50738 matches found
📄 Voyager 1.8.0 Arbitrary File Upload
Voyager version 1.8.0 has an issue where an attacker with minimal privileges any role allowed to upload images in a Rich Text Box can upload a polyglot file masquerading as an image while embedding server-side executable code...
📄 VirtualBox 7.0.16 Local Privilege Escalation / Race Condition
VirtualBox version 7.0.16 proof of concept local privilege escalation exploit that leverages a race condition vulnerability. ============================================================================================================================================= | Title : VirtualBox 7.0.16...
📄 usbmuxd 1.1.1-1 Path Traversal / Arbitrary File Write
A path traversal vulnerability exists in usbmuxd, a system daemon responsible for multiplexing USB connections to mobile devices. Due to insufficient validation and sanitization of file path inputs processed through its message-handling interface, a local attacker with access to the usbmuxd UNIX...
📄 Router Fingerprint / Command Injection Scanner
This Python tool is designed to automatically identify the vendor of IoT routers through HTTP fingerprinting and attempt command-injection testing using vendor-specific payloads. The scanner analyzes HTTP headers and response bodies to detect device signatures from common manufacturers such as...
📄 Universal‑Ctags V Language 6.2.1 Parser Uncontrolled Recursion
A denial of service issue has been discovered in Universal‑Ctags versions 6.2.1 and below affecting the V language parser component. ============================================================================================================================================= | Title :...
📄 ASUS Router Multi-Stage Command Injection
A multi‑stage command injection vulnerability allows an attacker to achieve remote command execution on a vulnerable ASUS router by abusing the SETROOTCERTIFICATE and APPLYAPP HTTP methods. In the first stage, a malicious shell script is uploaded to the target system disguised as a certificate fi...
📄 Tutor LMS 2.6.2 Missing Authorization / Privilege Escalation
Proof of concept for a missing authorization vulnerability in the Tutor LMS WordPress plugin versions 2.6.2 and below. ============================================================================================================================================= | Title : Tutor LMS 2.6.2 Missing...
📄 Vite 6.2.2 Arbitrary File Read
Proof of concept exploit for an arbitrary file read in Vite version 6.2.2. ============================================================================================================================================= | Title : Vite 6.2.2 Arbitrary File Read – PHP Exploit | | Author : indoushka | ...
📄 SPIP Saisies 5.11.0 Remote Code Execution
This Metasploit module exploits an unauthenticated PHP code injection in the SPIP Saisies plugin. The anciennesvaleurs form parameter is interpolated unsanitized into a hidden field rendered with interdirescripts=false, allowing direct PHP code execution via template eval. Exploitation requires a...
📄 Router Fingerprint / Command Injection Scanner
This Metasploit module targets multiple IoT routers by automatically fingerprinting the device vendor and attempting to exploit command injection vulnerabilities. The module sends an HTTP request to identify the router manufacturer by analyzing response headers and page content. Once the vendor i...
📄 Web‑Check 1 Command Injection
A command injection vulnerability was identified in the Web‑Check application's /api/screenshot endpoint. The issue stems from the backend function that spawns a Chromium screenshot process using childprocess.exec with user‑controlled input passed via the url query parameter. Because the input wa...
📄 WatchGuard IKEv2 Detection Scanner
This Metasploit module checks for potential vulnerability to CVE-2022-23176 in WatchGuard Firmware IKEv2 service by analyzing malformed IKESAINIT responses. ============================================================================================================================================...
📄 Vivotek Camera Firmware OS 0125c Command Injection
Vivotek Camera Firmware OS versions 0100a through 0125c suffer from a command injection vulnerability. The issue resides in the CGI binary uploadmap.cgi, which operates under the Boa Webserver environment. The vulnerability occurs because the application improperly processes the POSTFILENAME...
📄 Vertex AI Experiments 1.132.x Predictable Bucket Naming
A vulnerability identified as CVE-2026-2473 affected Google Cloud Vertex AI, specifically the Vertex AI Experiments component, in versions 1.21.0 through 1.132.x fixed in 1.133.0 and later. The issue stemmed from predictable Cloud Storage bucket naming patterns, enabling a class of attack known a...
📄 GLib Memory Exhaustion
The gbase64decode function in the GLib library fails to enforce input size limits, allowing attackers to input extremely large Base64-encrypted data, resulting in uncontrolled memory allocation. This vulnerability can be exploited by providing a specially crafted, but syntactically correct, Base6...
📄 WBCE CMS 1.6.5 LFI / Config Disclosure / Cross Site Scripting
The WBCE CMS frontend loader includes template files without sanitization. This allows local file inclusion, reading configuration files, and persistent cross site scripting via crafted templates. Version 1.6.5 is affected...
📄 Vvveb CMS 1.0.5 Insecure Direct Object Reference
A one liner of details for how to leverage the insecure direct object reference vulnerability in Vvveb CMS version 1.0.5. The research later discovered this also affects version 1.0.7.3...
📄 Ubuntu 25.10 Containerd Insecure Directory Permissions
This proof of concept exploit demonstrates and detects CVE-2024-25621, a security vulnerability in containerd caused by insecure permissions on critical runtime and data directories. Affected versions may expose container metadata and runtime artifacts due to directories being readable or writabl...
📄 OpenBabel 3.1.1 Heap Buffer Overflow
This project is a local exploitation research and crash detection framework designed to evaluate memory-safety weaknesses in Open Babel version 3.1.1 under controlled laboratory conditions...
📄 F5 BIG-IP TMUI Unauthenticated Remote Code Execution
This Metasploit module exploits a directory traversal vulnerability in the F5 BIG-IP TMUI interface that allows unauthenticated attackers to execute arbitrary system commands via tmshCmd.jsp...
📄 Ipswitch WhatsUp Gold 1.0.0.24 Directory Traversal
Proof of concept exploit for a 2011 finding where Ipswitch WhatsUp Gold version 1.0.0.24 had a directory traversal in the included TFTP server. ============================================================================================================================================= | Title :...
📄 tracker-extract 3.8.2 / tracker-miners 3.x Crash
Proof of concept exploit for tracker-extract version 3.8.2 and tracker-miners version 3.x that demonstrates a crash when parsing oversized or malformed frames from MP3/APEv2 tags...
📄 dr_libs 0.14.4 Heap Buffer Overflow
A heap buffer overflow exists in the function drwavreadsmpltometadataobj when processing WAV files with a crafted smpl chunk. The vulnerability arises due to a mismatch between sampleLoopCount validation in pass 1 and unconditional processing in pass 2, allowing 36 bytes of attacker-controlled da...
📄 DOMPurify 3.13 Cross Site Scripting
A mutation cross site scripting vulnerability exists in DOMPurify versions 3.1.3 and below when the SAFEFORXML configuration is enabled. ============================================================================================================================================= | Title : DOMPurif...
📄 Splunk Enterprise 9.1.5 / 9.2.2 Remote Code Execution
This PHP script is a proof of concept exploit for CVE-2024-36985, an authenticated Remote Code Execution vulnerability affecting Splunk instances where the splunkarchiver app is installed and enabled. It is a conversion of a Metasploit module into PHP...
📄 tpAdmin 1.3.12 Shell Upload
tpAdmin versions 1.3.12 and below suffer from a remote shell upload vulnerability due to improper validation of file uploads within the preview.php component under /admin/lib/webuploader/0.1.5/server/...
📄 ThreatFire System Monitor 4.7.0.53 Kernel‑Mode Arbitrary Process Termination
This Metasploit module terminates the Windows Defender process MsMpEng.exe by sending a specific IOCTL to the TfSysMon driver. ============================================================================================================================================= | Title : ThreatFire System...
📄 Jinja 2 1.4.0 Tactical RMM SSTI Detection
This proof of concept script detects potential server-side template injection vulnerabilities in web applications using template engines such as Jinja. The script sends a dynamically generated mathematical expression within a template payload to a target URL parameter. If the server evaluates the...
📄 libbiosig 3.9.2 Buffer Overflow
A specially crafted Intan CLP file can trigger a heap buffer overflow in applications that parse the CLP format without properly validating the HeadLen field. The vulnerable parser allocates memory based on the value of HeadLen but continues reading additional data from the file without enforcing...
📄 Splunk Enterprise 9.1.5 / 9.2.2 Remote Code Execution
Proof of concept exploit for a critical authenticated remote code execution vulnerability that affects multiple versions of Splunk Enterprise when the splunkarchiver application is enabled...
📄 MajorDoMo Remote Code Execution
A critical vulnerability in the MajorDoMo web console allows unauthenticated remote attackers to execute arbitrary system commands on the target server. By sending crafted requests to the /admin.php endpoint with manipulated console parameters, an attacker can inject and execute PHP code remotely...
📄 OpenEXR Integer Overflow
Proof of concept exploit for a potential integer overflow condition when processing specially crafted multi‑part DeepScanLine EXR files with OpenEXR. The program generates a malicious .exr file containing 86 parts, where each pixel is assigned 50,000,000 samples. When these values are summed...
📄 c3p0 Insecure Deserialization
A critical vulnerability in c3p0 prior to version 0.12.0 allows attackers to achieve remote code execution through insecure handling of the userOverridesAsString property in several ConnectionPoolDataSource implementations...
📄 pypdf Memory Exhaustion / Denial of Service
pypdf versions prior to 6.7.3 were vulnerable to a denial of service condition caused by uncontrolled memory allocation during decompression of XFA streams. An attacker could craft a malicious PDF file containing a highly compressed stream using /FlateDecode...
📄 joserfc JWE PBES2 1.6.2 Denial of Service
A denial of service condition can occur in applications using the joserfc library when processing malicious JSON Web Encryption tokens that use the PBES2-HS256+A128KW algorithm...
📄 basic-ftp Path Traversal / Arbitrary File Write
basic-ftp versions prior to 5.2.0 proof of concept that demonstrates an arbitrary file write using a path traversal. ============================================================================================================================================= | Title : basic-ftp prior to version...
📄 psd-tools Denial of Service
When a specially crafted PSD file contains malformed RLE-compressed image data for example, a literal run extending beyond the expected row size, the internal decoderle function raises a ValueError in psd-tools, resulting in a denial of service condition...
📄 minimatch Denial of Service
minimatch suffers from a regular expression denial of service vulnerability. Versions prior to 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.4 are affected...
📄 Apache Artemis / ActiveMQ Artemis Missing Authentication
Proof of concept exploit for CVE-2026-27446 targeting Apache Artemis versions 2.50.0 through 2.51.0 and Apache ActiveMQ Artemis versions 2.11.0 through 2.44.0...
📄 OpenStack Remote Code Execution
A remote code execution vulnerability exists in the query parser of OpenStack Vitrage prior to versions 12.0.1, 13.0.0, 14.0.0, and 15.0.0.The issue resides in the createqueryfunction method...
📄 Siklu EtherHaul Series EH-8010 / EH-1200 File Upload
PHP proof of concept for a critical vulnerability that exists in Siklu EtherHaul EH-8010 and EH-1200 devices running firmware versions 7.4.0 through 10.7.3. The rfpiped service exposed on TCP port 555 uses hardcoded AES-256-CBC encryption parameters static key and IV and lacks any authentication...
📄 Honeywell Trend IQ4 Unauthenticated Add Admin
This Metasploit module exploits an insecure default configuration in Honeywell Trend IQ4 controllers. By default, these devices do not enforce authentication, allowing a remote user to enable the User Module and create a new administrative account. Note: This action permanently changes the device...
📄 dottie 2.0.6 Prototype Pollution Bypass
CVE-2026-27837 describes an incomplete patch in dottie versions 2.0.4 through 2.0.6, following the original CVE-2023-26132 fix attempt. The protection added in commit 7d3aee1 validates only the first segment of a dot-separated property path against dangerous keys such as proto. However, the...
📄 Adobe SDK 1.7.1 2410 Integer Overflow / Denial of Service
A logic flaw in the processing of the ProfileHueSatMapDims 0xC6F5 tag within the Adobe DNG SDK can lead to an integer overflow condition when parsing crafted DNG files. By supplying excessively large dimension values e.g., 0x15555554 in the Hue/Saturation map metadata, an attacker can trigger...
📄 Wireshark Dissector Crash Denial of Service
A vulnerability in the RF4CE Profile protocol dissector of Wireshark versions 4.6.0 through 4.6.3 and 4.4.0 through 4.4.13 allows an attacker to trigger a denial of service condition by supplying a specially crafted IEEE 802.15.4 packet capture file. The flaw exists in the handling of malformed...
📄 basic-ftp downloadToDir() Path Traversal
basic-ftp versions prior to 5.2.0 suffer from a path traversal vulnerability in downloadToDir. ============================================================================================================================================= | Title : basic-ftp prior to version 5.2.0 Path Traversal in...
📄 Juniper JunosEvolved Remote Command Execution
This Metasploit module exploits an unauthenticated command injection vulnerability in the Juniper JunosEvolved API. The exploit workflow involves creating a custom command entity, mapping it to a Directed Acyclic Graph DAG, and triggering an execution instance. The module uses a non-destructive...
📄 Windows SMB Client Privilege Escalation
This Metasploit module exploits CVE-2025-33073 in Windows SMB clients through a complex attack chain involving DNS record injection, NTLM relay attacks, and RPC coercion. The vulnerability allows privilege escalation and remote code execution on affected Windows systems including Windows 11,...
📄 Tactical RMM Jinja2 SSTI Remote Code Execution
This Metasploit module exploits a Server-Side Template Injection SSTI vulnerability in Tactical RMM versions prior to 1.4.0 CVE-2025-69516. The reporting template preview endpoint passes user-controlled Jinja2 template content to Environment.fromstring without sandboxing, allowing arbitrary Pytho...
📄 Wireshark USB HID Protocol Dissector Memory Exhaustion
CVE-2026-3201 is a denial of service vulnerability affecting the USB HID protocol dissector in Wireshark versions 4.6.0 through 4.6.3 and 4.4.0 through 4.4.13. The vulnerability is triggered when Wireshark parses a specially crafted USB HID Report Descriptor containing an excessively large...