thawphone

2 exploits, active since Sep 2025
CVE-2025-61183 NOMISEC MEDIUM WRITEUP
vaahcms 2.3.1 - Cross-Site Scripting via UserBase.php storeAvatar() Upload Method
Cross-Site Scripting in vaahcms v.2.3.1 allows a remote attacker to execute arbitrary code via the upload method in the storeAvatar() method of UserBase.php.
CVSS 6.1
CVE-2025-57055 NOMISEC MEDIUM WRITEUP
WonderCMS 3.5.0 Module Installer - Admin Server-Side Request Forgery
WonderCMS 3.5.0 is vulnerable to Server-Side Request Forgery (SSRF) in the custom module installation functionality. An authenticated administrator can supply a malicious URL via the pluginThemeUrl POST parameter. The server fetches the provided URL using curl_exec() without sufficient validation, allowing the attacker to force internal or external HTTP requests.
CVSS 6.5