CVE-2022-34212

A missing permission check in Jenkins vRealize Orchestrator Plugin 3.0 and earlier allows attackers with Overall/Read permission to send an HTTP POST request to an attacker-specified URL...

CVE-2022-36552

Tenda AC6AC1200 v5.0 Firmware v02.03.01.114 and below contains an issue in the component /cgi-bin/DownloadFlash which allows attackers to steal all data such as source code and system files via a crafted GET request...

CVE-2022-45460

Multiple Xiongmai NVR devices, including MBD6304T V4.02.R11.00000117.10001.131900.00000 and NBD6808T-PL V4.02.R11.C7431119.12001.130000.00000, allow an unauthenticated and remote user to exploit a stack-based buffer overflow and crash the web server, resulting in a system reboot. An unauthenticat...

CVE-2021-25828

Emby Server versions 4.6.0.50 is vulnerable to Cross Site Scripting XSS vulnerability via a crafted GET request to /web...

CVE-2021-21919

A specially-crafted HTTP request can lead to SQL injection. An attacker can make authenticated HTTP requests to trigger this vulnerability at ord’ parameter. However, the high privilege super-administrator account needs to be used to achieve exploitation without cross-site request forgery attack...

CVE-2020-6125

An exploitable SQL injection vulnerability exists in the GetSchool.php functionality of OS4Ed openSIS 7.3. A specially crafted HTTP request can lead to SQL injection. An attacker can make an authenticated HTTP request to trigger this vulnerability...

CVE-2019-17510

D-Link DIR-846 devices with firmware 100A35 allow remote attackers to execute arbitrary OS commands as root by leveraging admin access and sending a /HNAP1/ request for SetWizardConfig with shell metacharacters to /squashfs-root/www/HNAP1/control/SetWizardConfig.php...

CVE-2002-2190

ArtsCore Studios CuteCast Forum 1.2 stores passwords in plaintext under the web document root, which allows remote attackers to obtain the passwords via an HTTP request to a .user file...

CVE-2025-47791

The vulnerability CVE-2025-47791 affects Nextcloud Server (self-hosted) and Nextcloud Enterprise Server prior to 28.0.13, 29.0.10, and 30.0.3. The issue is an improperly protected, currently unused endpoint used to verify a share recipient, which could proxy requests to another server. Affected v...

CVE-2025-2527 Improper access control to group information

Mattermost versions 10.5.x = 10.5.2, 9.11.x = 9.11.11 failed to properly verify a user's permissions when accessing groups, which allows an attacker to view group information via an API request...

CVE-2025-46052

CVE-2025-46052 involves WebERP v4.15.2 with an error-based SQL Injection affecting the DEL form field in a POST request to /StockCounts.php. The underlying issue allows an attacker to execute arbitrary SQL and extract sensitive data. Multiple connected sources confirm the vulnerable endpoint and ...

SureTriggers OttoKit Plugin 1.0.82 - Privilege Escalation

Exploit Title: SureTriggers OttoKit Plugin 1.0.82 - Privilege Escalation Date: 2025-05-7 Exploit Author: Abdualhadi khalifa https://x.com/absholi7ly/ Affected: Versions All versions of OttoKit SureTriggers ≤ 1.0.82. Conditions for Exploitation The vulnerability can be exploited under the followin...

CVE-2025-45020

A SQL Injection vulnerability was discovered in the normal-bwdates-reports-details.php file of PHPGurukul Park Ticketing Management System v2.0. This vulnerability allows remote attackers to execute arbitrary SQL code via the todate parameter in a POST request...

CVE-2025-24351

The CVE-2025-24351 entry affects the ctrlX OS web application’s “Remote Logging” functionality. A remote authenticated (low-privileged) attacker can execute arbitrary OS commands in the context of user “root” via a crafted HTTP request. Reports consistently describe this as a root-level command e...

📄 AlegroCart 1.2.9 Logic Flaw

AlegroCart version 1.2.9 suffers from a business logic flaw that allows for price manipulation. Exploit Title: Business Logic Flaw: Price Manipulation - alegrocartv1.2.9 Date: 04/2025 Exploit Author: Andrey Stoykov Version: 1.2.9 Tested on: Debian 12 Blog: https://msecureltd.blogspot.com/ Busines...

CVE-2025-32906

Summary: CVE-2025-32906 affects libsoup and is described in multiple connected advisories. A flaw in the function soup_headers_parse_request() may cause an out-of-bounds read, enabling a malicious HTTP request to crash the Libsoup-based HTTP server. The issue is documented across Red Hat, Debian,...

CVE-2025-32807

A path traversal vulnerability in FusionDirectory before 1.5 allows remote attackers to read arbitrary files on the host that end with .png and .svg or .xpm for some configurations via the icon parameter of a GET request to geticon.php...

CVE-2025-3248 Langflow < 1.3.0 Unauthenticated RCE via /api/v1/validate/code

Langflow versions prior to 1.3.0 are susceptible to code injection in the /api/v1/validate/code endpoint. A remote and unauthenticated attacker can send crafted HTTP requests to execute arbitrary code...

Azure Linux 3.0 Security Update: nodejs / nodejs18 (CVE-2024-22019)

The version of nodejs / nodejs18 installed on the remote Azure Linux 3.0 host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the CVE-2024-22019 advisory. - A vulnerability in Node.js HTTP servers allows an attacker to send a specially crafted HTTP reque...

CVE-2024-10307 Allocation of Resources Without Limits or Throttling in GitLab

An issue has been discovered in GitLab EE/CE affecting all versions from 12.10 before 17.8.6, 17.9 before 17.9.3, and 17.10 before 17.10.1. A maliciously crafted file can cause uncontrolled CPU consumption when viewing the associated merge request...