edit_requests.php in yTakkar Instagram-clone through 2018-04-23 has XSS via an onmouseover payload because of an inadequate XSS protection mechanism based on preg_replace.

Eval injection vulnerability in admin/op/disp.php in Netwerk Smart Publisher 1.0.1 allows remote attackers to execute arbitrary PHP code via the filedata parameter.