CVE & CISA-KEV Catalog

362,600 CVEs · 1,630 actively exploited (KEV)
Active:
  • CVSS 7.5 v3·EPSS -·No fix yet

    The Youtube Showcase plugin for WordPress is vulnerable to Arbitrary Function Call in versions up to and including 4.0.3. This is due to insufficient validation of the 'path' parameter in the emd_delete_file() AJAX handler in includes/common-functions.php. The user-supplied value is passed through sanitize_text_field(), has its trailing '_PLUGIN_DIR' substring stripped, and is then invoked as a PHP function name with no arguments via `$sess_name()`. The handler is gated only by a nonce — no current_user_can() check is present — and the nonce is emitted on any front-end page that renders a form shortcode containing file fields. This makes it possible for authenticated attackers, with Subscriber-level access and above, to invoke arbitrary zero-argument PHP functions (such as phpinfo, phpvers

    Published 2026-07-01

  • CVSS 7.5 v3·EPSS 0.3%·No fix yet

    Contributor Local File Inclusion in Panorama Viewer – 360 Degree Image + Video Viewer <= 1.6.1 versions.

    Published 2026-06-26

  • CVSS 7.5 v3·EPSS 0.3%·No fix yet

    Contributor Local File Inclusion in Goya Core < 1.0.9.4 versions.

    Published 2026-06-26

  • CVSS 7.5 v3·EPSS 0.3%·No fix yet

    Contributor Local File Inclusion in Splash - Sport Club WordPress Theme for Basketball, Football, Hockey <= 4.4.3 versions.

    Published 2026-06-26

  • CVSS 8.1 v3·EPSS 0.3%·No fix yet

    Unauthenticated Local File Inclusion in MDTF <= 1.3.8 versions.

    Published 2026-06-25

  • CVSS 6.2 v3·EPSS 0.4%·No fix yet

    Joomla! Component Easy Shop 1.2.3 contains a local file inclusion vulnerability that allows unauthenticated attackers to read arbitrary files by supplying base64-encoded file paths. Attackers can send GET requests to index.php with the option parameter set to com_easyshop, task set to ajax.loadImage, and a base64-encoded file path in the file parameter to retrieve sensitive files like configuration.php and system files.

    Published 2026-06-19

  • CVSS 9.8 v3·EPSS 0.9%·No fix yet

    The BetterDocs Pro plugin for WordPress is vulnerable to Local File Inclusion in versions up to, and including, 3.8.0 via the `doc_style` parameter. This makes it possible for unauthenticated attackers to include and execute arbitrary .php files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where .php file types can be uploaded and included.

    Published 2026-06-19

  • CVSS 6.3 v4·EPSS 0.3%·No fix yet

    CakePHP is a rapid development framework for PHP. In versions 4.5.11 and earlier, 4.6.0 through 4.6.3, 5.0.0 through 5.1.6, 5.2.0 through 5.2.12, and 5.3.0 through 5.3.5, View::_getElementFileName() does not check that the resolved element path is within the application/plugin view template paths. When element names are created with specifically crafted user-supplied data this weakness can be leveraged to include other PHP files on the server. Patched releases are available in 5.3.6, 5.2.13, 5.1.7, 4.6.4, and 4.5.11.

    Published 2026-06-17

  • CVSS 8.1 v3·EPSS 0.3%·No fix yet

    Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in StylemixThemes Motors allows PHP Local File Inclusion. This issue affects Motors: from n/a through 1.4.109.

    Published 2026-06-17

  • CVSS 8.1 v3·EPSS 0.3%·No fix yet

    Unauthenticated Local File Inclusion in Atomlab <= 2.4.5 versions.

    Published 2026-06-17

  • CVSS 8.1 v3·EPSS 0.3%·No fix yet

    Unauthenticated Local File Inclusion in Uppercase < 1.2.2 versions.

    Published 2026-06-17

  • CVSS 8.1 v3·EPSS 0.3%·No fix yet

    Unauthenticated Local File Inclusion in Solene Core <= 2.3.2 versions.

    Published 2026-06-17

  • CVSS 8.1 v3·EPSS 0.3%·No fix yet

    Unauthenticated Local File Inclusion in Line Agency <= 1.3.1 versions.

    Published 2026-06-17

  • CVSS 8.1 v3·EPSS 0.3%·No fix yet

    Unauthenticated Local File Inclusion in Etude <= 1.6 versions.

    Published 2026-06-17

  • CVSS 8.1 v3·EPSS 0.3%·No fix yet

    Unauthenticated Local File Inclusion in Eventicity <= 1.5 versions.

    Published 2026-06-17

  • CVSS 8.1 v3·EPSS 0.4%·No fix yet

    Unauthenticated Local File Inclusion in Gunslinger <= 1.7 versions.

    Published 2026-06-17

  • CVSS 8.1 v3·EPSS 0.3%·No fix yet

    Unauthenticated Local File Inclusion in Skyward <= 1.10 versions.

    Published 2026-06-17

  • CVSS 8.1 v3·EPSS 0.3%·No fix yet

    Unauthenticated Local File Inclusion in Granola <= 1.13 versions.

    Published 2026-06-17

  • CVSS 8.1 v3·EPSS 0.4%·No fix yet

    Unauthenticated Local File Inclusion in Gamic <= 1.15 versions.

    Published 2026-06-17

  • CVSS 8.1 v3·EPSS 0.3%·No fix yet

    Unauthenticated Local File Inclusion in Preservation <= 1.10 versions.

    Published 2026-06-17

  • CVSS 8.1 v3·EPSS 0.3%·No fix yet

    Unauthenticated Local File Inclusion in Fortius <= 2.3.0 versions.

    Published 2026-06-17

  • CVSS 8.1 v3·EPSS 0.3%·No fix yet

    Unauthenticated Local File Inclusion in Snow Club <= 1.1 versions.

    Published 2026-06-17

  • CVSS 8.1 v3·EPSS 0.4%·No fix yet

    Unauthenticated Local File Inclusion in Dazzle <= 1.0.0 versions.

    Published 2026-06-17

  • CVSS 8.1 v3·EPSS 0.3%·No fix yet

    Unauthenticated Local File Inclusion in LuxMed | Medicine & Healthcare Doctor WordPress Theme <= 1.2.2 versions.

    Published 2026-06-17

  • CVSS 8.1 v3·EPSS 0.4%·No fix yet

    Unauthenticated Local File Inclusion in Imba <= 1.5.0 versions.

    Published 2026-06-17

  • CVSS 8.1 v3·EPSS 0.4%·No fix yet

    Unauthenticated Local File Inclusion in ChapterOne <= 1.7 versions.

    Published 2026-06-17

  • CVSS 7.5 v3·EPSS 0.4%·No fix yet

    Contributor Local File Inclusion in Element Pack Pro <= 9.0.6 versions.

    Published 2026-06-17

  • CVSS 8.1 v3·EPSS 0.3%·No fix yet

    Unauthenticated Local File Inclusion in Hitek < 1.8.3 versions.

    Published 2026-06-17

  • CVSS 8.1 v3·EPSS 0.4%·No fix yet

    Unauthenticated Local File Inclusion in Mr. SEO <= 2.0 versions.

    Published 2026-06-17

  • CVSS 8.1 v3·EPSS 0.3%·No fix yet

    Unauthenticated Local File Inclusion in Malmö <= 2.2 versions.

    Published 2026-06-17

  • CVSS 8.1 v3·EPSS 0.4%·No fix yet

    Unauthenticated Local File Inclusion in Aperitif <= 1.5 versions.

    Published 2026-06-17

  • CVSS 8.1 v3·EPSS 0.3%·No fix yet

    Unauthenticated Local File Inclusion in Getaway < 1.8 versions.

    Published 2026-06-17

  • CVSS 8.1 v3·EPSS 0.4%·No fix yet

    Unauthenticated Local File Inclusion in Mikado Core <= 1.6 versions.

    Published 2026-06-17

  • CVSS 8.1 v3·EPSS 0.4%·No fix yet

    Unauthenticated Local File Inclusion in Solene <= 3.4 versions.

    Published 2026-06-17

  • CVSS 8.1 v3·EPSS 0.3%·No fix yet

    Unauthenticated Local File Inclusion in Softlab Core < 1.2.11 versions.

    Published 2026-06-17

  • CVSS 8.1 v3·EPSS 0.4%·No fix yet

    Unauthenticated Local File Inclusion in Integrio Core < 1.2.8 versions.

    Published 2026-06-17

  • CVSS 8.1 v3·EPSS 0.3%·No fix yet

    Unauthenticated Local File Inclusion in Thegov Core < 2.0.23 versions.

    Published 2026-06-17

  • CVSS 8.1 v3·EPSS 0.3%·No fix yet

    Unauthenticated Local File Inclusion in EcoBlue <= 1.15 versions.

    Published 2026-06-17

  • CVSS 8.1 v3·EPSS 0.4%·No fix yet

    Unauthenticated Local File Inclusion in AutoParts <= 1.5.8 versions.

    Published 2026-06-17

  • CVSS 8.1 v3·EPSS 0.4%·No fix yet

    Unauthenticated Local File Inclusion in Right Way <= 4.0 versions.

    Published 2026-06-17

  • CVSS 8.1 v3·EPSS 0.3%·No fix yet

    Unauthenticated Local File Inclusion in Reprizo <= 1.0.8 versions.

    Published 2026-06-17

  • CVSS 8.1 v3·EPSS 0.4%·No fix yet

    Unauthenticated Local File Inclusion in Promo <= 1.3.0 versions.

    Published 2026-06-17

  • CVSS 8.1 v3·EPSS 0.4%·No fix yet

    Unauthenticated Local File Inclusion in Truemag <= 4.3.14.2 versions.

    Published 2026-06-17

  • CVSS 8.1 v3·EPSS 0.5%·No fix yet

    Unauthenticated Local File Inclusion in Roneous <= 2.1.5 versions.

    Published 2026-06-17

  • CVSS 8.1 v3·EPSS 0.3%·No fix yet

    Unauthenticated Local File Inclusion in ITactics <= 1.0 versions.

    Published 2026-06-17

  • CVSS 8.1 v3·EPSS 0.4%·No fix yet

    Unauthenticated Local File Inclusion in Tipsy <= 1.1 versions.

    Published 2026-06-17

  • CVSS 8.1 v3·EPSS 0.4%·No fix yet

    Unauthenticated Local File Inclusion in Resurs <= 1.3 versions.

    Published 2026-06-17

  • CVSS 8.1 v3·EPSS 0.3%·No fix yet

    Unauthenticated Local File Inclusion in Orpheus <= 1.3 versions.

    Published 2026-06-17

  • CVSS 8.1 v3·EPSS 0.4%·No fix yet

    Unauthenticated Local File Inclusion in Spike <= 1.2 versions.

    Published 2026-06-17

  • CVSS 8.1 v3·EPSS 0.4%·No fix yet

    Unauthenticated Local File Inclusion in Eros <= 1.3 versions.

    Published 2026-06-17

Uses NVD data but is not endorsed or certified by the NVD. EPSS scores courtesy of FIRST.org (https://www.first.org/epss). Source: CISA KEV Catalog.