Egidio Romano

**Name of the Vulnerable Software and Affected Versions** Discuz! X5.0 versions 20260320 through 20260610 **Description** A CAPTCHA bypass allows unauthenticated remote attackers to defeat challenge controls by exploiting limited complexity and predictable character sets in generated CAPTCHA images. Attackers can train a custom optical character recognition (OCR) model—a technology that converts images of text into machine-encoded text—against collected samples to reliably predict challenge text, bypassing protections on login, registration, and other functionality from automated abuse. **Recommendations** Update to a version later than 20260610.

**Name of the Vulnerable Software and Affected Versions** Discuz! X5.0 versions 20260320 through 20260501 **Description** An authentication bypass allows unauthenticated remote attackers to gain unauthorized access to database backup and restore functionality. This is possible due to a shared cryptographic key between UCenter integration and the database backup API exposed by the 'dbbak.php' endpoint. Attackers can inject a crafted payload through the `username` parameter during login to abuse the encryption oracle in the `logging more()` function within `logging ctl`, enabling them to obtain a signed token. This token allows the bypass of authorization for database export and import operations, and a race condition can be triggered to impersonate arbitrary users. **Recommendations** For versions 20260320 through 20260501, apply the available patch to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Discuz! X5.0 versions 20260320 through 20260610 **Description** An issue exists where authenticated administrators can execute arbitrary code by importing a specially crafted plugin configuration. This is achieved by including path traversal sequences in the `directory` attribute. By triggering an exception during plugin installation, sanitization routines are bypassed, allowing malicious paths to be stored and subsequently passed to the `include()` function. When combined with file upload functionality, this leads to arbitrary code execution within the context of the web server user. **Recommendations** Update Discuz! X5.0 to a version released after 20260610.

**Name of the Vulnerable Software and Affected Versions** SocialEngine versions 7.8.0 and prior **Description** An issue exists in the '/activity/index/get-memberall' endpoint where user-supplied input passed via the `text` parameter is not sanitized before being incorporated into a SQL query. This allows an unauthenticated remote attacker to read arbitrary data from the database, reset administrator account passwords, and gain unauthorized access to the Packages Manager in the Admin Panel, which could potentially enable remote code execution. **Recommendations** Update SocialEngine to a version later than 7.8.0. Avoid using the `text` parameter in the '/activity/index/get-memberall' endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** SocialEngine versions prior to 7.8.1 **Description** A blind server-side request forgery exists in the "/core/link/preview" endpoint. The issue occurs because user-supplied input passed via the `uri` request parameter is not sanitized before being used to construct outbound HTTP requests. Authenticated remote attackers can provide arbitrary URLs, including internal network and loopback addresses, forcing the server to issue HTTP requests to attacker-controlled destinations. This allows for internal network enumeration and access to services not intended to be externally reachable. **Recommendations** Update to a version later than 7.8.0. As a temporary workaround, restrict access to the "/core/link/preview" endpoint or avoid using the `uri` parameter until a patch is applied.

**Name of the Vulnerable Software and Affected Versions** MailEnable versions prior to 10.55 **Description** The software contains a reflected cross-site scripting issue in the webmail interface. Remote attackers can execute arbitrary JavaScript in a victim’s browser by using a malicious URL. Attackers can inject malicious code through the `StartDate` parameter in the `FreeBusy.aspx` form, which is not properly sanitized before being embedded into dynamically generated JavaScript. **Recommendations** Update to version 10.55 or later.

**Name of the Vulnerable Software and Affected Versions** MailEnable versions prior to 10.55 **Description** The software contains a reflected cross-site scripting issue in the webmail interface. This allows remote attackers to execute arbitrary JavaScript in a victim’s browser by using a malicious URL. Attackers can inject malicious code through the `SelectedIndex` parameter in the `ManageShares.aspx` form, which is not properly sanitized before being included in dynamically generated JavaScript. **Recommendations** Update MailEnable to version 10.55 or later.

**Name of the Vulnerable Software and Affected Versions** MailEnable versions prior to 10.55 **Description** The software contains a reflected cross-site scripting issue in the webmail interface. This allows remote attackers to execute arbitrary JavaScript in a victim’s browser by using a malicious URL. Attackers can inject malicious code through the `Attendees` parameter in the `FreeBusy.aspx` form, which is not properly sanitized before being embedded into dynamically generated JavaScript. **Recommendations** Update MailEnable to version 10.55 or later.

**Name of the Vulnerable Software and Affected Versions** MetInfo CMS versions 7.9 through 8.1 **Description** An unauthenticated PHP code injection flaw allows remote attackers to execute arbitrary code and gain full control over the affected server by sending crafted requests containing malicious PHP code. This issue stems from insufficient input neutralization in the execution path, specifically within the `/app/system/weixin/include/class/weixinreply.class.php` file during the handling of Weixin (WeChat) API requests. Exploitation requires the server to be non-Windows and the `/cache/weixin/` directory to exist, which occurs when the official WeChat plugin is installed and configured. Real-world exploitation has been observed, with a significant surge in activity starting May 1, 2026, primarily targeting approximately 2,000 online instances in China and Hong Kong, as well as honeypots in the U.S. and Singapore. Attackers have used this flaw to escalate privileges and move laterally across networks. **Recommendations** Update MetInfo CMS versions 7.9, 8.0, and 8.1 to the patched versions released on April 7, 2026. As a temporary workaround, restrict access to the `/app/system/weixin/include/class/weixinreply.class.php` file or disable the official WeChat plugin to remove the `/cache/weixin/` directory.

**Name of the Vulnerable Software and Affected Versions** Blesta versions 3.x through 5.x before 5.13.3 **Description** The software contains a flaw that allows for object injection. This issue is also identified as CORE-5668. **Recommendations** Update to version 5.13.3 or later.

**Name of the Vulnerable Software and Affected Versions** Blesta versions 3.x through 5.x before 5.13.3 **Description** The software does not properly validate input. This could allow for potential issues related to data handling. **Recommendations** Update to version 5.13.3 or later.

**Name of the Vulnerable Software and Affected Versions** Blesta versions 3.x through 5.x before 5.13.3 **Description** The software contains a flaw that allows for object injection. This issue is also known as CORE-5680. **Recommendations** Update to version 5.13.3 or later.

**Name of the Vulnerable Software and Affected Versions** SmarterTools SmarterMail versions prior to 9526 **Description** SmarterTools SmarterMail is susceptible to a cross-site scripting (XSS) issue through MAPI requests. The issue allows for the injection of malicious scripts via crafted MAPI requests. **Recommendations** Update SmarterTools SmarterMail to version 9526 or later.

Name of the Vulnerable Software and Affected Versions: SugarCRM versions prior to 6.5.24 SugarCRM versions prior to 6.7.13 SugarCRM versions prior to 7.5.2.5 SugarCRM versions prior to 7.6.2.2 SugarCRM versions prior to 7.7.1.0 Description: A PHP object injection issue exists due to improper validation of PHP serialized input in the SugarRestSerialize.php script. The vulnerable code fails to sanitize the `rest data` parameter before passing it to the `unserialize()` function. This allows an unauthenticated attacker to submit crafted serialized data containing malicious object declarations, resulting in arbitrary code execution within the application context. A prior fix was incomplete and failed to address some vectors. Recommendations: For versions prior to 6.5.24, update to version 6.5.24 or later. For versions prior to 6.7.13, update to version 6.7.13 or later. For versions prior to 7.5.2.5, update to version 7.5.2.5 or later. For versions prior to 7.6.2.2, update to version 7.6.2.2 or later. For versions prior to 7.7.1.0, update to version 7.7.1.0 or later. As a temporary workaround, consider disabling the `unserialize()` function for the `rest data` parameter in the SugarRestSerialize.php script until a patch is available.

Name of the Vulnerable Software and Affected Versions: Invision Community versions 5.0.0 through 5.0.7 Description: The issue lies within the themeeditor controller, where a protected method named `customCss` can be invoked by unauthenticated users. This method passes the value of the `content` parameter to the `Theme::makeProcessFunction()` method, which is evaluated by the template engine. As a result, unauthenticated attackers can exploit this to inject and execute arbitrary PHP code by providing crafted template strings to the `/applications/core/modules/front/system/themeeditor.php` file. Recommendations: For Invision Community versions 5.0.0 through 5.0.7, update to a version later than 5.0.7 to resolve the issue. As a temporary workaround, consider disabling the `customCss` method in the themeeditor controller until a patch is available. Restrict access to the themeeditor controller to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** GFI Kerio Control versions 9.2.5 through 9.4.5 **Description** An issue was discovered in GFI Kerio Control where the `dest` GET parameter passed to the "/nonauth/addCertException.cs", "/nonauth/guestConfirm.cs", and "/nonauth/expiration.cs" pages is not properly sanitized before being used to generate a Location HTTP header in a 302 HTTP response. This can be exploited to perform Open Redirect or HTTP Response Splitting attacks, which in turn lead to Reflected Cross-Site Scripting (XSS). Remote command execution can be achieved by leveraging the upgrade feature in the admin interface. Over 12,000 GFI KerioControl firewall instances are exposed to this critical remote code execution vulnerability. The estimated number of potentially affected devices worldwide is over 23,800. There have been real-world incidents where this issue was exploited, with hackers trying to steal admin CSRF tokens and launch 1-click RCE attacks. **Recommendations** GFI Kerio Control versions 9.2.5 through 9.4.5: Update to v9.4.5 Patch 1 and audit your firewall access points immediately. As a temporary workaround, consider restricting access to the vulnerable API endpoints "/nonauth/addCertException.cs", "/nonauth/guestConfirm.cs", and "/nonauth/expiration.cs" to minimize the risk of exploitation. Limit interface access and block '/admin' and '/noauth' until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Xenforo versions prior to 2.2.16 **Description** The issue allows for CSRF, which is a type of attack that tricks a user into performing unintended actions on a web application. **Recommendations** For versions prior to 2.2.16, update to version 2.2.16 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Xenforo versions prior to 2.2.16 **Description** The issue allows code injection. **Recommendations** For versions prior to 2.2.16, update to version 2.2.16 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Invision Community versions 4.4.0 through 4.7.15 **Description** The issue allows for SQL injection via the applications/nexus/modules/front/store/store.php `IPS exusmodulesfrontstore store:: categoryView()` method. User input passed through the `filter` request parameter is not properly sanitized before being used to execute SQL queries. This can be exploited by unauthenticated attackers to carry out Blind SQL Injection attacks. **Recommendations** For versions 4.4.0 through 4.7.15, update to version 4.7.16 or later to resolve the issue. As a temporary workaround, consider restricting access to the `store.php` file or the `IPS exusmodulesfrontstore store:: categoryView()` method until a patch is available. Avoid using the `filter` request parameter in the affected API endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Invision Community versions prior to 4.7.17 **Description** The issue allows remote code execution via the applications/core/modules/admin/editor/toolbar.php `IPScoremodulesadmineditor toolbar::addPlugin()` method. This method handles uploaded ZIP files that are extracted into the applications/core/interface/ckeditor/ckeditor/plugins/ directory without properly verifying their content. This can be exploited by admin users to write arbitrary PHP files into that directory, leading to execution of arbitrary PHP code in the context of the web server user. **Recommendations** For versions prior to 4.7.17, update to a version that contains a fix for this issue to prevent remote code execution. As a temporary workaround, consider disabling the `IPScoremodulesadmineditor toolbar::addPlugin()` method until a patch is available. Restrict access to the applications/core/interface/ckeditor/ckeditor/plugins/ directory to minimize the risk of exploitation.