Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in
🔥 Daily Hot!
💪🏽 CPE Enhanced Advisories
🕶 Shadow Exploits
🕵🏼 Vulners CPE
🔐 Security news
💻 Exploit updates
📑 Blogs review
🐧 Linux vulnerabilities
🐞 Bugbounty
🤖 AI High Score
📰 CVE Feed
show all

2117 matches found

RedhatCVE
RedhatCVEadded 2026/04/16 7:22 p.m.1 views

CVE-2026-32271

Craft Commerce is an ecommerce platform for Craft CMS. In versions 4.0.0 through 4.10.2 and 5.0.0 through 5.5.4, there is an SQL injection vulnerability in the Commerce TotalRevenue widget which allows any authenticated control panel user to achieve remote code execution through a four-step...

7.7CVSS6.5AI score0.0008EPSS
Exploits0References1
RedhatCVE
RedhatCVEadded 2026/04/15 7:23 p.m.2 views

CVE-2026-32931

Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, an unrestricted file upload vulnerability in the exercise sound upload function allows an authenticated teacher to upload a PHP webshell by spoofing the Content-Type header to audio/mpeg. The uploaded file retains its...

8.8CVSS5.9AI score0.00279EPSS
Exploits0References1
Github Security Blog
Github Security Blogadded 2026/04/14 12:7 a.m.4 views

Craft Commerce has a SQL Injection can lead to Remote Code Execution via TotalRevenue Widget

Summary A SQL injection in the Commerce TotalRevenue widget can lead to remote code execution through a chain of four vulnerabilities: SQL Injection -- The TotalRevenue stat interpolates unsanitized widget settings directly into a sprintf-based SQL Expression. Any control panel user can create an...

7.7CVSS6.7AI score0.0008EPSS
Exploits0References4Affected Software1
CVE
CVEadded 2026/04/13 8:19 p.m.8 views

CVE-2026-32271

CVE-2026-32271 affects Craft Commerce (Craft CMS) in versions 4.0.0–4.10.2 and 5.0.0–5.5.4, where an SQL injection in the Commerce TotalRevenue widget allows any authenticated control panel user to achieve remote code execution. The exploit involves unsanitized widget settings interpolated into S...

7.7CVSS6.5AI score0.0008EPSS
Exploits0References2
Positive Technologies
Positive Technologiesadded 2026/04/13 12:0 a.m.3 views

PT-2026-32515

Craft Commerce is an ecommerce platform for Craft CMS. In versions 4.0.0 through 4.10.2 and 5.0.0 through 5.5.4, there is an SQL injection vulnerability in the Commerce TotalRevenue widget which allows any authenticated control panel user to achieve remote code execution through a four-step...

7.7CVSS6.5AI score0.0008EPSS
Exploits0References4
NVD
NVDadded 2026/04/10 6:16 p.m.1 views

CVE-2026-32931

Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, an unrestricted file upload vulnerability in the exercise sound upload function allows an authenticated teacher to upload a PHP webshell by spoofing the Content-Type header to audio/mpeg. The uploaded file retains its...

8.8CVSS0.00279EPSS
Exploits0References3
Cvelist
Cvelistadded 2026/04/10 5:50 p.m.21 views

CVE-2026-32931 Chamilo LMS has Arbitrary File Upload via MIME-Only Validation in Exercise Sound Upload Leads to RCE

Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, an unrestricted file upload vulnerability in the exercise sound upload function allows an authenticated teacher to upload a PHP webshell by spoofing the Content-Type header to audio/mpeg. The uploaded file retains its...

7.5CVSS0.00279EPSS
Exploits0References3
CVE
CVEadded 2026/04/10 5:50 p.m.7 views

CVE-2026-32931

CVE-2026-32931: Chamilo LMS has an unrestricted file upload vulnerability in the exercise sound upload function. Before versions 1.11.38 and 2.0.0-RC.3, an authenticated teacher could spoof Content-Type to audio/mpeg, upload a PHP webshell with its original .php extension into a web-accessible di...

8.8CVSS5.9AI score0.00279EPSS
Exploits0References3Affected Software1
ATTACKERKB
ATTACKERKBadded 2026/04/10 5:50 p.m.3 views

CVE-2026-32931

Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, an unrestricted file upload vulnerability in the exercise sound upload function allows an authenticated teacher to upload a PHP webshell by spoofing the Content-Type header to audio/mpeg. The uploaded file retains its...

7.5CVSS5.9AI score0.00279EPSS
Exploits0References4Affected Software1
Vulnrichment
Vulnrichmentadded 2026/04/10 5:50 p.m.1 views

CVE-2026-32931 Chamilo LMS has Arbitrary File Upload via MIME-Only Validation in Exercise Sound Upload Leads to RCE

Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, an unrestricted file upload vulnerability in the exercise sound upload function allows an authenticated teacher to upload a PHP webshell by spoofing the Content-Type header to audio/mpeg. The uploaded file retains its...

7.5CVSS5.9AI score0.00279EPSS
Exploits0References3
EUVD
EUVDadded 2026/04/10 5:50 p.m.2 views

EUVD-2026-21531

Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, an unrestricted file upload vulnerability in the exercise sound upload function allows an authenticated teacher to upload a PHP webshell by spoofing the Content-Type header to audio/mpeg. The uploaded file retains its...

7.5CVSS5.9AI score0.00279EPSS
Exploits0References3
Packet Storm
Packet Stormadded 2026/04/10 12:0 a.m.89 views

📄 XiboCMS 3.3.4 Traversal / Code Execution

XiboCMS version 3.3.4 zip slip exploit that leverages path traversal and arbitrary file upload vulnerabilities to achieve code execution. Exploit Title: XiboCMS 3.3.4- Remote Code Execution Google Dork: N/A Date: 2025-11-18 Exploit Author: complexusprada Vendor Homepage: https://xibo.org.uk/...

8.8CVSS7.4AI score0.13271EPSS
Exploits3
Positive Technologies
Positive Technologiesadded 2026/04/10 12:0 a.m.2 views

PT-2026-32010

Name of the Vulnerable Software and Affected Versions Chamilo LMS versions prior to 1.11.38 and prior to 2.0.0-RC.3 Description Chamilo LMS, a learning management system, contains a file upload issue in the exercise sound upload function. An authenticated teacher can upload a PHP webshell by...

7.5CVSS5.9AI score0.00279EPSS
Exploits0References6
Exploit DB
Exploit DBadded 2026/04/08 12:0 a.m.55 views

xibocms 3.3.4 - RCE

Exploit Title: XiboCMS 3.3.4- Remote Code Execution Google Dork: N/A Date: 2025-11-18 Exploit Author: complexusprada Vendor Homepage: https://xibo.org.uk/ Software Link: https://github.com/xibosignage/xibo-cms Version: 1.8.0 - 2.3.16, 3.0.0 - 3.3.4 Tested on: Ubuntu Linux Docker, Xibo CMS 3.3.4...

8.8CVSS7.2AI score0.13271EPSS
Exploits3
Positive Technologies
Positive Technologiesadded 2026/04/06 12:0 a.m.6 views

PT-2026-30693

Name of the Vulnerable Software and Affected Versions Ninja Forms - File Uploads versions prior to 3.3.27 Description An issue in the Ninja Forms - File Uploads plugin allows unauthenticated attackers to upload arbitrary files, including PHP backdoors, which can lead to remote code execution and...

9.8CVSS8AI score0.17415EPSS
Exploits6References48
NVD
NVDadded 2026/04/03 11:17 p.m.0 views

CVE-2026-34607

Emlog is an open source website building system. In versions 2.6.2 and prior, a path traversal vulnerability exists in the emUnZip function include/lib/common.php:793. When extracting ZIP archives plugin/template uploads, backup imports, the function calls $zip-extractTo$path without sanitizing Z...

7.2CVSS0.00164EPSS
Exploits1References1
Microsoft Secure
Microsoft Secureadded 2026/04/02 3:37 p.m.2 views

Cookie-controlled PHP webshells: A stealthy tradecraft in Linux hosting environments

In this article 1. Cookie-controlled execution behavior 2. Observed variants of cookie-controlled PHP web shells 3. Mitigation and protection guidance 4. Microsoft Defender XDR detections 5. Microsoft Security Copilot prompts 6. Microsoft Defender XDR threat analytics 7. MITRE ATT&CK™ Techniques...

6.7AI score
Exploits0
OSV
OSVadded 2026/03/31 10:47 p.m.4 views

GHSA-C5C6-37VQ-PJCQ baserCMS Path Traversal Leads to Arbitrary File Write and RCE via Theme File API

Summary A path traversal vulnerability exists in the baserCMS 5.x theme file management API /baser/api/admin/bc-theme-file/themefiles/add.json that allows arbitrary file write. An authenticated administrator can include ../ sequences in the path parameter to create a PHP file in an arbitrary...

7.2CVSS6.8AI score0.00145EPSS
Exploits1References5
Packet Storm
Packet Stormadded 2026/03/30 12:0 a.m.99 views

📄 Bludit CMS Shell Upload

Bludit CMS versions prior to 3.18.4 have an unrestricted API file upload vulnerability that allows for remote code execution. Exploit Title: Bludit CMS . The uploadFile function performs no file extension or content validation, allowing upload of PHP webshells that execute as www-data. The API...

8.8CVSS6.1AI score0.00532EPSS
Exploits4
GithubExploit
GithubExploitadded 2026/03/28 8:4 a.m.152 views

Exploit for XML Injection (aka Blind XPath Injection) in Fonttools

CVE-2025-66034 — fontTools varLib Arbitrary File Write → RCE...

9.8CVSS7AI score0.00085EPSS
Exploits9
Rows per page
Query Builder