47884 matches found

Exploit DB
added 2026/04/09 12:0 a.m. | 64 views

Jumbo Website Manager - Remote Code Execution

Exploit Title: Jumbo Website Manager - Remote Code Execution Application: Jumbo Website Manager Version: v1.3.7 Bugs: RCE Technology: PHP Vendor URL: https://sourceforge.net/projects/jumbo/ Software Link: https://sourceforge.net/projects/jumbo/ Date of found: 28.10.2025 Author: Mirabbas Ağalarov...

AI score 5.9
Exploits: 0

Exploit DB
added 2026/04/09 12:0 a.m. | 59 views

ZSH 5.9 - RCE

Exploit ZSH 5.9 - RCE Date: 30-12-2025 Exploit Author: sinanadilrana import pexpect import sys import time def debugprintmsg: printf"DEBUG msg" def returntogdbgdb, maxattempts=3, timeout=3: """More reliable function to return to GDB prompt""" debugprint"Attempting to return to GDB..." for attempt...

AI score 5.9
Exploits: 0

Exploit DB
added 2026/04/09 12:0 a.m. | 61 views

React Server 19.2.0 - Remote Code Execution

Exploit Title: React Server 19.2.0 - Remote Code Execution Date: 2025-12-05 Exploit Author: EynaExp https://github.com/EynaExp Vendor Homepage: https://react.dev Software Link: https://react.dev/reference/rsc/server-components Version: 19.0.0, 19.1.0, 19.1.1, 19.2.0 Tested on: Windows,Linux CVE :...

CVSS 10 | AI score 6.8 | EPSS 0.84489
Exploits: 362

Exploit DB
added 2026/04/09 12:0 a.m. | 50 views

RomM 4.4.0 - XSS_CSRF Chain

Exploit Title: RomM Application tab or Storage on Firefox Cookies - Copy the rommcsrftoken cookie value 3. Replace below with your token 4. Replace with the target RomM instance URL e.g., http://romm.local 5. Save this file as avatar.html 6. Upload it as your profile avatar...

CVSS 7.6 | AI score 5.9 | EPSS 0.00033
Exploits: 2

Exploit DB
added 2026/04/08 12:0 a.m. | 95 views

FortiWeb 8.0.2 - Remote Code Execution

Exploit Title: FortiWeb 8.0.2 - Remote Code Execution Date: 2025-11-22 Author: Mohammed Idrees Banyamer Author Country: Jordan Instagram: @banyamersecurity GitHub: https://github.com/mbanyamer Vendor Homepage: https://www.fortinet.com Software Link:...

CVSS 9.8 | AI score 6 | EPSS 0.9299
Exploits: 16

Exploit DB
added 2026/04/08 12:0 a.m. | 55 views

xibocms 3.3.4 - RCE

Exploit Title: XiboCMS 3.3.4- Remote Code Execution Google Dork: N/A Date: 2025-11-18 Exploit Author: complexusprada Vendor Homepage: https://xibo.org.uk/ Software Link: https://github.com/xibosignage/xibo-cms Version: 1.8.0 - 2.3.16, 3.0.0 - 3.3.4 Tested on: Ubuntu Linux Docker, Xibo CMS 3.3.4...

CVSS 8.8 | AI score 7.2 | EPSS 0.13271
Exploits: 3

Exploit DB
added 2026/04/08 12:0 a.m. | 65 views

7-Zip 24.00 - Directory Traversal

Exploit Title: 7-Zip 25.00 - Directory Traversal to RCE via Malicious ZIP Date: 2025-11-22 Author: Mohammed Idrees Banyamer Author Country: Jordan Instagram: @banyamersecurity GitHub: https://github.com/mbanyamer Vendor Homepage: https://www.7-zip.org Software Link:...

CVSS 7.8 | AI score 7.2 | EPSS 0.00258
Exploits: 11

Exploit DB
added 2026/04/08 12:0 a.m. | 148 views

SQLite 3.50.1 - Heap Overflow

Exploit Title: SQLite 3.50.1 - Heap Overflow Date: 2025-11-05 Author: Mohammed Idrees Banyamer Author Country: Jordan Instagram: @banyamersecurity GitHub: https://github.com/mbanyamer Vendor Homepage: https://www.sqlite.org Software Link: https://www.sqlite.org/download.html Version: SQLite 3.50....

CVSS 9.8 | AI score 6.5 | EPSS 0.01689
Exploits: 3

Exploit DB
added 2026/04/08 12:0 a.m. | 65 views

Horilla v1.3 - RCE

Exploit Title: Horilla v1.3 - RCE Date: 2025-05-29 Exploit Author: Raghad Abdallah Al-syouf Version: = 1.3 Tested on: Ubuntu / Docker CVE: CVE-2025-48868 Description: This script exploits the authenticated RCE vulnerability CVE-2025-48868. It logs into the target web app, creates a project, and...

CVSS 7.2 | AI score 5.9 | EPSS 0.04682
Exploits: 3

Exploit DB
added 2026/04/08 12:0 a.m. | 64 views

Microsoft MMC MSC EvilTwin - Local Admin Creation

!/usr/bin/env python3 Exploit Title: Microsoft MMC MSC EvilTwin - Local Admin Creation Date: 2025-11-22 Author: Mohammed Idrees Banyamer Author Country: Jordan GitHub: https://github.com/mbanyamer Vendor Homepage: https://www.microsoft.com Software Link: N/A built-in Windows component - mmc.exe...

CVSS 7 | AI score 7.2 | EPSS 0.46586
Exploits: 7

Exploit DB
added 2026/04/06 12:0 a.m. | 81 views

Windows Kernel - Elevation of Privilege

Exploit Title : Windows Kernel - Elevation of Privilege Author : E1.Coders Contact : E1.Coders at Mail dot RU Security Risk : CNA: Microsoft Corporation Base Score: 7.0 HIGH...

CVSS 7 | AI score 6.2 | EPSS 0.02374
Exploits: 6

Exploit DB
added 2026/04/06 12:0 a.m. | 99 views

Zhiyuan OA - arbitrary file upload leading

Exploit Title: Zhiyuan OA - arbitrary file upload leading Google Dork / FOFA: app="致远互联-OA" && title="V8.0SP2" Date: 1-11-2025 Exploit Author: Beatriz Fresno Naumova Vendor Homepage: https://service.seeyon.com/ Software Link: vendor download / product page if available Version: 5.0, 5.1–5.6sp1,...

CVSS 10 | AI score 5.9 | EPSS 0.09679
Exploits: 3

Exploit DB
added 2026/04/06 12:0 a.m. | 82 views

WBCE CMS 1.6.4 - Remote Code Execution

Exploit Title: WBCE CMS 1.6.4 - Remote Code Execution Date: 2024-10-26 Exploit Author: Chokri Hammedi Vendor Homepage: https://wbce.org/ Software Link: https://github.com/WBCE/WBCECMS/releases/tag/v1.6.4 Version: 1.6.4 Tested on: Linux Debian/Parrot OS Vulnerability Description WBCE CMS version...

AI score 5.9
Exploits: 0

Exploit DB
added 2026/04/06 12:0 a.m. | 108 views

WordPress Madara - Local File Inclusion

Exploit Title: WordPress Madara Local File Inclusion Date: November 1, 2025 Exploit Author: Beatriz Fresno Naumova Vendor Homepage: WordPress Theme Madara Software Link: WordPress Theme Madara Tested on: OS / PHP / WordPress versions used in testing — e.g., Ubuntu 22.04, PHP 8.1, WP 6.4 CVE:...

CVSS 9.8 | AI score 7.2 | EPSS 0.15429
Exploits: 4

Exploit DB
added 2026/04/06 12:0 a.m. | 73 views

Fortinet FortiWeb v8.0.1 - Auth Bypass

Titles:Fortinet FortiWeb v8.0.1 - Auth Bypass Author: nu11secur1ty Date: 11/15/2025 Vendor: https://www.fortinet.com/ Software: v8.0.1 Reference: https://nvd.nist.gov/vuln/detail/CVE-2025-64446 Description: CVE-2025-64446 is a critical path traversal vulnerability affecting multiple versions of...

CVSS 9.8 | AI score 6 | EPSS 0.9299
Exploits: 16

Exploit DB
added 2026/04/06 12:0 a.m. | 89 views

Desktop Window Manager Core Library 10.0.10240.0 - Privilege Escalation

Title: Desktop Window Manager Core Library 10.0.10240.0 — Privilege Escalation Heap-based Buffer Overflow sanitized evidence Author: nu11secur1ty Date: 2025-11-04 Vendor: Microsoft Software: Windows Desktop Window Manager DWM — DWM Core Library affected desktop/server releases as per vendor...

CVSS 7.8 | AI score 7.2 | EPSS 0.00679
Exploits: 1

Exploit DB
added 2026/04/06 12:0 a.m. | 62 views

Grafana 11.6.0 - SSRF

Exploit Title: Grafana 11.6.0 - SSRF FOFA: app="Grafana" Date: 2-11-2025 Exploit Author: Beatriz Fresno Naumova Vendor Homepage: https://grafana.com/ Software Link: https://grafana.com/grafana/download Version: 11.2.0 - 11.6.0 CVE: CVE-2025-4123 Description: An SSRF Server-Side Request Forgery...

CVSS 7.6 | AI score 7.2 | EPSS 0.06888
Exploits: 6

Exploit DB
added 2026/04/06 12:0 a.m. | 83 views

RiteCMS 3.1.0 - Authenticated Remote Code Execution

Exploit Title: RiteCMS 3.1.0 - Authenticated Remote Code Execution Date: 2025-10-26 Exploit Author: Chokri Hammedi Vendor Homepage: https://github.com/handylulu/RiteCMS Software Link: https://github.com/handylulu/RiteCMS/releases/download/V3.1.0/ritecms.v3.1.0.zip Version: 3.1.0 Tested on: Window...

AI score 5.9
Exploits: 0

Exploit DB
added 2026/04/06 12:0 a.m. | 80 views

is-localhost-ip 2.0.0 - SSRF

Titles: is-localhost-ip 2.0.0 - SSRF Author: nu11secur1ty Date: 11/09/2025 Vendor: https://github.com/tinovyatkin/is-localhost-ip Software: https://github.com/tinovyatkin/is-localhost-ip/releases/tag/v2.0.0 Reference: https://portswigger.net/web-security/ssrf Description: SSRF PoC — Professional...

CVSS 6.9 | AI score 5.9 | EPSS 0.00065
Exploits: 2

Exploit DB
added 2026/04/06 12:0 a.m. | 66 views

ASP.net 8.0.10 - Bypass

Exploit Title: ASP.net 8.0.10 - Bypass Date: 2025-11-03 Author: Mohammed Idrees Banyamer Author Country: Jordan Instagram: @banyamersecurity GitHub: https://github.com/mbanyamer CVE: CVE-2025-55315 Tested on: .NET Kestrel unpatched - ASP.NET Core on localhost lab environment Platform: remote Type...

CVSS 9.9 | AI score 7.2 | EPSS 0.01681
Exploits: 5

Exploit DB
added 2026/03/03 12:0 a.m. | 160 views

WordPress Backup Migration 1.3.7 - Remote Command Execution

Exploit Title: WordPress Backup Migration 1.3.7 - Remote Command Execution Date: 2025-10-26 Exploit Author: DANG Vendor Homepage: https://backupbliss.com/ Software Link: https://wordpress.org/plugins/backup-backup/ Version: Backup Migration ≤1.3.7 Tested on: LINUX CVE : CVE-2023-6553 This module...

CVSS 9.8 | AI score 5.9 | EPSS 0.93531
Exploits: 14

Exploit DB
added 2026/03/03 12:0 a.m. | 143 views

mailcow 2025-01a - Host Header Password Reset Poisoning

Exploit Title: mailcow 2025-01a - Host Header Password Reset Poisoning Date: 2025-10-21 Exploit Author: Iam Alvarez AKA Groppoxx / Maizeravla Vendor Homepage: https://mailcow.email Software Link: https://github.com/mailcow/mailcow-dockerized Version: 2025-01a REQUIRED Tested on: Ubuntu 22.04.5 LT...

CVSS 8.8 | AI score 5.9 | EPSS 0.05808
Exploits: 4

Exploit DB
added 2026/03/03 12:0 a.m. | 125 views

Easy File Sharing Web Server v7.2 - Buffer Overflow

Exploit title: Easy File Sharing Web Server v7.2 - Buffer Overflow Date: 16/10/2025 Exploit Author: Donwor X: @realDonwor Discord: Donwor Website: https://github.com/D0nw0r Software Link: https://www.exploit-db.com/apps/60f3ff1f3cd34dec80fba130ea481f31-efssetup.exe Version: Easy File Sharing Web...

AI score 5.9
Exploits: 0

Exploit DB
added 2026/03/03 12:0 a.m. | 111 views

Boss Mini v1.4.0 - Local File Inclusion (LFI)

Exploit Title: Boss Mini v1.4.0 - Local File Inclusion LFI Date: 07/12/2023 Exploit Author: nltt0 Version: 1.4.0 Build 6221 CVE: CVE-2023-3643 from requests import post from urllib.parse import quote from argparse import ArgumentParser banner = r""" / \ | | / | | / / | | \ --. | | / | |/ | ' \ /...

CVSS 9.8 | AI score 5.9 | EPSS 0.35215
Exploits: 6

Exploit DB
added 2026/03/03 12:0 a.m. | 108 views

WeGIA 3.5.0 - SQL Injection

Exploit Title: WeGIA 3.5.0 - SQL Injection Date: 2025-10-14 Exploit Author: Onur Demir OnurDemir-Dev Vendor Homepage: https://www.wegia.org Software Link: https://github.com/LabRedesCefetRJ/WeGIA/ Version: " echo "Example: $0 http://127.0.0.1/WeGIA/ "admin" "wegia" "version"" exit 1 fi...

CVSS 9.4 | AI score 5.9 | EPSS 0.00084
Exploits: 3

Exploit DB
added 2026/02/11 12:0 a.m. | 140 views

Windows 10.0.17763.7009 - spoofing vulnerability

Exploit Title: Windows 10.0.17763.7009 - spoofing vulnerability Google Dork: N/A Date: 2025-10-06 Exploit Author: Beatriz Fresno Naumova Vendor Homepage: https://www.microsoft.com Software Link: N/A Version: Not applicable this is a generic Windows library file behavior Tested on: Windows 10 x64 ...

CVSS 6.5 | AI score 5.4 | EPSS 0.08036
Exploits: 18

Exploit DB
added 2026/02/11 12:0 a.m. | 135 views

glibc 2.38 - Buffer Overflow

Exploit Title: glibc 2.38 - Buffer Overflow Google Dork: N/A Date: 2025-10-08 Exploit Author: Beatriz Fresno Naumova Vendor Homepage: https://www.gnu.org/software/libc/ Software Link: https://ftp.gnu.org/gnu/libc/glibc-2.35.tar.gz Version: glibc 2.35 specifically 2.35-0ubuntu3.3 on Ubuntu 22.04.3...

CVSS 7.8 | AI score 5.4 | EPSS 0.71554
Exploits: 25

Exploit DB
added 2026/02/11 12:0 a.m. | 213 views

motionEye 0.43.1b4 - RCE

Exploit Title: motionEye 0.43.1b4 - RCE Exploit PoC: motionEye RCE via client-side validation bypass safe PoC Filename: motioneyercepocedb.txt Author: prabhatverma47 Date tested: 2025-05-14 original test; prepared for submission: 2025-10-11 Affected Versions: motionEye = 0.43.1b4 Tested on: Debia...

CVSS 7.2 | AI score 5.4 | EPSS 0.57917
Exploits: 16

Exploit DB
added 2026/02/04 12:0 a.m. | 127 views

FortiWeb Fabric Connector 7.6.x - SQL Injection to Remote Code Execution

Exploit Title: FortiWeb Fabric Connector 7.6.x - Pre-authentication SQL Injection to Remote Code Execution Date: 2025-10-05 Exploit Author: Milad Karimi Ex3ptionaL Contact: [email protected] Zone-H: www.zone-h.org/archive/notifier=Ex3ptionaL Tested on: Win, Ubuntu CVE : CVE-2025-25257 Overvi...

CVSS 9.8 | AI score 8.6 | EPSS 0.26204
Exploits: 18

Exploit DB
added 2026/02/04 12:0 a.m. | 140 views

Docker Desktop 4.44.3 - Unauthenticated API Exposure

Exploit Title: Docker Desktop 4.44.3 - Unauthenticated API Exposure Date: 2025-10-06 Exploit Author: OilSeller2001 Vendor Homepage: https://www.docker.com/ Software Link: https://www.docker.com/products/docker-desktop/ Version: Affected on Windows and macOS versions prior to 4.44.3 Tested on:...

CVSS 9.3 | AI score 5.6 | EPSS 0.01192
Exploits: 15

Exploit DB
added 2026/02/04 12:0 a.m. | 127 views

windows 10/11 - NTLM Hash Disclosure Spoofing

Exploit Title: windows 10/11 - NTLM Hash Disclosure Spoofing Date: 2025-10-06 Exploit Author: Beatriz Fresno Naumova Vendor Homepage: https://www.microsoft.com Software Link: N/A Version: Not applicable this is a generic Windows library file behavior Tested on: Windows 10 x64 / Windows 11 x64 lab...

CVSS 6.5 | AI score 5.3 | EPSS 0.08036
Exploits: 18

Exploit DB
added 2026/02/04 12:0 a.m. | 149 views

aiohttp 3.9.1 - directory traversal PoC

Exploit Title: Python aiohttp directory traversal PoC CVE-2024-23334 Google Dork: N/A Date: 2025-10-06 Exploit Author: Beatriz Fresno Naumova Vendor Homepage: https://www.aiohttp.org / https://www.python.org Software Link: https://github.com/aio-libs/aiohttp vulnerable tag: 3.9.1 Version: aiohttp...

CVSS 7.5 | AI score 7.3 | EPSS 0.93602
Exploits: 15

Exploit DB
added 2026/02/04 12:0 a.m. | 126 views

Ingress-NGINX Admission Controller v1.11.1 - FD Injection to RCE

Exploit Title: Ingress-NGINX Admission Controller v1.11.1 - FD Injection to RCE Date: 2025-10-07 Exploit Author: Beatriz Fresno Naumova Vendor Homepage: https://kubernetes.io Software Link: https://github.com/kubernetes/ingress-nginx Version: Affects v1.10.0 to v1.11.1 potentially others Tested o...

CVSS 9.8 | AI score 7 | EPSS 0.91918
Exploits: 21

Exploit DB
added 2026/02/04 12:0 a.m. | 172 views

OctoPrint 1.11.2 - File Upload

Exploit Title: OctoPrint 1.11.2 - File Upload Date: 2025-09-28 Exploit Author: prabhatverma.addada Vendor Homepage: https://octoprint.org Software Link: https://github.com/OctoPrint/OctoPrint Affected Versions: = 1.11.2 Patched Versions: 1.11.3 CVE: CVE-2025-58180 CVSS per advisory: 7.5 Platform:...

CVSS 8.8 | AI score 5.2 | EPSS 0.02219
Exploits: 4

Exploit DB
added 2026/02/04 12:0 a.m. | 124 views

Redis 8.0.2 - RCE

Exploit Title: Ingress-NGINX Admission Controller v1.11.1 - FD Injection to RCE Date: 2025-10-07 Exploit Author: Beatriz Fresno Naumova Vendor Homepage: https://redis.io/ Software Link: https://redis.io/ Version: Affects := 8.0.0, 8 + p8size & 0xff def buildmalformedhll: """ Construct a malformed...

CVSS 7.8 | AI score 5.3 | EPSS 0.18438
Exploits: 4

Exploit DB
added 2026/02/02 12:0 a.m. | 145 views

RPi-Jukebox-RFID 2.8.0 - Stored Cross-Site Scripting (XSS)

Exploit Title: RPi-Jukebox-RFID 2.8.0 - Stored XSS CVE-2025-10370 Date: 2025-09-25 Exploit Author: Beatriz Fresno Naumova Vendor Homepage: https://github.com/MiczFlor/RPi-Jukebox-RFID Software Link: https://github.com/MiczFlor/RPi-Jukebox-RFID/releases/tag/v2.8.0 Version: 2.8.0 Tested on: Raspber...

CVSS 5.4 | AI score 4.9 | EPSS 0.00425
Exploits: 3

Exploit DB
added 2026/02/02 12:0 a.m. | 146 views

D-Link DIR-825 Rev.B 2.10 - Stack Buffer Overflow (DoS)

Exploit Title: D-Link DIR-825 Rev.B 2.10 - Stack Buffer Overflow DoS Google Dork: N/A Date: 2025-09-25 Exploit Author: Beatriz Fresno Naumova Vendor Homepage: https://www.dlink.com/ Software Link: https://tsd.dlink.com.tw/downloads2008detail.asp Version: DIR-825 Rev.B = 2.10 Tested on: DIR-825...

CVSS 9.8 | AI score 7.9 | EPSS 0.07615
Exploits: 3

Exploit DB
added 2026/02/02 12:0 a.m. | 133 views

Piranha CMS 12.0 - Stored XSS in Text Block

Exploit Title: Piranha CMS 12.0 - Stored Cross Site Scripting Date: 2025-09-26 Exploit Author: Chidubem Chukwu Terminal Venom LinkedIn : https://www.linkedin.com/in/chidubem-chukwu-20bb202a9? Vendor Homepage: https://piranhacms.org Software Link:...

CVSS 6.8 | AI score 5.2 | EPSS 0.00077
Exploits: 3

Exploit DB
added 2026/01/17 12:0 a.m. | 157 views

Siklu EtherHaul Series EH-8010 - Arbitrary File Upload

Exploit Title: Siklu EtherHaul Series - Unauthenticated Arbitrary File Upload Shodan Dork: "EH-8010" or "EH-1200" Date: 2025-08-02 Exploit Author: semaja2 - Andrew James Vendor Homepage: https://www.ceragon.com/products/siklu-by-ceragon Software Link: ftp://ftp.bubakov.net/siklu/ Version: EH-8010...

CVSS 6.5 | AI score 7 | EPSS 0.0056
Exploits: 6

Exploit DB
added 2026/01/17 12:0 a.m. | 151 views

RPi-Jukebox-RFID 2.8.0 - Remote Command Execution

Exploit Title: RPi-Jukebox-RFID 2.8.0 - Remote Code Execution Date: 2025-09-25 Exploit Author: Beatriz Fresno Naumova Vendor Homepage: https://github.com/MiczFlor/RPi-Jukebox-RFID Software Link: https://github.com/MiczFlor/RPi-Jukebox-RFID/releases/tag/v2.8.0 Version: 2.8.0 Tested on: Raspberry P...

CVSS 9.8 | AI score 7 | EPSS 0.03856
Exploits: 3

Exploit DB
added 2026/01/17 12:0 a.m. | 144 views

Siklu EtherHaul Series EH-8010 - Remote Command Execution

Exploit Title:Siklu EtherHaul Series EH-8010 - Remote Command Execution Shodan Dork: "EH-8010" or "EH-1200" Date: 2025-08-02 Exploit Author: semaja2 - Andrew James Vendor Homepage: https://www.ceragon.com/products/siklu-by-ceragon Software Link: ftp://ftp.bubakov.net/siklu/ Version: EH-8010 and...

CVSS 9.8 | AI score 7 | EPSS 0.01691
Exploits: 3

Exploit DB
added 2025/12/25 12:0 a.m. | 190 views

Chained Quiz 1.3.5 - Unauthenticated Insecure Direct Object Reference via Cookie

Exploit Title: Chained Quiz 1.3.5 - Unauthenticated Insecure Direct Object Reference via Cookie Date: 19-12-2025 Exploit Author: Karuppiah Sabari Kumar0xsabre Vendor Homepage: https://wordpress.org/plugins/chained-quiz/ Software Link: https://downloads.wordpress.org/plugin/chained-quiz.1.3.3.zip...

CVSS 5.3 | AI score 7 | EPSS 0.04001
Exploits: 2

Exploit DB
added 2025/12/25 12:0 a.m. | 191 views

WordPress Quiz Maker 6.7.0.56 - SQL Injection

Exploit Title: WordPress Quiz Maker 6.7.0.56 - SQL Injection Date: 2025-12-16 Exploit Author: Rahul Sreenivasan Tr0j4n Vendor Homepage: https://ays-pro.com/wordpress/quiz-maker Software Link: https://wordpress.org/plugins/quiz-maker/ Version: = 6.7.0.56 Tested on: WordPress 6.x with Quiz Maker...

CVSS 7.5 | AI score 7 | EPSS 0.00072
Exploits: 3

Exploit DB
added 2025/12/25 12:0 a.m. | 158 views

FreeBSD rtsold 15.x - Remote Code Execution via DNSSL

Exploit Title: FreeBSD rtsold 15.x - Remote Code Execution via DNSSL Date: 2025-12-16 Exploit Author: Lukas Johannes Möller Vendor Homepage: https://www.freebsd.org/ Version: FreeBSD 13.x, 14.x, 15.x before 2025-12-16 patches Tested on: FreeBSD 14.1-RELEASE CVE: CVE-2025-14558 Description: rtsold...

CVSS 7.2 | AI score 7 | EPSS 0.55423
Exploits: 7

Exploit DB
added 2025/12/16 12:0 a.m. | 147 views

esm-dev 136 - Path Traversal

Exploit Title: esm-dev 136 - Path Traversal Date: 2025-07-11 Exploit Author: Byte Reaper Vendor Homepage: https://github.com/esm-dev/esm.sh Software Link: https://github.com/esm-dev/esm.sh CVE-2025-59342 - File : exploit.c - Date : 09/17/2025 - Target : esm-dev - Version: 136 - Target Endpoint :...

CVSS 6.9 | AI score 7 | EPSS 0.06448
Exploits: 2

Exploit DB
added 2025/12/16 12:0 a.m. | 152 views

Summar Employee Portal 3.98.0 - Authenticated SQL Injection

Exploit Title: Summar Employee Portal 3.98.0 - Authenticated SQL Injection Google Dork: inurl:"/MemberPages/quienesquien.aspx" Date: 09/22/2025 Exploit Author: Peter Gabaldon - https://pgj11.com/ Vendor Homepage: https://www.summar.es/ Software Link: https://www.summar.es/software-recursos-humano...

CVSS 8.7 | AI score 7 | EPSS 0.00222
Exploits: 3

Exploit DB
added 2025/12/08 12:0 a.m. | 290 views

Pluck 4.7.7-dev2 - PHP Code Execution

Exploit Title: Pluck 4.7.7-dev2 - PHP Code Execution Date: 2024-10-26 Exploit Author: CodeSecLab Vendor Homepage: https://github.com/pluck-cms/pluck Software Link: https://github.com/pluck-cms/pluck Version: 4.74-dev5 Tested on: Ubuntu Windows CVE : CVE-2018-11736 PoC: 1) 1. Log in to the Pluck...

CVSS 9.8 | AI score 7 | EPSS 0.08043
Exploits: 3

Exploit DB
added 2025/12/03 12:0 a.m. | 149 views

phpMyFAQ 2.9.8 - Cross-Site Request Forgery(CSRF)

Exploit Title: phpMyFAQ 2.9.8 - Cross-Site Request ForgeryCSRF Date: 2024-10-26 Exploit Author: CodeSecLab Vendor Homepage: https://github.com/thorsten/phpMyFAQ Software Link: https://github.com/thorsten/phpMyFAQ Version: 2.9.8 Tested on: Ubuntu Windows CVE : CVE-2017-15734 PoC: Get...

CVSS 8.8 | AI score 7 | EPSS 0.00109
Exploits: 2

Exploit DB
added 2025/12/03 12:0 a.m. | 165 views

Django 5.1.13 - SQL Injection

Exploit Title: Django 5.1.13 - SQL Injection Google Dork: none Not applicable for this vulnerability Date: 2025-12-03 Exploit Author: Wafcontrol Security Team Vendor Homepage: https://www.djangoproject.com/ Software Link: https://www.djangoproject.com/download/ Version: 5.2 before 5.2.8, 5.1 befo...

CVSS 9.1 | AI score 7 | EPSS 0.00296
Exploits: 10

Exploit DB
added 2025/12/03 12:0 a.m. | 145 views

MobileDetect 2.8.31 - Cross-Site Scripting (XSS)

Exploit Title: MobileDetect 2.8.31 - Cross-Site Scripting XSS Date: 2025-11-25 Exploit Author: CodeSecLab Vendor Homepage: https://github.com/serbanghita/Mobile-Detect/ Software Link: https://github.com/serbanghita/Mobile-Detect/ Version: 4da80e5 Tested on: Windows CVE : CVE-2018-25080 Proof Of...

CVSS 6.1 | AI score 4.8 | EPSS 0.02149
Exploits: 2

Total number of security vulnerabilities: 47884