📄 n8n Workflow Automation Remote Configuration / Admin Data Extraction

This Metasploit module exploits multiple vulnerabilities in n8n workflow automation tool. It leverages a file read vulnerability to steal encryption keys and database, then uses stolen credentials to authenticate and execute arbitrary commands via the Execute Command node...

📄 Pymatgen 2024.1 CIF Parser Reverse Shell

Pymatgen version 2024.1 contains a critical remote code execution vulnerability in its Crystallographic Information File CIF parser that allows attackers to execute arbitrary Python code through specially crafted CIF files, leading to complete system compromise. The vulnerability exists in the CI...

📄 Pterodactyl Panel Remote Code Execution

This Metasploit module exploits a remote code execution vulnerability in Pterodactyl Panel versions before 1.11.11. The vulnerability allows an attacker to write a malicious PHP file via the locale functionality and then execute it to gain a reverse shell...

📄 eNet SMART HOME Server 2.3.1 Remote Privilege Escalation

The eNet Smart Home system suffers from a privilege escalation vulnerability due to insufficient authorization checks in the JSON-RPC endpoint for user management. A low-privileged user, can exploit the setUserGroup method by sending a crafted POST request to /jsonrpc/management, specifying their...

📄 NFR Agent SRS Record 1.0.4.3 PHP Code Injection

Proof of concept code injection exploit for NFR Agent SRS Record version 1.0.4.3. This is for an older finding from 2012. ============================================================================================================================================= | Title : NFR Agent SRS Record...

📄 PluckCMS 4.7.10 Shell Upload

PluckCMS version 4.7.10 remote shell upload proof of concept exploit. ============================================================================================================================================= | Title : PluckCMS 4.7.10 Unrestricted File Upload RCE | | Author : indoushka | |...

📄 eNet SMART HOME Server 2.3.1 Arbitrary User Deletion

The eNet Smart Home system contains an authorization weakness in the deleteUserAccount JSON-RPC method that permits any authenticated low-privileged user UGUSER to delete arbitrary user accounts, except for the built-in admin account. The application does not enforce proper role-based access...

📄 Precurio Intranet Portal 4.4 Cross Site Request Forgery / Shell Upload

Precurio Intranet Portal version 4.4 proof of concept cross site request forgery and remote shell upload exploit. ============================================================================================================================================= | Title : Precurio Intranet Portal 4.4...

📄 JUNG Smart Visu Server Cache Poisoning

Python proof of concept web cache poisoning exploit for JUNG Smart Visu Server that builds on the finding from LiquidWorm. ============================================================================================================================================= | Title : JUNG Smart Visu Server...

📄 PivotX 3.0.0 RC 3 Command Injection

PivotX content management system versions up to and including 3.0.0-rc3 contain an authenticated remote code execution vulnerability that allows administrative users to modify PHP files directly through the web interface, leading to complete system compromise...

📄 eNet SMART HOME Server 2.3.1 Default Credentials

The eNet Smart Home system ships with default credentials that remain active after installation and commissioning without enforcing a mandatory password change. Version 2.3.1 is affected. eNet SMART HOME server 2.3.1 Use of Default Credentials Vendor: Gira Giersiepen GmbH & Co. KG | ALBRECHT JUNG...

📄 eNet SMART HOME Server 2.3.1 Account Takeover

The eNet Smart Home system contains an authorization flaw in the resetUserPassword functionality that allows any authenticated low-privileged user UGUSER to reset the password of arbitrary accounts, including those in the UGADMIN and UGSUPERADMIN groups, without supplying the current password or...

📄 JUNG Smart Panel 5.1 KNX (L1.12.22) Path Traversal

JUNG Smart Panel version 5.1 KNX L1.12.22 unauthenticated path traversal proof of concept exploit that builds on the finding from LiquidWorm. ============================================================================================================================================= | Title : JUN...

📄 mailcow: Dockerized Host Header Password Reset Poisoning

mailcow: dockerized versions prior to 2025-01a are vulnerable to Host header poisoning in the password reset workflow. The application incorrectly trusts the Host header when generating password reset links, allowing an attacker to inject an attacker-controlled domain into the reset URL. If a...

📄 Netgate pfSense Community Edition 2.7.2 / 2.8.0 Remote Code Execution

Netgate pfSense Community Edition versions 2.7.2 and 2.8.0 appear to suffer from multiple authenticated remote code execution vulnerabilities that the vendor has written off as abusive administrator behavior but a non-issue. 🔐 CVE-2025-69690 & CVE-2025-69691 Authenticated Remote Code Execution in...

📄 phpIPAM 1.4 Code Execution / Local File Inclusion

A critical local file inclusion vulnerability exists in in index.php in phpIPAM version 1.4. Attackers can exploit this to read sensitive system files and potentially perform remote code execution. phpIPAM 1.4 LFI to RCE Exploit...

📄 JUNG Smart Visu Server 1.1.1050 Denial of Service

Proof of concept exploit for a security vulnerability in JUNG Smart Visu Server version 1.1.1050 that allows unauthenticated remote attackers to trigger a system reboot or shutdown via a crafted HTTP POST request to a publicly exposed REST API endpoint...

📄 ChurchCRM 6.8.0 Unauthenticated Remote Code Execution

This Metasploit module exploits an unauthenticated remote code execution vulnerability in the installation process of ChurchCRM versions 6.8.0 and earlier. By sending a specially crafted POST request to the setup page, an attacker can execute arbitrary commands on the target server. This Metasplo...

📄 PopojiCMS 2.0.1 Code Injection

PopojiCMS version 2.0.1 remote PHP code injection proof of concept exploit. ============================================================================================================================================= | Title : PopojiCMS 2.0.1 PHP COde Injection Vulnerability | | Author : indoush...

📄 PPOM for WooCommerce 33.0.15 SQL Injection / Code Execution

This is an extensive exploit that leverages a remote SQL injection vulnerability in PPOM for WooCommerce version 33.0.15 to also achieve remote code execution and local file inclusion...

📄 GNU Inetutils 2.7 Authentication Bypass

GNU Inetutils version 2.7 telnet authentication bypass proof of concept exploit written in PHP. ============================================================================================================================================= | Title : GNU Inetutils Telnet Authentication Bypass PHP...

📄 FortiGate Advanced Symlink Bypass Exploit

This Python script is an advanced exploitation tool targeting vulnerable FortiGate devices manufactured by Fortinet. It attempts to exploit a symlink/path bypass vulnerability via the /lang//custom/ endpoint in order to access sensitive internal files that should not be publicly accessible...

📄 PandoraFMS Netflow 7.0.777.10 Command Injection

PandoraFMS versions 7.0.774 through 7.0.777.10 contain an authenticated command injection vulnerability in the Netflow configuration component. An authenticated attacker with valid credentials can inject arbitrary system commands via the netflownamedir parameter, leading to remote code execution ...

📄 Xerte Online Toolkits 3.14 Template Import Shell Upload

This Metasploit module exploits an authentication bypass allowing arbitrary file upload in Xerte Online Toolkits versions 3.14 and earlier to upload and execute a shell. Specifically, this targets /websitecode/php/import/import.php. Note: this Metasploit module results in directories being create...

📄 SolarWinds Web Help Desk Unauthenticated Remote Code Execution

This Metasploit module exploits an access control bypass vulnerability CVE-2025-40536 and an unsafe deserialization vulnerability CVE-2025-40551 to achieve unauthenticated remote code execution against a vulnerable SolarWinds Web Help Desk WHD server. This module requires Metasploit:...

📄 Online Grievance Redressal Software 2.6 Cross Site Scripting

Online Grievance Redressal Software version 2.6 suffers from a cross site scripting vulnerability. ============================================================================================================================================= | Title : Online Grievance Redressal Software 2.6 XSS...

📄 FreeBSD rtsold/rtsol DNSSL Command Injection

This Metasploit module exploits a command injection vulnerability CVE-2025-14558 in FreeBSD's rtsol8 and rtsold8 programs. These programs do not validate the domain search list options provided in IPv6 Router Advertisement messages; the option body is passed to resolvconf8 unmodified. resolvconf8...

📄 Oracle Database Server 9.2.0.5 SQL Injection

Oracle Database Server version 9.2.0.5 proof of concept remote SQL injection exploit that leverages SYS.DBMSCDCSUBSCRIBE.ACTIVATESUBSCRIPTION and makes use of an older vulnerability from 2005...

📄 Xerte Online Toolkits 3.14 Upload Image Shell Upload

This Metasploit module exploits the user template file import functions unrestricted file upload in Xerte Online Toolkits versions 3.14 and earlier to upload and execute a shell. This targets editor/uploadImage.php. This has only been tested in implementations where the authentication type is Db...

📄 OpenSSL 3.x PKCS#12 PBMAC1 KeyLength Buffer Overflow

This proof of concept demonstrates a buffer overflow vulnerability in OpenSSL versions 3.4 to 3.6 related to improper handling of the PBMAC1 keyLength parameter in PKCS12 files. By crafting a malicious PKCS12 structure with an excessively large keyLength value, the proof of concept triggers a...

📄 Xerte Online Toolkits 3.14 Import Language Shell Upload

This Metasploit module exploits an authentication bypass allowing arbitrary file upload in Xerte Online Toolkits versions 3.14 of and earlier to upload and execute a shell. This module requires Metasploit: https://metasploit.com/download Current source:...

📄 Peyara Remote Mouse 1.0.1 Shell Upload / Code Execution

The Peyara Remote Mouse desktop control software exposes an unauthenticated file upload endpoint, along with an unauthenticated WebSocket control channel. An attacker can upload arbitrary files including .LNK shortcuts to the victim environment and trigger command execution via simulated...

📄 Patients Waiting Area Queue Management System 1.0 SQL Injection

Patients Waiting Area Queue Management System version 1.0 is vulnerable to SQL injection due to improper sanitization on the appointmentID parameter. Authentication bypass and full database dump are possible. The application also appears to have a hardcoded JWT key, suffers from a username...

📄 JUNG Smart Visu Server 1.1.1050 Request URL Override

JUNG Smart Visu Server version 1.1.1050 has a vulnerability that enables unauthenticated attackers to perform cache poisoning attacks by overriding the effective host in proxied requests through manipulation of the X-Forwarded-Host header. When a malicious actor sends a request with an arbitrary...

📄 GNU Inetutils Telnet Authentication Bypass

A Metasploit module has been released that exploit telnetd. The telnetd service from GNU InetUtils is vulnerable to authentication bypass, tracked as CVE-2026-24061, in versions up to version 2.7. During Telnet authentication the SB byte can be sent to indicate sub-negotiation which allows for th...

📄 JUNG Smart Visu Server 1.1.1050 Remote Server Shutdown

JUNG Smart Visu Server version 1.1.1050 suffers from a denial of service vulnerability. An unauthenticated attacker can reboot or shutdown the server by sending one GET request. JUNG Smart Visu Server 1.1.1050 Remote Server Shutdown Vendor: ALBRECHT JUNG GMBH & CO. KG Product web page:...

📄 libuser Denial of Service / Privilege Escalation

This is an old proof of concept from 2015 that demonstrates userhelper chfn newline filtering and libuser passwd file handling vulnerabilities. / roothelper.c - an unusual local root exploit against: CVE-2015-3245 userhelper chfn newline filtering CVE-2015-3246 libuser passwd file handling...

📄 Qualys Security Advisory - GHOST glibc gethostbyname Buffer Overflow

During a code audit performed internally at Qualys, they discovered a buffer overflow in the nsshostnamedigitsdots function of the GNU C Library glibc. This bug is reachable both locally and remotely via the gethostbyname functions, so we decided to analyze it -- and its impact -- thoroughly, and...

📄 Qualys Security Advisory - Exim 21Nails Advisory

Qualys audited central parts of the Exim mail server and discovered 21 vulnerabilities, with 11 being local vulnerabilities and 10 being remote vulnerabilities. This is older research from 2021 that was missing from the archive. Qualys Security Advisory 21Nails: Multiple vulnerabilities in Exim...

📄 motionEye 0.43.1b4 Remote Code Execution

Client-side validation in motionEye's web UI can be bypassed via overriding the JS validation function. Arbitrary values including shell interpolation syntax can be saved into the motion config. When motion is restarted, the motion process interprets the config and can execute shell syntax embedd...

📄 JUNG Smart Panel 5.1 KNX Unauthenticated Absolute File Path Traversal

The JUNG Smart Panel 5.1 KNX controller suffers from a directory traversal vulnerability. Exploiting this issue will allow an unauthenticated attacker to view arbitrary files within the context of the web server. JUNG Smart Panel 5.1 KNX Unauthenticated Absolute File Path Traversal Vendor: ALBREC...

📄 glibc 2.38 Buffer Overflow

This is a local privilege escalation exploit for CVE-2023-4911, also known as "Looney Tunables", caused by a buffer overflow in the glibc dynamic loader's environment variable parsing logic. The vulnerability is triggered by crafting a maliciously long GLIBCTUNABLES string which corrupts internal...

📄 Ivanti Endpoint Manager Mobile (EPMM) Unauthenticated Remote Code Execution

This Metasploit module exploits a OS command injection issue in Ivanti Endpoint Manager Mobile EPMM, formerly known as MobileIron. A remote attacker can achieve unauthenticated RCE with root privileges on an affected device. This module requires Metasploit: https://metasploit.com/download Current...

📄 Oracle Access Manager 12.2.1.4.0 Insecure Deserialization

Proof of concept exploit for an unauthenticated Java deserialization vulnerability in the OpenSSO Agent component of Oracle Access Manager that allows remote attackers to execute arbitrary commands without authentication. The vulnerability exists in the session handling mechanism of the OpenSSO...

📄 jsonpath 1.1.1 Prototype Pollution

Proof of concept exploit for a prototype pollution vulnerability in jsonpath version 1.1.1, where unsafe writes to $.constructor.prototype allows attackers to inject arbitrary properties and functions into Object.prototype. By abusing jsonpath.value, an attacker can globally modify object...

📄 yuan1994 tpadmin Shell Upload

yuan1994 tpadmin versions up to 1.3.12 suffers from a remote shell upload vulnerability. tpadmin-CVE-2026-2113-poc A proof-of-concept exploiting a Remote Code Execution with web server privileges via Arbitrary File Upload. Vulnerability Description A critical Remote Code Execution vulnerability...

📄 Palo Alto Networks PAN-OS 11.2 PHP Code Injection

Palo Alto Networks PAN-OS version 11.2 proof of concept remote command execution exploit that also leverages an authentication bypass vulnerability. ============================================================================================================================================= | Titl...

📄 openSIS Classic 9.2 Path Traversal

openSIS Classic version 9.2 suffers from a path traversal vulnerability that allows for local file inclusion. ============================================================================================================================================= | Title : openSIS Classic v 9.2 Path Traversa...

📄 Samsung MP3 Decoder Out-Of-Bounds Read

Proof of concept exploit for a Samsung MP3 Decoder smp123djointstereov1 out-of-bounds read enabling potential ASLR bypass. ============================================================================================================================================= | Title : Samsung MP3 Decoder...

📄 crypto/x509 TLS Certificate Parsing

This Go program demonstrates a theoretical denial of service risk associated with handling unusually large X.509 certificates in TLS connections. It programmatically generates a self-signed certificate containing a very large number of Subject Alternative Names SANs and configures an HTTP client ...