{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/php/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["composer","command-injection","php"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eComposer, a dependency manager for PHP, is susceptible to a command injection vulnerability (CVE-2026-40176) in versions 2.0.0 before 2.2.27 and versions 2.3.0 before 2.9.6. The vulnerability resides in the \u003ccode\u003ePerforce::generateP4Command()\u003c/code\u003e method, which improperly escapes user-supplied Perforce connection parameters (port, user, client) when constructing shell commands. This allows an attacker who controls a repository configuration, specifically within a malicious \u003ccode\u003ecomposer.json\u003c/code\u003e file declaring a Perforce VCS repository, to inject arbitrary commands. The injected commands are executed in the context of the user running Composer, even if Perforce is not installed. 
This vulnerability can be exploited if Composer is run on untrusted projects with attacker-supplied \u003ccode\u003ecomposer.json\u003c/code\u003e files.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker crafts a malicious \u003ccode\u003ecomposer.json\u003c/code\u003e file.\u003c/li\u003e\n\u003cli\u003eThe malicious \u003ccode\u003ecomposer.json\u003c/code\u003e declares a Perforce VCS repository.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003ecomposer.json\u003c/code\u003e contains injected commands within the Perforce connection parameters (port, user, client).\u003c/li\u003e\n\u003cli\u003eA user unknowingly executes a Composer command (e.g., \u003ccode\u003ecomposer install\u003c/code\u003e) in a directory containing the malicious \u003ccode\u003ecomposer.json\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eComposer parses the \u003ccode\u003ecomposer.json\u003c/code\u003e and calls the \u003ccode\u003ePerforce::generateP4Command()\u003c/code\u003e method.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003ePerforce::generateP4Command()\u003c/code\u003e method constructs a shell command using the attacker-controlled, unescaped Perforce connection parameters.\u003c/li\u003e\n\u003cli\u003eComposer executes the injected command via \u003ccode\u003eproc_open\u003c/code\u003e or similar functions.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves arbitrary command execution in the context of the user running Composer, potentially leading to sensitive information disclosure, system compromise, or further malicious activities.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows attackers to execute arbitrary commands on the victim\u0026rsquo;s system with the privileges of the user running Composer. This can lead to complete system compromise, data exfiltration, or denial of service. 
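Added example for the chain above, written for this brief and not Composer's own code (it does not reproduce Perforce::generateP4Command()): the vulnerable concatenation pattern beside a builder that validates each connection parameter and escapes it with escapeshellarg(). The port, user and client values and the injected payload are constructed for the illustration.

```php
<?php
// Added illustration, not Composer's code: how unescaped Perforce connection
// parameters from composer.json become shell metacharacters, and a hardened
// builder that validates and escapes each one.

// Vulnerable pattern: parameters are concatenated straight into the command.
function buildP4CommandUnsafe(string $port, string $user, string $client, string $args): string
{
    return 'p4 -p ' . $port . ' -u ' . $user . ' -c ' . $client . ' ' . $args;
}

// host:port values, user names and client names only need this character set.
function isSafeP4Param(string $value): bool
{
    return $value !== '' && preg_match('/^[A-Za-z0-9._:-]+$/', $value) === 1;
}

// Hardened pattern: reject anything outside the expected alphabet, then
// escape every argument individually so the shell never parses it.
function buildP4CommandSafe(string $port, string $user, string $client, string $args): string
{
    foreach ([$port, $user, $client] as $param) {
        if (!isSafeP4Param($param)) {
            throw new InvalidArgumentException('rejected Perforce parameter: ' . $param);
        }
    }
    return 'p4 -p ' . escapeshellarg($port)
        . ' -u ' . escapeshellarg($user)
        . ' -c ' . escapeshellarg($client)
        . ' ' . $args;
}

// Constructed values standing in for the port/user/client fields of a
// malicious perforce repository entry in composer.json.
$port   = 'perforce.example:1666; touch /tmp/pwned #';
$user   = 'build';
$client = 'ci';

// The shell would run the p4 call (which fails if p4 is absent), then
// touch /tmp/pwned; the # turns the remaining arguments into a comment.
echo buildP4CommandUnsafe($port, $user, $client, 'info'), PHP_EOL;

try {
    echo buildP4CommandSafe($port, $user, $client, 'info'), PHP_EOL;
} catch (InvalidArgumentException $e) {
    echo 'blocked: ', $e->getMessage(), PHP_EOL;
}

// With benign input the hardened builder emits a command in which every
// connection parameter is a single quoted shell word.
echo buildP4CommandSafe('perforce.example:1666', $user, $client, 'info'), PHP_EOL;
```

escapeshellarg() alone would already neutralise the semicolon in the payload; the allowlist check is there so that a hostile value is rejected loudly instead of being handed, quoted, to p4. On Windows escapeshellarg() behaves differently (it replaces percent signs, exclamation marks and double quotes with spaces before wrapping the value), so the validation step carries more of the weight there.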
While the number of victims is currently unknown, any system running a vulnerable version of Composer and processing untrusted \u003ccode\u003ecomposer.json\u003c/code\u003e files is at risk. The primary attack vector is tricking a developer, or an unattended CI job, into running Composer on a project containing a malicious \u003ccode\u003ecomposer.json\u003c/code\u003e.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Composer to version 2.2.27 (2.2 branch) or 2.9.6 or later to patch CVE-2026-40176.\u003c/li\u003e\n\u003cli\u003eBefore running Composer on a project from an untrusted source, inspect its \u003ccode\u003ecomposer.json\u003c/code\u003e: any \u003ccode\u003erepositories\u003c/code\u003e entry of type \u003ccode\u003eperforce\u003c/code\u003e whose port, user or client fields contain shell metacharacters (\u003ccode\u003e;\u003c/code\u003e, \u003ccode\u003e|\u003c/code\u003e, \u003ccode\u003e\u0026amp;\u003c/code\u003e, \u003ccode\u003e$\u003c/code\u003e, backticks, newlines) should be treated as hostile.\u003c/li\u003e\n\u003cli\u003eDeploy the accompanying Sigma rule, which flags child processes spawned by \u003ccode\u003ecomposer\u003c/code\u003e with suspicious arguments, and tune it for your environment.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-15T12:00:00Z","date_published":"2026-04-15T12:00:00Z","id":"/briefs/2026-04-composer-command-injection/","summary":"Composer is vulnerable to command injection via a malicious Perforce repository due to improper escaping of user-supplied Perforce connection parameters, potentially leading to arbitrary command execution in the context of the user running Composer.","title":"Composer Command Injection via Malicious Perforce Repository","url":"https://feed.craftedsignal.io/briefs/2026-04-composer-command-injection/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.3,"id":"CVE-2026-6193"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["sqli","cve-2026-6193","php","web-application"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA high-severity SQL injection flaw has been identified in PHPGurukul Daily Expense Tracking System version 1.1. 
This vulnerability resides in the \u003ccode\u003e/register.php\u003c/code\u003e file and is triggered by manipulating the \u003ccode\u003eemail\u003c/code\u003e argument. Successful exploitation enables remote SQL injection, potentially granting attackers unauthorized access to sensitive database information or allowing them to modify data. This vulnerability, identified as CVE-2026-6193, has a CVSS v3.1 score of 7.3, indicating a high level of severity. The existence of a publicly available exploit increases the risk of widespread exploitation. Organizations using this software should take immediate action to mitigate the risk.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies a vulnerable instance of PHPGurukul Daily Expense Tracking System 1.1.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request targeting the \u003ccode\u003e/register.php\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eWithin the request, the attacker injects SQL code into the \u003ccode\u003eemail\u003c/code\u003e parameter.\u003c/li\u003e\n\u003cli\u003eThe application fails to properly sanitize the input, passing the malicious SQL query to the database.\u003c/li\u003e\n\u003cli\u003eThe database executes the injected SQL code, potentially allowing the attacker to read, modify, or delete data.\u003c/li\u003e\n\u003cli\u003eThe attacker may leverage the initial SQL injection to escalate privileges within the database.\u003c/li\u003e\n\u003cli\u003eThe attacker could potentially gain access to administrative credentials stored in the database.\u003c/li\u003e\n\u003cli\u003eFinally, the attacker uses the compromised credentials to gain full control over the application.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this SQL injection vulnerability could lead to severe consequences. 
Attackers could gain unauthorized access to sensitive user data, including usernames, passwords, and financial information. This could result in identity theft, financial fraud, and reputational damage for both the organization and its users. The attacker could also modify or delete data, disrupt the application\u0026rsquo;s functionality, or even gain complete control of the server. Given the availability of a public exploit, the likelihood of attacks is significantly increased.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply any available patches or updates provided by PHPGurukul to address CVE-2026-6193.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Suspicious SQL Injection Attempts in PHPGurukul Registration\u0026rdquo; to identify exploitation attempts targeting the \u003ccode\u003e/register.php\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eImplement input validation and sanitization measures on the \u003ccode\u003eemail\u003c/code\u003e parameter in \u003ccode\u003e/register.php\u003c/code\u003e to prevent SQL injection.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious activity, such as unusual characters or SQL syntax in the \u003ccode\u003eemail\u003c/code\u003e parameter, which could indicate an attempted SQL injection (webserver log source).\u003c/li\u003e\n\u003cli\u003eImplement a Web Application Firewall (WAF) rule to block requests containing SQL injection payloads targeting \u003ccode\u003e/register.php\u003c/code\u003e.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-14T12:00:00Z","date_published":"2026-04-14T12:00:00Z","id":"/briefs/2026-04-php-gurukul-sqli/","summary":"A remote SQL injection vulnerability exists in PHPGurukul Daily Expense Tracking System 1.1 within the /register.php file, where manipulation of the email argument allows for arbitrary SQL command execution, with a public exploit 
available.","title":"PHPGurukul Daily Expense Tracking System SQL Injection Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-04-php-gurukul-sqli/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.2,"id":"CVE-2026-3017"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["wordpress","php","object-injection","rce"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThe Smart Post Show WordPress plugin, specifically the Post Grid, Post Carousel \u0026amp; Slider, and List Category Posts components, contains a PHP Object Injection vulnerability. This flaw affects all versions up to and including 3.0.12. The vulnerability resides in the \u003ccode\u003eimport_shortcodes()\u003c/code\u003e function, where the deserialization of untrusted input occurs. This vulnerability requires an authenticated attacker with administrative privileges or higher. Successful exploitation requires the presence of a suitable Property-Oriented Programming (POP) chain within another installed plugin or theme. Without a POP chain, the injected object has no immediate impact. 
However, with a POP chain, attackers can potentially delete arbitrary files, retrieve sensitive data, or execute arbitrary code on the server.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains administrative-level access to the WordPress dashboard, either through credential compromise or vulnerability exploitation.\u003c/li\u003e\n\u003cli\u003eThe attacker navigates to the Smart Post Show plugin settings page within the WordPress admin panel.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious payload containing a serialized PHP object designed to trigger a POP chain.\u003c/li\u003e\n\u003cli\u003eThe attacker injects the malicious payload into the \u003ccode\u003eimport_shortcodes()\u003c/code\u003e function, likely through a form field or file upload.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eimport_shortcodes()\u003c/code\u003e function deserializes the attacker-controlled input, creating the malicious PHP object.\u003c/li\u003e\n\u003cli\u003eIf a suitable POP chain exists within other installed plugins or themes, the deserialization triggers the chain.\u003c/li\u003e\n\u003cli\u003eThe POP chain executes a series of predefined actions based on the objects and methods involved.\u003c/li\u003e\n\u003cli\u003eThe final objective is achieved, such as deleting arbitrary files, retrieving sensitive data, or executing arbitrary code on the server.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe PHP Object Injection vulnerability in the Smart Post Show WordPress plugin allows attackers to potentially gain remote code execution on the affected server. The impact is contingent on the existence of a POP chain within other installed plugins or themes. If successful, an attacker could potentially compromise the entire web server, leading to data breaches, defacement, or complete system takeover. 
Given the widespread use of WordPress and this plugin, a successful exploit could affect numerous websites across various sectors.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the Smart Post Show plugin to a version greater than 3.0.12 to patch CVE-2026-3017.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect WordPress Plugin Deserialization Attempt\u0026rdquo; to monitor for suspicious deserialization activity on WordPress servers.\u003c/li\u003e\n\u003cli\u003eAudit all installed WordPress plugins and themes for potential POP chains that could be exploited in conjunction with this vulnerability.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-14T06:17:10Z","date_published":"2026-04-14T06:17:10Z","id":"/briefs/2026-04-smart-post-show-rce/","summary":"The Smart Post Show WordPress plugin versions 3.0.12 and earlier are vulnerable to PHP Object Injection via deserialization of untrusted input in the import_shortcodes() function, potentially leading to remote code execution if a suitable POP chain is present.","title":"Smart Post Show WordPress Plugin PHP Object Injection Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-04-smart-post-show-rce/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.5,"id":"CVE-2025-5804"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["php","lfi","wordpress","cve-2025-5804"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA local file inclusion (LFI) vulnerability, identified as CVE-2025-5804, affects the Case Theme User WordPress plugin before version 1.0.4. The vulnerability stems from insufficient validation of filenames passed to PHP\u0026rsquo;s \u003ccode\u003einclude\u003c/code\u003e or \u003ccode\u003erequire\u003c/code\u003e statements. This allows an unauthenticated attacker to potentially include arbitrary local files on the server hosting the WordPress instance. 
Successful exploitation could lead to sensitive information disclosure, arbitrary code execution, or denial of service. The vulnerability was reported by Patchstack and is fixed in version 1.0.4. Users of the Case Theme User plugin are advised to upgrade to version 1.0.4 or later to mitigate this risk.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies a vulnerable Case Theme User plugin running on a WordPress site.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request targeting a PHP file within the plugin that uses an \u003ccode\u003einclude\u003c/code\u003e or \u003ccode\u003erequire\u003c/code\u003e statement.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies a GET or POST parameter associated with the vulnerable \u003ccode\u003einclude\u003c/code\u003e or \u003ccode\u003erequire\u003c/code\u003e statement, injecting a path to a local file, typically through a traversal sequence (e.g., \u003ccode\u003e../../../../etc/passwd\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe web server processes the request, and the PHP interpreter attempts to include the file specified in the attacker-controlled parameter.\u003c/li\u003e\n\u003cli\u003eDue to the LFI vulnerability, the server includes the attacker-specified local file.\u003c/li\u003e\n\u003cli\u003eIf the included file contains sensitive data, such as configuration files or credentials, the attacker can extract this information from the server\u0026rsquo;s response.\u003c/li\u003e\n\u003cli\u003eIn more advanced scenarios, the attacker includes a file containing PHP code that they were previously able to place on the server (for example, through an upload feature or a poisoned log file); because \u003ccode\u003einclude\u003c/code\u003e executes whatever PHP it finds, this yields remote code execution.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2025-5804 can lead to a range of impacts, including sensitive information disclosure such as WordPress configuration files (wp-config.php), which contain database credentials (a plain include of a PHP file executes it rather than returning its text; reading source through an LFI usually relies on the \u003ccode\u003ephp://filter\u003c/code\u003e wrapper, where the vulnerable code accepts it). 
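Added example for the chain above, not the Case Theme User plugin's code: a request-controlled include() next to an allowlist-based replacement. The template names, the template directory and the request parameter are assumptions made for the illustration.

```php
<?php
// Added illustration, not the plugin's code: an include() whose target comes
// from the request, and an allowlist-based replacement. The template names,
// directory and request parameter are constructed for this example.

// Vulnerable: whatever the client supplies reaches include().
function renderTemplateUnsafe(string $templateDir, string $name): void
{
    include $templateDir . '/' . $name;
}

// Hardened: a short client-supplied key selects from a fixed map of files.
// Nothing from the request is ever used as part of a path.
const ALLOWED_TEMPLATES = [
    'login'    => 'login.php',
    'register' => 'register.php',
    'profile'  => 'profile.php',
];

function resolveTemplate(string $templateDir, string $name): ?string
{
    if (!array_key_exists($name, ALLOWED_TEMPLATES)) {
        return null;
    }
    $base = realpath($templateDir);
    $path = realpath($templateDir . '/' . ALLOWED_TEMPLATES[$name]);
    // realpath() resolves symlinks and dot segments; the prefix check is a
    // second line of defence in case the template directory itself is wrong.
    if ($base === false || $path === false || strpos($path, $base . '/') !== 0) {
        return null;
    }
    return $path;
}

function renderTemplateSafe(string $templateDir, string $name): bool
{
    $path = resolveTemplate($templateDir, $name);
    if ($path === null) {
        return false; // caller answers 400/404; nothing is included
    }
    include $path;
    return true;
}

// Throwaway template directory constructed for the demonstration.
$dir = sys_get_temp_dir() . '/lfi-demo-' . getmypid();
mkdir($dir);
file_put_contents($dir . '/login.php', '<?php echo 1 + 1, PHP_EOL;');

$traversal = '../../../../etc/passwd';
echo resolveTemplate($dir, $traversal) === null ? 'traversal key rejected' : 'traversal key accepted', PHP_EOL;
echo resolveTemplate($dir, 'login') === realpath($dir) . '/login.php'
    ? 'login resolved inside the template directory' : 'login resolved elsewhere', PHP_EOL;
renderTemplateSafe($dir, $traversal); // includes nothing
renderTemplateSafe($dir, 'login');    // runs the real template only
// renderTemplateUnsafe($dir, $traversal) would include /etc/passwd into the response.

unlink($dir . '/login.php');
rmdir($dir);
```

The point is that the request chooses a key, not a path. If a path must be accepted, checking it with realpath() against a fixed base directory, as resolveTemplate() does, is the minimum; any value containing :// also has to be refused, because realpath() does not understand the php:// and data:// wrappers that turn an LFI into source disclosure or code execution.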
Arbitrary code execution is possible if the attacker can include a file containing malicious PHP code. This could allow the attacker to gain complete control of the WordPress site and the underlying server. The number of affected sites depends on the adoption rate of the vulnerable Case Theme User plugin, but given the widespread use of WordPress, the potential impact could be significant.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately update the Case Theme User WordPress plugin to version 1.0.4 or later to patch CVE-2025-5804.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Case Theme User LFI Attempt\u003c/code\u003e to your SIEM to identify potential exploitation attempts based on suspicious file paths in HTTP requests.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for unusual file access patterns, particularly requests containing \u0026ldquo;..\u0026rdquo;, \u0026ldquo;%2e%2e\u0026rdquo;, or other directory traversal sequences, to catch LFI attempts (see log source \u003ccode\u003ewebserver\u003c/code\u003e).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-11T12:00:00Z","date_published":"2026-04-11T12:00:00Z","id":"/briefs/2026-04-case-theme-lfi/","summary":"CVE-2025-5804 is a PHP Local File Inclusion vulnerability in the Case Theme User WordPress plugin before version 1.0.4 due to improper filename control in include/require statements, potentially allowing attackers to execute arbitrary code by including malicious local files.","title":"Case Theme User WordPress Plugin Local File Inclusion Vulnerability 
(CVE-2025-5804)","url":"https://feed.craftedsignal.io/briefs/2026-04-case-theme-lfi/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.3,"id":"CVE-2026-5837"}],"_cs_exploited":true,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["sql-injection","web-application","php","CVE-2026-5837"],"_cs_type":"threat","_cs_vendors":[],"content_html":"\u003cp\u003eCVE-2026-5837 describes a SQL injection vulnerability affecting PHPGurukul News Portal Project version 4.1. The vulnerability resides in the \u003ccode\u003e/news-details.php\u003c/code\u003e file and is triggered by manipulating the \u003ccode\u003eComment\u003c/code\u003e argument.  Successful exploitation allows remote attackers to inject arbitrary SQL commands into the application\u0026rsquo;s database queries. The vulnerability has a CVSS v3.1 score of 7.3, indicating a high severity. Publicly available exploits exist, increasing the risk of active exploitation. Organizations using PHPGurukul News Portal Project 4.1 are urged to investigate and mitigate this vulnerability immediately. The lack of specific patching information emphasizes the importance of proactive detection and prevention measures.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies a vulnerable PHPGurukul News Portal Project 4.1 instance accessible over the internet.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request targeting the \u003ccode\u003e/news-details.php\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eWithin the request, the \u003ccode\u003eComment\u003c/code\u003e parameter is manipulated to inject SQL code. 
For example, the attacker might inject a payload such as \u003ccode\u003e' OR '1'='1\u003c/code\u003e to turn the WHERE clause into a tautology; UNION-based or blind (boolean- or time-based) payloads in the same position are then used to extract data.\u003c/li\u003e\n\u003cli\u003eThe vulnerable application builds the query by concatenating the \u003ccode\u003eComment\u003c/code\u003e parameter into the SQL text without parameterization or escaping.\u003c/li\u003e\n\u003cli\u003eThe injected SQL code is embedded within a database query executed by the application.\u003c/li\u003e\n\u003cli\u003eThe database server executes the attacker-controlled SQL query, potentially allowing the attacker to read, modify, or delete data.\u003c/li\u003e\n\u003cli\u003eThe application returns the results of the injected SQL query to the attacker, potentially revealing sensitive information or confirming that the injection works.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the SQL injection vulnerability to potentially gain unauthorized access to sensitive data, modify website content, or even gain control of the underlying server.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-5837 can lead to unauthorized access to sensitive information stored in the PHPGurukul News Portal Project\u0026rsquo;s database. An attacker could potentially steal user credentials, financial data, or other confidential information. The attacker could also modify website content, inject malicious code, or even gain control of the underlying server. 
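Added example serving both PHPGurukul briefs on this page (the email parameter in /register.php above and the Comment parameter in /news-details.php here). It is not PHPGurukul's code: a hypothetical comments table is created in an in-memory SQLite database (pdo_sqlite assumed, PHP 7.3 or later for the nowdoc syntax) so the difference between a concatenated and a parameterised query can be observed without a MySQL server.

```php
<?php
// Added illustration, not PHPGurukul code: the same lookup written with string
// concatenation and with a bound parameter, run against an in-memory SQLite
// database (pdo_sqlite assumed). Table, rows and payload are constructed here.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE tblcomments (id INTEGER PRIMARY KEY, postid INTEGER, comment TEXT)');
$ins = $db->prepare('INSERT INTO tblcomments (postid, comment) VALUES (?, ?)');
$ins->execute([1, 'first comment']);
$ins->execute([2, 'comment on a different post']);

// Vulnerable: the request value is spliced into the SQL text, so a quote in
// it ends the string literal and the rest is parsed as SQL.
function findCommentsUnsafe(PDO $db, int $postId, string $comment): array
{
    $sql = sprintf(<<<'SQL'
    SELECT id, comment FROM tblcomments WHERE postid = %d AND comment = '%s'
    SQL, $postId, $comment);
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened: the SQL text is fixed at prepare time; values travel separately
// and can only ever be compared as data.
function findCommentsSafe(PDO $db, int $postId, string $comment): array
{
    $stmt = $db->prepare('SELECT id, comment FROM tblcomments WHERE postid = ? AND comment = ?');
    $stmt->execute([$postId, $comment]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed payload: the tautology quoted in the brief.
$payload = <<<'SQL'
' OR '1'='1
SQL;

$unsafe = findCommentsUnsafe($db, 1, $payload);
$safe   = findCommentsSafe($db, 1, $payload);

// The concatenated statement reads  ... postid = 1 AND comment = '' OR '1'='1'
// and matches every row, including the comment that belongs to post 2.
// The parameterised statement matches nothing: no comment equals the payload.
printf('concatenated query returned %d rows, parameterised query returned %d rows%s',
    count($unsafe), count($safe), PHP_EOL);
```

Casting the post id with %d is not what protects the safe version; the placeholder is. With PDO on MySQL, also set PDO::ATTR_EMULATE_PREPARES to false so the server, rather than the client library, performs the separation of statement and data.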
Given the public availability of exploits, vulnerable instances are at immediate risk of compromise.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetecting SQL Injection in PHPGurukul News Portal\u003c/code\u003e to identify attempts to exploit CVE-2026-5837 by monitoring for suspicious characters in the \u003ccode\u003ecs-uri-query\u003c/code\u003e field of web server logs.\u003c/li\u003e\n\u003cli\u003eApply web application firewall (WAF) rules to block requests containing common SQL injection payloads.\u003c/li\u003e\n\u003cli\u003eReview and harden the \u003ccode\u003e/news-details.php\u003c/code\u003e page to properly sanitize the Comment input field.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for unusual activity, especially related to the \u003ccode\u003e/news-details.php\u003c/code\u003e endpoint, and correlate with other security events.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-09T04:17:23Z","date_published":"2026-04-09T04:17:23Z","id":"/briefs/2026-04-phpgurukul-sql-injection/","summary":"PHPGurukul News Portal Project version 4.1 is vulnerable to SQL injection via the Comment parameter in /news-details.php, potentially allowing remote attackers to execute arbitrary SQL queries.","title":"PHPGurukul News Portal Project SQL Injection Vulnerability (CVE-2026-5837)","url":"https://feed.craftedsignal.io/briefs/2026-04-phpgurukul-sql-injection/"},{"_cs_actors":[],"_cs_cves":[{"cvss":9.8,"id":"CVE-2026-3296"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["wordpress","php","object-injection","rce","cve-2026-3296"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThe Everest Forms plugin for WordPress, a widely used form builder, contains a critical PHP Object Injection vulnerability (CVE-2026-3296) affecting versions up to and including 3.4.3. 
This vulnerability stems from the insecure deserialization of user-supplied data within the \u003ccode\u003ehtml-admin-page-entries-view.php\u003c/code\u003e file. Specifically, the plugin uses PHP\u0026rsquo;s \u003ccode\u003eunserialize()\u003c/code\u003e function on form entry metadata stored in the \u003ccode\u003ewp_evf_entrymeta\u003c/code\u003e table without specifying allowed classes, creating an exploitable condition. An unauthenticated attacker can inject malicious serialized PHP objects through any public form field. The \u003ccode\u003esanitize_text_field()\u003c/code\u003e function fails to prevent these attacks because it doesn\u0026rsquo;t strip serialization control characters. This allows attackers to execute arbitrary PHP code on the WordPress server when an administrator views form entries. This vulnerability poses a significant risk to WordPress sites using the Everest Forms plugin.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker submits a malicious serialized PHP object through a public Everest Forms form field.\u003c/li\u003e\n\u003cli\u003eThe submitted payload bypasses the \u003ccode\u003esanitize_text_field()\u003c/code\u003e function due to the function\u0026rsquo;s failure to remove serialization control characters.\u003c/li\u003e\n\u003cli\u003eThe crafted serialized object is stored in the \u003ccode\u003ewp_evf_entrymeta\u003c/code\u003e database table associated with the form entry.\u003c/li\u003e\n\u003cli\u003eAn administrator accesses the WordPress administration panel and navigates to the Everest Forms entries section.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003ehtml-admin-page-entries-view.php\u003c/code\u003e file is executed to display form entries and their associated metadata.\u003c/li\u003e\n\u003cli\u003eThe plugin retrieves the stored serialized object from the \u003ccode\u003ewp_evf_entrymeta\u003c/code\u003e 
table.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eunserialize()\u003c/code\u003e function is called on the retrieved data \u003cem\u003ewithout\u003c/em\u003e the \u003ccode\u003eallowed_classes\u003c/code\u003e option, so any class known to the application can be instantiated from attacker-controlled data (PHP Object Injection).\u003c/li\u003e\n\u003cli\u003eThe injected object is instantiated with attacker-chosen property values and its magic methods (\u003ccode\u003e__wakeup\u003c/code\u003e, \u003ccode\u003e__destruct\u003c/code\u003e, \u003ccode\u003e__toString\u003c/code\u003e and similar) run; with a suitable gadget class available in WordPress core, a plugin or a theme, this yields arbitrary PHP code execution on the server and complete control over the site.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability (CVE-2026-3296) can lead to complete compromise of the WordPress website. An attacker can gain remote code execution, allowing them to inject malware, deface the site, steal sensitive data (including user credentials and financial information), or use the compromised server as part of a botnet. Given the widespread use of the Everest Forms plugin, a large number of WordPress sites are potentially vulnerable. 
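Added example for this brief and for the Smart Post Show brief above; it is code from neither plugin. Gadget is a hypothetical class standing in for a real POP-chain gadget, and sanitize_text_field_like() is a stand-in for WordPress's sanitize_text_field(), kept here so the script runs without WordPress. It shows that the sanitiser leaves the serialized form intact, that a plain unserialize() runs the gadget, and that allowed_classes stops it.

```php
<?php
// Added illustration, not plugin code: why text sanitisation leaves a serialized
// object intact, what unserialize() then does with it, and the allowed_classes fix.
// Gadget is a hypothetical stand-in for a real POP-chain gadget class.

class Gadget
{
    public string $logFile = '';
    public string $line = '';

    // Runs when the object is destroyed: a classic sink that turns
    // attacker-controlled properties into a file write.
    public function __destruct()
    {
        if ($this->logFile !== '') {
            file_put_contents($this->logFile, $this->line, FILE_APPEND);
        }
    }
}

// Stand-in for WordPress sanitize_text_field(): strips tags, non-printable
// ASCII bytes and surrounding whitespace, but leaves O:, s:, {, } and ; untouched.
function sanitize_text_field_like(string $value): string
{
    $value = strip_tags($value);
    $value = preg_replace('/[^[:print:]]/', '', $value);
    return trim($value);
}

// Constructed attacker payload: a serialized Gadget pointing at a file path.
$target = sys_get_temp_dir() . '/poi-demo-' . getmypid() . '.txt';
$gadget = new Gadget();
$gadget->logFile = $target;
$gadget->line = 'written by a deserialized gadget' . PHP_EOL;
$payload = serialize($gadget);
$gadget->logFile = ''; // disarm the original so only deserialized copies can write
unset($gadget);

// What a form field goes through before it reaches the entry-meta table.
$stored = sanitize_text_field_like($payload);
echo $stored === $payload ? 'sanitiser left the payload intact' : 'sanitiser altered the payload', PHP_EOL;

// Vulnerable: every declared class may be instantiated from the data.
$obj = unserialize($stored);
unset($obj); // __destruct fires here
echo file_exists($target) ? 'unsafe unserialize: gadget wrote the file' : 'no file written', PHP_EOL;
@unlink($target);

// Hardened: no class is allowed, so the data becomes __PHP_Incomplete_Class
// and no magic method of Gadget ever runs.
$obj = unserialize($stored, ['allowed_classes' => false]);
echo 'safe unserialize produced ', get_class($obj), PHP_EOL;
unset($obj);
echo file_exists($target) ? 'gadget still ran' : 'safe unserialize: nothing written', PHP_EOL;
```

Even with allowed_classes set to false, unserialize() remains a full parser running over attacker data; for stored form metadata, JSON (json_decode() with the associative flag) removes object instantiation from the picture entirely.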
The CVSS v3.1 base score of 9.8 reflects the critical severity of this vulnerability.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately update the Everest Forms plugin to the latest version (greater than 3.4.3) to patch CVE-2026-3296.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Suspicious unserialize Call in Everest Forms\u003c/code\u003e to identify potential exploitation attempts in web server logs.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious POST requests to WordPress form submission endpoints containing serialized PHP objects, as detected by the \u003ccode\u003eDetect Suspicious Form Submission with Serialized Data\u003c/code\u003e Sigma rule.\u003c/li\u003e\n\u003cli\u003eImplement a Web Application Firewall (WAF) rule to block requests containing serialized PHP objects in form submission data.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-08T02:16:04Z","date_published":"2026-04-08T02:16:04Z","id":"/briefs/2026-04-everest-forms-rce/","summary":"The Everest Forms plugin for WordPress is vulnerable to PHP Object Injection (CVE-2026-3296) in versions up to 3.4.3, allowing unauthenticated attackers to execute arbitrary code by injecting serialized PHP objects via form fields.","title":"Everest Forms WordPress Plugin PHP Object Injection Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-04-everest-forms-rce/"},{"_cs_actors":[],"_cs_cves":[{"cvss":9.9,"id":"CVE-2026-39355"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["broken-access-control","php","genealogy","CVE-2026-39355"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eGenealogy is a family tree PHP application that, prior to version 5.9.1, contained a critical broken access control vulnerability identified as CVE-2026-39355. 
This flaw allows any authenticated user to transfer ownership of non-personal teams to themselves without proper authorization checks. This unauthorized ownership transfer leads to complete takeover of other users’ team workspaces, granting the attacker unrestricted access to all genealogy data associated with the compromised team. This vulnerability poses a significant risk to data confidentiality and integrity within organizations using affected versions of the Genealogy application. Version 5.9.1 addresses and resolves this vulnerability.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker authenticates to the Genealogy application with valid user credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies a target \u0026ldquo;team\u0026rdquo; within the application that is not their own.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request to the application\u0026rsquo;s team ownership transfer functionality, specifying the target team and the attacker\u0026rsquo;s user ID as the new owner.\u003c/li\u003e\n\u003cli\u003eDue to the broken access control vulnerability (CVE-2026-39355), the application fails to validate the attacker\u0026rsquo;s authorization to perform the ownership transfer.\u003c/li\u003e\n\u003cli\u003eThe application incorrectly updates the team\u0026rsquo;s ownership data, assigning ownership to the attacker.\u003c/li\u003e\n\u003cli\u003eThe attacker now possesses full administrative control over the compromised team\u0026rsquo;s workspace and data.\u003c/li\u003e\n\u003cli\u003eThe attacker accesses and exfiltrates sensitive genealogy data, including family trees, personal information, and other confidential records.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-39355 allows an attacker to gain complete control over targeted teams within the Genealogy 
application. This leads to unauthorized access to sensitive genealogy data, potentially impacting all users and families represented within the compromised teams. The impact includes data exfiltration, modification, or deletion, potentially causing significant reputational damage and legal liabilities. While the exact number of affected installations is unknown, all organizations running versions prior to 5.9.1 are vulnerable.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately upgrade the Genealogy application to version 5.9.1 or later to patch CVE-2026-39355.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious POST requests to team management endpoints, specifically those related to team ownership transfer. Use the provided Sigma rule \u003ccode\u003eDetect Suspicious Genealogy Team Ownership Transfer\u003c/code\u003e to detect unauthorized attempts.\u003c/li\u003e\n\u003cli\u003eImplement strict access control policies within the Genealogy application, ensuring that users can only access and modify data related to teams they are authorized to manage.\u003c/li\u003e\n\u003cli\u003eEnable detailed logging for all user authentication and authorization events within the Genealogy application to facilitate incident investigation.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-07T19:16:46Z","date_published":"2026-04-07T19:16:46Z","id":"/briefs/2026-04-genealogy-acl/","summary":"A critical broken access control vulnerability (CVE-2026-39355) in Genealogy PHP application versions prior to 5.9.1 allows authenticated users to transfer ownership of arbitrary teams, leading to complete takeover of team workspaces and unrestricted data access.","title":"Genealogy PHP Application Broken Access Control Vulnerability 
(CVE-2026-39355)","url":"https://feed.craftedsignal.io/briefs/2026-04-genealogy-acl/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2026-35164"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["cve-2026-35164","rce","file-upload","brave-cms","ckeditor","php","webserver"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eBrave CMS, an open-source content management system, is vulnerable to an unrestricted file upload vulnerability (CVE-2026-35164) in versions prior to 2.0.6. The vulnerability resides within the CKEditor upload functionality, specifically in the \u003ccode\u003eckupload\u003c/code\u003e method located in \u003ccode\u003eapp/Http/Controllers/Dashboard/CkEditorController.php\u003c/code\u003e. The application fails to properly validate the types of uploaded files, relying solely on user-provided input. This lack of validation enables an authenticated user to upload malicious PHP scripts, leading to arbitrary code execution on the server. The vulnerability was reported on April 6, 2026, and is fixed in Brave CMS version 2.0.6. 
Organizations using affected versions of Brave CMS are at risk of complete system compromise.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker authenticates to the Brave CMS application as a user with upload privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker navigates to a page or functionality within the CMS that utilizes the CKEditor for content creation or editing.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the CKEditor\u0026rsquo;s upload functionality to upload a malicious PHP script disguised as a legitimate file type (e.g., image).\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eckupload\u003c/code\u003e method in \u003ccode\u003eapp/Http/Controllers/Dashboard/CkEditorController.php\u003c/code\u003e processes the uploaded file without proper validation of the file type or content.\u003c/li\u003e\n\u003cli\u003eThe malicious PHP script is stored on the server in a publicly accessible directory.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a request to directly access the uploaded PHP script via its URL.\u003c/li\u003e\n\u003cli\u003eThe web server executes the PHP script, granting the attacker the ability to run arbitrary commands on the server.\u003c/li\u003e\n\u003cli\u003eThe attacker establishes persistence, installs a web shell, and performs lateral movement within the network, escalating privileges as needed to achieve their objectives.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an attacker to execute arbitrary PHP code on the affected Brave CMS server. This can lead to complete compromise of the CMS instance, including unauthorized access to sensitive data, modification of website content, and potential lateral movement to other systems on the network. The CVSS v3.1 base score for this vulnerability is 8.8, indicating a high severity level. 
Organizations running vulnerable versions of Brave CMS are at risk of data breaches, website defacement, and further exploitation of their infrastructure.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Brave CMS to version 2.0.6 or later to remediate the unrestricted file upload vulnerability (CVE-2026-35164).\u003c/li\u003e\n\u003cli\u003eImplement server-side file validation to prevent the upload of malicious files, regardless of file extension.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious activity related to file uploads and execution of PHP scripts.\u003c/li\u003e\n\u003cli\u003eDeploy the following Sigma rule to detect attempts to access potentially malicious PHP files in the web server\u0026rsquo;s upload directories.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-06T18:16:42Z","date_published":"2026-04-06T18:16:42Z","id":"/briefs/2026-04-brave-cms-rce/","summary":"Brave CMS versions prior to 2.0.6 contain an unrestricted file upload vulnerability within the CKEditor upload functionality in the ckupload method, allowing authenticated users to upload executable PHP scripts and achieve Remote Code Execution.","title":"Brave CMS Unrestricted File Upload Leads to Remote Code Execution","url":"https://feed.craftedsignal.io/briefs/2026-04-brave-cms-rce/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.2,"id":"CVE-2026-34236"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["cve-2026-34236","auth0","php","cookie-forging","session-hijacking"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThe Auth0-PHP SDK, a PHP library for Auth0 Authentication and Management APIs, contains a vulnerability (CVE-2026-34236) affecting versions 8.0.0 to before 8.19.0. The insufficient entropy used in cookie encryption within these versions creates a significant security risk.  
Attackers could potentially exploit this vulnerability by brute-forcing the encryption key used to protect session cookies. Successful exploitation would allow an attacker to forge session cookies, gaining unauthorized access to applications using the vulnerable SDK. The vulnerability was patched in version 8.19.0. Applications using Auth0-PHP within the specified range are vulnerable.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies an application using a vulnerable version of the Auth0-PHP SDK (8.0.0 \u0026lt; v \u0026lt; 8.19.0).\u003c/li\u003e\n\u003cli\u003eThe application sets a session cookie encrypted using the SDK\u0026rsquo;s insufficient entropy encryption.\u003c/li\u003e\n\u003cli\u003eAttacker intercepts a legitimate user\u0026rsquo;s session cookie (e.g., via network sniffing or cross-site scripting).\u003c/li\u003e\n\u003cli\u003eAttacker attempts to brute-force the encryption key used to encrypt the session cookie, leveraging the weakness in the encryption algorithm.\u003c/li\u003e\n\u003cli\u003eUpon successful brute-forcing, the attacker decrypts the intercepted session cookie and extracts the session identifier.\u003c/li\u003e\n\u003cli\u003eThe attacker constructs a new, forged cookie with the decrypted session identifier.\u003c/li\u003e\n\u003cli\u003eThe attacker injects the forged cookie into their own browser session.\u003c/li\u003e\n\u003cli\u003eThe attacker accesses the application, impersonating the legitimate user and gaining unauthorized access to their account and data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-34236 allows attackers to forge session cookies, leading to account takeover. The impact is significant, potentially affecting all applications using the vulnerable Auth0-PHP SDK versions 8.0.0 to before 8.19.0. 
The severity is elevated due to the potential for complete account compromise without requiring user interaction beyond the initial cookie interception. Organizations could face data breaches, financial loss, and reputational damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Auth0-PHP SDK to version 8.19.0 or later to remediate CVE-2026-34236.\u003c/li\u003e\n\u003cli\u003eImplement web application firewall (WAF) rules to detect and block suspicious cookie manipulation attempts.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for unusual patterns indicative of brute-force attacks against cookie encryption.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-01T18:16:30Z","date_published":"2026-04-01T18:16:30Z","id":"/briefs/2026-04-auth0-php-cookie-forging/","summary":"Auth0-PHP SDK versions 8.0.0 to before 8.19.0 encrypt cookies with insufficient entropy, potentially allowing attackers to brute-force the encryption key and forge session cookies.","title":"Auth0-PHP SDK Cookie Forging Vulnerability (CVE-2026-34236)","url":"https://feed.craftedsignal.io/briefs/2026-04-auth0-php-cookie-forging/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["protobuf","dos","php"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA high-severity denial-of-service (DoS) vulnerability has been identified in the Protobuf PHP library, affecting versions prior to 4.33.6. The vulnerability stems from the improper handling of maliciously structured Protocol Buffer messages. Specifically, messages containing negative varints or exhibiting deep recursion can trigger excessive resource consumption during parsing. This can lead to application crashes, thereby disrupting service availability. 
Patches addressing this vulnerability have been released in versions 5.34.0-RC1 and 4.33.6 of the Protobuf library. Defenders should prioritize updating vulnerable systems to these patched versions to mitigate potential exploitation.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker crafts a malicious Protocol Buffer message.\u003c/li\u003e\n\u003cli\u003eThe message contains either negative varints or exploits deep recursion.\u003c/li\u003e\n\u003cli\u003eThe attacker sends the malicious message to a PHP application using the vulnerable Protobuf library.\u003c/li\u003e\n\u003cli\u003eThe PHP application attempts to parse the malicious message using the affected Protobuf library.\u003c/li\u003e\n\u003cli\u003eDuring parsing, the negative varints or deep recursion trigger excessive resource consumption, such as CPU or memory.\u003c/li\u003e\n\u003cli\u003eThe application becomes unresponsive due to resource exhaustion.\u003c/li\u003e\n\u003cli\u003eThe application crashes, leading to a denial of service.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability results in a denial-of-service condition, rendering affected applications unavailable. This can impact any service relying on the Protobuf PHP library to process untrusted data, such as APIs, message queues, or data storage systems. The number of affected services depends on the prevalence of the vulnerable Protobuf library within an organization\u0026rsquo;s infrastructure. 
This issue can lead to significant disruption and potential data loss or corruption if applications crash while processing critical data.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the \u003ccode\u003ecomposer/google/protobuf\u003c/code\u003e package to version 4.33.6 or later to remediate the vulnerability.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for anomalous request patterns indicative of exploitation attempts targeting Protobuf message processing.\u003c/li\u003e\n\u003cli\u003eImplement rate limiting and input validation on services that process Protocol Buffer messages to mitigate the impact of malicious inputs.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-25T21:04:21Z","date_published":"2026-03-25T21:04:21Z","id":"/briefs/2026-03-protobuf-dos/","summary":"A denial-of-service vulnerability exists in the Protobuf PHP library due to maliciously crafted messages with negative varints or deep recursion, leading to application crashes and impacting service availability.","title":"Protobuf PHP Library Denial of Service Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-03-protobuf-dos/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["rce","vulnerability","php"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003ePhreeBooks ERP version 5.2.3 is susceptible to a remote code execution (RCE) vulnerability (CVE-2019-25647) within its image manager component. This flaw enables authenticated attackers to bypass file extension restrictions and upload malicious PHP files. Successful exploitation allows attackers to execute arbitrary code on the underlying server, potentially leading to complete system compromise. 
The vulnerability exists because the image manager lacks adequate validation of uploaded file types, permitting the upload of PHP files disguised with allowed extensions or lacking extensions altogether. This can lead to reverse shell creation.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker authenticates to the PhreeBooks ERP 5.2.3 application.\u003c/li\u003e\n\u003cli\u003eThe attacker accesses the image manager functionality.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious PHP file designed to execute system commands or establish a reverse shell.\u003c/li\u003e\n\u003cli\u003eThe attacker uploads the malicious PHP file through the image manager, bypassing file extension validation. This may involve renaming the file with a permitted extension or omitting the extension entirely.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies the upload location of the malicious PHP file.\u003c/li\u003e\n\u003cli\u003eThe attacker sends an HTTP request to the uploaded PHP file\u0026rsquo;s location on the server.\u003c/li\u003e\n\u003cli\u003eThe web server executes the PHP code, triggering the attacker\u0026rsquo;s malicious payload (e.g., reverse shell).\u003c/li\u003e\n\u003cli\u003eThe attacker gains remote access to the server and can execute arbitrary system commands.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows a remote attacker to execute arbitrary code on the targeted server. This can lead to complete system compromise, including data theft, modification, or destruction. Given that PhreeBooks ERP is used to manage business operations, a successful attack could result in significant financial losses, disruption of services, and reputational damage. 
There is no specific information about victim count or sectors targeted available from the source.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply any available patches or updates for PhreeBooks ERP to address CVE-2019-25647.\u003c/li\u003e\n\u003cli\u003eImplement the Sigma rule \u0026ldquo;Detect Suspicious PHP Upload via Image Manager\u0026rdquo; to detect attempts to upload malicious PHP files through the image manager.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for requests to unusual file paths containing PHP code, as this could indicate exploitation attempts.\u003c/li\u003e\n\u003cli\u003eRestrict access to the image manager functionality to only authorized users.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-24T12:16:07Z","date_published":"2026-03-24T12:16:07Z","id":"/briefs/2026-03-phreebooks-rce/","summary":"PhreeBooks ERP 5.2.3 is vulnerable to remote code execution, allowing authenticated attackers to upload and execute arbitrary PHP files via the image manager, leading to reverse shell connections and system command execution.","title":"PhreeBooks ERP 5.2.3 Remote Code Execution Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-03-phreebooks-rce/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["PhpSpreadsheet"],"_cs_severities":["critical"],"_cs_tags":["phpspreadsheet","ssrf","rce","php","deserialization"],"_cs_type":"advisory","_cs_vendors":["PhpOffice"],"content_html":"\u003cp\u003ePhpSpreadsheet, a widely used PHP library for reading and writing spreadsheet files, is susceptible to a critical vulnerability that can lead to both Server-Side Request Forgery (SSRF) and Remote Code Execution (RCE). The vulnerability stems from insufficient validation of the \u003ccode\u003e$filename\u003c/code\u003e parameter passed to the \u003ccode\u003eIOFactory::load\u003c/code\u003e function. 
When this parameter is user-controlled, attackers can leverage PHP wrappers such as \u003ccode\u003eftp://\u003c/code\u003e, \u003ccode\u003ephar://\u003c/code\u003e, and \u003ccode\u003essh2.sftp://\u003c/code\u003e to bypass the \u003ccode\u003eis_file\u003c/code\u003e check, leading to malicious file inclusion or arbitrary code execution. This flaw affects versions up to and including 1.30.2, as well as versions 2.0.0 through 5.5.0. Exploitation can occur even if the specified file inside the phar archive does not exist or is not a supported file type, potentially masking the attack. Due to PhpSpreadsheet\u0026rsquo;s widespread use in other popular libraries like \u003ccode\u003emaatwebsite/excel\u003c/code\u003e and \u003ccode\u003esonata-project/exporter\u003c/code\u003e, the impact of this vulnerability is significant.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker crafts a malicious phar archive (\u003ccode\u003eexploit.xlsx\u003c/code\u003e) containing a PHP object with a \u003ccode\u003e__destruct\u003c/code\u003e method that executes arbitrary code via \u003ccode\u003eshell_exec\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker hosts the malicious phar archive on a web server or makes it accessible through other means.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a request to a vulnerable web application using PhpSpreadsheet, providing a \u003ccode\u003ephar://\u003c/code\u003e URL (e.g., \u003ccode\u003ephar://exploit.xlsx/whatever\u003c/code\u003e) as the \u003ccode\u003e$filename\u003c/code\u003e parameter to \u003ccode\u003eIOFactory::load\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eIOFactory::load\u003c/code\u003e attempts to load the file specified in the \u003ccode\u003e$filename\u003c/code\u003e parameter, which passes through the vulnerable \u003ccode\u003eis_file\u003c/code\u003e check.\u003c/li\u003e\n\u003cli\u003eThe 
\u003ccode\u003ephar://\u003c/code\u003e wrapper triggers PHP\u0026rsquo;s phar extension, which deserializes the metadata within the \u003ccode\u003eexploit.xlsx\u003c/code\u003e archive.\u003c/li\u003e\n\u003cli\u003eDeserialization of the malicious PHP object triggers the \u003ccode\u003e__destruct\u003c/code\u003e method, executing the attacker\u0026rsquo;s arbitrary code via \u003ccode\u003eshell_exec\u003c/code\u003e, achieving RCE. The code creates \u003ccode\u003e/tmp/poc.txt\u003c/code\u003e in the example.\u003c/li\u003e\n\u003cli\u003eAlternatively, the attacker provides an \u003ccode\u003eftp://\u003c/code\u003e URL to \u003ccode\u003eIOFactory::load\u003c/code\u003e, pointing to an attacker-controlled FTP server.\u003c/li\u003e\n\u003cli\u003eThe vulnerable \u003ccode\u003eis_file\u003c/code\u003e check allows the \u003ccode\u003eftp://\u003c/code\u003e connection, leading to an SSRF vulnerability where the server running PhpSpreadsheet connects to the attacker\u0026rsquo;s specified FTP server.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability can lead to a range of severe consequences. Remote Code Execution (RCE) allows an attacker to execute arbitrary commands on the server, potentially leading to complete system compromise. The SSRF vulnerability enables an attacker to probe internal network resources, potentially exposing sensitive information or allowing further attacks on internal systems. Given PhpSpreadsheet\u0026rsquo;s use in numerous web applications and frameworks, a successful attack could impact a large number of users and organizations. 
Example impact includes attackers gaining initial access to internal applications.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the suggested mitigations by either checking for PHP wrappers in the filename before calling \u003ccode\u003eis_file\u003c/code\u003e or by using \u003ccode\u003erealpath\u003c/code\u003e to ensure a clean absolute path (see code snippets in the advisory).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect_PhpSpreadsheet_Phar_Wrapper\u003c/code\u003e to detect attempts to exploit the RCE vulnerability by monitoring process creation events with command lines containing \u0026ldquo;phar://\u0026rdquo; and \u003ccode\u003ephp\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect_PhpSpreadsheet_Ftp_Wrapper\u003c/code\u003e to detect attempts to exploit the SSRF vulnerability by monitoring network connections to the FTP port (21) whose file paths contain ftp.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for requests containing the \u003ccode\u003ephar://\u003c/code\u003e or \u003ccode\u003eftp://\u003c/code\u003e schemes in the filename parameter to \u003ccode\u003eIOFactory::load\u003c/code\u003e.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-30T12:00:00Z","date_published":"2024-01-30T12:00:00Z","id":"/briefs/2024-01-30-phpspreadsheet-rce-ssrf/","summary":"PhpSpreadsheet is vulnerable to Server-Side Request Forgery (SSRF) and Remote Code Execution (RCE) due to improper validation of filenames in the IOFactory::load function, exploitable via PHP wrappers like `phar://` and `ftp://`.","title":"PhpSpreadsheet SSRF and RCE Vulnerability via 
IOFactory::load","url":"https://feed.craftedsignal.io/briefs/2024-01-30-phpspreadsheet-rce-ssrf/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["ci4-cms-erp/ci4ms"],"_cs_severities":["high"],"_cs_tags":["code-execution","web-application","php"],"_cs_type":"advisory","_cs_vendors":["composer"],"content_html":"\u003cp\u003eCI4MS versions 0.26.0.0 through 0.31.6.0 are vulnerable to authenticated remote code execution. The vulnerability lies in the theme upload feature, where any authenticated backend user with theme-upload permissions can upload a crafted ZIP file. PHP files included in the uploaded ZIP are installed into a web-accessible directory without extension or content filtering. This allows attackers to execute arbitrary PHP code on the server by directly accessing the uploaded files via HTTP requests. The vulnerability was reported on April 29, 2026 and can lead to full server compromise if exploited.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains valid credentials for a backend user account with theme upload permissions.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious ZIP archive containing a PHP file (e.g., shell.php) with code to execute system commands via a GET parameter.\u003c/li\u003e\n\u003cli\u003eThe attacker uploads the malicious ZIP file (e.g., evil_theme.zip) through the /backend/themes/upload endpoint using a POST request with multipart/form-data.\u003c/li\u003e\n\u003cli\u003eThe application extracts the ZIP archive to a temporary directory.\u003c/li\u003e\n\u003cli\u003eThe application copies the PHP file from the temporary directory to the public/templates/evil/ directory using the rename() function, with no file type validation or content inspection.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts an HTTP GET request targeting the uploaded PHP file (e.g., /templates/evil/shell.php?c=id).\u003c/li\u003e\n\u003cli\u003eThe 
web server executes the PHP code, running the system command specified in the \u0026lsquo;c\u0026rsquo; parameter.\u003c/li\u003e\n\u003cli\u003eThe output of the executed command is returned in the HTTP response, granting the attacker remote code execution.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows the attacker to execute arbitrary PHP code on the server under the context of the web server user. This can be leveraged to achieve OS-level command execution, potentially leading to data exfiltration, lateral movement, persistence, or full server compromise. Any deployment where a backend user has been granted theme upload permission is vulnerable. While a superadmin already has full privileges, this vulnerability allows lower-privileged roles to escalate their access.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the necessary patch or upgrade to a version of CI4MS beyond 0.31.6.0 to remediate CVE-2026-41587.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious HTTP requests targeting newly created directories under \u003ccode\u003e/templates/\u003c/code\u003e with PHP file extensions to detect potential exploitation attempts. 
Create a rule to detect this.\u003c/li\u003e\n\u003cli\u003eImplement stricter file upload validation, including file extension allowlists, MIME type checking, and content inspection, to prevent the upload of malicious PHP files.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-30T12:00:00Z","date_published":"2024-01-30T12:00:00Z","id":"/briefs/2024-01-30-ci4ms-rce/","summary":"CI4MS versions 0.26.0.0 through 0.31.6.0 are vulnerable to remote code execution; an authenticated backend user with theme upload permissions can upload a crafted ZIP file containing a PHP file, which is then installed into the web-accessible public directory without filtering, allowing direct execution via HTTP.","title":"CI4MS Authenticated Remote Code Execution via Theme Upload","url":"https://feed.craftedsignal.io/briefs/2024-01-30-ci4ms-rce/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["PhpSpreadsheet"],"_cs_severities":["medium"],"_cs_tags":["denial-of-service","phpspreadsheet","xlsx","php"],"_cs_type":"advisory","_cs_vendors":["phpoffice"],"content_html":"\u003cp\u003eA vulnerability exists in PhpSpreadsheet versions 1.x through 5.6.0 where the XLSX reader does not properly validate row numbers read from XML attributes within a spreadsheet file. Specifically, the \u003ccode\u003eColumnAndRowAttributes::readRowAttributes()\u003c/code\u003e method lacks a check against the maximum allowed row number (\u003ccode\u003eAddressRange::MAX_ROW = 1,048,576\u003c/code\u003e). An attacker can exploit this by crafting a minimal XLSX file (approximately 1.6KB) containing a \u003ccode\u003e\u0026lt;row r=\u0026quot;999999999\u0026quot;/\u0026gt;\u003c/code\u003e element. When processed, this inflates the \u003ccode\u003ecachedHighestRow\u003c/code\u003e property, causing subsequent row iteration operations to attempt nearly one billion loop cycles, thereby exhausting CPU resources and leading to a denial-of-service condition. 
This vulnerability can be exploited in web applications that accept user-uploaded spreadsheet files, making it a significant risk for systems using vulnerable versions of PhpSpreadsheet. The vulnerability was reported in GHSA-7c6m-4442-2x6m.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker crafts a malicious XLSX file containing an XML \u003ccode\u003e\u0026lt;row\u0026gt;\u003c/code\u003e element with a large \u003ccode\u003er\u003c/code\u003e attribute (e.g., \u003ccode\u003e\u0026lt;row r=\u0026quot;999999999\u0026quot;/\u0026gt;\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe attacker uploads the malicious XLSX file to a web application or system that uses PhpSpreadsheet to process spreadsheet files.\u003c/li\u003e\n\u003cli\u003eThe PhpSpreadsheet library, specifically the \u003ccode\u003eIOFactory::createReader('Xlsx')\u003c/code\u003e component, is used to read the uploaded file.\u003c/li\u003e\n\u003cli\u003eDuring the parsing process, the \u003ccode\u003eColumnAndRowAttributes::readRowAttributes()\u003c/code\u003e method reads the large row number from the XML attribute.\u003c/li\u003e\n\u003cli\u003eThe large row number is then used to update the \u003ccode\u003ecachedHighestRow\u003c/code\u003e property in the \u003ccode\u003eWorksheet\u003c/code\u003e object, effectively setting it to a very high value.\u003c/li\u003e\n\u003cli\u003eA subsequent operation that iterates over rows using \u003ccode\u003egetRowIterator()\u003c/code\u003e or retrieves the highest row using \u003ccode\u003egetHighestRow()\u003c/code\u003e triggers a loop that iterates up to the inflated \u003ccode\u003ecachedHighestRow\u003c/code\u003e value.\u003c/li\u003e\n\u003cli\u003eThe excessive number of loop iterations consumes a significant amount of CPU resources, leading to a denial-of-service condition.\u003c/li\u003e\n\u003cli\u003eThe application becomes unresponsive or crashes due to the CPU 
exhaustion.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability leads to a CPU denial of service. A small, 1.6KB crafted XLSX file can trigger almost one billion iterations, causing the system to become unresponsive for an extended period (estimated at ~144 seconds per file). This impacts any application using \u003ccode\u003egetRowIterator()\u003c/code\u003e or \u003ccode\u003egetHighestRow()\u003c/code\u003e methods, making the system unavailable. Applications processing the spreadsheet may also exhaust memory if they attempt to accumulate data during the iteration process. The high amplification factor (small input leading to massive CPU consumption) makes this vulnerability particularly dangerous, especially in web applications that process user-supplied spreadsheets.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the recommended fix by adding row bounds validation in \u003ccode\u003ereadRowAttributes()\u003c/code\u003e to check if \u003ccode\u003e$rowIndex\u003c/code\u003e is within the acceptable range (1 to \u003ccode\u003eAddressRange::MAX_ROW\u003c/code\u003e). 
This is the primary recommendation from the source advisory.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect PhpSpreadsheet Excessive Row Iteration\u003c/code\u003e to detect processes that may be attempting to process XLSX files with extremely high row numbers, indicating a potential exploitation attempt.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious file uploads, specifically XLSX files with unusually small sizes, which might indicate an attempt to upload a malicious file exploiting this vulnerability.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-03-phpspreadsheet-dos/","summary":"A vulnerability in PhpSpreadsheet exists where a crafted XLSX file containing a large row number can cause excessive CPU consumption due to unbounded loop iterations, leading to a denial of service.","title":"PhpSpreadsheet CPU Denial of Service via Unbounded Row Number","url":"https://feed.craftedsignal.io/briefs/2024-01-03-phpspreadsheet-dos/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.1,"id":"CVE-2026-27760"}],"_cs_exploited":false,"_cs_products":["OpenCATS"],"_cs_severities":["critical"],"_cs_tags":["code-injection","php","opencats","cve-2026-27760"],"_cs_type":"advisory","_cs_vendors":["OpenCATS"],"content_html":"\u003cp\u003eCVE-2026-27760 is a critical PHP code injection vulnerability that affects OpenCATS, a web-based applicant tracking system, in versions prior to commit 3002a29. The vulnerability resides in the installer AJAX endpoint, specifically within the \u003ccode\u003edatabaseConnectivity\u003c/code\u003e action parameter. Unauthenticated attackers can exploit this flaw by injecting arbitrary PHP code into this parameter. This injected code allows attackers to execute arbitrary commands on the server. 
The vulnerability is triggered during the initial setup phase, when the installation wizard is not yet complete and continues to execute on every subsequent page load. This vulnerability poses a significant risk to organizations using vulnerable versions of OpenCATS, as it can lead to complete system compromise, data theft, or denial of service.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker sends a crafted HTTP POST request to the OpenCATS installer AJAX endpoint (\u003ccode\u003e/install/ajax.php\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe request includes the \u003ccode\u003edatabaseConnectivity\u003c/code\u003e action parameter.\u003c/li\u003e\n\u003cli\u003eThe attacker injects PHP code into the \u003ccode\u003edatabaseConnectivity\u003c/code\u003e parameter, breaking out of the \u003ccode\u003edefine()\u003c/code\u003e string context in \u003ccode\u003econfig.php\u003c/code\u003e with a single quote and statement separator.\u003c/li\u003e\n\u003cli\u003eThe injected code is then processed by the server, leading to arbitrary PHP code execution within the context of the web server user.\u003c/li\u003e\n\u003cli\u003eThe injected code persists because it\u0026rsquo;s written to the \u003ccode\u003econfig.php\u003c/code\u003e file.\u003c/li\u003e\n\u003cli\u003eEvery subsequent page load executes the injected PHP code, even after the initial malicious request.\u003c/li\u003e\n\u003cli\u003eThe attacker can use the code execution to install a web shell for persistent access.\u003c/li\u003e\n\u003cli\u003eWith the web shell, the attacker can perform various malicious activities, including reading sensitive files, modifying the database, or pivoting to other systems on the network.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-27760 allows unauthenticated attackers to execute 
arbitrary PHP code on the affected OpenCATS server. This can lead to complete system compromise, including the theft of sensitive applicant data, modification of application settings, and the installation of backdoors for persistent access. Given that OpenCATS handles applicant data, a successful attack could result in a significant data breach and reputational damage. The vulnerability exists in the installer and persists throughout subsequent page loads as long as the installation wizard remains incomplete, making it highly impactful.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade OpenCATS to a version containing commit 3002a29 or later to remediate CVE-2026-27760.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious POST requests to \u003ccode\u003e/install/ajax.php\u003c/code\u003e containing PHP code in the \u003ccode\u003edatabaseConnectivity\u003c/code\u003e parameter to detect exploitation attempts (see rule: \u0026ldquo;Detect OpenCATS installer code injection attempt\u0026rdquo;).\u003c/li\u003e\n\u003cli\u003eImplement a Web Application Firewall (WAF) rule to block requests containing PHP code in the \u003ccode\u003edatabaseConnectivity\u003c/code\u003e parameter.\u003c/li\u003e\n\u003cli\u003eReview and restrict access to the \u003ccode\u003e/install/\u003c/code\u003e directory after completing the installation process to prevent accidental or malicious access to the installer.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-opencats-code-injection/","summary":"Unauthenticated attackers can exploit a PHP code injection vulnerability in OpenCATS versions prior to commit 3002a29 by injecting malicious PHP code into the installer's AJAX endpoint, leading to arbitrary code execution.","title":"OpenCATS PHP Code Injection Vulnerability 
(CVE-2026-27760)","url":"https://feed.craftedsignal.io/briefs/2024-01-opencats-code-injection/"}],"language":"en","title":"CraftedSignal Threat Feed — Php","version":"https://jsonfeed.org/version/1.1"}
