Critical File Write and RCE Flaws Disclosed in Shopizer, JeeSite, and Krayin CRM
Newly published CVEs detail severe application-layer vulnerabilities in three widely used web platforms. Shopizer 3.2.5 is affected by CVE-2026-36767, a critical path traversal flaw in the /content/images/add endpoint that lets an unauthenticated attacker send a crafted POST request and write arbitrary files to any writable path. JeeSite 5.15.1 is affected by CVE-2026-36760, where the fileMd5 parameter in /a/file/upload can be abused during chunked uploads to traverse directories and write arbitrary files with whitelisted suffixes to attacker-chosen filesystem locations; exploitation requires authenticated access with file upload permissions.
A separate high-severity issue, CVE-2026-36340, affects Krayin CRM 2.1.5 and allows remote code execution through the compose email function. The flaw was classified as CWE-94 and has been fixed in Krayin CRM 2.1.6. The Shopizer and JeeSite bugs were both classified as CWE-22 and carry high-impact CVSS ratings reflecting serious risk to confidentiality and integrity, with Shopizer also exposing availability. Public references for all three issues were added alongside their CVE records, including linked GitHub documentation and issue reports describing the vulnerabilities.
Timeline
Apr 30, 2026
CVE-2026-36767 disclosed for Shopizer arbitrary file write
A new CVE was published for Shopizer 3.2.5 covering a path traversal vulnerability in the /content/images/add endpoint. The flaw allows an unauthenticated attacker to send a crafted POST request and write arbitrary files to any writable path.
Apr 30, 2026
CVE-2026-36340 updated with details for Krayin CRM RCE
The CVE record for Krayin CRM's remote code execution issue was updated with its description, references, CWE-94 classification, and CVSS v3.1 scoring. The update documented that the vulnerability affected version 2.1.5 and had been fixed in version 2.1.6.
Apr 30, 2026
CVE-2026-36760 disclosed for JeeSite arbitrary file write
A new CVE was published for JeeSite v5.15.1 describing a path traversal flaw in the /a/file/upload endpoint. Authenticated attackers with file upload permissions could abuse the fileMd5 parameter during chunked uploads to write arbitrary files with whitelisted suffixes to arbitrary filesystem locations.
Apr 30, 2026
Krayin CRM 2.1.6 fixes remote code execution flaw
Krayin CRM fixed a remote code execution vulnerability affecting version 2.1.5 in release 2.1.6. The flaw allowed remote attackers to execute arbitrary code through the compose email function.
See the full picture in Mallory
Mallory subscribers get deeper analysis on every story, including:
Who’s affected and how
Deep-dive technical analysis
Actionable next steps for your team
IPs, domains, hashes, and more
Ask questions and take action on every story
Filter by topic, classification, timeframe
Get matching stories delivered automatically
Sources
Related Stories
Multiple Critical Vulnerabilities Disclosed Across Popular Software Platforms
A series of critical vulnerabilities have been disclosed affecting a wide range of popular software platforms, including WordPress plugins, web frameworks, developer tools, and enterprise applications. Notable issues include unauthenticated remote code execution (RCE) flaws in Next.js (CVE-2025-66478), WordPress core (CVE-2025-6389), and the ACF Extended plugin (CVE-2025-13486), as well as privilege escalation and authentication bypass vulnerabilities in the WP Directory Kit plugin (CVE-2025-13390) and cPanel. Several of these vulnerabilities are reported to be under active exploitation, with proof-of-concept code available for some, increasing the urgency for immediate patching and mitigation. Other significant disclosures include a high-severity flaw in Vim for Windows (CVE-2025-66476) allowing arbitrary code execution, a critical SQL injection chain in Synology BeeStation, and a directory traversal vulnerability in cPanel that could lead to full server takeover. Additional advisories cover issues in lz4-java, Longwatch OT surveillance, Django, Elementor, Apache Struts, nopCommerce, and OpenVPN, with many rated as critical or high severity by CVSS. Organizations are strongly advised to review affected products and apply security updates promptly to mitigate the risk of exploitation.
1 months ago
Multiple CMS Plugin Vulnerabilities: WordPress CVEs and Joomla Novarain/Tassos Framework Flaws
Three newly described **WordPress plugin vulnerabilities** affect ShopLentor, Advanced AJAX Product Filters, and WP Maps. **CVE-2026-1714** allows **unauthenticated email relay abuse** in *ShopLentor* (<= `3.3.2`) via the `woolentor_suggest_price_action` AJAX endpoint due to missing validation of parameters such as `send_to` and `product_title`; the `wlemail` parameter can be abused for **CRLF injection** to control sender details, enabling spam/phishing relay through the victim site. **CVE-2026-1426** is a **PHP object injection** issue in *Advanced AJAX Product Filters* (<= `3.1.9.6`) reachable by **authenticated users (Author+)** through deserialization of untrusted input in `shortcode_check` within a Live Composer compatibility layer; impact depends on the presence of a usable **POP chain** in another installed plugin/theme and requires the *Live Composer* plugin to be installed and active. **CVE-2025-12062** affects *WP Maps* (<= `4.8.6`) and enables **authenticated (Subscriber+) limited local file inclusion** via `fc_load_template`, potentially leading to sensitive data exposure or code execution in scenarios where attacker-controlled `.html` content can be uploaded and then included. Separately, Joomla sites using the **Novarain/Tassos Framework** (`plg_system_nrframework`) face critical issues enabling **unauthenticated file read, file deletion, and SQL injection**, which can be chained toward **administrator takeover** and potentially **persistent RCE**. The reported weaknesses stem from an AJAX handler that processes `task=include` without sufficient hardening, allowing attackers to reach internal classes implementing `onAjax` and abuse gadget-like behaviors (e.g., CSV loading for arbitrary file read, a `remove` action for path deletion, and attacker-influenced query construction for SQL injection). The risk propagates through multiple popular Tassos extensions that bundle the framework (including **Convert Forms**, **EngageBox**, **Google Structured Data**, **Advanced Custom Fields**, and **Smile Pack**), and remediation requires applying vendor updates for affected releases.
1 months ago
Unauthenticated RCE in com_mb24sysapi and High-Severity CSRF in DedeCMS
A newly recorded vulnerability, **CVE-2026-32968**, affects the `com_mb24sysapi` module and allows **unauthenticated remote code execution** through an OS command injection flaw. The weakness is classified as **CWE-78** and stems from improper neutralization of special elements in OS commands, enabling a remote attacker to execute arbitrary commands and potentially take full control of an affected system. The CVE is described as a variant of `CVE-2020-10383`, carries a **CVSS v3.1** vector of `AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H`, and is referenced by CERT VDE advisories **VDE-2026-024** and **VDE-2026-025**. A separate high-severity issue, **CVE-2026-29839**, was recorded for **DedeCMS v5.7.118** in the `/sys_task_add.php` component. The flaw is a **Cross-Site Request Forgery** vulnerability classified as **CWE-352**, and its updated **CVSS v3.1** vector is `AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H`, indicating that successful exploitation could significantly affect confidentiality, integrity, and availability. The record includes references to a public gist and the DedeCMS website, highlighting another internet-exposed web application weakness with potentially serious impact.
1 months ago