
274221 matches found

Packet Storm
added 2026/04/29 12:0 a.m. | 47 views

📄 School Management System PHP 1.0.0 Cross Site Scripting

School Management System PHP version 1.0.0 suffers from a persistent cross site scripting vulnerability that can lead to administrative account takeover. School Management System PHP - Stored XSS leading to Admin Account Takeover...

5 AI score
Exploits: 0

Packet Storm
added 2026/04/29 12:0 a.m. | 68 views

📄 Pizzafy Ecommerce System 1.0 Shell Upload

The savemenu function in Pizzafy Ecommerce System version 1.0 handles image uploads for menu items without performing any file type validation. The application retrieves the file extension using pathinfo but never actually checks or restricts the allowed file types before moving the uploaded file...

5.8 CVSS | 6 AI score | 0.00268 EPSS
Exploits: 1

Exploit DB
added 2026/04/29 12:0 a.m. | 69 views

JuzaWeb CMS 3.4.2 - Authenticated Remote Code Execution

Exploit Title: JuzaWeb CMS 3.4.2 - Authenticated Remote Code Execution Date: 2026-01-10 Exploit Author: Sardor Shoakbarov Author GitHub: https://github.com/TheDeepOpc Vendor Homepage: https://juzaweb.com/ Software Link: https://github.com/juzaweb/ CVE: N/A Pending import requests import argparse...

5.3 AI score
Exploits: 0

Exploit DB
added 2026/04/29 12:0 a.m. | 81 views

Xibo CMS 4.3.0 - RCE via SSTI

Exploit Title: Xibo CMS - Authenticated Remote Code Execution via SSTI Date: 2025-11-04 Exploit Author: Cristian Branet Vendor Homepage: https://xibosignage.com/ Software Link: https://github.com/xibosignage/xibo-cms/ Version: 4.3.1 Tested on: Linux Ubuntu 22.04 CVE : CVE-2025-62639 Article:...

7.2 CVSS | 5.2 AI score | 0.00868 EPSS
Exploits: 2

Exploit DB
added 2026/04/29 12:0 a.m. | 76 views

Fedora - Local Privilege Escalation

Exploit Title: Fedora Local Privilege Escalation via ABRT Date: 07-October-2025 Exploit Author: initstring Vendor Homepage: https://fedoraproject.org Software Link: https://fedoraproject.org/server/download Version: Fedora 43 and below running ABRT v 2.17.7 and below Tested on: Fedora 42...

8.8 CVSS | 5.2 AI score | 0.00563 EPSS
Exploits: 1

Exploit DB
added 2026/04/29 12:0 a.m. | 73 views

FacturaScripts 2025.43 - XSS

Exploit Title: FacturaScripts 2025.43 - XSS Date: 30-12-2025 Exploit Author: VETTRIVEL U Author Profile: https://www.linkedin.com/in/vettrivel2006 Vendor Homepage: https://facturascripts.com/ Software Link: https://github.com/NeoRazorX/facturascripts Affected Versions: = 2025.4, = 2025.11, =...

5.4 CVSS | 5.2 AI score | 0.00981 EPSS
Exploits: 2

Exploit DB
added 2026/04/29 12:0 a.m. | 78 views

Atlona ATOMERX21 - Authenticated Command Injection

// Exploit Title: Atlona AT-OME-RX21 Authenticated Command Injection // Google Dork: N/A // Date: 2025-12-28 // Exploit Author: RIZZZIOM // Vendor Homepage: https://atlona.com // Software Link: https://atlona.com/product/at-ome-rx21/ // Version: Firmware -u -p -l -P -c package main import "bytes"...

6.3 CVSS | 5.3 AI score | 0.01143 EPSS
Exploits: 2

Exploit DB
added 2026/04/29 12:0 a.m. | 84 views

OpenWrt 23.05 - Authenticated Remote Code Execution (RCE)

Exploit Title: OpenWrt 23.05 - Authenticated Remote Code Execution RCE Date: 2026-01-17 Exploit Author: Ahmet Mersin Vendor Homepage: https://github.com/stangri/luci-app-https-dns-proxy Software Link: https://github.com/stangri/luci-app-https-dns-proxy Version: All versions prior to 2026-01-17...

5.3 AI score
Exploits: 0

Exploit DB
added 2026/04/29 12:0 a.m. | 73 views

HAX CMS 24.x - Stored Cross-Site Scripting (XSS)

Exploit Title: HAX CMS 24.x - Stored Cross-Site Scripting XSS Date: 2026-01-28 Google Dork: "N/A" Author: Mohammed Idrees Banyamer Author Country: Jordan Instagram: @banyamersecurity Vendor Homepage: https://www.drupal.org/project/hax Software Link: https://github.com/elmsln/haxcms Version: PoC/t...

8 CVSS | 5.2 AI score | 0.01036 EPSS
Exploits: 3

Exploit DB
added 2026/04/29 12:0 a.m. | 83 views

GeographicLib v2.5.1 - stack buffer overflow

Exploit title: GeographicLib v2.5.1 - stack buffer overflow Date of discovery: 20 August 2025 Exploit Author: Me zer0matt Rosario Matteo Grammatico Vendor homepage: https://github.com/geographiclib/ Software link: https://github.com/geographiclib/geographiclib Affected version: GeographicLib =...

7.5 CVSS | 5.2 AI score | 0.02164 EPSS
Exploits: 3

Exploit DB
added 2026/04/29 12:0 a.m. | 69 views

phpMyFAQ 4.0.16 - Improper Authorization

Exploit Title: phpMyFAQ = 4.0.16 - Improper Authorization Google Dork: N/A Date: 2026-01-23 Exploit Author: GUIA BRAHIM FOUAD Vendor Homepage: https://www.phpmyfaq.de/ Software Link: https://www.phpmyfaq.de/download/ Version: = 4.0.16 REQUIRED Tested on: Ubuntu 22.04, Apache 2.4.52, PHP 8.2.x,...

6.5 CVSS | 5.2 AI score | 0.01675 EPSS
Exploits: 3

Exploit DB
added 2026/04/29 12:0 a.m. | 82 views

LangChain Core 1.2.4 - SSTI/RCE

Exploit Title: LangChain Core - SSTI/RCE Date: 2025-12-29 Exploit Author: Mohammed Idrees Banyamer Author Country: Jordan Contact: @banyamersecurity Instagram GitHub: https://github.com/mbanyamer Vendor Homepage: https://www.langchain.com/ Software Link: https://pypi.org/project/langchain-core/...

9.3 CVSS | 8.2 AI score | 0.1383 EPSS
Exploits: 4

Exploit DB
added 2026/04/29 12:0 a.m. | 80 views

OpenKM 6.3.12 - Multiple

Exploit Title: OpenKM Multiple Critical Zero-Day Date: 17 Jan 2026 Exploit Author: Terra System Labs Pvt. Ltd. Vendor Homepage: https://www.openkm.com/ Software Link: https://hub.docker.com/r/openkm/openkm-ce Version: OpenKM Community Edition 6.3.12 and OpenKM Pro Edition 7.1.47 and previous...

5.3 AI score
Exploits: 0

Exploit DB
added 2026/04/29 12:0 a.m. | 89 views

GUnet OpenEclass E-learning platform < 4.2 - Remote Code Execution (RCE)

Exploit Title: GUnet OpenEclass E-learning platform """ def banner: printf'''YELLOW [ASCII-art banner] RED Author: @Ashif1337 RESET''' def cleanserveropeneclass,filename: printf"ORANGE+ Removing...

8.6 CVSS | 5.2 AI score | 0.03076 EPSS
Exploits: 3

Exploit DB
added 2026/04/29 12:0 a.m. | 110 views

Craft CMS 5.6.16 - RCE

Exploit Title: Craft CMS 5.6.16 - RCE Google Dork: N/A Date: 2026-01-24 Exploit Author: Mohammed Idrees Banyamer Author Country: Jordan Vendor Homepage: https://craftcms.com Software Link: https://github.com/craftcms/cms Version: = 3.9.14, = 4.14.14, = 5.6.16 Tested on: Linux, Apache/Nginx, PHP 8...

10 CVSS | 8.8 AI score | 0.99734 EPSS
Exploits: 13

Exploit DB
added 2026/04/29 12:0 a.m. | 73 views

GNU InetUtils 2.6 - Telnetd Remote Privilege Escalation

Exploit Title: GNU InetUtils telnetd - Remote Privilege Escalation Date: 2026-01-24 Exploit Author: Ali Guliyev infat0x Author GitHub: https://github.com/infat0x Vendor Homepage: https://www.gnu.org/software/inetutils/ Software Link: https://ftp.gnu.org/gnu/inetutils/ Version: GNU InetUtils 2.0...

9.8 CVSS | 8.9 AI score | 0.98871 EPSS
Exploits: 60

GithubExploit
added 2026/04/28 11:8 p.m. | 78 views

ExploitSense

ExploitSense ExploitSense is a local-first vulnerability anal...

5.6 AI score
Exploits: 0

GithubExploit
added 2026/04/28 10:25 p.m. | 87 views

Exploit for CVE-2026-39816

Apache NiFi CVE-2026-39816 POC Proof-of-concept demonstration...

6.6 AI score | 0.0076 EPSS
Exploits: 1

GithubExploit
added 2026/04/28 10:12 p.m. | 138 views

Exploit for Exposure of Sensitive Information to an Unauthorized Actor in Mozilla Firefox

CVE-202...

6.5 CVSS | 5.2 AI score | 0.04938 EPSS
Exploits: 1

GithubExploit
added 2026/04/28 10:2 p.m. | 97 views

Exploit for Command Injection in Github Enterprise_Server

ExploitCVE-2026-3854 CVE-2026-3854 is a Remote Code Executio...

8.8 CVSS | 6 AI score | 0.09884 EPSS
Exploits: 5