📄 UNI-PASS-Based Customs Systems Insecure Direct Object Reference

A critical security vulnerability has been identified in customs platforms based on UNI-PASS, where a publicly exposed API endpoint allows unauthorized access to sensitive documents without proper authentication or authorization checks. The affected endpoint commonly structured under /api/public/...

📄 Spectrum ANOG Device Credential Extraction / Command Injection

This Metasploit auxiliary module targets Spectrum/ANOG devices and combines credential extraction, password decryption, and remote command execution through an authenticated command injection flaw...

📄 Dolibarr 23.0.0 dol_eval_standard() Whitelist Bypass

Dolibarr version 23.0.0 bypass proof of concept exploit. The whitelist mode of dolevalstandard does not apply $forbiddenphpstrings checks, and the function-call regex does not detect PHP dynamic callable syntax. This allows 'exec''cmd' to bypass all validation and reach eval. !/usr/bin/env python...

📄 Cockpit CMS 2.13.5 Cross Site Scripting

Cockpit CMS version 2.13.5 suffers from a persistent cross site scripting vulnerability in the content model display template. The $interpolate function in /modules/App/assets/js/app/utils.js uses new Function to evaluate template strings, allowing arbitrary JavaScript execution. Any authenticate...

📄 NocoBase 2.0.27 Sandbox Escape / Remote Code Execution

NocoBase versions 2.0.27 and below suffer from a sandbox escape vulnerability in the Workflow Script Node. The console object passed into the Node.js vm sandbox context exposes host-realm WritableWorkerStdio stream objects via console.stdout. An authenticated attacker can traverse the prototype...

📄 Zhiyuan OA Traversal / File Upload

Path traversal and improper validation in the multipart file upload handling of Zhiyuan OA's wpsAssistServlet allows an attacker to place crafted files outside the intended directories by controlling the realFileType and fileId parameters. Exploit Title: Zhiyuan OA - arbitrary file upload leading...

📄 ASP.net 8.0.10 HTTP Request Smuggling / Authentication Bypass

ASP.net version 8.0.10 suffers from HTTP request smuggling, bypass, and server-side request forgery vulnerabilities. Exploit Title: ASP.net 8.0.10 - Bypass Date: 2025-11-03 Author: Mohammed Idrees Banyamer Author Country: Jordan Instagram: @banyamersecurity GitHub: https://github.com/mbanyamer CV...

📄 WordPress Madera 2.2.2 Local File Inclusion

WordPress Madera plugin versions 2.2.2 and below suffer from a local file inclusion vulnerability. Exploit Title: WordPress Madara Local File Inclusion Date: November 1, 2025 Exploit Author: Beatriz Fresno Naumova Vendor Homepage: WordPress Theme Madara Software Link: WordPress Theme Madara Teste...

📄 Grafana 11.6.0 Server-Side Request Forgery

Grafana versions 11.2.0 through 11.6.0 suffer from a server-side request forgery vulnerability. Exploit Title: Grafana 11.6.0 - SSRF FOFA: app="Grafana" Date: 2-11-2025 Exploit Author: Beatriz Fresno Naumova Vendor Homepage: https://grafana.com/ Software Link: https://grafana.com/grafana/download...

📄 Fuel CMS 1.4.1 Remote Command Execution

Fuel CMS version 1.4.1 unauthenticated remote command execution exploit that leverages an issue discovered back in 2018. !/usr/bin/python3 Exploit Title: Fuel CMS 1.4.1 - Remote Code Execution RCE via filter parameter Google Dork: intitle:"Welcome to Fuel CMS" inurl:/fuel/ Date: 2025-04-05 Exploi...

📄 DigitalOcean Droplet Agent Remote Command Execution

DigitalOcean Droplet Agent versions through 1.3.2 suffer from a remote command injection vulnerability via metadata poisoning and side-channel attacks. CVE-2026-24516-DigitalOcean-RCE. Technical analysis and PoC for CVE-2026-24516: Unauthenticated Root Remote Code Execution in DigitalOcean Drople...

📄 Microsoft SQL Server 2022 / 2025 Privilege Escalation

Microsoft SQL Server versions 2022 and 2025 suffer from a privilege escalation vulnerability via the MSDatabaseManager role. Title: Microsoft SQL Server Privilege Elevation Through MSDatabaseManager Role CVE-2025-24999 Product: Database Manufacturer: Microsoft Affected Versions: SQL Server...

📄 Bloomberg Memray Cross Site Scripting

Bloomberg Memray prior to versions 1.19.2 rendered the command line of the tracked process directly into generated HTML reports without escaping, allowing for cross site scripting attacks. CVE-2026-32722 Bloomberg Memray’s Stored XSS via Unescaped Command-Line Metadata Intro I found this issue...

📄 Langflow 1.8.4 File Write / Traversal / Remote Code Execution

Langflow versions 1.8.4 and below have an issue where the POST /api/v2/files endpoint does not sanitize the filename parameter from the multipart form data, allowing an attacker to write files to arbitrary locations on the filesystem using path traversal sequences. When Langflow runs with...

📄 listmonk Session Persistence

listmonk has a flaw where sessions persist as valid after password reset and password change. CVE-2026-34828 listmonk’s Session Persistence After Password Reset and Password Change Intro I found this issue while reviewing listmonk, an open-source newsletter and mailing list manager, with a simple...

📄 MetInfo CMS 8.1 Code Injection

MetInfo CMS versions 8.1 and below suffer from a PHP code injection vulnerability in weixinreply.class.php. --------------------------------------------------------------------------- MetInfo CMS = 8.1 weixinreply.class.php PHP Code Injection Vulnerability...

📄 FreeScout 1.8.206 Remote Code Execution

This Metasploit module exploits an unauthenticated remote code execution vulnerability in FreeScout versions less than or equal to 1.8.206 CVE-2026-28289. The sanitizeUploadedFileName function checks for dot-prefixed filenames before stripping Unicode format characters ZWSP U+200B, allowing...

📄 Langflow 1.8.1 Remote Code Execution

This Metasploit auxiliary module scans Langflow instances for CVE-2026-33017, an unauthenticated remote code execution vulnerability affecting versions 1.8.1 and below. ================================================================================================================================...

📄 NLTK StanfordSegmenter 3.9.2 Arbitrary Code Execution

nltk.tokenize.StanfordSegmenter dynamically loads external Java .jar files via subprocess without performing any integrity verification, signature checking, or sandboxing. The class accepts fully attacker-controlled parameters including pathtojar, pathtomodel, pathtodict, and javaclass, and passe...

📄 Google Keras 3.13.0 Denial of Service

A denial of service vulnerability exists in the HDF5 weight loading component of Google Keras versions 3.0.0 through 3.13.0 on all platforms. The vulnerability is caused by the absence of any validation or throttling when processing HDF5 dataset shape metadata declared inside a .keras archive...

📄 Wagtail CMS 6.4.1 Cross Site Scripting

Wagtail CMS version 6.4.1 is vulnerable to a persistent cross site scripting vulnerability in the document upload functionality. An attacker can embed a malicious payload inside a PDF file. When the uploaded document is accessed via the CMS interface, the payload may execute in the context of the...

📄 WordPress Datalogics Ecommerce Delivery Privilege Escalation

WordPress Datalogics Ecommerce Delivery plugin versions prior to 2.6.60 suffer from a privilege escalation vulnerability. ===============================================================================================================================================================================...

📄 Grav CMS 1.7.49.5 Remote Code Execution

Grav CMS versions 1.7.49.5 and below with Admin Plugin versions 1.10.49.3 and below are vulnerable to an authenticated remote code execution vulnerability via the "Direct Install" feature in the administrative interface. An authenticated administrator can upload a crafted plugin archive containin...

📄 NLTK 3.9.2 Arbitrary File Read / Path Traversal

NLTK versions 3.9.2 and below suffer from an arbitrary file read issue due to a path traversal vulnerability. CVE-2026-0847 — NLTK Multiple CorpusReader Classes: Arbitrary File Read via Path Traversal --- Overview | Field | Details | |---|---| | CVE ID | CVE-2026-0847 | | Package | nltk Natural...

📄 lollms-webui Server-Side Request Forgery

A critical server-side request forgery vulnerability has been identified in lollms-webui, the web interface for Lord of Large Language and Multi modal Systems. The @router.post"/api/proxy" endpoint allows unauthenticated attackers to force the server into making arbitrary GET requests. This can b...

📄 Microsoft Windows RRAS Integer Overflow

This Metasploit module simulates a remote exploitation attempt against a hypothetical integer overflow vulnerability in Windows RRAS, which could lead to a heap-based overflow and potential remote code execution...

📄 Langflow 1.8.1 Remote Code Execution

This Python script is a multi-threaded tool targeting a suspected vulnerability in Langflow versions 1.8.1 and below that allows unauthenticated remote code execution through unsafe execution of CustomComponent code during flow compilation...

📄 Ghost CMS 6.19.0 SQL Injection

Ghost CMS versions 3.24.0 through 6.19.0 suffer from a remote SQL injection vulnerability via the content API. Exploit Title: Ghost CMS Unauthenticated SQLi via Content API Date: 2026-03-30 Exploit Author: Maksim Rogov Exploit Licence: GPL-3.0 Software Link: https://ghost.org/ Version: Ghost =...

📄 Forcepoint One Endpoint macOS 25.08.5008 DLP Bypass

Forcepoint One Endpoint DLP Endpoint for macOS version 25.08.5008 with DLP Policy Engine version 10.2.0.298 allows a local standard non-admin user to bypass DLP content inspection and policy enforcement by sending SIGSTOP to user-owned browser helper processes Websense Endpoint Helper,...

📄 Bludit CMS Shell Upload

Bludit CMS versions prior to 3.18.4 have an unrestricted API file upload vulnerability that allows for remote code execution. Exploit Title: Bludit CMS . The uploadFile function performs no file extension or content validation, allowing upload of PHP webshells that execute as www-data. The API...

📄 LuaJIT 2.1.1774638290 Arbitrary Code Execution

LuaJIT's Foreign Function Interface FFI provides unrestricted access to native C functions including syscall, mmap, mprotect and arbitrary shared library loading. When FFI is accessible to untrusted Lua code in embedding scenarios OpenResty, Redis, game engines, IoT, an attacker can achieve...

📄 Generic HTTP Command Execution

This Metasploit module interacts with existing command execution functionality on a target system, where user-supplied input is directly passed to system execution functions via a HTTP request. This could be from an existing vulnerability, or uploaded webshells. It is likely that HTTP evasion...

📄 textract 2.5.0 Command Injection

textract through version 2.5.0 allows OS command injection through the file path supplied to multiple extractors. Several code paths pass that file path into childprocess.exec with inadequate sanitization. An attacker who can influence the file name or path can break out of the command line and r...

📄 pdf-image 2.0.0 Command Injection

pdf-image through version 2.0.0 allows OS command injection via the pdfFilePath argument. The package builds shell command strings with util.format and executes them with childprocess.exec. If an application passes an attacker-controlled file path into PDFImage, shell metacharacters in that path...

📄 OpenEMR 8.0.0.2 SQL Injection

OpenEMR versions prior to 8.0.0.3 contain a remote SQL injection vulnerability in the new search popup that can be exploited by authenticated attackers. The vulnerability exists due to insufficient input validation in the new search popup functionality. CVE-2026-29187 - SQL Injection Vulnerabilit...

📄 node-tesseract-ocr 2.2.1 Command Injection

node-tesseract-ocr through version 2.2.1 allows OS command injection in recognize in src/index.js. The package builds a shell command string and executes it with childprocess.exec. Because the input path is only wrapped in double quotes, an attacker can inject shell syntax through a crafted file...

📄 thumbler 1.1.2 Command Injection

thumbler through version 1.1.2 allows OS command injection in thumbnail in lib/thumbler.js. The package concatenates the input, output, time, and size values into a single ffmpeg command string and executes that string with childprocess.exec. An attacker who controls one of those values can injec...

📄 V8 StringToBigInt Memory Corruption Sandbox Bypass

V8 suffers from a sandbox bypass vulnerability due to memory corruption during StringToBigInt conversion. The function v8::internal::StringToBigInt is used by V8 when converting a string to a BigInt e.g. via BigInt“1337”. It first parses the string into individual digitt’s in the...

📄 V8 BytecodeArray Swapping Sandbox Bypass

V8 suffers from a sandbox bypass due to arbitrary bytecode execution from BytecodeArray swapping before code deoptimization. Vulnerability Details When deoptimizing compiled code and resuming execution in the interpreter, V8 uses the function Deoptimizer::DoComputeOutputFrames to reconstruct the...

📄 OpenEMR 8.0.0.2 SQL Injection

OpenEMR version 8.0.0.2 contains a remote SQL injection vulnerability in the patient selection feature that can be exploited by authenticated attackers. The vulnerability exists due to insufficient input validation in the patient selection feature. CVE-2026-33910 - SQL Injection Vulnerability in...

📄 EspoCRM 9.3.3 Remote Code Execution / Path Traversal

EspoCRM versions 9.3.3 and below proof of concept remote code execution exploit that leverages formula ACL bypass, path traversal, and poisoning. !/bin/bash =========================================================================== EspoCRM command Example: ./poc.sh http://192.168.5.16:8090 admin...

📄 MCPJam Inspector 1.4.2 Remote Code Execution

MCPJam Inspector versions 1.4.2 and below proof of concept remote code execution exploit. !/usr/bin/env python3 CVE-2026-23744.py for testing only import requests import argparse import json import sys import urllib3 urllib3.disablewarningsurllib3.exceptions.InsecureRequestWarning def main: parse...

📄 activitypub-federation-rust 0.7.1 Server-Side Request Forgery

activitypub-federation-rust versions 0.7.1 and below suffer from a server-side request forgery vulnerability. CVE-2026-33693: SSRF via 0.0.0.0 Bypass in activitypub-federation-rust v4isinvalid CVSS 6.5 Moderate Keywords: SSRF, 0.0.0.0, IP validation bypass, activitypub-federation, Lemmy, Rust,...

📄 ddev/ddev ZipSlip Path Traversal

A ZipSlip path traversal vulnerability exists in ddev/ddev, a popular open-source local development tool for PHP, Python, and Node.js projects. Both the Untar and Unzip functions in pkg/archive/archive.go use filepath.Joindest, file.Name without any path containment validation, allowing a crafted...

📄 Payara Server Cross Site Scripting

Research details on exploitation for a cross site scripting vulnerability in Payara's administration REST interface. Versions below 4.1.2.191.54, 5.83.0, 6.34.0, and 7.2026.1 are affected. XSS to Admin account takeover CVE-2025-14340 A Cross-Site Scripting vulnerability in Payara’s Administration...

📄 esiclivre 0.2.2 SQL Injection

esiclivre versions 0.2.2 and below suffer from a remote SQL injection vulnerability. CVE-2026-30655 — SQL Injection in esiclivre password reset Summary A SQL injection vulnerability exists in the password reset endpoint of esiclivre. An unauthenticated attacker can inject SQL via the cpfcnpj POST...

📄 OpenEMR 8.0.0 Authenticated SQL Injection

OpenEMR version 8.0.0 authenticated remote SQL injection exploit that leverages the name parameter in ajax/graphs.php. ====================================================================================================================== | Title : OpenEMR 8.0.0 Authenticated SQL Injection via nam...

📄 Webb Fontaine Trade Portal Information Disclosure

A security vulnerability was identified in the Webb Fontaine Trade Portal affecting the codification module /trade/help/codification. The issue allows unauthorized users to trigger data export functionality via the /export/excel endpoint without proper validation of session state or user...

📄 Barracuda ESG TAR Filename Command Injection

This Metasploit module exploits CVE-2023-2868, a command injection vulnerability in Barracuda Email Security Gateway ESG appliances. The vulnerability exists in how the ESG processes TAR file attachments - filenames containing shell metacharacters backticks are passed directly to shell commands...

📄 Starlink DNS Rebinding

This Metasploit auxiliary module implements a DNS rebinding attack targeting Starlink infrastructure CVE-2023-52235. The module operates by running a malicious DNS server that dynamically switches responses from a public IP to internal network targets, enabling access to internal services. It als...