Özkan Mustafa Akkuş (AkkuS)

59 exploits Active since Nov 2018
EIP-2026-110493 EXPLOITDB text WORKING POC
PaulNews 1.0 - 'keyword' SQL Injection / Cross-Site Scripting
EIP-2026-110449 EXPLOITDB text WORKING POC
PageResponse FB Inboxer Add-on 1.2 - 'search_field' SQL Injection
EIP-2026-110676 EXPLOITDB text WORKING POC
PHP Dashboards 4.5 - 'email' SQL Injection
EIP-2026-110677 EXPLOITDB text WORKING POC
PHP Dashboards 4.5 - SQL Injection
EIP-2026-110696 EXPLOITDB text WORKING POC
PHP File Browser Script 1 - Directory Traversal
CVE-2018-19458 EXPLOITDB HIGH python WORKING POC
php-proxy 3.0.3 - Unauthenticated Local File Inclusion via index.php q Parameter
In PHP Proxy 3.0.3, any user can read files from the server without authentication due to an index.php?q=file:/// LFI URI, a different vulnerability than CVE-2018-19246.
CVSS 7.5
CVE-2019-11537 EXPLOITDB MEDIUM text WORKING POC
osTicket < 1.12 - Cross-Site Scripting via User Importer CSV File Upload
In osTicket before 1.12, XSS exists via /upload/file.php, /upload/scp/users.php?do=import-users, and /upload/scp/ajax.php/users/import if an agent manager user uploads a crafted .csv file to the User Importer, because file contents can appear in an error message. The XSS can lead to local file inclusion.
CVSS 6.1
EIP-2026-109919 EXPLOITDB text WORKING POC
NewsBee CMS 1.4 - 'home-text-edit.php' SQL Injection
EIP-2026-109918 EXPLOITDB text WORKING POC
NewsBee CMS 1.4 - 'download.php' SQL Injection
EIP-2026-109807 EXPLOITDB text WORKING POC
mySurvey 1.0 - 'id' SQL Injection
EIP-2026-109800 EXPLOITDB text WORKING POC
MySQL Smart Reports 1.0 - 'id' SQL Injection / Cross-Site Scripting
EIP-2026-109797 EXPLOITDB text WORKING POC
MySQL Blob Uploader 1.7 - 'home-filet-edit.php' SQL Injection / Cross-Site Scripting
EIP-2026-109796 EXPLOITDB text WORKING POC
MySQL Blob Uploader 1.7 - 'home-filet-edit.php' SQL Injection
EIP-2026-109795 EXPLOITDB text WORKING POC
MySQL Blob Uploader 1.7 - 'home-file-edit.php' SQL Injection / Cross-Site Scripting
EIP-2026-109664 EXPLOITDB text WORKING POC
My Directory 2.0 - SQL Injection / Cross-Site Scripting
EIP-2026-109794 EXPLOITDB text WORKING POC
MySQL Blob Uploader 1.7 - 'download.php' SQL Injection / Cross-Site Scripting
EIP-2026-109170 EXPLOITDB text WORKING POC
Listing Hub CMS 1.0 - SQL Injection
CVE-2018-20159 EXPLOITDB HIGH python WORKING POC
i-doit 1.11.2 - Authenticated Remote Code Execution via Plugin ZIP Upload
i-doit open 1.11.2 allows Remote Code Execution because ZIP archives are mishandled. It has an upload feature that allows an authenticated user with the administrator role to upload arbitrary files to the main website directory. Exploitation involves uploading a ".php" file within a ".zip" file because a ZIP archive is accepted by /admin/?req=modules&action=add as a plugin, and extracted to the main directory. In order for the ".zip" file to be accepted, it must also contain a package.json file.
CVSS 7.2
EIP-2026-107295 EXPLOITDB text WORKING POC
FTP2FTP 1.0 - Arbitrary File Download
EIP-2026-107467 EXPLOITDB text WORKING POC
GPSTracker 1.0 - 'id' SQL Injection
EIP-2026-107409 EXPLOITDB text WORKING POC
Gigs 2.0 - 'username' SQL Injection
EIP-2026-106737 EXPLOITDB text WORKING POC
EasyService Billing 1.0 - SQL Injection / Cross-Site Scripting
EIP-2026-107067 EXPLOITDB text WORKING POC
Feedy RSS News Ticker 2.0 - 'cat' SQL Injection
EIP-2026-106865 EXPLOITDB text WORKING POC
Employee Work Schedule 5.9 - 'cal_id' SQL Injection
EIP-2026-106736 EXPLOITDB text WORKING POC
EasyService Billing 1.0 - 'p1' SQL Injection