211 matches found
CVE-2017-20216
FLIR Thermal Camera PT-Series firmware version 8.0.0.64 contains multiple unauthenticated remote command injection vulnerabilities in the controllerFlirSystem.php script. Attackers can execute arbitrary system commands as root by exploiting unsanitized POST parameters in the execFlirSystem functi...
VulnCheck KEV: CVE-2017-20216
FLIR Thermal Camera PT-Series firmware version 8.0.0.64 contains multiple unauthenticated remote command injection vulnerabilities in the controllerFlirSystem.php script. Attackers can execute arbitrary system commands as root by exploiting unsanitized POST parameters in the execFlirSystem functi...
PT-2026-1713
Name of the Vulnerable Software and Affected Versions GitLab CE/EE versions 18.6 before 18.6.3 GitLab CE/EE versions 18.7 before 18.7.1 Description An issue in GitLab CE/EE could allow an unauthenticated user to execute arbitrary code in the context of an authenticated user's browser. This is...
📄 flatCore 1.5 Shell Upload
flatCore version 1.5 proof of concept remote shell upload exploit. ============================================================================================================================================= | Title : flatCore 1.5 Advanced File Upload Exploit | | Author : indoushka | | Tested on...
Sneeit WordPress RCE Exploited in the Wild While ICTBroadcast Bug Fuels Frost Botnet Attacks
A critical security flaw in the Sneeit Framework plugin for WordPress is being actively exploited in the wild, per data from Wordfence. The remote code execution vulnerability in question is CVE-2025-6389 CVSS score: 9.8, which affects all versions of the plugin prior to and including 8.3. It has...
CVE-2025-66571
UNA CMS versions 9.0.0-RC1 - 14.0.0-RC4 contain a PHP object injection vulnerability in BxBaseMenuSetAclLevel.php where the profileid POST parameter is passed to PHP unserialize without proper handling, allowing remote, unauthenticated attackers to inject arbitrary PHP objects and potentially wri...
Imperva Customers Protected Against React Server Components (RSC) Vulnerability
Overview On December 3, 2025, the React and Next.js teams disclosed a critical security vulnerability CVSS 10.0, identified as React2Shell, affecting applications that leverage React Server Components together with Server Actions or Server Functions. The React2Shell vulnerability stems from...
Exploit for CVE-2025-55182
CVE-2025-55182 This repository contains a PoC reproduction of...
CVE-2025-9501
The W3 Total Cache WordPress plugin before 2.8.13 is vulnerable to command injection via the parsedynamicmfunc function, allowing unauthenticated users to execute PHP commands by submitting a comment with a malicious payload to a post...
PT-2025-46845
A stack buffer overflow vulnerability exists in the ToToLink LR1200GB V9.1.0u.6619 B20230130 and NR1800X V9.1.0u.6681 B20230703 Router firmware within the cstecgi.cgi binary sub 42F32C function. The web interface reads the "lang" parameter and constructs Help URL strings using sprintf into...
CVE-2025-60699
A buffer overflow vulnerability exists in the TOTOLINK A950RG Router firmware V5.9c.4592B20191022ALL within the global.so binary. The getSaveConfig function retrieves the httphost parameter from user input via websGetVar and copies it into a fixed-size stack buffer v13 using strcpy without...
CVE-2025-11546
CLUSTERPRO X for Linux 4.0, 4.1, 4.2, 5.0, 5.1 and 5.2 and EXPRESSCLUSTER X for Linux 4.0, 4.1, 4.2, 5.0, 5.1 and 5.2, CLUSTERPRO X SingleServerSafe for Linux 4.0, 4.1, 4.2, 5.0, 5.1 and 5.2, EXPRESSCLUSTER X SingleServerSafe for Linux 4.0, 4.1, 4.2, 5.0, 5.1 and 5.2 allows an attacker sends...
CVE-2025-12487
oobabooga text-generation-webui trustremotecode Reliance on Untrusted Inputs Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of oobabooga text-generation-webui. Authentication is not required to exploit this...
CVE-2022-50589 SuiteCRM < 7.12.6 SQL Injection via 'export' Functionality
SuiteCRM versions prior to 7.12.6 contain a SQL injection vulnerability within the processing of the ‘uid’ parameter within the ‘export’ functionality. Successful exploitation allows remote unauthenticated attackers to ultimately execute arbitrary code...
CVE-2025-55108
The Control-M/Agent is vulnerable to unauthenticated remote code execution, arbitrary file read and write and similar unauthorized actions when mutual SSL/TLS authentication is not enabled i.e. in the default configuration. NOTE: The vendor believes that this vulnerability only occurs when...
CVE-2025-55108
The CVE-2025-55108 entry concerns BMC Control-M/Agent and describes unauthenticated remote code execution, plus arbitrary file read/write and similar unauthorized actions when mutual SSL/TLS authentication is not enabled (default configuration). Affected component: Control-M/Agent; root cause cen...
Exploit for Deserialization of Untrusted Data in Microsoft
WSUS-CVE-2025-59287-RCE CVE-2025-59287 is a critical CVSS...
CVE-2025-34503 Shuffle Master Deck Mate 1 Unauthenticated EEPROM Firmware Execution
Deck Mate 1 executes firmware directly from an external EEPROM without verifying authenticity or integrity. An attacker with physical access can replace or reflash the EEPROM to run arbitrary code that persists across reboots. Because this design predates modern secure-boot or signed-update...
Adobe Commerce / Magento Insecure Deserialization (SessionReaper)
Adobe Magento Open Source / Commerce is prone to an unauthenticated Remote Code Execution vulnerability due to insecure deserialization of untrusted data. An attacker can exploit this issue to execute arbitrary code in the context of the web server process. No source data...
EUVD-2025-34807
Ilevia EVE X1 Server firmware versions ≤ 4.7.18.0.eden contain a reflected cross-site scripting XSS vulnerability in index.php that allows an unauthenticated attacker to execute arbitrary code. Ilevia has declined to service this vulnerability, and recommends that customers not expose port 8080 t...