Critical File Write and RCE Flaws Disclosed in Shopizer, JeeSite, and Krayin CRM
Newly published CVEs detail severe application-layer vulnerabilities in three widely used web platforms. Shopizer 3.2.5 is affected by CVE-2026-36767, a critical path traversal flaw in the /content/images/add endpoint that lets an unauthenticated attacker send a crafted POST request and write arbitrary files to any writable path. JeeSite 5.15.1 is affected by CVE-2026-36760, where the fileMd5 parameter in /a/file/upload can be abused during chunked uploads to traverse directories and write arbitrary files with whitelisted suffixes to attacker-chosen filesystem locations; exploitation requires authenticated access with file upload permissions.
A separate high-severity issue, CVE-2026-36340, affects Krayin CRM 2.1.5 and allows remote code execution through the compose email function. The flaw was classified as CWE-94 and has been fixed in Krayin CRM 2.1.6. The Shopizer and JeeSite bugs were both classified as CWE-22 and carry high-impact CVSS ratings reflecting serious risk to confidentiality and integrity, with Shopizer also exposing availability. Public references for all three issues were added alongside their CVE records, including linked GitHub documentation and issue reports describing the vulnerabilities.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
4 events from the most recent confirmed update back to the earliest known activity.
CVE-2026-36767 disclosed for Shopizer arbitrary file write
A new CVE was published for Shopizer 3.2.5 covering a path traversal vulnerability in the /content/images/add endpoint. The flaw allows an unauthenticated attacker to send a crafted POST request and write arbitrary files to any writable path.
CVE-2026-36340 updated with details for Krayin CRM RCE
The CVE record for Krayin CRM's remote code execution issue was updated with its description, references, CWE-94 classification, and CVSS v3.1 scoring. The update documented that the vulnerability affected version 2.1.5 and had been fixed in version 2.1.6.
CVE-2026-36760 disclosed for JeeSite arbitrary file write
A new CVE was published for JeeSite v5.15.1 describing a path traversal flaw in the /a/file/upload endpoint. Authenticated attackers with file upload permissions could abuse the fileMd5 parameter during chunked uploads to write arbitrary files with whitelisted suffixes to arbitrary filesystem locations.
Krayin CRM 2.1.6 fixes remote code execution flaw
Krayin CRM fixed a remote code execution vulnerability affecting version 2.1.5 in release 2.1.6. The flaw allowed remote attackers to execute arbitrary code through the compose email function.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
3 references tracked. Mallory keeps watching after this page renders.
CVE-2026-36767 - Shopizer Path Traversal File Write Vulnerability
cvefeed.io
Open sourceCVE-2026-36760 - JeeSite File Upload Path Traversal Write Arbitrary Files
cvefeed.io
Open sourceCVE-2026-36340 - Krayin CRM Remote Code Execution
cvefeed.io
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Multiple Critical Vulnerabilities Disclosed Across Popular Software Platforms
A series of critical vulnerabilities have been disclosed affecting a wide range of popular software platforms, including WordPress plugins, web frameworks, developer tools, and enterprise applications. Notable issues include unauthenticated remote code execution (RCE) flaws in Next.js (CVE-2025-66478), WordPress core (CVE-2025-6389), and the ACF Extended plugin (CVE-2025-13486), as well as privilege escalation and authentication bypass vulnerabilities in the WP Directory Kit plugin (CVE-2025-13390) and cPanel. Several of these vulnerabilities are reported to be under active exploitation, with proof-of-concept code available for some, increasing the urgency for immediate patching and mitigation. Other significant disclosures include a high-severity flaw in Vim for Windows (CVE-2025-66476) allowing arbitrary code execution, a critical SQL injection chain in Synology BeeStation, and a directory traversal vulnerability in cPanel that could lead to full server takeover. Additional advisories cover issues in lz4-java, Longwatch OT surveillance, Django, Elementor, Apache Struts, nopCommerce, and OpenVPN, with many rated as critical or high severity by CVSS. Organizations are strongly advised to review affected products and apply security updates promptly to mitigate the risk of exploitation.
Mar 21, 2026
Multiple CMS Plugin Vulnerabilities: WordPress CVEs and Joomla Novarain/Tassos Framework Flaws
Three newly described **WordPress plugin vulnerabilities** affect ShopLentor, Advanced AJAX Product Filters, and WP Maps. **CVE-2026-1714** allows **unauthenticated email relay abuse** in *ShopLentor* (<= `3.3.2`) via the `woolentor_suggest_price_action` AJAX endpoint due to missing validation of parameters such as `send_to` and `product_title`; the `wlemail` parameter can be abused for **CRLF injection** to control sender details, enabling spam/phishing relay through the victim site. **CVE-2026-1426** is a **PHP object injection** issue in *Advanced AJAX Product Filters* (<= `3.1.9.6`) reachable by **authenticated users (Author+)** through deserialization of untrusted input in `shortcode_check` within a Live Composer compatibility layer; impact depends on the presence of a usable **POP chain** in another installed plugin/theme and requires the *Live Composer* plugin to be installed and active. **CVE-2025-12062** affects *WP Maps* (<= `4.8.6`) and enables **authenticated (Subscriber+) limited local file inclusion** via `fc_load_template`, potentially leading to sensitive data exposure or code execution in scenarios where attacker-controlled `.html` content can be uploaded and then included. Separately, Joomla sites using the **Novarain/Tassos Framework** (`plg_system_nrframework`) face critical issues enabling **unauthenticated file read, file deletion, and SQL injection**, which can be chained toward **administrator takeover** and potentially **persistent RCE**. The reported weaknesses stem from an AJAX handler that processes `task=include` without sufficient hardening, allowing attackers to reach internal classes implementing `onAjax` and abuse gadget-like behaviors (e.g., CSV loading for arbitrary file read, a `remove` action for path deletion, and attacker-influenced query construction for SQL injection). The risk propagates through multiple popular Tassos extensions that bundle the framework (including **Convert Forms**, **EngageBox**, **Google Structured Data**, **Advanced Custom Fields**, and **Smile Pack**), and remediation requires applying vendor updates for affected releases.
Mar 21, 2026
Critical SSTI in JTL Shop Enables Unauthenticated RCE and Webshell Deployment
A critical **server-side template injection** flaw tracked as `CVE-2026-54390` affects **JTL Shop** versions **5.2.0 through 5.7.1**, where unsanitized user input is passed to the **Smarty** template engine. The vulnerability allows **unauthenticated remote attackers** to inject malicious template syntax and access sensitive server-side information, including **database credentials** and **encryption keys**. On **JTL Shop 5.4.0 through 5.7.1**, the flaw can be escalated to **remote code execution** by abusing registered Smarty modifiers such as `unserialize` and `file_get_contents` to write a **webshell** into the web root and run arbitrary commands as the web server user. The issue has been rated **critical** with **CVSS 3.1 9.8** and **CVSS 4.0 9.3**, and affected organizations are advised to upgrade to **JTL Shop 5.7.2 or later** and ensure user input reaching the template engine is properly sanitized.
Jun 18, 2026