php-composer
php-composer
- CVE-2025-6784 - The Code Engine plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and includi
- CVE-2026-13114 - The Motors – Car Dealership & Classified Listings Plugin plugin for WordPress is vulnerable to Stored Cross-Si
- CVE-2026-13353 - The WP Ultimate CSV Importer – WordPress Import & Export for CSV, XML & Excel plugin for WordPress is vulnerab
- CVE-2026-13378 - The Form Vibes – Database Manager for Forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting
- CVE-2026-13756 - The WP Grid Builder plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and incl
- CVE-2026-14262 - The Simple JWT Login – Allows you to use JWT on REST endpoints
- CVE-2026-15155 - The Essential Addons for Elementor – Popular Elementor Templates & Widgets plugin for WordPress is vulnerable
- CVE-2026-15335 - The Booking Package plugin for WordPress is vulnerable to generic SQL Injection via 'email' Form Parameter (fo
- CVE-2026-15338 - The LA-Studio Element Kit for Elementor plugin for WordPress is vulnerable to Local File Inclusion in all vers
- CVE-2026-2354 - The Swiss Toolkit For WP plugin for WordPress is vulnerable to arbitrary file upload due to a flawed file type
- CVE-2026-3576 - The Planyo Online Reservation System plugin for WordPress is vulnerable to Server-Side Request Forgery leading
- CVE-2026-4661 - The WP CTA – Sticky CTA Builder, Generate Leads, Promote Sales plugin for WordPress is vulnerable to time-base
- CVE-2026-6939 - The CorvusPay WooCommerce Payment Gateway plugin for WordPress is vulnerable to Stored Cross-Site Scripting vi
- CVE-2026-7655 - The SureCart plugin for WordPress is vulnerable to privilege escalation via account takeover in versions up to
- CVE-2026-12685 - The EscortWP escortwp WordPress theme through 3.6.2 was distributed with a vendor-authored, obfuscated backdoo
- CVE-2026-12761 - The miniOrange Social Login and Register (Discord, Google, Twitter, LinkedIn) plugin for WordPress is vulnerab
- CVE-2026-13347 - The Hide My WP Lite plugin for WordPress is vulnerable to Arbitrary File Read in versions up to and including
- CVE-2026-13430 - The Post Export Import with Media plugin for WordPress is vulnerable to Arbitrary File Upload in all versions
- CVE-2026-14894 - The Super Forms – Drag & Drop Form Builder plugin for WordPress is vulnerable to Arbitrary File Upload in all
- CVE-2026-15070 - The Salon Booking System – Free Version plugin for WordPress is vulnerable to Cross-Site Request Forgery in al
- CVE-2026-15282 - The Instant Appointment plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type
- CVE-2026-15288 - The SureForms – Drag and Drop Form Builder for WordPress plugin for WordPress is vulnerable to Improper Input
- CVE-2026-15290 - The Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Pl
- CVE-2026-15291 - The Chat Help – Click to Chat Button & Form plugin for WordPress is vulnerable to Sensitive Information Exposu
- CVE-2026-15293 - The WP Business Intelligence Lite plugin for WordPress is vulnerable to authorization bypass in all versions u
- CVE-2026-15298 - The TelSender plugin for WordPress is vulnerable to DOM-Based Cross-Site Scripting in all versions up to, and
- CVE-2026-15300 - The GEO my WP plugin for WordPress was vulnerable to SQL Injection via the 'distance', 'lat', and 'lng' parame
- CVE-2026-1667 - The SEO Plugin by Squirrly SEO plugin for WordPress is vulnerable to Arbitrary Post Creation and Stored Cross-
- CVE-2026-39903 - Simple Machines Forum 2.1 prior to 2.1.8 and 3.0 prior to 3.0 Alpha 5 contains an authorization bypass vulnera
- CVE-2026-54159 - prestashop/ps_facetedsearch: PHP Object Injection in faceted search cache allows unauthenticated RCE
- CVE-2026-54736 - Phalcon is a high-performance, full-stack PHP framework
- CVE-2026-57584 - Phalcon is a high-performance, full-stack PHP framework
- CVE-2026-61450 - Grav before 2.0.2 contains a Twig sandbox bypass that allows a page author (any admin.pages user, or anyone ab
- CVE-2026-11571 - The Everest Forms WordPress plugin before 3.5.0 does not reliably delete temporary CSV files generated during
- CVE-2026-12116 - A vulnerability in the Xerte Online Tools allows for RCE through the antivirus binary path in the tools server
- CVE-2026-12595 - The LoginPress Pro plugin for WordPress is vulnerable to Authentication Bypass via Unverified OAuth Email in a
- CVE-2026-12597 - The LoginPress Pro plugin for WordPress is vulnerable to Authentication Bypass via the GitHub OAuth callback i
- CVE-2026-12598 - The LoginPress Pro plugin for WordPress is vulnerable to authentication bypass in versions up to and including
- CVE-2026-13441 - The EventPrime – Events Calendar, Bookings and Tickets plugin for WordPress is vulnerable to Stored Cross-Site
- CVE-2026-13492 - The UsersWP plugin for WordPress is vulnerable to Arbitrary File Deletion in versions up to, and including, 1
- CVE-2026-14372 - The Bit Form – Contact Form, Payment Forms, Multi Step Forms, Calculator & Custom Form Builder plugin for Word
- CVE-2026-15000 - The Connect Contact Form 7 and Mailchimp plugin for WordPress is vulnerable to Stored Cross-Site Scripting via
- CVE-2026-15158 - The Blocksy Companion plugin for WordPress is vulnerable to Arbitrary File Upload in all versions up to, and i
- CVE-2026-4275 - The Divi Torque Lite – Divi Theme, Divi Builder & Extra Theme plugin for WordPress is vulnerable to Cross-Site
- CVE-2026-51924 - An issue in docuForm GmbH Client v.11.11c allows a remote attacker to execute arbitrary code via the file uplo
- CVE-2026-51925 - A Local File Inclusion (LFI) vulnerability exists in docuForm GmbH Client v.11.11c that allows a remote attack
- CVE-2026-51926 - An issue in docuForm GmbH FSM Client v.11.11c allows a remote attacker to obtain sensitive information via the
- CVE-2026-52762 - YesWiki: Authenticated (Admin) Server-Side Template Injection to Remote Code Execution via Bazar Semantic Templates
- CVE-2026-52766 - YesWiki vulnerable to unauthenticated arbitrary page deletion via {{erasespamedcomments}} action
- CVE-2026-52767 - YesWiki Vulnerable to Unauthenticated ActivityPub Signature-Verification Bypass via !openssl_verify(...) accepting int(-
- CVE-2026-52769 - YesWiki has Unauthenticated Server-Side Request Forgery via ActivityPub Signature.keyId
- CVE-2026-52770 - YesWiki: SQL Injection possible through public Bazar entry-listing APIs via numeric query/queries filters
- CVE-2026-52771 - YesWiki: Second-Order SQL Injection in Page Delete API via Unescaped Page Tag (ApiController::deletePage)
- CVE-2026-52775 - YesWiki has Authenticated SQL Injection via ReactionManager
- CVE-2026-52777 - YesWiki Vulnerable to Authenticated PHP Object Injection in BazarImportAction via unserialize
- CVE-2026-52778 - YesWiki has Unsafe eval() in its Formula Calculato, Leading to Remote Code Execution & Denial of Service
- CVE-2026-53932 - laravel-backup-restore has an OS Command Injection during database restore
- CVE-2026-55212 - Pimcore is an Open Source Data & Experience Management Platform
- CVE-2026-5523 - The Divi Form Builder plugin for WordPress is vulnerable to Missing Authorization in versions up to, and inclu
- CVE-2026-58143 - Cotonti Siena 0.9.26 and earlier contains a cross-site request forgery vulnerability that allows unauthenticat
- CVE-2026-59734 - Coolify is an open-source and self-hostable tool for managing servers, applications, and databases
- CVE-2026-59856 - Vim is an open source, command line text editor
- CVE-2026-8848 - The Popup Maker – Boost Sales, Conversions, Optins, Subscribers with the Ultimate WP Popup Builder plugin for
- CVE-2026-9253 - The WP Cost Estimation & Payment Forms Builder (E&P Forms) plugin for WordPress is vulnerable to Stored Cross-
- CVE-2026-58480 - Blocksy Companion Pro plugin for WordPress before 2.1.47 contains an unauthenticated arbitrary file upload vul
- CVE-2026-59948 - Composer is a dependency Manager for the PHP language
- CVE-2026-27823 - EGroupware has a Remote Code Execution Vulnerability
- CVE-2026-40187 - EGroupware has Authenticated RCE via Malicious eTemplate Upload
- CVE-2026-10750 - The Royal MCP WordPress plugin before 1.4.26 does not perform capability checks on the majority of its MCP too
- CVE-2026-11387 - The SMS Alert – SMS & OTP for WooCommerce, Order Notifications & Abandoned Cart Recovery plugin for WordPress
- CVE-2026-11568 - The Product Configurator for WooCommerce WordPress plugin before 1.7.3 does not perform any authorisation or p
- CVE-2026-11794 - The Advanced Form Integration — Connect Forms to 200+ Apps WordPress plugin before 2.1.1 does not restrict the
- CVE-2026-11823 - The BookingPress Appointment Booking Pro plugin for WordPress is vulnerable to SQL Injection via the 'store_se
- CVE-2026-11883 - The WebAuthn Provider for Two Factor WordPress plugin before 2.5.6 does not correctly validate the second-fact
- CVE-2026-12142 - The NEX-Forms – Ultimate Forms Plugin for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Sc
- CVE-2026-12158 - The RegistrationMagic – User Registration Forms Plugin plugin for WordPress is vulnerable to Cross-Site Reques
- CVE-2026-12224 - The Dokan Pro plugin for WordPress is vulnerable to privilege escalation via update_capabilities REST Endpoint
- CVE-2026-1239 - The Ninja Forms – The Contact Form Builder That Grows With You plugin for WordPress is vulnerable to unauthori
- CVE-2026-12923 - The Youtube Showcase plugin for WordPress is vulnerable to Arbitrary Function Call in versions up to and inclu
- CVE-2026-13228 - The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Priv
- CVE-2026-13468 - The Visualizer – Tables & Charts Manager with Built-in AI Generator plugin for WordPress is vulnerable to auth
- CVE-2026-13706 - Improper input validation vulnerability in Wikimedia Foundation UrlShortener
- CVE-2026-13731 - The WPBot – AI ChatBot for Live Support, Lead Generation, AI Services plugin for WordPress is vulnerable to St
- CVE-2026-34099 - Guardian language-system passes the id GET parameter directly into an unsanitized SQL query in job_info.php (l
- CVE-2026-34100 - Guardian language-system passes the id GET parameter directly into an unsanitized SQL query in media.php (line
- CVE-2026-34101 - Guardian language-system passes the id GET parameter directly into an unsanitized SQL query in text_file.php (
- CVE-2026-34102 - Guardian language-system passes the id GET parameter directly into an unsanitized SQL query in job_info_get.ph
- CVE-2026-34103 - Guardian language-system passes the id GET parameter directly into an unsanitized SQL query in subtitles.php (
- CVE-2026-34104 - Guardian language-system passes the name GET parameter directly into an unsanitized SQL query in designer.php
- CVE-2026-34105 - Guardian language-system passes the id GET parameter directly into an unsanitized SQL query in translate_text
- CVE-2026-34106 - Guardian language-system passes the id GET parameter directly into a PHP exec() call in subtitles.php (line 19
- CVE-2026-34107 - Guardian language-system passes the id GET parameter directly into a PHP exec() call in translate.php (line 14
- CVE-2026-34108 - Guardian language-system passes the id GET parameter directly into a PHP exec() call in text.php (line 15) wit
- CVE-2026-34109 - Guardian language-system passes the id GET parameter directly into a PHP exec() call in speech.php (line 18) w
- CVE-2026-34110 - Guardian language-system passes the id GET parameter directly into a PHP exec() call in complex_start.php (lin
- CVE-2026-34111 - Guardian language-system passes the id GET parameter directly into a PHP exec() call in speechmac_text.php (li
- CVE-2026-34112 - Guardian language-system passes the id GET parameter directly into a PHP exec() call in speechmac.php (line 18
- CVE-2026-34113 - Guardian language-system passes the id GET parameter directly into a PHP exec() call in speech_text.php (line
- CVE-2026-34114 - Guardian language-system passes the id GET parameter directly into a PHP exec() call in translate_text.php (li
- CVE-2026-34115 - Guardian language-system passes the id GET parameter directly into a PHP exec() call in transcribe_amazon.php
- CVE-2026-34116 - Guardian language-system passes the id GET parameter directly into a PHP exec() call in transcribe.php (line 1
- CVE-2026-34117 - Guardian language-system passes the id GET parameter directly into a PHP exec() call in text_to_subtitles.php
- CVE-2026-57517 - Control Web Panel before 0.9.8.1225 contains a blind SQL injection vulnerability that allows unauthenticated r
- CVE-2026-58025 - Deserialization of untrusted data vulnerability in Wikimedia Foundation MediaWiki
- CVE-2026-58036 - Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Wikimedia Foundation MediaWiki
- CVE-2026-6070 - The WP-BusinessDirectory plugin for WordPress is vulnerable to Unauthenticated Arbitrary File Deletion in vers
- CVE-2026-7517 - The Custom Payment Gateways for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting
- CVE-2026-8857 - A vulnerability in Wikimedia Foundation timeline
- CVE-2026-10513 - The Webmention plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to and includi
- CVE-2026-11590 - The WP Support Plus Responsive Ticket System WordPress plugin through 9.1.2 does not sanitize user-supplied ar
- CVE-2026-12073 - The ProfileGrid – User Profiles, Groups and Communities plugin for WordPress is vulnerable to privilege escala
- CVE-2026-12240 - The Export User Data plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file pa
- CVE-2026-37106 - An issue in DokuWiki 2025-05-14b Librarian 56.2 allows a remote attacker to create an account via the regist
- CVE-2026-47198 - Paymenter has URL parameter injection that bypasses paid plan limits at checkout
- CVE-2026-56700 - Grav CMS before 2.0.0-beta.2 contains multiple code-execution vulnerabilities
- CVE-2026-57995 - phpMyFAQ before 4.1.5 contains a privilege escalation vulnerability in GroupController::updatePermissions that
- CVE-2026-58376 - Dolibarr through 23.0.3, fixed in commit 14db36e, contains a sql injection vulnerability that allows authentic
- CVE-2026-8141 - The Ajax Load More - Filters plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'taxono
- CVE-2026-9711 - The EventON - WordPress Virtual Event Calendar Plugin plugin for WordPress (full) is vulnerable to SQL Injecti
- CVE-2026-13555 - A vulnerability was found in itsourcecode Online Hotel Management System 1.0
- CVE-2026-13565 - A vulnerability was determined in SourceCodester Class and Exam Timetabling System 1.0/1.php
- CVE-2026-13566 - A vulnerability was identified in SourceCodester Class and Exam Timetabling System 1.0
- CVE-2026-13568 - A weakness has been identified in SourceCodester Inventory Management System 1.0
- CVE-2026-37637 - An issue in Alexantr filemanager v.1.0 allows a remote attacker to execute arbitrary code via the filemanager
- CVE-2026-40521 - FrontAccounting before 2.4.20 contains a path traversal vulnerability in the attachment upload handler that al
- CVE-2026-41896 - Coolify is an open-source and self-hostable tool for managing servers, applications, and databases
- CVE-2026-56124 - phpUploader before 2.0.2 contains an unauthenticated information disclosure vulnerability that allows remote a
- CVE-2026-10820 - The Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content Wor
- CVE-2026-48979 - PHP Standard Library: HTTP/2 server-side missing content-length validation enables request smuggling
- CVE-2026-49260 - php-weasyprint: shell command injection via configurable WeasyPrint binary path due to inverted is_executable() guard (m
- CVE-2026-49286 - PhpWeasyPrint vulnerable to PHAR deserialization via output filename (CVE-2023-28115 case-insensitive bypass)
- CVE-2026-49287 - Statamic CMS's unsafe method invocation via collection sorting allows data destruction
- CVE-2026-12077 - The Dokan Pro plugin for WordPress is vulnerable to time-based SQL Injection via the via 'latitude' and 'longi
- CVE-2026-40079 - Cacti is an open source performance and fault management framework
- CVE-2026-40083 - Cacti is an open source performance and fault management framework
- CVE-2026-12417 - The SignUp & SignIn plugin for WordPress is vulnerable to Authentication Bypass via Weak Password Reset Valida
- CVE-2026-39948 - Cacti is an open source performance and fault management framework
- CVE-2026-9643 - The WP Meta SEO plugin for WordPress is vulnerable to Unauthenticated Stored Cross-Site Scripting via the REQU
- CVE-2026-52845 - Caddy is an extensible server platform that uses TLS by default
- CVE-2026-56425 - The Azure Active Directory (AAD) authentication implementation contained multiple weaknesses in its OAuth 2.0
- CVE-2026-48908 - A vulnerability in SP Page Builder for Joomla allows unauthenticated users to upload arbitrary files, ultimate
- CVE-2026-48939 - A vulnerability in the iCagenda extension for Joomla allows the upload of arbitrary files in the file attachme
- CVE-2026-48907 - A vulnerability in the JCE editor extension for Joomla allows the creation of new editor profiles for unauthen
- CVE-2026-41237 - Froxlor has an incomplete fix for CVE-2026-30932
- CVE-2026-5394 - Pimcore Platform - SQL Injection in DataObject composite index handling during class definition import/save
- CVE-2026-44739 - Pimcore Vulnerable to SQL Injection in Custom Reports Column Configuration
- CVE-2026-44741 - Pimcore Admin Classic Bundle Vulnerable to SQL Injection in Translation Grid Date Filter via Unsanitized Property Parame
- CVE-2026-45162 - Pimcore has Unsafe PHP Deserialization in Multiple Locations Without allowed_classes Restriction
- CVE-2026-45260 - Pimcore: Missing Authorization in WebDAV MOVE via unchecked asset move handling
- CVE-2026-45704 - Pimcore has a CustomReports Share Bypass
- CVE-2018-25357 - Dolibarr ERP CRM contains a remote code evaluation vulnerability
- CVE-2026-46725 - TYPO3 Remote Code Execution in extension Content Element Selector (ceselector)
- CVE-2026-8727 - TYPO3 Remote Code Execution in extension Site Crawler (crawler)
- CVE-2026-8827 - TYPO3 SQL Injection in extension Address List (tt_address)
- CVE-2026-6433 - The Custom css-js-php WordPress plugin through 2.0.7 does not properly sanitize user input before using it in
- CVE-2025-14179 - In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, the PDO
- CVE-2026-6104 - In PHP versions 8.4.* before 8.4.21 and 8.5.* before 8.5.6, when an encoding name containing an embedded NUL b
- CVE-2026-6722 - In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, the SOA
- CVE-2026-7262 - In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, when a
- CVE-2026-7263 - In PHP versions 8.4.* before 8.4.21 and 8.5.* before 8.5.6, DOMNode::C14N() method may process the XML data in
- CVE-2026-7568 - In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, the met
- CVE-2026-3844 - The Breeze Cache plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validat
- CVE-2026-40176 - Composer is a dependency manager for PHP
- CVE-2026-40261 - Composer is a dependency manager for PHP
- CVE-2026-0740 - The Ninja Forms - File Uploads plugin for WordPress is vulnerable to arbitrary file uploads due to missing fil
- CVE-2026-3300 - The Everest Forms Pro plugin for WordPress is vulnerable to Remote Code Execution via PHP Code Injection in al
- CVE-2020-37094 - EspoCRM 5.7.0 prior to 5.9.0 contains an authentication token reuse vulnerability that allows authenticated at
- CVE-2025-24293 - # Active Storage allowed transformation methods potentially unsafe Active Storage attempts to prevent the use
- CVE-2025-68616 - WeasyPrint helps web developers to create PDF documents
- CVE-2025-65518 - Plesk Obsidian versions 8.0.1 through 18.0.73 are vulnerable to a Denial of Service (DoS) condition
- CVE-2025-7852 - The WPBookit plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation
- CVE-2020-36847 - The Simple-File-List Plugin for WordPress is vulnerable to Remote Code Execution in versions up to, and includ
- CVE-2025-44203 - In HotelDruid 3.0.0 and 3.0.7, the unauthenticated database-setup endpoint creadb.php can be reached before se
- CVE-2020-36326 - Object injection in PHPMailer/PHPMailer
- CVE-2021-25296 - Nagios XI version xi-5.7.5 is affected by OS command injection
- CVE-2021-25297 - Nagios XI version xi-5.7.5 is affected by OS command injection
- CVE-2021-25298 - Nagios XI version xi-5.7.5 is affected by OS command injection
- CVE-2020-25213 - The File Manager (wp-file-manager) plugin before 6.9 for WordPress allows remote attackers to upload and execu
- CVE-2019-19634 - class.upload.php in verot.net class.upload through 1.0.3 and 2.x through 2.0.4, as used in the K2 extension fo
- CVE-2019-19576 - class.upload.php in verot.net class.upload before 1.0.3 and 2.x before 2.0.4, as used in the K2 extension for