153 matches found
EUVD-2025-35002
A vulnerability was found in ChurchCRM up to 5.18.0. This vulnerability affects unknown code of the file setup/routes/setup.php. Performing manipulation of the argument DBPASSWORD/ROOTPATH/URL results in deserialization. The attack may be initiated remotely. The attack's complexity is rated as...
CVE-2025-11938
A vulnerability was found in ChurchCRM up to 5.18.0. This vulnerability affects unknown code of the file setup/routes/setup.php. Performing a manipulation of the argument DBPASSWORD/ROOTPATH/URL results in deserialization. The attack may be initiated remotely. The attack's complexity is rated as...
CVE-2025-11938 ChurchCRM setup.php deserialization
A vulnerability was found in ChurchCRM up to 5.18.0. This vulnerability affects unknown code of the file setup/routes/setup.php. Performing a manipulation of the argument DBPASSWORD/ROOTPATH/URL results in deserialization. The attack may be initiated remotely. The attack's complexity is rated as...
ChurchCRM Code Issue Vulnerability
ChurchCRM is an open source CRM system for churches. A deserialization vulnerability exists in ChurchCRM 5.18.0 and earlier versions. The vulnerability stems from the parameter DBPASSWORD/ROOTPATH/URL in the file setup/routes/setup.php in the receipt of user-submitted serialized...
EUVD-2021-12738
Malware in sbrugna...
EUVD-2020-14552
Malware in sbrugna...
EUVD-2008-7100
Malware in sbrugna...
EUVD-2007-1238
Malware in sbrugna...
EUVD-2005-1789
Malware in sbrugna...
EUVD-2025-4552
Malicious code in bioql PyPI...
CVE-2024-6566
The Aramex Shipping WooCommerce plugin for WordPress is vulnerable to Full Path Disclosure in all versions up to, and including, 1.1.21. This is due to the plugin not preventing direct access to the composer-setup.php file, which also has display_errors enabled. This makes it possible for...
CVE-2024-25411
A cross-site scripting (XSS) vulnerability in Flatpress v1.3 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the username parameter in setup.php...
CVE-2023-22974
A Path Traversal in setup.php in OpenEMR 7.0.0 allows remote unauthenticated users to read arbitrary files by controlling a connection to an attacker-controlled MySQL server...
CVE-2014-8365
Multiple cross-site scripting (XSS) vulnerabilities in Xornic Contact Us allow remote attackers to inject arbitrary web script or HTML via the (1) name or (2) email parameter to contact.php or (3) PATH_INFO to setup.php, related to the "PHP_SELF" variable...
CVE-2024-13537
The C9 Blocks plugin for WordPress is vulnerable to Full Path Disclosure in all versions up to, and including, 1.7.7. This is due to the plugin containing a publicly accessible composer-setup.php file with error display enabled. This makes it possible for unauthenticated attackers to retrieve the fu...
CVE-2024-13537
CVE-2024-13537 affects the C9 Blocks WordPress plugin (≤1.7.7) and enables Full Path Disclosure through a publicly accessible composer-setup.php with error display enabled. An unauthenticated attacker can retrieve the web app’s full path, which could aid subsequent attacks. The Wordfence entry li...
CVE-2024-13535
The Actionwear products sync plugin for WordPress is vulnerable to Full Path Disclosure in all versions up to, and including, 2.3.2. This is due to the composer-setup.php file being publicly accessible with 'display_errors' set to true. This makes it possible for unauthenticated attackers to retrieve...
FlatPress Security Vulnerability
FlatPress is a PHP-based blog builder without database support from the FlatPress community. A security vulnerability exists in FlatPress v1.3, which stems from the presence of a cross-site scripting (XSS) vulnerability that allows an attacker to execute arbitrary web script or HTML by injecting a...
CVE-2024-7414 PDF Builder for WPForms <= 1.2.116 - Unauthenticated Full Path Disclosure
The PDF Builder for WPForms plugin for WordPress is vulnerable to Full Path Disclosure in all versions up to, and including, 1.2.116. This is due to the plugin allowing direct access to the composer-setup.php file, which has display_errors on. This makes it possible for unauthenticated attackers to...