CVE-2026-7459

The Simple History – Track, Log, and Audit WordPress Changes plugin for WordPress is vulnerable to authenticated Subscriber+ account takeover in all versions up to, and including, 5.26.0 via the event reaction endpoints reacttoevent / unreacttoevent. The endpoints register getitemspermissionschec...

Wing FTP Server 8.1.3 - Authenticated Remote Code Execution

Exploit Title: Wing FTP Server 8.1.3 - Authenticated Remote Code Execution Date: 12.05.2026 Exploit Author: Ünsal Furkan Harani Vendor Homepage: https://www.wftpserver.com/ Software Link: https://www.wftpserver.com/download.htm Version: v8.1.2 Tested on: Wing FTP Server = 8.1.2, fixed in 8.1.3 CV...

CVE-2026-5509 Arbitrary Command Injection via Browser Developer Console in TP-Link Archer BE450 and BE7200

An authenticated command injection vulnerability exists in the Archer BE450 v1 and BE7200 v1 router that allows an administrator to execute arbitrary system commands through the web management interface. After successfully authenticating to the admin interface, an attacker can leverage the...

Exploit for CVE-2026-6741

CVE-2026-6741 CVE-2026-6741 is a CVSS 8.8 High Authenticated...

Exploit for Unrestricted Upload of File with Dangerous Type in Wordpress

WordPress Crop Image RCE — CVE-2019-8942 / CVE-2019-8943 Pyth...

PT-2026-42258

Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in search.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized value through the frm query POST parameter directly into an HTML input field VALUE attribute. Attacker...

CVE-2026-44194 OPNsense: RCE on user managment

OPNsense is a FreeBSD based firewall and routing platform. Prior to 26.1.8, an authenticated Remote Code Execution RCE vulnerability in the OPNsense core allows a user with user-management privileges to execute arbitrary system commands as root. An attacker can bypass input validation by formatti...

CVE-2026-44011 Craft CMS: Potential authenticated Remote Code Execution via malicious attached Behavior

Craft CMS is a content management system CMS. From 4.0.0 to before 4.17.12 and 5.9.18, Craft CMS which contains an input-handling flaw in a Yii object creation path that let any authenticated user inject malicious configuration and execute arbitrary commands on the server. The request-controlled...

CVE-2026-23821

A vulnerability in the configuration processing logic of Access Points running AOS-10 could allow an authenticated remote attacker to execute system commands under certain pre-existing conditions. Successful exploitation could allow an attacker to execute arbitrary commands on the underlying...

CVE-2026-4665

The CVE-2026-4665 entry concerns the WP Carousel Free plugin for WordPress (versions up to 2.7.10). Concrete details from connected documents describe a Stored Cross-Site Scripting flaw in the handling of fancybox data-caption attributes. The root cause is the fancybox-config.js logic reading the...

CVE-2026-6255

The Simple Owl Shortcodes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'num' attribute of the 'owlswrapper' shortcode in all versions up to, and including, 2.1.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it...

Rajodiya ERPGo SaaS 安全漏洞

Rajodiya ERPGo SaaS is an online enterprise resource planning system provided by Rajodiya Corporation. Version 3.9 of Rajodiya ERPGo SaaS contains a security vulnerability. This vulnerability stems from a CSV injection flaw, allowing authenticated attackers to execute arbitrary code by injecting...

📄 Atlona AT-OME-RX21 Authenticated Command Injection

Atlona AT-OME-RX21 suffers from an authenticated command injection vulnerability. // Exploit Title: Atlona AT-OME-RX21 Authenticated Command Injection // Google Dork: N/A // Date: 2025-12-28 // Exploit Author: RIZZZIOM // Vendor Homepage: https://atlona.com // Software Link:...

Linksys E1200 2.0.04 - Authenticated Stack Buffer Overflow (RCE)

Exploit Title: Linksys E1200 2.0.04 - Authenticated Stack Buffer Overflow RCE Date: 2026-15-03 Exploit Author: JarrettgxzSec Vendor Homepage: www.linksys.com Version: FW " printf"! Example: python3 sys.argv0 192.168.1.100 192.168.1.1\n" sys.exit1 TARGETIP = sys.argv2 TARGETPORT = 80 ATTACKERIP =...

Xibo CMS 4.3.0 - RCE via SSTI

Exploit Title: Xibo CMS - Authenticated Remote Code Execution via SSTI Date: 2025-11-04 Exploit Author: Cristian Branet Vendor Homepage: https://xibosignage.com/ Software Link: https://github.com/xibosignage/xibo-cms/ Version: 4.3.1 Tested on: Linux Ubuntu 22.04 CVE : CVE-2025-62639 Article:...

EUVD-2026-25226

SocialEngine versions 7.8.0 and prior contain a blind server-side request forgery vulnerability in the /core/link/preview endpoint where user-supplied input passed via the uri request parameter is not sanitized before being used to construct outbound HTTP requests. Authenticated remote attackers...

📄 Hoverfly 1.11.3 Remote Command Execution

This Python script is an exploitation tool targeting a vulnerable Hoverfly API endpoint, specifically the /api/v2/hoverfly/middleware functionality, which allows execution of user-supplied input through a backend binary...

Exploit for CVE-2025-68999

CVE-2025-68999 Happy Addons for Elementor = 3.20.4 —...

Exploit for Code Injection in Flowiseai Flowise

CVE-2025-59528-PoC A simple python script to exploit CVE-2025-...

CVE-2026-3689

OpenClaw Canvas contains a path traversal information disclosure in the canvas gateway endpoint due to improper validation of user-supplied path parameters. The issue, affecting OpenClaw Canvas (various versions), can allow remote attackers to disclose sensitive information within the service acc...