CVE-2026-2515

The Hostinger Reach plugin for WordPress (v

Cisco IOS XE Software Lobby Ambassador Privilege Escalation Vulnerability

A vulnerability in the Lobby Ambassador web-based management API of Cisco IOS XE Software could allow an authenticated, remote attacker to elevate their privileges and access management APIs that would not normally be available for Lobby Ambassador users. This vulnerability exists because...

EUVD-2026-8950

An OS command injection vulnerability exists in XWEB Pro version 1.12.1 and prior, enabling an authenticated attacker to achieve remote code execution on the system by injecting malicious input into requests sent to the firmware update route...

CVE-2026-27732 AVideo has Authenticated Server-Side Request Forgery via downloadURL in aVideoEncoder.json.php

WWBN AVideo is an open source video platform. Prior to version 22.0, the aVideoEncoder.json.php API endpoint accepts a downloadURL parameter and fetches the referenced resource server-side without proper validation or an allow-list. This allows authenticated users to trigger server-side requests ...

CVE-2020-37009 MedDream PACS Server 6.8.3.751 - Remote Code Execution

MedDream PACS Server 6.8.3.751 contains an authenticated remote code execution vulnerability that allows authorized users to upload malicious PHP files. Attackers can exploit the uploadImage.php endpoint by authenticating and uploading a PHP shell to execute arbitrary system commands with elevate...

EUVD-2017-1584

Malware in sbrugna...

Critical Veeam Backup & Replication CVE-2025-23120

Update Friday, March 28, 2025: Security researchers at CODE WHITE GmbH have noted on social media that it is possible to bypass the patch for CVE-2025-23120. Rapid7 has not directly confirmed the patch bypass, but we are relatively confident in the validity of the finding. Customers should ensure...

PT-2022-6575 · NetGear · Netgear Rax30

Name of the Vulnerable Software and Affected Versions: NETGEAR RAX30 affected versions not specified Description: The issue is related to the handling of JSON data and results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based...

Croogo 3.0.2 Remote Code Execution

Exploit Title: Croogo 3.0.2 - Remote Code Execution Authenticated Date: 05/12/2021 Exploit Author: Deha Berkin Bir Vendor Homepage: https://croogo.org/ Software Link: https://downloads.croogo.org/v3.0.2.zip Version: 3.0.2 Tested on: Windows 10 Home Single Language 20H2 & WampServer 3.2.3 ==...

orangescrum 1.8.0 - 'Multiple' Cross-Site Scripting (XSS) (Authenticated)

Exploit Title: orangescrum 1.8.0 - 'Multiple' Cross-Site Scripting XSS Authenticated Date: 28/11/2021 Exploit Author: Hubert Wojciechowski Contact Author: [email protected] Company: https://redteam.pl Vendor Homepage: https://www.orangescrum.org/ Software Link: https://www.orangescrum.org/...

Command injection

The Billion 5200W-T TCLinux Fw $7.3.8.0 v008 130603 router distributed by TrueOnline has three user accounts with default passwords, including two hardcoded service accounts: one with the username true and password true, and another with the username user3 and and a long password consisting of a...

DEBIAN-CVE-2017-9774

Remote Code Execution was found in HordeImage 2.x before 2.5.0 via a crafted GET request. Exploitation requires authentication...