Karma(In)Security

	CrafterCMS <= 4.0.2 Multiple Reflected Cross-Site Scripting Vulnerabilities
	SugarCRM <= 12.2.0 Two SQL Injection Vulnerabilities
	SugarCRM <= 12.2.0 (Docusign_GlobalSettings) PHP Object Injection Vulnerability
	SugarCRM <= 12.2.0 (updateGeocodeStatus) Bean Manipulation Vulnerability
	SugarCRM <= 12.2.0 (Notes) Unrestricted File Upload Vulnerability
	Tiki Wiki CMS Groupware <= 24.1 (tikiimporter_blog_wordpress.php) PHP Object Injection Vulnerability
	Tiki Wiki CMS Groupware <= 24.0 (grid.php) PHP Object Injection Vulnerability
	Tiki Wiki CMS Groupware <= 24.0 (structlib.php) PHP Code Injection Vulnerability
	Tiki Wiki CMS Groupware <= 25.0 Two Cross-Site Request Forgeries Vulnerabilities

+ 2022

	Drupal H5P Module <= 2.0.0 (isValidPackage) Zip Slip Vulnerability
	Joomla! <= 4.1.0 (Tar.php) Zip Slip Vulnerability
	ImpressCMS <= 1.4.3 (findusers.php) SQL Injection Vulnerability
	ImpressCMS <= 1.4.2 (findusers.php) Incorrect Access Control Vulnerability
	ImpressCMS <= 1.4.2 (image-edit.php) Path Traversal Vulnerability
	ImpressCMS <= 1.4.2 (autologin.php) Authentication Bypass Vulnerability

+ 2021

	Concrete5 <= 8.5.5 (Logging Settings) Phar Deserialization Vulnerability
	IPS Community Suite <= 4.5.4.2 (previewBlock) PHP Code Injection Vulnerability
	ExpressionEngine <= 6.0.2 (Translate::save) PHP Code Injection Vulnerability
	docsify <= 4.12.0 DOM-based Cross-Site Scripting Vulnerability
	IPS Community Suite <= 4.5.4 (Downloads REST API) SQL Injection Vulnerability

+ 2020

	qdPM <= 9.1 (executeExport) PHP Object Injection Vulnerability
	SugarCRM < 10.1.0 (Reports Export) SQL Injection Vulnerability
	SugarCRM < 10.1.0 Multiple Reflected Cross-Site Scripting Vulnerabilities
	openSIS <= 7.4 Multiple SQL Injection Vulnerabilities
	openSIS <= 7.4 (Bottom.php) Local File Inclusion Vulnerability
	openSIS <= 7.4 Incorrect Access Control Vulnerabilities
	SuiteCRM <= 7.11.10 Multiple SQL Injection Vulnerabilities
	SuiteCRM <= 7.11.11 (add_to_prospect_list) Broken Access Control Vulnerability
	SuiteCRM <= 7.11.11 (action_saveHTMLField) Bean Manipulation Vulnerability
	SuiteCRM <= 7.11.11 Multiple Phar Deserialization Vulnerabilities
	SuiteCRM <= 7.11.11 Second-Order PHP Object Injection Vulnerabilities

+ 2019

	YouPHPTube <= 7.7 (getChat.json.php) SQL Injection Vulnerability
	SugarCRM <= 9.0.1 Multiple Phar Deserialization Vulnerabilities
	SugarCRM <= 9.0.1 Multiple PHP Object Injection Vulnerabilities
	SugarCRM <= 9.0.1 Multiple PHP Code Injection Vulnerabilities
	SugarCRM <= 9.0.1 Multiple Path Traversal Vulnerabilities
	SugarCRM <= 9.0.1 Multiple Broken Access Control Vulnerabilities
	SugarCRM <= 9.0.1 Multiple SQL Injection Vulnerabilities
	SugarCRM <= 9.0.1 Multiple Reflected Cross-Site Scripting Vulnerabilities
	vBulletin <= 5.5.4 (updateAvatar) Remote Code Execution Vulnerability
	vBulletin <= 5.5.4 Two SQL Injection Vulnerabilities

+ 2018

	SugarCRM (Web Logic Hooks module) Path Traversal Vulnerability
	SugarCRM (Web Logic Hooks module) PHP Code Injection Vulnerability
	SugarCRM (addLabels) PHP Code Injection Vulnerability
	SugarCRM (SaveDropDown) PHP Code Injection Vulnerability
	SugarCRM (ConnectorsController) Server-Side Request Forgery Vulnerability
	SugarCRM (portal_get_related_notes) SQL Injection Vulnerability
	SugarCRM (WorkFlow module) PHP Code Injection Vulnerability
	Oracle Application Express (AnyChart) Flash-based Cross-Site Scripting Vulnerability

+ 2017

	Tuleap <= 9.6 Second-Order PHP Object Injection Vulnerability
	PEAR HTML_AJAX <= 0.5.7 (PHP Serializer) PHP Object Injection Vulnerability

+ 2016

	Piwik <= 2.16.0 (saveLayout) PHP Object Injection Vulnerability
	Symantec Web Gateway <= 5.2.2 (new_whitelist.php) OS Command Injection Vulnerability
	IPS Community Suite <= 4.1.12.3 Autoloaded PHP Code Injection Vulnerability
	Concrete5 <= 5.7.3.1 (Application::dispatch) Local File Inclusion Vulnerability
	Concrete5 <= 5.7.3.1 Multiple Stored Cross-Site Scripting Vulnerabilities
	Concrete5 <= 5.7.3.1 Multiple Cross-Site Request Forgeries Vulnerabilities
	SugarCRM <= 6.5.23 (SugarRestSerialize.php) PHP Object Injection Vulnerability
	SugarCRM <= 6.5.18 (MySugar::addDashlet) Insecure fopen() Usage Vulnerability
	SugarCRM <= 6.5.18 Two PHP Code Injection Vulnerabilities
	SugarCRM <= 6.5.18 Missing Authorization Check Vulnerabilities
	SugarCRM <= 6.5.18 (SAML Authentication) XML External Entity Vulnerability
	Magento <= 1.9.2.2 (RSS Feed) Information Disclosure Vulnerability
	CakePHP <= 3.2.0 “_method” CSRF Protection Bypass Vulnerability

+ 2015

	Piwik <= 2.14.3 (DisplayTopKeywords) PHP Object Injection Vulnerability
	Piwik <= 2.14.3 (viewDataTable) Autoloaded File Inclusion Vulnerability
	ATutor <= 2.2 (edit_marks.php) PHP Code Injection Vulnerability
	ATutor <= 2.2 (popuphelp.php) Reflected Cross-Site Scripting Vulnerability
	ATutor <= 2.2 (confirm.php) Session Variable Overloading Vulnerability
	ATutor <= 2.2 (Custom Course Icon) Unrestricted File Upload Vulnerability
	Magento <= 1.9.2 (catalogProductCreate) Autoloaded File Inclusion Vulnerability
	Concrete5 <= 5.7.4 (Access.php) SQL Injection Vulnerability
	Concrete5 <= 5.7.3.1 Multiple Reflected Cross-Site Scripting Vulnerabilities
	Concrete5 <= 5.7.3.1 (sendmail) Remote Code Execution Vulnerability

+ 2014

	Symantec Web Gateway <= 5.2.1 (restore.php) OS Command Injection Vulnerability
	Mantis Bug Tracker <= 1.2.17 (ImportXml.php) PHP Code Injection Vulnerability
	GetSimple CMS <= 3.3.4 (api.php) XML External Entity Vulnerability
	Osclass <= 3.4.2 (contact.php) Unrestricted File Upload Vulnerability
	Osclass <= 3.4.2 (ajax.php) Local File Inclusion Vulnerability
	Osclass <= 3.4.2 (Search::setJsonAlert) SQL Injection Vulnerability
	Tuleap <= 7.6-4 (register.php) PHP Object Injection Vulnerability
	TestLink <= 1.9.12 (database.class.php) Path Disclosure Weakness
	TestLink <= 1.9.12 (execSetResults.php) PHP Object Injection Vulnerability
	X2Engine <= 4.1.7 (FileUploadsFilter.php) Unrestricted File Upload Vulnerability
	X2Engine <= 4.1.7 (SiteController.php) PHP Object Injection Vulnerability
	OpenCart <= 1.5.6.4 (cart.php) PHP Object Injection Vulnerability
	Dotclear <= 2.6.2 (categories.php) SQL Injection Vulnerability
	Dotclear <= 2.6.2 (Media Manager) Unrestricted File Upload Vulnerability
	Dotclear <= 2.6.2 (XML-RPC Interface) Authentication Bypass Vulnerability
	X2Engine <= 3.7.5 (ProfileController.php) Unrestricted File Upload Vulnerability
	Open Web Analytics <= 1.5.6 (queue.php) PHP Object Injection Vulnerability
	Zikula Application Framework <= 1.3.6 Multiple PHP Object Injection Vulnerabilities
	OpenPNE <= 3.8.9 (opSecurityUser.class.php) PHP Object Injection Vulnerability

+ 2013

	Sharetronix <= 3.1.1 (AJAX Services) Authentication Bypass Vulnerability
	Sharetronix <= 3.1.1 Cross-Site Request Forgery Vulnerability
	Sharetronix <= 3.1.1 (signup.php) Two SQL Injection Vulnerabilities
	Sharetronix <= 3.1.1 (attachments.php) Unrestricted File Upload Vulnerability
	Sharetronix <= 3.1.1 Two PHP Code Injection Vulnerabilities
	openSIS <= 5.2 (ajax.php) PHP Code Injection Vulnerability
	Vanilla Forums <= 2.0.18.5 (class.utilitycontroller.php) PHP Object Injection Vulnerability
	vtiger CRM <= 5.4.0 (SOAP Services) Authentication Bypass Vulnerability
	vtiger CRM <= 5.4.0 (vtigerolservice.php) PHP Code Injection Vulnerability
	vtiger CRM <= 5.4.0 (SOAP Services) Multiple SQL Injection Vulnerabilities
	vtiger CRM <= 5.4.0 (customerportal.php) Two Local File Inclusion Vulnerabilities
	Joomla! <= 3.0.3 (remember.php) PHP Object Injection Vulnerability
	Joomla! <= 3.0.2 (highlight.php) PHP Object Injection Vulnerability
	CubeCart <= 5.2.0 (cubecart.class.php) PHP Object Injection Vulnerability
	DataLife Engine 9.7 (preview.php) PHP Code Injection Vulnerability

+ 2012

	Invision Power Board <= 3.3.4 (core.php) PHP Object Injection Vulnerability
	Tiki Wiki CMS Groupware <= 9.2 Multiple PHP Object Injection Vulnerabilities
	Tiki Wiki CMS Groupware <= 8.3 Multiple Path Disclosure Weaknesses
	SugarCRM <= 6.3.1 Multiple PHP Object Injection Vulnerabilities
	OpenConf <= 4.11 (author/edit.php) SQL Injection Vulnerability
	WebCalendar <= 1.2.4 (install/index.php) PHP Code Injection Vulnerability
	WebCalendar <= 1.2.4 (pref.php) Local File Inclusion Vulnerability
	phpFox <= 3.0.1 (module.class.php) OS Command Injection Vulnerability
	WordPress Kish Guest Posting <= 1.2 (uploadify.php) Unrestricted File Upload Vulnerability
	appRain CMF <= 0.1.5 (uploadify.php) Unrestricted File Upload Vulnerability

+ 2011

	Tiki Wiki CMS Groupware <= 8.2 (snarf_ajax.php) PHP Code Injection Vulnerability
	Traq <= 2.3 (admincp/common.php) Authentication Bypass / PHP Code Injection Vulnerability
	WikkaWiki <= 1.3.2 (actions/usersettings/usersettings.php) SQL Injection Vulnerability
	WikkaWiki <= 1.3.2 (actions/files/files.php) Unrestricted File Upload Vulnerability
	WikkaWiki <= 1.3.2 (handlers/files.xml/files.xml.php) Path Traversal Vulnerability
	WikkaWiki <= 1.3.2 (libs/Wakka.class.php) PHP Code Injection Vulnerability
	WikkaWiki <= 1.3.2 Cross-Site Request Forgery Vulnerability
	PmWiki <= 2.2.34 (pagelist.php) PHP Code Injection Vulnerability
	Support Incident Tracker <= 3.65 (translate.php) PHP Code Injection Vulnerability
	Support Incident Tracker <= 3.65 (translate.php) Path Disclosure Weakness
	FreeWebshop <= 2.2.9 R2 (ajax_save_name.php) PHP Code Injection Vulnerability
	WordPress Zingiri Web Shop <= 2.2.3 (ajax_save_name.php) PHP Code Injection Vulnerability
	Zenphoto <= 1.4.1.4 (ajax_create_folder.php) PHP Code Injection Vulnerability
	phpMyFAQ <= 2.7.0 (ajax_create_folder.php) PHP Code Injection Vulnerability
	aidiCMS v3.55 (ajax_create_folder.php) PHP Code Injection Vulnerability
	Ajax File and Image Manager v1.0 (ajax_create_folder.php) PHP Code Injection Vulnerability
	eFront <= 3.6.10 (save_template.php) PHP Code Injection Vulnerability
	eFront <= 3.6.10 (filesystem.class.php) Unrestricted File Upload Vulnerability
	eFront <= 3.6.10 (periodic_updater.php) SQL Injection Vulnerability
	eFront <= 3.6.10 (LMSFunctions.php) SQL Injection Vulnerability
	eFront <= 3.6.10 (send_notifications.php) SQL Injection Vulnerability
	eFront <= 3.6.10 (index.php) Authentication Bypass / Privilege Escalation Vulnerability
	eFront <= 3.6.10 (student.php) PHP Code Injection Vulnerability
	phpLDAPadmin <= 1.2.1.1 (lib/functions.php) PHP Code Injection Vulnerability
	Dolphin <= 7.0.7 (member_menu_queries.php) PHP Code Injection Vulnerability
	Feed on Feeds <= 0.5 (fof-main.php) PHP Code Injection Vulnerability
	JAKCMS PRO <= 2.2.5 (session.php) Session Variable Overloading Vulnerability
	JAKCMS PRO <= 2.2.5 (action.php) Unrestricted File Upload Vulnerability
	WeBid <= 1.0.2 (feedback.php) SQL Injection Vulnerability
	WeBid <= 1.0.2 (logout.php) SQL Injection Vulnerability
	WeBid <= 1.0.2 (user_login.php) SQL Injection Vulnerability
	WeBid <= 1.0.2 (includes/converter.inc.php) PHP Code Injection Vulnerability
	WeBid <= 1.0.2 (includes/messages.inc.php) Local File Inclusion Vulnerability

+ 2010

RoSPORA <= 1.5.0 (index.php) PHP Code Injection Vulnerability

+ 2009

	QuiXplorer <= 2.3.2 (init.php) Local File Inclusion Vulnerability
	TinyWebGallery <= 1.7.6 (init.php) Local File Inclusion Vulnerability
	LightBlog <= 9.9.2 (register.php) PHP Code Injection Vulnerability
	LightBlog <= 9.9.2 (check_user.php) Authentication Bypass / Local File Inclusion Vulnerability
	Dokeos LMS <= 1.8.5 (tablesort.lib.php) PHP Code Injection Vulnerability
	Lanius CMS <= 0.5.2 (upload.php) Unrestricted File Upload Vulnerability
	PHPizabi v0.848b (modules/interact/file.php) Unrestricted File Upload Vulnerability

+ 2008

	Nuke ET <= 3.4 (FCKEditor) Unrestricted File Upload Vulnerability
	Mantis Bug Tracker <= 1.1.3 (utility_api.php) PHP Code Injection Vulnerability
	PhpWebGallery <= 1.7.2 (comments.php) SQL Injection Vulnerability
	PhpWebGallery <= 1.7.2 (event_list.php) PHP Code Injection Vulnerability
	phpScheduleIt <= 1.2.11 (check.php) Multiple PHP Code Injection Vulnerabilities
	phpScheduleIt <= 1.2.10 (reserve.php) Multiple PHP Code Injection Vulnerabilities
	GdPicture Pro Imaging SDK <= 5.7.1 (gdpicturepro5s.ocx) Arbitrary File Overwrite Vulnerability
	GdPicture Light Imaging Toolkit <= 4.7.1 (gdpicture4s.ocx) Arbitrary File Overwrite Vulnerability
	PHP iCalendar <= 2.24 (admin/index.php) Unrestricted File Upload Vulnerability
	Coppermine Photo Gallery <= 1.4.18 (include/functions.inc.php) Local File Inclusion Vulnerability
	Coppermine Photo Gallery <= 1.4.18 (themes/sample/theme.php) Path Disclosure Weakness
	Seagull PHP Framework <= 0.6.4 (FCKEditor) Unrestricted File Upload Vulnerability
	PHPmotion <= 2.0 (update_profile.php) Unrestricted File Upload Vulnerability
	PHPmotion <= 2.0 (play.php) SQL Injection Vulnerability
	Flux CMS <= 1.5.0 (loadsave.php) Arbitrary File Overwrite Vulnerability
	Achievo <= 1.3.2 (FCKEditor) Unrestricted File Upload Vulnerability
	CMS from Scratch <= 1.1.3 (FCKEditor) Unrestricted File Upload Vulnerability
	MercuryBoard <= 1.1.5 (func/login.php) SQL Injection Vulnerability
	La-Nai CMS <= 1.2.16 (FCKEditor) Unrestricted File Upload Vulnerability
	CMS Made Simple <= 1.2.4 (javaUpload.php) Unrestricted File Upload Vulnerability
	DeluxeBB <= 1.2 (forums.php) SQL Injection Vulnerability
	DeluxeBB <= 1.2 (admincp.php) PHP Code Injection Vulnerability
	FLABER <= 1.1 (function/update_xml.php) Arbitrary File Overwrite Vulnerability
	Drake CMS <= 0.4.11 (components/guestbook/guestbook.php) SQL Injection Vulnerability
	Docebo <= 3.5.0.3 (doceboCore/lib/lib.regset.php) SQL Injection Vulnerability
	Docebo <= 3.5.0.3 Multiple Path Disclosure Weaknesses
	Site@School <= 2.3.10 (slideshow_full.php) SQL Injection Vulnerability

+ 2007

	CMS Made Simple <= 1.2.2 (content_css.php) SQL Injection Vulnerability
	ZeusCMS <= 0.3 (security.php) SQL Injection Vulnerability
	ZeusCMS <= 0.3 (image_viewer.php) Information Disclosure Weakness
	PMOS Help Desk <= 2.4 (form.php) PHP Code Injection Vulnerability
	eSyndiCat Link Exchange Script (suggest-link.php) SQL Injection Vulnerability
	Php-Stats 0.1.9.2 (php-stats.recjs.php) Multiple SQL Injection Vulnerabilities
	Php-Stats 0.1.9.2 Multiple PHP Code Injection Vulnerabilities
	LinPHA <= 1.3.1 (new_images.php) SQL Injection Vulnerability