'PHP Remote File Inclusion' vulnerability in AncoraThemes Ironfit ironfit allows PHP Local File Inclusion.This issue affects Ironfit: from n/a through = 1.5...

WordPress plugin R&F 安全漏洞

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application extension. There is...

CVE-2026-2116

A vulnerability has been found in itsourcecode Society Management System 1.0. Impacted is an unknown function of the file /admin/editexpenses.php. Such manipulation of the argument expensesid leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to t...

EUVD-2020-30953

Koken CMS 0.22.24 contains a file upload vulnerability that allows authenticated attackers to bypass file extension restrictions by renaming malicious PHP files. Attackers can upload PHP files with system command execution capabilities by manipulating the file upload request through a web proxy a...

PT-2026-4148

Improper Control of Filename for Include/Require Statement in PHP Program 'PHP Remote File Inclusion' vulnerability in AncoraThemes uReach ureach allows PHP Local File Inclusion.This issue affects uReach: from n/a through = 1.3.3...