
Overview

  • themefusion
  • Avada (Fusion) Builder

Published: 13 May 2026
Updated: 13 May 2026

CVSS v3.1: MEDIUM (6.5)
EPSS: 0.04%

KEV

Description

The Avada Builder plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 3.15.2 via the 'fusion_get_svg_from_file' function with the 'custom_svg' parameter of the 'fusion_section_separator' shortcode. This makes it possible for authenticated attackers, with Subscriber-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information. The vulnerability was partially patched in version 3.15.2 and fully patched in version 3.15.3.

Statistics

  • 1 Post

Last activity: 3 hours ago

Bluesky

Avada Builder flaws in versions through 3.15.2 can let authenticated users read arbitrary files or pull sensitive database data, including credentials and password hashes. Fixed in 3.15.3. #AvadaBuilder #CVE20264782 #CVE20264798
  • 3h ago

Overview

  • Marvell
  • QConvergeConsole

Published: 07 Jul 2025
Updated: 07 Jul 2025

CVSS v3.0: CRITICAL (9.4)
EPSS: 87.03%

KEV

Description

Marvell QConvergeConsole QLogicDownloadImpl Directory Traversal Arbitrary File Deletion and Information Disclosure Vulnerability. This vulnerability allows remote attackers to delete arbitrary files and disclose sensitive information on affected installations of Marvell QConvergeConsole. Authentication is not required to exploit this vulnerability. The specific flaw exists within the QLogicDownloadImpl class. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to delete files and disclose information in the context of SYSTEM. Was ZDI-CAN-24912.

Statistics

  • 1 Post
  • 1 Interaction

Last activity: 3 hours ago

Fediverse


The ultimate persistence mechanism is here: Vim plugin persistence! Seriously, who can close Vim anyway?

Catch up on the latest Metasploit Wrap-up, also featuring Unauthenticated Marvell QConvergeConsole Path Traversal (CVE-2025-6793), Authenticated RCE in GestioIP 3.5.7 (CVE-2024-48760), and a classic PHP filter bypass in Dolibarr ERP/CRM (CVE-2023-30253).

As always, check out the blog: rapid7.com/blog/post/pt-metasp

  • 3h ago

Overview

  • Pending

Published: 14 Jan 2025
Updated: 23 Jan 2025

CVSS: Pending
EPSS: 66.58%

KEV

Description

An issue in GestioIP v3.5.7 allows a remote attacker to execute arbitrary code via the file upload function. The attacker can upload a malicious perlcmd.cgi file that overwrites the original upload.cgi file, enabling remote command execution.

Statistics

  • 1 Post
  • 1 Interaction

Last activity: 3 hours ago

Fediverse


The ultimate persistence mechanism is here: Vim plugin persistence! Seriously, who can close Vim anyway?

Catch up on the latest Metasploit Wrap-up, also featuring Unauthenticated Marvell QConvergeConsole Path Traversal (CVE-2025-6793), Authenticated RCE in GestioIP 3.5.7 (CVE-2024-48760), and a classic PHP filter bypass in Dolibarr ERP/CRM (CVE-2023-30253).

As always, check out the blog: rapid7.com/blog/post/pt-metasp

  • 3h ago

Overview

  • Pending

Published: 29 May 2023
Updated: 14 Jan 2025

CVSS: Pending
EPSS: 90.43%

KEV

Description

Dolibarr before 17.0.1 allows remote code execution by an authenticated user via an uppercase manipulation: <?PHP instead of <?php in injected data.

Statistics

  • 1 Post
  • 1 Interaction

Last activity: 3 hours ago

Fediverse


The ultimate persistence mechanism is here: Vim plugin persistence! Seriously, who can close Vim anyway?

Catch up on the latest Metasploit Wrap-up, also featuring Unauthenticated Marvell QConvergeConsole Path Traversal (CVE-2025-6793), Authenticated RCE in GestioIP 3.5.7 (CVE-2024-48760), and a classic PHP filter bypass in Dolibarr ERP/CRM (CVE-2023-30253).

As always, check out the blog: rapid7.com/blog/post/pt-metasp

  • 3h ago