12 matches found
CVE-2026-44193 OPNsense: RCE via XMLRPC endpoint using `opnsense.restore_config_section` method
OPNsense is a FreeBSD-based firewall and routing platform. Prior to 26.1.7, the XMLRPC method `opnsense.restore_config_section` fails to sanitize user-supplied input, leading to Remote Code Execution. This vulnerability is fixed in 26.1.7...
VulnCheck KEV: CVE-2022-50992
Weaver Fanwei E-cology 9.5 versions prior to 10.52 contain an arbitrary file read vulnerability in the XmlRpcServlet interface at the XML-RPC endpoint that allows unauthenticated remote attackers to read arbitrary files by supplying file paths to the WorkflowService.getAttachment and...
EUVD-2025-32492
The Ultimate Addons for Elementor Formerly Elementor Header & Footer Builder WordPress plugin before 2.5.0 does not sanitize SVG file contents when uploaded through the xmlrpc.php endpoint using base64 encode, leading to a Cross-Site Scripting vulnerability...
CVE-2025-9703
CVE-2025-9703 describes a Cross-Site Scripting vulnerability in The Ultimate Addons for Elementor (Lite and related) WordPress plugin prior to version 2.5.0. The issue arises because SVG file contents uploaded via the xmlrpc.php endpoint using base64 encoding are not sanitized, allowing injection...
CVE-2025-9703 Ultimate Addons for Elementor Lite < 2.5.0 - Author+ Stored XSS
The Ultimate Addons for Elementor Formerly Elementor Header & Footer Builder WordPress plugin before 2.5.0 does not sanitize SVG file contents when uploaded through the xmlrpc.php endpoint using base64 encode, leading to a Cross-Site Scripting vulnerability...
Beware! A threat actor could steal the titles of your private (and draft) WordPress posts with this new vulnerability!
As of today, almost a billion sites have been built using WordPress, powering businesses and organizations of all sizes. That makes any newly discovered vulnerability especially concerning—like the one recently found and reported by Imperva researchers, which could affect any WordPress site. In...
CVE-2023-49967
Typecho v1.2.1 was discovered to be vulnerable to an XML Quadratic Blowup attack via the component /index.php/action/xmlrpc...
PT-2023-31426 · Typecho · Typecho
Name of the Vulnerable Software and Affected Versions: Typecho version 1.2.1 Description: The issue is related to an XML Quadratic Blowup attack. This attack can be executed via the component /index.php/action/xmlrpc. Recommendations: For Typecho version 1.2.1, consider disabling the...
Typecho Security Vulnerability
Typecho is a PHP blogging platform for individual developers. It is simple and powerful. Typecho v1.2.1 has a security vulnerability that stems from a security hole in the component /index.php/action/xmlrpc. Attackers can use the vulnerability for XML secondar...
VulnCheck KEV: CVE-2011-3600
The /webtools/control/xmlrpc endpoint in the OFBiz XML-RPC event handler is exposed to External Entity Injection by passing DOCTYPE declarations with executable payloads that disclose the contents of files in the filesystem. In addition, it can also be used to probe for open network ports, and...
CVE-2023-43187
A remote code execution (RCE) vulnerability in the xmlrpc.php endpoint of NodeBB Inc NodeBB forum software prior to v1.18.6 allows attackers to execute arbitrary code via crafted XML-RPC requests...
PT-2023-28726 · Nodebb · Nodebb
Name of the Vulnerable Software and Affected Versions: NodeBB versions prior to 1.18.6 Description: A remote code execution issue in the "xmlrpc.php" endpoint allows attackers to execute arbitrary code via crafted XML-RPC requests. Recommendations: For versions prior to 1.18.6, update to version...