AikidoSec

18 exploits Active since Jan 2015
CVE-2026-1207 GITHUB MEDIUM javascript WORKING POC
Django 4.2-4.2.27 5.2-5.2.10 6.0-6.0.1 - SQL Injection via RasterField Band Index Parameter
An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. Raster lookups on ``RasterField`` (only implemented on PostGIS) allows remote attackers to inject SQL via the band index parameter. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Tarek Nakkouch for reporting this issue.
6 stars
CVSS 5.4
CVE-2015-1369 GITHUB javascript WORKING POC
Sequelize <2.0.0-rc7 - SQL Injection
SQL injection vulnerability in Sequelize before 2.0.0-rc7 for Node.js allows remote attackers to execute arbitrary SQL commands via the order parameter.
6 stars
CVE-2019-15597 GITHUB CRITICAL javascript WORKING POC
node-df 0.1.4 - Remote Code Execution via Unsanitized Input
A code injection exists in node-df v0.1.4 that can allow an attacker to remote code execution by unsanitized input.
6 stars
CVSS 9.8
CVE-2020-26301 GITHUB HIGH javascript WORKING POC
ssh2 < 1.4.0 - OS Command Injection
ssh2 is client and server modules written in pure JavaScript for node.js. In ssh2 before version 1.4.0 there is a command injection vulnerability. The issue only exists on Windows. This issue may lead to remote code execution if a client of the library calls the vulnerable method with untrusted input. This is fixed in version 1.4.0.
6 stars
CVSS 7.5
CVE-2020-7687 GITHUB HIGH javascript WORKING POC
fast-http - Path Traversal via fs.readFile in index.js
This affects all versions of package fast-http. There is no path sanitization in the path provided at fs.readFile in index.js.
6 stars
CVSS 7.5
CVE-2020-7765 GITHUB MEDIUM javascript WORKING POC
@firebase/util <0.3.4 - Code Injection
This affects the package @firebase/util before 0.3.4. This vulnerability relates to the deepExtend function within the DeepCopy.ts file. Depending on if user input is provided, an attacker can overwrite and pollute the object prototype of a program.
6 stars
CVSS 5.6
CVE-2020-8116 GITHUB HIGH javascript WORKING POC
dot-prop <4.2.1, <5.1.1 - Prototype Pollution
Prototype pollution vulnerability in dot-prop npm package versions before 4.2.1 and versions 5.x before 5.1.1 allows an attacker to add arbitrary properties to JavaScript language constructs such as objects.
6 stars
CVSS 7.3
CVE-2023-31719 GITHUB CRITICAL javascript WORKING POC
FUXA <= 1.1.12 - SQL Injection via /api/signin
FUXA <= 1.1.12 is vulnerable to SQL Injection via /api/signin.
6 stars
CVSS 9.8
CVE-2024-24806 GITHUB HIGH javascript WORKING POC
libuv 1.24.0-1.47.0 - Server-Side Request Forgery via Hostname Truncation
libuv is a multi-platform support library with a focus on asynchronous I/O. The `uv_getaddrinfo` function in `src/unix/getaddrinfo.c` (and its windows counterpart `src/win/getaddrinfo.c`), truncates hostnames to 256 characters before calling `getaddrinfo`. This behavior can be exploited to create addresses like `0x00007f000001`, which are considered valid by `getaddrinfo` and could allow an attacker to craft payloads that resolve to unintended IP addresses, bypassing developer checks. The vulnerability arises due to how the `hostname_ascii` variable (with a length of 256 bytes) is handled in `uv_getaddrinfo` and subsequently in `uv__idna_toascii`. When the hostname exceeds 256 characters, it gets truncated without a terminating null byte. As a result attackers may be able to access internal APIs or for websites (similar to MySpace) that allows users to have `username.example.com` pages. Internal services that crawl or cache these user pages can be exposed to SSRF attacks if a malicious user chooses a long vulnerable username. This issue has been addressed in release version 1.48.0. Users are advised to upgrade. There are no known workarounds for this vulnerability.
6 stars
CVSS 7.3
CVE-2014-3744 GITHUB HIGH javascript WORKING POC
st module for Node.js < 0.2.5 - Path Traversal via Encoded Dot-Dot Sequences
Directory traversal vulnerability in the st module before 0.2.5 for Node.js allows remote attackers to read arbitrary files via a %2e%2e (encoded dot dot) in an unspecified path.
6 stars
CVSS 7.5
CVE-2024-53900 GITHUB CRITICAL javascript WORKING POC
mongoosejs/mongoose < 6.13.5 and >=8.0.0-rc0 <8.8.3 - Search Injection via $where in Match
Mongoose before 8.8.3 can improperly use $where in match, leading to search injection.
6 stars
CVSS 9.1
CVE-2025-23084 GITHUB MEDIUM javascript WORKING POC
Node.js 18.0-18.20.6 - Path Traversal in Windows Drive Name Handling
A vulnerability has been identified in Node.js, specifically affecting the handling of drive names in the Windows environment. Certain Node.js functions do not treat drive names as special on Windows. As a result, although Node.js assumes a relative path, it actually refers to the root directory. On Windows, a path that does not start with the file separator is treated as relative to the current directory. This vulnerability affects Windows users of `path.join` API.
6 stars
CVSS 5.5
CVE-2025-25975 GITHUB HIGH javascript WORKING POC
parse-git-config 3.0.0 - Exposure of Sensitive Information via expandKeys Function
An issue in parse-git-config v.3.0.0 allows an attacker to obtain sensitive information via the expandKeys function
6 stars
CVSS 7.5
CVE-2025-25977 GITHUB CRITICAL javascript WORKING POC
canvg 4.0.2 - Remote Code Execution via StyleElement Constructor
An issue in canvg v.4.0.2 allows an attacker to execute arbitrary code via the Constructor of the class StyleElement.
6 stars
CVSS 9.8
CVE-2025-27152 GITHUB MEDIUM javascript WORKING POC
axios < 1.8.2 - Server-Side Request Forgery via Absolute URL Handling
axios is a promise based HTTP client for the browser and node.js. The issue occurs when passing absolute URLs rather than protocol-relative URLs to axios. Even if ⁠baseURL is set, axios sends the request to the specified absolute URL, potentially causing SSRF and credential leakage. This issue impacts both server-side and client-side usage of axios. This issue is fixed in 1.8.2.
6 stars
CVSS 5.3
CVE-2025-32020 GITHUB CRITICAL javascript WORKING POC
crud-query-parser < 0.1.0 - SQL Injection via TypeORM Order/Sort Parameter
The crud-query-parser library parses query parameters from HTTP requests and converts them to database queries. Improper neutralization of the order/sort parameter in the TypeORM adapter, which allows SQL injection. You are impacted by this vulnerability if you are using the TypeORM adapter, ordering is enabled and you have not set-up a property filter. This vulnerability is fixed in 0.1.0.
6 stars
CVE-2025-2294 GITHUB CRITICAL javascript WORKING POC
Kubio AI Page Builder <2.5.1 - Local File Inclusion
The Kubio AI Page Builder plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.5.1 via thekubio_hybrid_theme_load_template function. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included.
6 stars
CVSS 9.8
CVE-2024-39338 GITHUB HIGH javascript WORKING POC
axios 1.3.2-1.7.3 - Server-Side Request Forgery via Path Relative URL Processing
axios 1.7.2 allows SSRF via unexpected behavior where requests for path relative URLs get processed as protocol relative URLs.
6 stars
CVSS 7.5