50738 matches found
📄 Zscaler Client Connector macOS Fail-Open SIGSTOP Bypass
Zscaler Client Connector for macOS can be bypassed by a standard local user during the Restart Services / Repair App workflow by suspending user-owned Zscaler processes with SIGSTOP. The reported impact is fail-open loss of ZIA/ZPA enforcement, DLP, telemetry, and tunnel routing while the console...
📄 Whistlelink Site-Access Password Exposed
The Whistlelink reporting portal protects optionally-enabled, password-gated whistleblowing sites with a site-access password. When a visitor unlocks such a site, the client validates the password by issuing an HTTP GET request that carries the password as a URL query-string parameter which is...
📄 Horde Groupware IMP Webmail Path Traversal / Local File Inclusion
Horde Groupware's IMP Webmail solution contains a path traversal / local file inclusion vulnerability which could be exploited to escalate privileges or bypass authentication. This is patched in version 7.0.1. This is my first time sending to a mailing list so I've chosen something easy. Here goes...
📄 ImageMagick 7.x MIFF Decoder Denial of Service
This code generates a malicious MIFF image file designed to exploit a flaw in ImageMagick’s BZip decompression handling. The issue is triggered by a zero-length compressed block, which can cause ImageMagick to enter an infinite loop and consume 100% CPU...
📄 Cacti 1.2.30 Remote Code Execution
This Metasploit module is an authenticated remote code execution exploit for Cacti versions 1.2.30 and below. Title: Cacti ≤ 1.2.30 Authenticated RCE via Host...
📄 Samsung Galaxy Zero-Click HFP/A2DP Takeover
Samsung Galaxy buds have an issue where an attacker within Bluetooth range can force a transition of the active audio session to an attacker-controlled device without requiring user interaction. Samsung believes it is a non-issue. MESSAGE HASH SHA-256:...
📄 Zig 0.16.0 Denial of Service / Integer Overflow
Zig version 0.16.0 suffers from an integer overflow vulnerability that results in a denial of service condition. Agent Spooky’s Fun Parade hereby reports, with the solemnity of a raccoon presenting a subpoena, an integer-overflow panic in Zig’s std.http chunked request-body reader. In Zig 0.16.0...
📄 Cockpit CMS 2.13.5 Cross Site Scripting / Account Takeover
Cockpit CMS versions 2.13.5 and below suffer from persistent cross site scripting and cross site request forgery vulnerabilities. CVE-2026-39275 - Stored XSS Leading to Account Takeover in Cockpit CMS Note: Responsibly disclosed to and patched by the Cockpit CMS maintainers prior to publication. ...
📄 ImageMagick 7.x MIFF BZip Decoder Infinite Loop Denial of Service
A vulnerability in ImageMagick's MIFF decoder (coders/miff.c) allows an attacker to cause an infinite loop and CPU exhaustion by providing a specially crafted MIFF file with a compressed block length of zero when BZip compression is enabled...
📄 Cacti 1.2.30 Remote Code Execution
Cacti versions 1.2.30 and below authenticated remote code execution exploit that uses variable injection via graph rendering. Written in Python. Title: Cacti ≤...
📄 Atlassian Central GraphQL Email Enumeration
The loomUnauthenticatedprimaryAuthTypeForEmail GraphQL query on Atlassian's central GraphQL gateway returns different responses depending on whether an email address is registered with Atlassian, allowing unauthenticated user enumeration. CVE-2026-XXXX: Atlassian Central GraphQL — Email Enumerati...
📄 Control Web Panel 0.9.8.1224 SQL Injection
Control Web Panel versions 0.9.8.1224 and below suffer from a remote SQL injection vulnerability via the userRes POST parameter. Control Web Panel <= 0.9.8.1224 userRes SQL Injection Vulnerability...
📄 Flowise CSV Agent Prompt Injection Remote Code Execution
This vulnerability allows remote attackers to execute arbitrary code on affected installations of FlowiseAI Flowise. Authentication is not required to exploit this vulnerability. The specific flaw exists within the run method of the CSVAgents class. The issue results from the lack of proper...
📄 ProtonVPN 4.4.1 Unquoted Service Path
ProtonVPN version 4.4.1 suffers from an unquoted service path vulnerability. Exploit Title: ProtonVPN v4.4.1 - Unquoted Service Path Date: 2026-06-22 Exploit Author: Milad Karimi Contact: [email protected] Zone-H: www.zone-h.org/archive/notifier=Ex3ptionaL Vendor Homepage:...
📄 WordPress WP Full Stripe Free 8.4.3 Missing Authorization
The WP Full Stripe Free plugin for WordPress is vulnerable to missing authorization in versions up to, and including, 8.4.3 via the wpfsupdatefailedpaymentstatus AJAX action. CVE-2026-12432: WP Full Stripe Free = 8.4.4 - Published: June 26, 2026 - Last Updated: June 27, 2026 - Researcher: Netwurm...
📄 ICagenda 3.9.14 / 4.0.7 Shell Upload
iCagenda, a popular events and calendar component for Joomla, contains an unauthenticated file upload vulnerability that allows remote attackers to upload and execute arbitrary PHP code on Joomla 6 sites. Versions 3.2.1 through 3.9.14 and 4.0.0 through 4.0.7 are affected. CVE-2026-48939 -...
📄 Peyara Remote Mouse 1.0.1 Unauthenticated Remote Code Execution
This Metasploit module exploits an unauthenticated remote code execution vulnerability in Peyara Remote Mouse 1.0.1. The application exposes a Socket.IO WebSocket service on TCP port 1313 and accepts unauthenticated keyboard input events. The module sends keyboard events to open the Windows comma...
📄 Docmost 0.70.x Authorization Bypass
A low-privileged Docmost user could supply a victim attachmentId to the generic upload endpoint and overwrite another page's stored attachment inside the same workspace. Versions 0.3.0 through 0.70.x are affected. CVE-2026-34213 A low-privileged Docmost user could supply a victim attachmentId to...
📄 Docmost 0.70.2 Authorization Bypass
In Docmost versions 0.70.0 through 0.70.2, restricted child pages hidden from public share viewers could still leak through public share search results. CVE-2026-33146 A public share looked clean in the page tree, but the search endpoint told a different story. In Docmost, restricted child pages...
📄 Penpot Server-Side Request Forgery
Penpot's remote image import let an authenticated file editor turn a normal media convenience feature into backend-origin server-side request forgery because attacker-controlled URLs crossed into a redirect-following server fetch path without destination filtering. CVE-2026-45806 Penpot's remote...
📄 Yeoman Environment 6.0.0 Code Execution
Yeoman Environment versions 2.9.0 through 6.0.0 have an issue where missing generators can be installed without user confirmation, turning attacker-controlled project metadata into a package-install and code-execution path. CVE-2026-42089 A local package installation helper trusted caller-supplie...
📄 TypeBot Server-Side Request Forgery
TypeBot versions prior to 3.16.0 suffer from a server-side request forgery vulnerability. CVE-2026-34207 The SSRF filter checked hostname text, but the actual destination was decided later by DNS. That gap let attacker-controlled Webhook URLs reach loopback, metadata, and private network targets...
📄 Docmost Cross Site Scripting
Docmost versions prior to 0.71.0 suffer from a persistent cross site scripting vulnerability. CVE-2026-34212 Docmost accepted a javascript: URL inside an attachment node, preserved it through storage and rendering, and turned it back into a clickable anchor in the Docmost origin. Intro I...
📄 phpSysInfo 3.4.5 IP Allowlist Bypass
phpSysInfo versions 3.4.5 and below suffer from an IP Allowlist bypass vulnerability. CVE-2026-55584 - phpSysInfo IP Allowlist Bypass. CWE-290, CVSS 7.5 High, phpSysInfo <= 3.4.5. Refs: GHSA-786w-p5pm-cvgh, CVE.org. PSIALLOWED resolves the client IP from the attacker-controlled X-Forwarded-For then...
📄 Plane Improper Authorization
Plane's asset subsystem trusted workspace slugs and asset UUIDs without enforcing the right membership checks, which let one authenticated user read, copy, delete, and overwrite assets in other workspaces. All versions prior to 1.3.1 are affected. CVE-2026-46558 Plane’s V2 asset subsystem trusted...
📄 Dalfox Found-Action Deserialization Remote Code Execution
When dalfox versions less than or equal to 2.12.0 are started in REST API server mode (dalfox server), the server binds to 0.0.0.0:6664 by default and requires no API key unless the operator explicitly passes --api-key. Because model.Options - including FoundAction and FoundActionShell - is...
📄 HTTP.sys HTTP/2 Denial of Service
This advisory provides simple proof of concept details to trigger the HTTP/2 denial of service condition related to malformed Accept-Encoding headers. Titles: CVE-2026-49160 - HTTP.sys HTTP/2 Denial of Service (DoS) Vulnerability Author: nu11secur1ty Date: 06/24/2026 Vendor: Microsoft Corporation...
📄 N-able Mail Assure Authentication Bypass
N-able Mail Assure appears to suffer from a cross-tenant authentication bypass vulnerability via spoofing. CVE-2025-68624: Cross-Tenant Authentication Bypass by Spoofing in N-able Mail Assure CVE ID: CVE-2025-68624 Status: DISPUTED CWE: CWE-290 Authentication Bypass by Spoofing Affected Product:...
📄 PHP 8.5.7 dom_xml_serialization_algorithm() Stack Overflow
PHP version 8.5.7 suffers from a stack overflow vulnerability due to unbounded recursion in dom_xml_serialization_algorithm and domxmlserializeelementnode. PHP 8.5.7 dom_xml_serialization_algorithm stack-overflow Author: Khashayar Fereidani Disclosure Date: 2026-06-18 Advisory:...
📄 Sprecher Automation SPRECON-E-C/-E-P/-E-T3 Missing Secure-Boot / Static Passwords
Sprecher Automation SPRECON-E-C/-E-P/-E-T3 leaks the firmware signing private key, is missing a secure-boot mechanism, has unencrypted flash memory, uses static passwords, and has hard-coded vendor accounts. SEC Consult Vulnerability Lab Security Advisory...
📄 PHP 8.5.7 levenshtein() Signed-Integer Overflow
The levenshtein function calculates the Levenshtein distance between two strings, optionally accepting custom costs for insertion, replacement, and deletion operations. In PHP version 8.5.7, the implementation lacks proper bounds checking for these cost parameters. PHP 8.5.7 levenshtein...
📄 OpenBSD sppp_pap_input PAP Authentication Bypass
OpenBSD suffers from a PAP authentication bypass vulnerability via a zero-length bcmp. All versions through 7.6 are affected. OpenBSD sppp_pap_input: PAP Authentication Bypass via Zero-Length bcmp...
📄 PHP 8.5.7 mb_substr() Underflow
PHP version 8.5.7 suffers an underflow condition that can be exploited to trigger a denial of service condition. PHP 8.5.7 mb_substr 'SJIS-mac' size_t underflow Author: Khashayar Fereidani Disclosure Date: 2026-06-18 Advisory: https://fereidani.com/php-857-mbsubstr-sjis-mac-sizet-underflow Contact:...
📄 OpenBSD mpls_do_error Stack Disclosure
OpenBSD suffers from an mpls_do_error remote kernel stack disclosure vulnerability via an MPLS label stack. OpenBSD mpls_do_error: Remote Kernel Stack Disclosure via MPLS Label Stack Over-read...
📄 PHP 8.5.7 FILTER_SANITIZE_ENCODED Uninitialized Read
PHP version 8.5.7 suffers from an uninitialized read issue that does not appear immediately useful for any sort of exploitation. PHP 8.5.7 FILTER_SANITIZE_ENCODED uninitialized read Author: Khashayar Fereidani Disclosure Date: 2026-06-18 Advisory:...
📄 Worksnaps.net Worksnaps Hardcoded Root Cloud Credentials
Silver Leaf Technologies - Worksnaps.net Worksnaps suffers from a hardcoded credential vulnerability. Several application binaries contained hardcoded credentials, such as AWS access keys and S3 bucket names, which granted access to the production environment. Those hardcoded AWS cloud credential...
📄 TOTOLINK N300RH Buffer Overflow
This is a Metasploit auxiliary module that targets a stack-based buffer overflow in the TOTOLINK N300RH router's setWiFiBasicConfig CGI handler. The vulnerability occurs when the KeyStr parameter is copied into a fixed-size stack buffer without proper bounds checking. Version V6.1c.1390B20191101 ...
📄 Android Kernel /dev/umts_ipc0 Out-Of-Bounds Read / Write
Proof of concept exploit targeting a vulnerability in an Android kernel driver related to GNSS/UMTS IPC (/dev/umts_ipc0). Title: Android Kernel Exploit OOB Read/Write...
📄 Veno File Manager 4.4.9 Log Disclosure
This Metasploit module allows unauthenticated attackers to download application logs from Veno File Manager version 4.4.9 by exploiting the save-csv.php endpoint.
📄 Veno File Manager 4.4.9 Arbitrary File Read / Log Disclosure
Veno File Manager version 4.4.9 proof of concept exploit that demonstrates file and log disclosure vulnerabilities. Title: Veno File Manager 4.4.9 - Exploit Tool...
📄 HP Poly Voice Unauthenticated Remote Code Execution
CVE-2026-0826 is a critical unauthenticated stack-based buffer overflow vulnerability affecting all models in the VVX series (VVX 150, VVX 250, VVX 350, and VVX 450), as well as three models from the Trio IP Conference series (Trio 8800, Trio 8500, and Trio 8300). A remote attacker can leverage...
📄 Grav CMS Zip Slip Remote Code Execution
This Metasploit module exploits a vulnerability in Grav CMS versions prior to 2.0.0-beta.2. The Direct Install feature in the Admin plugin allows administrators to upload plugins as ZIP files...
📄 Microsoft Windows Kernel ISO Mount / Oplock Deserialization Denial of Service
Proof of concept exploit for a logic-based denial of service vulnerability in Windows 11 25H2 Build 26200 that causes permanent kernel state corruption through ISO mounting, oplocks, and Windows Defender scanning...
📄 WordPress WP Maps Pro 6.1.0 Authentication Bypass
A vulnerability in the WP Maps Pro plugin for WordPress allows unauthenticated attackers to generate valid authentication tokens via the wpgmptempaccessajax AJAX action. The vulnerability exists because the nonce check can be bypassed, allowing attackers to obtain a temporary access token that...
📄 Wing FTP Server 8.1.2 Remote Code Execution via Session Poisoning
This proof of concept remote code execution exploit abuses a flaw in how Wing FTP Server handles admin session serialization, specifically the mydirectory basefolder field. Version 8.1.2 is affected...
📄 WordPress PickPlugins 2.0.46 OTP Bypass
WordPress PickPlugins plugin version 2.0.46 proof of concept user verification OTP authentication bypass exploit. Title: WordPress PickPlugins 2.0.46 User...
📄 Genetec RabbitMQ Local Privilege Escalation
Genetec RabbitMQ local privilege escalation proof of concept exploit for Windows mimicking techniques used in token impersonation-based attacks such as Rotten Potato–style methods...
📄 Microsoft Windows Defender MsMpEng.exe Race Condition / Privilege Escalation
A race condition exists between Windows Defender's MpCleanCallbackFunction cleanup routine and Volume Shadow Copy creation. This vulnerability allows an attacker to escalate privileges to NT AUTHORITY\SYSTEM. This Metasploit module demonstrates the issue...
📄 Microsoft Windows Defender MsMpEng.exe Race Condition / Privilege Escalation
This PowerShell script demonstrates a local privilege escalation attack targeting a race condition in the Windows Defender engine MsMpEng.exe. Title: Windows...
📄 CMS Academy Booking 1.0 SQL Injection
CMS Academy Booking version 1.0 suffers from a remote SQL injection vulnerability. Title: CMS academy booking v1.0 sql injection vulnerability | Author: indoush...