2026-02-25 Daily Vulns
NEW:
| CVE | vendor-product | description | metric | reference URL | SSVC | title | GitHub URL |
|---|---|---|---|---|---|---|---|
| CVE-2018-25158 | Chamilo - Chamilo LMS | Chamilo LMS 1.11.8 contains an arbitrary file upload vulnerability that allows authenticated users to upload and execute PHP files through the elfinder filemanager module. Attackers can upload files with image headers in the social myfiles section, rename them to PHP extensions, and execute arbitrary code by accessing the uploaded files. | CVSS4.0: 8.7 - HIGH; CVSS3.1: 8.8 - HIGH | 0 1 2 | Exploitation: poc; Automatable: no; Technical Impact: total | Chamilo LMS 1.11.8 Arbitrary File Upload via elfinder | github |
| CVE-2019-25366 | Microasp - microASP (Portal+) CMS | microASP Portal+ CMS contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code into the explode_tree parameter. Attackers can send crafted requests to pagina.phtml with SQL injection payloads using extractvalue and concat functions to extract sensitive database information like the current database name. | CVSS4.0: 8.8 - HIGH; CVSS3.1: 8.2 - HIGH | 0 1 2 | Exploitation: poc; Automatable: yes; Technical Impact: partial | microASP Portal+ CMS SQL Injection via pagina.phtml | github |
| CVE-2025-13563 | BuddhaThemes - Lizza LMS Pro | The Lizza LMS Pro plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.0.3. This is due to the 'lizza_lms_pro_register_user_front_end' function not restricting what user roles a user can register with. This makes it possible for unauthenticated attackers to supply the 'administrator' role during registration and gain administrator access to the site. | CVSS3.1: 9.8 - CRITICAL | 0 1 | Exploitation: none; Automatable: yes; Technical Impact: total | Lizza LMS Pro <= 1.0.3 - Unauthenticated Privilege Escalation | github |
This post is licensed under CC BY 4.0 by the author.