29 matches found
Exploit for OS Command Injection in Std42 Elfinder
CVE-2019-9194 — elFinder Command Injection PoC Command in...
CVE-2025-9194
creationtimestamp | type | source
---|---|---
2025-10-03 12:05:17+00:00 | seen | Telegram/c-2h6erBWud6XcEQ4rgW56waQ-WXjiai0WEhLBiF0qzPqJ8...
WordPress Constructor Theme <= 1.6.5 is vulnerable to Broken Access Control
Software: Constructor; Type: Theme; Vulnerable versions: <= 1.6.5; Fixed in: N/A; OWASP Top 10: A5: Broken Access Control; Classification: Broken Access Control; CVE: CVE-2025-9194; Patch priority: Low; CVSS severity: Low 5.4; PSID: f6d9c8944054; Credits: Sulabh Jain pentestmonkey11; Required...
MAL-2025-9194 Malicious code in @patrten/minima-id-molestias (npm)
The package @patrten/minima-id-molestias was found to contain malicious code...
CVE-2014-9194
creationtimestamp | type | source
---|---|---
2025-07-29 17:41:51+00:00 | seen | Telegram/E27Wr6NVHRJBRXcbeKI1yJCl-HFTGRWUaNPMN5R0Dziro...
RockyLinux 9 : python3.11-PyMySQL (RLSA-2024:9194)
The remote RockyLinux 9 host has packages installed that are affected by a vulnerability as referenced in the RLSA-2024:9194 advisory. python-pymysql: SQL injection if used with untrusted JSON input CVE-2024-36039 Tenable has extracted the preceding description block directly from the RockyLinux...
Linux Distros Unpatched Vulnerability : CVE-2017-9194
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - libautotrace.a in AutoTrace 0.31.1 has a heap-based buffer over-read in the ReadImage function in input-tga.c:559:29. CVE-2017-9194 Note that Nessus relies on...
CVE-2024-9194
creationtimestamp | type | source
---|---|---
2024-10-01 01:51:45+00:00 | seen | https://t.me/cvedetector/6692...
CVE-2024-9194
Improper Neutralization of Special Elements used in an SQL Command 'SQL Injection' vulnerability in Linux and Microsoft Windows Octopus Server on Windows, Linux allows SQL Injection. This issue affects Octopus Server: from 2024.1.0 before 2024.1.13038, from 2024.2.0 before 2024.2.9482, from 2024.3...
CVE-2024-9194 SQL Injection in the Octopus Server REST API
Improper Neutralization of Special Elements used in an SQL Command 'SQL Injection' vulnerability in Linux and Microsoft Windows Octopus Server on Windows, Linux allows SQL Injection. This issue affects Octopus Server: from 2024.1.0 before 2024.1.13038, from 2024.2.0 before 2024.2.9482, from 2024.3...
CVE-2024-9194
CVE-2024-9194 describes an SQL injection in Octopus Server REST API due to improper neutralization of special elements in SQL commands. Affected are Octopus Server versions: 2024.1.0–2024.1.13038, 2024.2.0–2024.2.9482, and 2024.3.0–2024.3.12766. Reports (PT Security) align with the same version r...
CVE-2024-9194 SQL Injection in the Octopus Server REST API
Improper Neutralization of Special Elements used in an SQL Command 'SQL Injection' vulnerability in Linux and Microsoft Windows Octopus Server on Windows, Linux allows SQL Injection. This issue affects Octopus Server: from 2024.1.0 before 2024.1.13038, from 2024.2.0 before 2024.2.9482, from 2024.3...
elFinder PHP Connector < 2.1.48 - 'exiftran' Command Injection (Metasploit)
This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'elFinder PHP Connector exiftran Command Injection', 'Description' = %q This module exploits a command injection vulnerability in elFinder version...
elFinder 2.1.47 Command Injection
!/usr/bin/python ''' Exploit Title: elFinder SecSignal.php;echo SecSignal.jpg' def usage: if lensys.argv != 2: print "Usage: python exploit.py URL" sys.exit0 def uploadurl, payload: files = 'upload': payload, open'SecSignal.jpg', 'rb' data = "reqid" : "1693222c439f4", "cmd" : "upload", "target" :...
CVE-2019-9194
creationtimestamp | type | source
---|---|---
2019-03-04 00:00:00+00:00 | exploited | https://www.exploit-db.com/exploits/46481
2019-03-11 20:19:00+00:00 | seen | https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/webapp/elfinderphpconnectorexiftrancmdinjection.rb
2019-03-...
elFinder 2.1.47 - Command Injection vulnerability in the PHP connector Exploit
Exploit for php platform in category web applications !/usr/bin/python ''' Exploit Title: elFinder SecSignal.php;echo SecSignal.jpg' def usage: if lensys.argv != 2: print "Usage: python exploit.py URL" sys.exit0 def uploadurl, payload: files = 'upload': payload, open'SecSignal.jpg', 'rb' data =...
elFinder 2.1.47 - PHP connector Command Injection
elFinder 2.1.47 - PHP connector Command Injection !/usr/bin/python ''' Exploit Title: elFinder SecSignal.php;echo SecSignal.jpg' def usage: if lensys.argv != 2: print "Usage: python exploit.py URL" sys.exit0 def uploadurl, payload: files = 'upload': payload, open'SecSignal.jpg', 'rb' data = "reqi...
elFinder 2.1.47 - 'PHP connector' Command Injection
!/usr/bin/python ''' Exploit Title: elFinder SecSignal.php;echo SecSignal.jpg' def usage: if lensys.argv != 2: print "Usage: python exploit.py URL" sys.exit0 def uploadurl, payload: files = 'upload': payload, open'SecSignal.jpg', 'rb' data = "reqid" : "1693222c439f4", "cmd" : "upload", "target" :...
CVE-2019-9194
elFinder before 2.1.48 has a command injection vulnerability in the PHP connector...
CVE-2019-9194
The CVE-2019-9194 issue affects elFinder before 2.1.48 (PHP connector). The Nuclei/YAML entry and Exploit-DB records confirm a command injection in the PHP connector triggered during JPEG image operations, where the filename is passed to exiftran without proper sanitization, enabling remote comma...