2179 matches found

Packet Storm | added 2025/12/22 12:00 a.m. | 142 views

Pi-hole 5.18.3 Remote Code Execution

This PHP script is an authenticated remote code execution exploit targeting Pi-hole's web admin interface. It requires valid administrator credentials to log in, obtains a CSRF token, and abuses the adlist management feature by injecting a crafted gopher:// URL. The payload forces the server to...

CVSS 8.8 | AI score 7.9 | EPSS 0.58179
Exploits 4
GithubExploit | added 2025/12/20 9:22 p.m. | 120 views

Exploit for CVE-2025-67435

CVE-2025-67436 Authenticated Remote Code Execution RCE in...

CVSS 6.5 | AI score 8 | EPSS 0.00179
Exploits 3
RedhatCVE | added 2025/12/18 9:34 p.m. | 3 views

CVE-2025-68109

ChurchCRM is an open-source church management system. In versions prior to 6.5.3, the Database Restore functionality does not validate the content or file extension of uploaded files. As a result, an attacker can upload a web shell file and subsequently upload a .htaccess file to enable direct...

CVSS 9.1 | AI score 8.2 | EPSS 0.23631
Exploits 3 | References 1
Positive Technologies | added 2025/12/18 12:00 a.m. | 20 views

PT-2025-52212

Name of the Vulnerable Software and Affected Versions: Bitrix24 versions prior to 25.100.301. Description: Remote Code Execution is possible because an actor with SOURCE/WRITE permissions for the Translate Module can upload and execute code by sending a PHP file and a .htaccess file. The supplier...

CVSS 6.3 | AI score 6 | EPSS 0.00041
Exploits 3 | References 12
NVD | added 2025/12/17 10:16 p.m. | 4 views

CVE-2025-68109

ChurchCRM is an open-source church management system. In versions prior to 6.5.3, the Database Restore functionality does not validate the content or file extension of uploaded files. As a result, an attacker can upload a web shell file and subsequently upload a .htaccess file to enable direct...

CVSS 9.1 | EPSS 0.23631
Exploits 3 | References 1
ATTACKERKB | added 2025/12/17 9:29 p.m. | 2 views

CVE-2025-68109

ChurchCRM is an open-source church management system. In versions prior to 6.5.3, the Database Restore functionality does not validate the content or file extension of uploaded files. As a result, an attacker can upload a web shell file and subsequently upload a .htaccess file to enable direct...

CVSS 9.1 | AI score 6.4 | EPSS 0.23631
Exploits 3 | References 3 | Affected Software 1
Cvelist | added 2025/12/17 9:29 p.m. | 15 views

CVE-2025-68109 ChurchCRM vulnerable to RCE with database restore functionality

ChurchCRM is an open-source church management system. In versions prior to 6.5.3, the Database Restore functionality does not validate the content or file extension of uploaded files. As a result, an attacker can upload a web shell file and subsequently upload a .htaccess file to enable direct...

CVSS 9.1 | EPSS 0.23631
Exploits 3 | References 1
CVE | added 2025/12/17 9:29 p.m. | 12 views

CVE-2025-68109

ChurchCRM (open-source CRM) is affected in versions prior to 6.5.3. The vulnerability arises in the Database Restore feature, which does not validate the content or file extension of uploaded files, enabling an attacker to upload a web shell and then an .htaccess file to gain direct access. This ...

CVSS 9.1 | AI score 7.8 | EPSS 0.23631
Exploits 3 | References 1 | Affected Software 1
OSV | added 2025/12/17 9:29 p.m. | 3 views

CVE-2025-68109 ChurchCRM vulnerable to RCE with database restore functionality

ChurchCRM is an open-source church management system. In versions prior to 6.5.3, the Database Restore functionality does not validate the content or file extension of uploaded files. As a result, an attacker can upload a web shell file and subsequently upload a .htaccess file to enable direct...

CVSS 9.1 | AI score 8.1 | EPSS 0.23631
Exploits 3 | References 3
Vulnrichment | added 2025/12/17 9:29 p.m. | 1 view

CVE-2025-68109 ChurchCRM vulnerable to RCE with database restore functionality

ChurchCRM is an open-source church management system. In versions prior to 6.5.3, the Database Restore functionality does not validate the content or file extension of uploaded files. As a result, an attacker can upload a web shell file and subsequently upload a .htaccess file to enable direct...

CVSS 9.1 | AI score 7.8 | EPSS 0.23631
Exploits 3 | References 1
EUVD | added 2025/12/17 9:29 p.m. | 2 views

EUVD-2025-203990

ChurchCRM is an open-source church management system. In versions prior to 6.5.3, the Database Restore functionality does not validate the content or file extension of uploaded files. As a result, an attacker can upload a web shell file and subsequently upload a .htaccess file to enable direct...

CVSS 9.1 | AI score 7.7 | EPSS 0.23631
Exploits 3 | References 1
Positive Technologies | added 2025/12/17 12:00 a.m. | 3 views

PT-2025-51927

Name of the Vulnerable Software and Affected Versions: ChurchCRM versions prior to 6.5.3. Description: ChurchCRM is an open-source church management system. The Database Restore functionality does not validate the content or file extension of uploaded files. This allows an attacker to upload a web...

CVSS 9.1 | AI score 7.9 | EPSS 0.23631
Exploits 3 | References 7
RedhatCVE | added 2025/12/12 10:17 p.m. | 3 views

CVE-2024-58298

Compuware iStrobe Web 20.13 contains a pre-authentication remote code execution vulnerability that allows unauthenticated attackers to upload malicious JSP files through a path traversal in the file upload form. Attackers can exploit the 'fileName' parameter to upload a web shell and execute...

CVSS 9.2 | AI score 8.9 | EPSS 0.01811
Exploits 0 | References 1
EUVD | added 2025/12/12 12:30 a.m. | 3 views

EUVD-2024-55333

Compuware iStrobe Web 20.13 contains a pre-authentication remote code execution vulnerability that allows unauthenticated attackers to upload malicious JSP files through a path traversal in the file upload form. Attackers can exploit the 'fileName' parameter to upload a web shell and execute...

CVSS 9.2 | AI score 8.4 | EPSS 0.01811
Exploits 0 | References 5
RedhatCVE | added 2025/12/11 10:01 p.m. | 4 views

CVE-2024-58284

PopojiCMS 2.0.1 contains an authenticated remote command execution vulnerability that allows administrative users to inject malicious PHP code through the metadata settings endpoint. Attackers can log in and modify the meta content to create a web shell that executes arbitrary system commands...

CVSS 8.6 | AI score 7.7 | EPSS 0.00854
Exploits 1 | References 1
RedhatCVE | added 2025/12/11 10:01 p.m. | 3 views

CVE-2024-58283

WBCE CMS version 1.6.2 contains a remote code execution vulnerability that allows authenticated attackers to upload malicious PHP files through the Elfinder file manager. Attackers can exploit the file upload functionality in the elfinder connector to upload a web shell and execute arbitrary syst...

CVSS 8.8 | AI score 8.6 | EPSS 0.00574
Exploits 0 | References 1
RedhatCVE | added 2025/12/11 10:01 p.m. | 5 views

CVE-2024-58279

appRain CMF 4.0.5 contains an authenticated remote code execution vulnerability that allows administrative users to upload malicious PHP files through the filemanager upload endpoint. Attackers can leverage authenticated access to generate a web shell with command execution capabilities by...

CVSS 8.8 | AI score 8.2 | EPSS 0.00615
Exploits 1 | References 1
CVE | added 2025/12/11 9:43 p.m. | 10 views

CVE-2024-58313

CVE-2024-58313 affects xbtitFM 4.1.18 and describes an insecure file upload in the file_hosting feature. The root cause is a bypass of file-type checks through Content-Type header manipulation (image/gif), GIF89a bytes, and alternate PHP tags, enabling authenticated attackers with administrative ...

CVSS 8.6 | AI score 7.3 | EPSS 0.00127
Exploits 1 | References 3 | Affected Software 1
Vulnrichment | added 2025/12/11 9:39 p.m. | 2 views

CVE-2024-58298 Compuware iStrobe Web 20.13 Pre-Auth Remote Code Execution via File Upload

Compuware iStrobe Web 20.13 contains a pre-authentication remote code execution vulnerability that allows unauthenticated attackers to upload malicious JSP files through a path traversal in the file upload form. Attackers can exploit the 'fileName' parameter to upload a web shell and execute...

CVSS 9.2 | AI score 8.6 | EPSS 0.01811
Exploits 0 | References 4
CVE | added 2025/12/11 9:39 p.m. | 9 views

CVE-2024-58298

CVE-2024-58298 – Compuware iStrobe Web 20.13 is confirmed to have a pre-authentication remote code execution vulnerability due to a path-traversal in the file upload form. The issue allows unauthenticated attackers to upload JSP files via the fileName parameter, effectively uploading a web shell ...

CVSS 9.2 | AI score 8.6 | EPSS 0.01811
Exploits 0 | References 4