
50738 matches found

Packet Storm | added 2026/04/17 12:00 a.m. | 161 views

MCPJam Inspector 1.4.2 Remote Code Execution

This Metasploit auxiliary module targets a remote code execution vulnerability in MCPJam Inspector version 1.4.2. The flaw exists in the /api/mcp/connect endpoint, where user-controlled input is improperly passed to a backend execution mechanism...

CVSS 9.8 | AI score 6.7 | EPSS 0.38374
Exploits: 29
Packet Storm | added 2026/04/17 12:00 a.m. | 115 views

V8 Sandbox Bypass: BigInt Division Memory Corruption

This is a variant of crbug.com/474041332. The issue there was that MultiplyFFT, an optimized version of integer multiplication for very large inputs, is not robust against concurrent modification of its input buffers, but was called from ProcessorImpl::FromStringLarge with a temporary buffer insi...

AI score 5.9
Exploits: 0
Packet Storm | added 2026/04/16 12:00 a.m. | 95 views

ChurchCRM Database Restore Remote Code Execution

This Metasploit module exploits a remote code execution vulnerability in ChurchCRM versions prior to 6.2.0. The vulnerability resides in the Database Restore functionality, which allows an authenticated user with administrative privileges to upload a malicious backup file. By bypassing upload...

CVSS 9.1 | AI score 6.4 | EPSS 0.01381
Exploits: 3
Packet Storm | added 2026/04/16 12:00 a.m. | 96 views

Fortinet FortiSandbox 4.4.8 Remote Command Execution

Fortinet FortiSandbox versions 4.4.0 through 4.4.8 suffer from a remote command execution vulnerability. CVE-2026-39808. In November 2025, a critical vulnerability was discovered in Fortinet's FortiSandbox which allowed an unauthenticated attacker to execute commands in the underlying OS as root...

CVSS 9.8 | AI score 6 | EPSS 0.48668
Exploits: 6
Packet Storm | added 2026/04/15 12:00 a.m. | 108 views

Siemens SICAM A8000 25.30 Denial of Service

Siemens SICAM A8000 CP-8050/CP-8031/CP-8010/CP-8012 versions 25.30 and below suffer from a resource exhaustion denial of service vulnerability. CyberDanube Security Research 20260408-0. Title | Remote Operation Denial o...

CVSS 7.1 | AI score 5.8 | EPSS 0.00269
Exploits: 1
Packet Storm | added 2026/04/15 12:00 a.m. | 130 views

Siemens SICAM A8000 25.30 Denial of Service / Memory Corruption

Siemens SICAM A8000 CP-8050/CP-8031/CP-8010/CP-8012 versions 25.30 and below suffer from Content-Length denial of service and XML related memory corruption vulnerabilities. CyberDanube Security Research 20260408-1...

CVSS 8.7 | AI score 5.8 | EPSS 0.00358
Exploits: 1
Packet Storm | added 2026/04/15 12:00 a.m. | 109 views

Kiuwan SAST 2.8.2412.0 Improper Enforcement

It was found that a user is still able to log in to the Kiuwan WebUI via SSO, even if the Kiuwan mapped account has been disabled in the user settings by an admin. This issue has been addressed in version 2.8.2509.4. SEC Consult Vulnerability Lab Security Advisory...

CVSS 5.4 | AI score 5.7 | EPSS 0.00189
Exploits: 1
Packet Storm | added 2026/04/14 12:00 a.m. | 223 views

Twig Sandbox Bypass / XXE / Remote Code Execution / LFI

Research describing a critical vulnerability that exists in the October CMS Twig sandbox Safe Mode that allows authenticated users with template editing privileges to bypass security restrictions and execute arbitrary PHP code or read arbitrary files via XML injection or local file inclusion from...

CVSS 4.9 | AI score 6.1 | EPSS 0.00395
Exploits: 2
Packet Storm | added 2026/04/14 12:00 a.m. | 102 views

Selenium Grid/Selenoid Unauthenticated Remote Code Execution

Selenium Grid and Selenoid expose a WebDriver API that allows creating browser sessions with arbitrary capabilities. When deployed without authentication (the default for both), an attacker can achieve remote code execution through two browser-specific techniques: For Chrome, the goog:chromeOptions...

AI score 6.5
Exploits: 0
Packet Storm | added 2026/04/14 12:00 a.m. | 75 views

CMS Sense 2.0 Cross Site Scripting

CMS Sense version 2.0 suffers from a cross site scripting vulnerability. Title: CMS sense v 2.0 HTML Injection Leading to XSS via Attribute Breakout | Author:...

AI score 5.2
Exploits: 0
Packet Storm | added 2026/04/14 12:00 a.m. | 99 views

WebRemoteControl Unauthenticated Remote Code Execution

WebRemoteControl suffers from an unauthenticated remote code execution vulnerability. Exploit Title: WebRemoteControl - Unauthenticated Remote Code Execution Date: 2026-04-14 Exploit Author: Chokri Hammedi Vendor Homepage: https://github.com/wolfgangasdf/WebRemoteControl Software Link:...

AI score 6.4
Exploits: 0
Packet Storm | added 2026/04/14 12:00 a.m. | 74 views

WebRemoteControl Unauthenticated Remote Filesystem Access

WebRemoteControl suffers from an unauthenticated remote filesystem access vulnerability. This proof of concept exploit lets you browse directory contents and access files. Exploit Title: WebRemoteControl - Unauthenticated Remote Filesystem Access Date: 2026-04-14 Exploit Author: Chokri Hammedi...

AI score 5.8
Exploits: 0
Packet Storm | added 2026/04/13 12:00 a.m. | 82 views

Redaxo 5.20.1 Path Traversal

Redaxo versions 5.20.1 and below suffer from a path traversal vulnerability. CVE-2026-21857: Redaxo has Path Traversal in Backup Addon Leading to Arbitrary File Read Overview | Field | Details | |---|---| | CVE ID | CVE-2026-21857 | | Severity | HIGH | | Advisory | View Advisory | | Discovered by...

CVSS 8.3 | AI score 5.8 | EPSS 0.00493
Exploits: 3
Packet Storm | added 2026/04/13 12:00 a.m. | 79 views

Pachno 1.0.6 Wiki TextParser XML Injection

Pachno version 1.0.6 suffers from an XML eXternal Entity (XXE) vulnerability in the wiki textparser. Pachno 1.0.6 Wiki TextParser XXE Vulnerability Vendor: Daniel André Eikeland Product web page: https://github.com/pachno/pachno Affected version: 1.0.6 Summary: Pachno is an open-source collaboratio...

AI score 5.8
Exploits: 0
Packet Storm | added 2026/04/13 12:00 a.m. | 80 views

EGroupware SQL Injection

EGroupware versions prior to 23.1.20260113 and greater than or equal to 26.0.20251208 but less than 26.0.20260113 are affected by a remote SQL injection vulnerability in the Nextmatch filter processing. CVE-2026-22243: EGroupware has SQL Injection in Nextmatch Filter Processing Overview | Field |...

CVSS 8.8 | AI score 5.9 | EPSS 0.0036
Exploits: 3
Packet Storm | added 2026/04/13 12:00 a.m. | 160 views

Shopware Improper Control

Shopware versions greater than or equal to 6.7.0.0 and less than 6.7.6.1 have an improper control related to Twig rendered views. CVE-2026-23498: Shopware Has Improper Control of Generation of Code in Twig rendered views Overview | Field | Details | |---|---| | CVE ID | CVE-2026-23498 | | Severity...

CVSS 7.2 | AI score 7.2 | EPSS 0.00407
Exploits: 1
Packet Storm | added 2026/04/13 12:00 a.m. | 89 views

WBCE CMS 1.6.4 SQL Injection

WBCE CMS versions 1.6.4 and below suffer from a remote time-based SQL injection vulnerability via the groups parameter. CVE-2025-65950: WBCE CMS is Vulnerable to Time-Based Blind SQL Injection through groups Parameter Overview | Field | Details | |---|---| | CVE ID | CVE-2025-65950 | | Severity |...

CVSS 9.4 | AI score 5.9 | EPSS 0.00462
Exploits: 3
Packet Storm | added 2026/04/13 12:00 a.m. | 102 views

ChurchCRM Cross Site Scripting

ChurchCRM versions 6.5.2 and below suffer from a persistent cross site scripting vulnerability in the person property assignment functionality. Note that the advisory says versions 6.3.0 and below are affected but the CVE entry states versions prior to 6.5.3. CVE-2025-67875: ChurchCRM has stored...

CVSS 8.5 | AI score 5.2 | EPSS 0.00164
Exploits: 3
Packet Storm | added 2026/04/13 12:00 a.m. | 93 views

FacturaScripts SQL Injection

FacturaScripts versions prior to 2025.81 suffer from a remote SQL injection vulnerability in the Autocomplete Actions functionality. CVE-2026-25514: FacturaScripts has SQL Injection in Autocomplete Actions Overview | Field | Details | |---|---| | CVE ID | CVE-2026-25514 | | Severity | HIGH | |...

CVSS 8.8 | AI score 6.2 | EPSS 0.00473
Exploits: 3
Packet Storm | added 2026/04/13 12:00 a.m. | 75 views

Pachno 1.0.6 FileCache Deserialization Remote Code Execution

Pachno version 1.0.6 uses the unserialize function on the contents of cache files stored under PACHNOPATH/cache/ during the framework bootstrap sequence, before any authentication, routing, or controller logic is executed. Cache files are created with world-writable permissions (chmod 0666) and use...

AI score 6.4
Exploits: 0
Packet Storm | added 2026/04/13 12:00 a.m. | 109 views

ChurchCRM 6.4.0 Cross Site Scripting

ChurchCRM versions 6.4.0 and below suffer from a persistent cross site scripting vulnerability in group role name assignment. CVE-2025-67876: ChurchCRM has Stored XSS in Group Role Name Leading to Admin Session Hijacking Overview | Field | Details | |---|---| | CVE ID | CVE-2025-67876 | | Severity ...

CVSS 9.3 | AI score 5.2 | EPSS 0.00165
Exploits: 2
Packet Storm | added 2026/04/13 12:00 a.m. | 86 views

Pachno 1.0.6 Shell Upload

Pachno version 1.0.6 suffers from a remote shell upload vulnerability. The multipart file parameter to the /uploadfile endpoint allows authenticated users to upload files directly to the server. File upload must be enabled by an admin, who can also configure the storage path, within a...

AI score 6.2
Exploits: 0
Packet Storm | added 2026/04/13 12:00 a.m. | 96 views

FacturaScripts SQL Injection

FacturaScripts versions prior to 2025.81 suffer from a remote SQL injection vulnerability in the API ORDER BY clause. CVE-2026-25513: FacturaScripts has SQL Injection in API ORDER BY Clause Overview | Field | Details | |---|---| | CVE ID | CVE-2026-25513 | | Severity | HIGH | | Advisory | View...

CVSS 8.8 | AI score 6.2 | EPSS 0.00473
Exploits: 3
Packet Storm | added 2026/04/13 12:00 a.m. | 73 views

Pachno 1.0.6 Cross Site Request Forgery

Pachno version 1.0.6 suffers from a cross site request forgery vulnerability. Pachno 1.0.6 Cross-Site Request Forgery Vendor: Daniel André Eikeland Product web page: https://github.com/pachno/pachno Affected version: 1.0.6 Summary: Pachno is an open-source collaboration platform formerly known as...

AI score 5.2
Exploits: 0
Packet Storm | added 2026/04/13 12:00 a.m. | 72 views

Authentic 8 Insecure Direct Object Reference / Broken Access Control

Authentic 8 has a broken access control issue that can be leveraged via insecure direct object reference and can lead to PII disclosure. Title: Authentic 8...

AI score 5.8
Exploits: 0
Packet Storm | added 2026/04/13 12:00 a.m. | 95 views

InvoicePlane 1.6.3 Path Traversal

InvoicePlane versions 1.6.3 and below suffer from a path traversal vulnerability in the getfile method of the Guest module. CVE-2026-23491: InvoicePlane has Unauthenticated Path Traversal in Guest Controller Overview | Field | Details | |---|---| | CVE ID | CVE-2026-23491 | | Severity | CRITICAL ...

CVSS 9.3 | AI score 5.8 | EPSS 0.0105
Exploits: 2
Packet Storm | added 2026/04/13 12:00 a.m. | 91 views

OpenSTAManager 2.9.8 SQL Injection

OpenSTAManager versions 2.9.8 and below suffer from a remote SQL injection vulnerability in the Scadenzario bulk operations module. CVE-2026-24418: OpenSTAManager has a SQL Injection vulnerability in the Scadenzario bulk operations module Overview | Field | Details | |---|---| | CVE ID |...

CVSS 8.7 | AI score 5.9 | EPSS 0.00356
Exploits: 4
Packet Storm | added 2026/04/13 12:00 a.m. | 75 views

Pachno 1.0.6 Privilege Escalation

The authorization check in the runSwitchUser action in Pachno version 1.0.6 evaluates the expression !canSaveConfiguration && !hasCookie('originalusername') and only forbids the request when both subexpressions are true. The presence of the originalusername cookie is sufficient to satisfy the secon...

AI score 5.9
Exploits: 0
Packet Storm | added 2026/04/13 12:00 a.m. | 108 views

ChurchCRM SQL Injection

ChurchCRM versions prior to 6.5.3 suffer from a remote SQL injection vulnerability in ConfirmReportEmail.php. CVE-2025-68400: ChurchCRM vulnerable to time-based blind SQL Injection in ConfirmReportEmail.php Overview | Field | Details | |---|---| | CVE ID | CVE-2025-68400 | | Severity | CRITICAL |...

CVSS 9.3 | AI score 5.9 | EPSS 0.00323
Exploits: 3
Packet Storm | added 2026/04/13 12:00 a.m. | 89 views

OpenSTAManager 2.9.8 Cross Site Scripting

OpenSTAManager versions 2.9.8 and below suffer from a cross site scripting vulnerability in modificaiva.php via the righe parameter. CVE-2026-24415: OpenSTAManager Affected by XSS in modificaiva.php via righe parameter Overview | Field | Details | |---|---| | CVE ID | CVE-2026-24415 | | Severity ...

CVSS 6.1 | AI score 5.2 | EPSS 0.00245
Exploits: 3
Packet Storm | added 2026/04/13 12:00 a.m. | 80 views

Cockpit CMS 2.13.5 NoSQL Injection

Cockpit CMS version 2.13.5 is vulnerable to NoSQL operator injection on multiple API endpoints. User-supplied filter objects are forwarded to the Mongolite query engine without stripping MongoDB operators. Authenticated users can bypass intended query filters and perform boolean-based blind queri...

AI score 5.8
Exploits: 0
Packet Storm | added 2026/04/13 12:00 a.m. | 107 views

TypiCMS Cross Site Scripting

TypiCMS versions prior to 16.1.7 suffer from a persistent cross site scripting vulnerability via SVG file uploads. CVE-2026-27621: TypiCMS Core has Stored Cross-Site Scripting XSS via SVG File Upload Overview | Field | Details | |---|---| | CVE ID | CVE-2026-27621 | | Severity | MEDIUM | | Advisory | View...

CVSS 6.8 | AI score 5.2 | EPSS 0.00188
Exploits: 2
Packet Storm | added 2026/04/13 12:00 a.m. | 93 views

WBCE CMS 1.6.4 Brute Force

WBCE CMS version 1.6.4 suffers from a brute force protection bypass vulnerability. CVE-2025-66204: WBCE CMS allows brute-force protection bypass using X-Forwarded-For header Overview | Field | Details | |---|---| | CVE ID | CVE-2025-66204 | | Severity | MEDIUM | | Advisory | View Advisory | |...

CVSS 8.1 | AI score 5.8 | EPSS 0.00402
Exploits: 2
Packet Storm | added 2026/04/13 12:00 a.m. | 67 views

Pachno 1.0.6 Cross Site Scripting

Pachno version 1.0.6 suffers from persistent cross site scripting vulnerabilities. Pachno 1.0.6 Stored Cross-Site Scripting Vendor: Daniel André Eikeland Product web page: https://github.com/pachno/pachno Affected version: 1.0.6 Summary: Pachno is an open-source collaboration platform formerly...

AI score 5.2
Exploits: 0
Packet Storm | added 2026/04/13 12:00 a.m. | 109 views

OpenSTAManager 2.9.8 SQL Injection

OpenSTAManager versions 2.9.8 and below suffer from a remote time-based SQL injection vulnerability in the Article Pricing module. CVE-2026-24416: OpenSTAManager has a Time-Based Blind SQL Injection in Article Pricing Module Overview | Field | Details | |---|---| | CVE ID | CVE-2026-24416 | |...

CVSS 8.7 | AI score 5.9 | EPSS 0.00366
Exploits: 3
Packet Storm | added 2026/04/13 12:00 a.m. | 127 views

XWiki Blog Cross Site Scripting

XWiki Blog versions prior to 9.15.7 suffer from a persistent cross site scripting vulnerability via the blog post title. CVE-2025-66024: XWiki Blog Application home page vulnerable to Stored XSS via Post Title Overview | Field | Details | |---|---| | CVE ID | CVE-2025-66024 | | Severity | HIGH | ...

CVSS 9 | AI score 5.2 | EPSS 0.00353
Exploits: 3
Packet Storm | added 2026/04/13 12:00 a.m. | 145 views

OpenSTAManager 2.9.8 SQL Injection

OpenSTAManager versions 2.9.8 and below suffer from a remote SQL injection vulnerability in the Stampe module. CVE-2025-69215: OpenSTAManager has an SQL Injection in the Stampe Module Overview | Field | Details | |---|---| | CVE ID | CVE-2025-69215 | | Severity | HIGH | | Advisory | View Advisory...

CVSS 8.8 | AI score 5.9 | EPSS 0.00374
Exploits: 3
Packet Storm | added 2026/04/13 12:00 a.m. | 107 views

WBCE CMS Privilege Escalation / Insecure Direct Object Reference

WBCE CMS versions prior to 1.6.4 suffer from insecure direct object reference and privilege escalation vulnerabilities. CVE-2025-65094: WBCE CMS is Vulnerable to Privilege Escalation via Group ID Manipulation IDOR Overview | Field | Details | |---|---| | CVE ID | CVE-2025-65094 | | Severity | HI...

CVSS 8.8 | AI score 5.8 | EPSS 0.00331
Exploits: 3
Packet Storm | added 2026/04/13 12:00 a.m. | 145 views

OpenSTAManager 2.9.8 SQL Injection

OpenSTAManager versions 2.9.8 and below suffer from a remote SQL injection vulnerability in ajaxcomplete.php. CVE-2025-69213: OpenSTAManager has a SQL Injection in ajaxcomplete.php getsedi endpoint Overview | Field | Details | |---|---| | CVE ID | CVE-2025-69213 | | Severity | HIGH | | Advisory |...

CVSS 8.8 | AI score 5.9 | EPSS 0.00381
Exploits: 3
Packet Storm | added 2026/04/13 12:00 a.m. | 88 views

Pachno 1.0.6 Open Redirection

Pachno version 1.0.6 suffers from an open redirection vulnerability. Input passed via the returnto GET/POST parameter to the login endpoint is not properly verified before being used to redirect users. The getLoginForwardUrl helper applies htmlentities to the value which is intended for HTML outp...

AI score 5.9
Exploits: 0
Packet Storm | added 2026/04/13 12:00 a.m. | 75 views

Omega-PSIR Cross Site Scripting

Omega-PSIR suffers from a cross site scripting vulnerability via the lang parameter. CVE-2026-1434: Omega-PSIR is vulnerable to Reflected XSS via the lang parameter. An attacker can craft a... Overview | Field | Details | |---|---| | CVE ID | CVE-2026-1434 | | Severity | MEDIUM | | Advisory | N/A...

CVSS 6.1 | AI score 5.2 | EPSS 0.00158
Exploits: 2
Packet Storm | added 2026/04/13 12:00 a.m. | 106 views

OpenSTAManager 2.9.8 SQL Injection

OpenSTAManager versions 2.9.8 and below suffer from a remote SQL injection vulnerability in the Scadenzario Print Template. CVE-2025-69216: OpenSTAManager has a SQL Injection in Scadenzario Print Template Overview | Field | Details | |---|---| | CVE ID | CVE-2025-69216 | | Severity | HIGH | |...

CVSS 8.7 | AI score 5.9 | EPSS 0.00354
Exploits: 3
Packet Storm | added 2026/04/13 12:00 a.m. | 87 views

OpenSTAManager 2.9.8 SQL Injection

OpenSTAManager versions 2.9.8 and below suffer from a remote SQL injection vulnerability in the Prima Nota module. CVE-2026-24419: OpenSTAManager has a SQL Injection in the Prima Nota module Overview | Field | Details | |---|---| | CVE ID | CVE-2026-24419 | | Severity | HIGH | | Advisory | View...

CVSS 8.7 | AI score 5.9 | EPSS 0.00344
Exploits: 3
Packet Storm | added 2026/04/13 12:00 a.m. | 154 views

OpenSTAManager 2.9.8 Command Injection

OpenSTAManager versions 2.9.8 and below suffer from a command injection vulnerability via the P7M file processing functionality. CVE-2025-69212: OpenSTAManager has an OS Command Injection in P7M File Processing Overview | Field | Details | |---|---| | CVE ID | CVE-2025-69212 | | Severity | CRITIC...

CVSS 9.4 | AI score 5.8 | EPSS 0.01755
Exploits: 12
Packet Storm | added 2026/04/13 12:00 a.m. | 128 views

Dolibarr 22.0.4 Command Injection

Dolibarr versions 22.0.4 and below suffer from a remote code injection vulnerability via MAINODTASPDF. CVE-2026-23500: OS Command Injection RCE via MAINODTASPDF configuration in Dolibarr Overview | Field | Details | |---|---| | CVE ID | CVE-2026-23500 | | Severity | CRITICAL | | Advisory |...

CVSS 9.4 | AI score 6 | EPSS 0.00922
Exploits: 3
Packet Storm | added 2026/04/13 12:00 a.m. | 203 views

OpenSTAManager 2.9.8 SQL Injection / Denial of Service

OpenSTAManager versions 2.9.8 and below suffer from a remote time-based SQL injection vulnerability in the search functionality that can lead to a denial of service condition. CVE-2026-24417: OpenSTAManager has a Time-Based Blind SQL Injection with Amplified Denial of Service Overview | Field |...

CVSS 8.7 | AI score 5.9 | EPSS 0.00366
Exploits: 3
Packet Storm | added 2026/04/13 12:00 a.m. | 464 views

OpenSTAManager 2.9.8 SQL Injection

OpenSTAManager versions 2.9.8 and below suffer from a remote SQL injection vulnerability in ajaxselect.php. CVE-2025-69214: OpenSTAManager has a SQL Injection in ajaxselect.php componenti endpoint Overview | Field | Details | |---|---| | CVE ID | CVE-2025-69214 | | Severity | HIGH | | Advisory |...

CVSS 8.8 | AI score 5.9 | EPSS 0.00423
Exploits: 3
Packet Storm | added 2026/04/10 12:00 a.m. | 87 views

WordPress IndieWeb 4.0.5 Cross Site Scripting

WordPress IndieWeb plugin versions 4.0.5 and below suffer from a persistent cross site scripting vulnerability. CVE-2025-14893: Authenticated Stored Cross-Site Scripting XSS in IndieWeb WordPress Plugin Disclaimer: This repository is created for educational purposes and ethical disclosure only. Th...

CVSS 6.4 | AI score 5.2 | EPSS 0.00205
Exploits: 2
Packet Storm | added 2026/04/10 12:00 a.m. | 85 views

D-Link DIR-650IN Command Injection

Proof of concept details for an authenticated command injection vulnerability in D-Link DIR-650IN. Exploit Title: D-Link DIR-650IN - Authenticated Command Injection Date: 2023-01-08 Exploit Author: Sanjay Singh Vendor Homepage: https://www.dlink.com Software Link:...

AI score 5.8
Exploits: 0
Packet Storm | added 2026/04/10 12:00 a.m. | 146 views

SQLite 3.50.1 Heap Overflow

SQLite version 3.50.1 proof of concept that triggers a heap overflow in winsqlite3.dll via excessive aggregate functions. Exploit Title: SQLite 3.50.1 - Heap Overflow Date: 2025-11-05 Author: Mohammed Idrees Banyamer Author Country: Jordan Instagram: @banyamersecurity GitHub:...

CVSS 9.8 | AI score 6.8 | EPSS 0.73495
Exploits: 3
Total number of security vulnerabilities: 50738