50621 matches found
📄 OpenBabel 3.1.1 Parsing Issues
This Metasploit auxiliary module generates specially crafted proof of concept files targeting potential parsing vulnerabilities in OpenBabel version 3.1.1 such as NULL pointer dereference and out-of-bounds read conditions...
📄 telnetd Environment Variable Bypass
It has been discovered that telnetd has further bypass issues relating to environment variables that can achieve remote root. For 27 years, this issue persists. From: Justin Swartz Date: Tue, 24 Feb 2026 03:17:02 +0200 Greetings, I have been reviewing the recent vulnerability report by Ron Ben...
📄 PJSIP PJMEDIA H.264 Denial of Service
A logic validation flaw was identified in the H.264 packetization routine within the PJMEDIA component of PJSIP. Specifically, insufficient validation of FU-A Fragmentation Unit – Type A state handling in pjmediah264packetize may allow malformed RTP payloads to trigger unsafe pointer arithmetic...
📄 MS‑EVEN TOCTOU ElfrBackupELFW Arbitrary File Write
This module exploits a Time-of-Check Time-of-Use TOCTOU vulnerability in the MS-EVEN protocol Windows Event Log service. A low-privileged authenticated user can write arbitrary files to a remote Windows machine by abusing the ElfrBackupELFW RPC function. This module strictly follows the MS-EVEN...
📄 Frigate NVR 0.16.3 Remote Command Execution
This Python exploit targets a critical configuration manipulation vulnerability in Frigate NVR versions up to 0.16.3 both authenticated and unauthenticated paths. By injecting a malicious go2rtc stream and a fake camera entry, it triggers arbitrary command execution as the Frigate process during...
📄 BeyondTrust PRA / RS Unauthenticated Remote Code Execution
This Metasploit module exploit achieves unauthenticated remote code execution against BeyondTrust Privileged Remote Access PRA and Remote Support RS. It leverages three different vulnerabilities depending on the user-selected target. The default target leverages CVE-2026-1731, a direct command...
📄 Moodle TeX Formula Rendering Denial of Service
A denial of service vulnerability was identified in the TeX formula rendering component of Moodle. The issue occurs when rendering TeX content using the mimetex engine without enforcing sufficient execution time or resource limitations. By submitting specially crafted TeX formulas designed to...
📄 PDF Object Injection Generator
PDF object injection is a vulnerability in applications that dynamically generate PDFs from user input without proper validation or escaping. This proof of concept generates a malicious pdf for testing software such as jsPDF...
📄 Open Babel 3.1.1 CIF File Memory Corruption
This Metasploit auxiliary module generates a crafted .cif file designed to test for memory corruption conditions in Open Babel version 3.1.1. By providing an excessive number of symmetry operations, it triggers a crash DoS during file parsing. The exact outcome depends on the target's build,...
📄 SPIP Gadget Chain Insecure Deserialization
SPIP Gadget Chain versions prior to 4.4.9 suffer from a potential PHP object deserialization vulnerability. ============================================================================================================================================= | Title : SPIP Gadget Chain before 4.4.9...
📄 FUX 1.2.8 Authentication Bypass / Remote Command Execution
This Python exploit targets CVE-2025-69985, an authentication bypass in FUXA web-based SCADA/HMI software that allows access to the protected /api/runscript endpoint even when authentication is enabled. By sending a crafted JavaScript payload using childprocess.execSync, it achieves full remote...
📄 Ollama Model Registry Path Traversal / Remote Code Execution
Ollama versions prior to 0.1.34 are vulnerable to a path traversal attack via the model pull mechanism CVE-2024-37032. When pulling a model, the digest field in OCI manifests is not validated, allowing an attacker to inject path traversal sequences to write arbitrary files on the server. This...
📄 Calibre 9.2.1 Path Traversal / Arbitrary File Write
Calibre versions 9.2.1 and below are vulnerable to a path traversal flaw in the PDB file parser, affecting both the 132-byte and 202-byte header variants of the PDB reader implementation. The vulnerability allows a specially crafted PDB file to embed directory traversal sequences such as ../ with...
📄 Cosign 3.0.4 Certificate Chain Validation Bypass
A logic flaw in the certificate verification process of Cosign versions 3.0.4 and below allows signatures to be accepted even when the issuing Intermediate Certificate Authority CA has already expired. This proof of concept generates a chain that can be tested with this software in order to prove...
📄 Icinga for Windows 1.13.3 Private Key Disclosure
This Metasploit module identifies and exploits insecure default ACL permissions in vulnerable versions of the Icinga for Windows PowerShell Framework. The certificate directory is created with overly permissive read access for the BUILTIN\Users group, allowing any local user to access the...
📄 Echo Framework 5.0.4 Path Traversal
This Python script is a security testing tool designed to detect a path traversal vulnerability in web applications built with the Echo framework version 5 running on Windows systems...
📄 Microsoft Event Log Remote Protocol Arbitrary File Write
This Python script demonstrates the abuse of the Microsoft Event Log Remote Protocol MS-EVEN to achieve an arbitrary file write over SMB using low-privileged credentials. By interacting with the Windows \pipe\eventlog named pipe through DCERPC, the script leverages the ElfrOpenBELW and...
📄 SPIP Saisies 5.11.0 Remote Code Execution
This Metasploit module exploits a PHP code injection vulnerability in the Saisies plugin for SPIP. The vulnerability allows an attacker to inject and execute arbitrary PHP code through the vulnerable parameter anciennesvaleurs. Versions 5.4.0 through 5.11.0 are affected...
📄 Tattile Cameras 1.181.5 Default Credentials
Tattile Cameras version 1.181.5 ship with default credentials that remain active after installation and commissioning without enforcing a mandatory password change. Tattile Cameras 1.181.5 Use of Default Credentials Vendor: Tattile s.r.l. Product web page: https://www.tattile.com Affected version...
📄 SPIP Cross Site Scripting
SPIP versions prior to 4.4.9 suffer from a persistent cross site scripting injection vulnerability in the editor. ============================================================================================================================================= | Title : SPIP before 4.4.9 Stored XSS...
📄 SPIP Blind Server-Side Request Forgery
SPIP versions prior to 4.4.9 suffers from a blind server-side request forgery vulnerability within the private administration interface. ============================================================================================================================================= | Title : SPIP 4.4...
📄 Tattile Cameras 1.181.5 Insufficient Token Expiration
Tattile Cameras version 1.181.5 suffers an insufficient session expiration. This occurs when the web application permits an attacker to reuse old session credentials or tokens for authorization. Insufficient session expiration increases the device's exposure to attacks that can steal or reuse...
📄 Tattile Cameras 1.181.5 Unauthenticated RTSP Stream Disclosure
Tattile Cameras version 1.181.5 suffer from an unauthenticated and unauthorized live RTSP video stream access. Tattile Cameras 1.181.5 Unauthenticated RTSP Stream Disclosure Vendor: Tattile s.r.l. Product web page: https://www.tattile.com Affected version: Smart+ family: Smart+ Tolling+ Smart+...
📄 GrandStream GXP1600 Unauthenticated Remote Code Execution
An unauthenticated stack-based buffer overflow vulnerability exists in the HTTP API endpoint /cgi-bin/api.values.get. A remote attacker can leverage this vulnerability to achieve unauthenticated remote code execution RCE with root privileges on a target device. The vulnerability affects all six...
📄 QEMU VMDK Out-Of-Bounds Read
A flaw was found in QEMU's VMDK block driver implementation. When processing compressed grain markers within a monolithicSparse VMDK image, insufficient bounds validation may allow the decompression routine to read beyond the allocated buffer. A specially crafted VMDK image could trigger an...
📄 Windows File Explorer Information Disclosure
Proof of concept exploit that demonstrates how the Microsoft Windows File Explorer fails to properly restrict access to sensitive system locations. Exploit Title: Windows File Explorer Information Disclosure CVE-2026-20937 Date: 2026-02-24 Exploit Author: nu11secur1ty Vendor Homepage:...
📄 SPIP Unauthenticated Remote Code Execution / Insecure Deserialization
A remote code execution vulnerability was identified in SPIP due to improper handling of user-supplied serialized data. The application fails to properly validate or restrict unsafe object deserialization, allowing an attacker to supply crafted input that triggers unintended object instantiation...
📄 Advanced JUNG Smart Visu Security Scanner
This is a multi-threaded security scanner for JUNG Smart Visu servers that detects reflected cross site scripting, header injection, open redirects, and JSON injection. It tests predefined endpoints with custom payloads, analyzes HTTP responses for vulnerabilities, and generates a detailed report...
📄 Cilium 1.18.5 Traffic Bypass
This Python proof of concept script performs a comprehensive node-level analysis to assess a vulnerability in Cilium versions 1.18.0 through 1.18.5 that allows cross-node Pod traffic to bypass Host Firewall policies when Native Routing, WireGuard, and Node Encryption are enabled...
📄 SPIP Saisies 5.11.0 Remote Code Execution
Proof of concept exploit for a PHP code injection vulnerability in the Saisies plugin for SPIP. The vulnerability allows an attacker to inject and execute arbitrary PHP code through the vulnerable parameter anciennesvaleurs. Versions 5.4.0 through 5.11.0 are affected. Written in PHP...
📄 AMSS++ 4.7 Backdoor Admin Account
AMSS++ version 4.7 has a hardcoded backdoor administrative account. Title: AMSS++ 4.7 - Backdoor Admin Account Author: indoushka Date: 2020-02-23 Tested on : windows 10 Français V.Pro / browser : Mozilla firefox 65.032-bit Vendor : http://amssplus.ubn4.go.th/amssplusdownload/amssplus431install.ra...
📄 Telesquare TLR-2005KSH Remote Command Execution
Telesquare TLR-2005KSH proof of concept remote command execution exploit. ============================================================================================================================================= | Title : Telesquare TLR-2005KSH - Remote Command Execution vulnerability | |...
📄 SuiteCRM 7.11.18 Log File Remote Code Execution
SuiteCRM version 7.11.18 allows modification of the logging configuration. The log filename extension is not validated properly .pHp accepted, causing the log to be interpreted as PHP. Then attacker injects PHP payload into the logs changing username lastname field resulting in the log file...
📄 sudo 1.9.17 chroot Privilege Escalation
This Metasploit module exploits CVE-2025-32463, a local privilege escalation vulnerability in Sudo's chroot functionality. The vulnerability allows attackers to load malicious NSS Name Service Switch modules from within a chroot environment, leading to arbitrary code execution as root...
📄 Supermicro Onboard IPMI X9SCL / X9SCM SMT_X9_214 PHP Buffer Overflow
Supermicro Onboard IPMI X9SCL and X9SCM with firmware SMTX9214 PHP proof of concept buffer overflow exploit that spawns a reverse shell. It exploits an older vulnerability from 2013...
📄 OWASP CRS WAF Bypass
OWASP core rule set CRS versions prior to 4.22.0 and 3.3.8 suffer from a bypass vulnerability. CVE-2026-21876 OWASP CRS WAF bypass CVE-2026-21876 docker container + minimal PoC. I would like to thank @airween and @fzipi separately for their quick response! The vulnerability fix was ready in a ver...
📄 Telerik Report Server 2024 Q1-10.0.24.305 Remote Code Execution
Telerik Report Server versions 2024 Q1 10.0.24.305 and potentially earlier contain a critical vulnerability that allows unauthenticated attackers to achieve remote code execution through insecure deserialization in report processing functionality. The vulnerability exists due to improper input...
📄 jsPDF PDF Object Injection
jsPDF versions prior to 4.2.0 suffer from a PDF object injection vulnerability the addJS method. CVE-2026-25755: PDF Object Injection in jsPDF addJS Method Description A PDF Object Injection vulnerability was identified in the addJS method of jsPDF. The library fails to sanitize user-supplied inp...
📄 Termius 9.9.0 Remote Code Execution
This Metasploit module demonstrates a remote code execution vulnerability in the Termius Electron application caused by an exposed symbol in the global JavaScript Symbol Registry. By accessing a shared Symbol.for key that unintentionally references preloaded Node.js modules, attacker-controlled...
📄 Icinga for Windows 1.13.3 Private Key Exposure
Icinga for Windows PowerShell Framework versions prior to 1.13.4, 1.12.4, and 1.11.2 install the certificate directory with insecure default permissions. The directory C:\Program Files\WindowsPowerShell\Modules\icinga-powershell-framework\certificate is created with BUILTIN\Users:RX permissions,...
📄 SolarWinds Web Help Desk Access Control Bypass / Unsafe Deserialization
This Metasploit module exploits access control bypass and unsafe deserialization vulnerabilities in SolarWinds Web Help Desk to achieve unauthenticated remote code execution...
📄 Squirrel Out-Of-Bounds Read
A vulnerability exists in the Squirrel engine's stack implementation due to missing bounds checking in the PopTarget function. When attempting to pop from an empty stack, the function reads from datasize - 1 index -1, causing a heap buffer underflow...
📄 Google Chrome CSSFontFeatureValuesMap Use-After-Free
Google Chrome versions prior to 145.0.7632.75 CSSFontFeatureValuesMap use-after-free proof of concept exploit. When an iterator is created over a CSSFontFeatureValuesMap object and the underlying HashMap is mutated during iteration, a rehash operation occurs, freeing the original memory while the...
📄 Tactical RMM 1.3.1 Jinja2 Server-Side Template Injection
This Metasploit module targets a server-side template injection vulnerability in Tactical RMM's template preview endpoint. The implementation is clearly marked as experimental and manually ranked due to the inherently unstable exploitation technique it relies on. The module attempts to achieve...
📄 Dell RecoverPoint for Virtual Machines Shell Upload
This proof of concept leverage Tomcat manager credentials to upload and execute a malicious WAR file containing a JSP web shell on Dell RecoverPoint appliances...
📄 SmarterMail 100.0.9413 GUID File Remote Code Execution
This PHP code implements a fully automated remote exploitation framework targeting SmarterMail version 100.0.9413. It is designed to identify the service, determine the underlying operating system, abuse a file upload mechanism with path traversal, and achieve arbitrary file write leading to remo...
📄 GLPI Accessible Documents Insecure Direct Object Reference
This Metasploit auxiliary module scans a GLPI installation for improperly exposed documents linked to KnowbaseItem objects via the document.send.php endpoint. The module performs an automated enumeration of docid values within a defined range and attempts to access documents without authenticatio...
📄 Solar FTP Server 2.1.1 PASV Denial of Service
Solar FTP Server version 2.1.1 PASV command denial of service proof of concept exploit written in PHP. ============================================================================================================================================= | Title : Solar FTP Server 2.1.1 PASV Command - Deni...
📄 Apache Traffic Server 9.2.5 Denial of Service
Proof of concept remote denial of service exploit for Apache Traffic Server versions 9.2.0 through 9.2.5 that leverages the host header. ============================================================================================================================================= | Title : Apache...
📄 Splunk Enterprise 8.2.9 / 9.0.2 Authenticated Remote Code Execution
Proof of concept exploit for CVE-2022-43571, a critical authenticated remote code execution vulnerability affecting Splunk Enterprise versions 8.2.9 and 9.0.2. The flaw resides in the SimpleXML dashboard PDF generation process, where insufficient input sanitization allows a privileged authenticat...