AkkuS

99 exploits | Active since Nov 2018
EIP-2026-113596 EXPLOITDB text WORKING POC
WordPress Plugin Booking Calendar 3.0.0 - SQL Injection / Cross-Site Scripting
EIP-2026-113389 EXPLOITDB text WORKING POC
Wecodex Store Paypal 1.0 - SQL Injection
CVE-2019-5009 EXPLOITDB HIGH python WORKING POC
Vtiger CRM 7.1.0 - Code Injection
Vtiger CRM 7.1.0 before Hotfix2 allows uploading files with the extension "php3" in the logo upload field, if the uploaded file is in PNG format and has a size of 150x40. One can put PHP code into the image; PHP code can be executed using "<? ?>" tags, as demonstrated by a CompanyDetailsSave action. This bypasses the bad-file-extensions protection mechanism. It is related to actions/CompanyDetailsSave.php, actions/UpdateCompanyLogo.php, and models/CompanyDetails.php.
CVSS 7.2
EIP-2026-112668 EXPLOITDB text WORKING POC
TI Online Examination System v2 - Arbitrary File Download
EIP-2026-112235 EXPLOITDB text WORKING POC
Smart SMS & Email Manager 3.3 - 'contact_type_id' SQL Injection
CVE-2018-20166 EXPLOITDB HIGH ruby WORKING POC
Rukovoditel 2.3.1 - Code Injection
A file-upload vulnerability exists in Rukovoditel 2.3.1. index.php?module=configuration/save allows the user to upload a background image, and mishandles extension checking. It accepts uploads of PHP content if the first few characters match GIF data, and the filename ends in ".php" with mixed case, such as the .pHp extension.
CVSS 8.8
CVE-2018-18924 EXPLOITDB HIGH text WORKING POC
ProjeQtOr 7.2.5 - RCE
The image-upload feature in ProjeQtOr 7.2.5 allows remote attackers to execute arbitrary code by uploading a .shtml file with "#exec cmd" because rejected files remain on the server, with predictable filenames, after a "This file is not a valid image" error message.
CVSS 8.8
EIP-2026-110449 EXPLOITDB text WORKING POC
PageResponse FB Inboxer Add-on 1.2 - 'search_field' SQL Injection
EIP-2026-110812 EXPLOITDB text WRITEUP
PHP-Fusion 9.03.50 - 'Edit Profile' Arbitrary File Upload
CVE-2018-19458 EXPLOITDB HIGH python WORKING POC
PHP Proxy 3.0.3 - Info Disclosure
In PHP Proxy 3.0.3, any user can read files from the server without authentication due to an index.php?q=file:/// LFI URI, a different vulnerability than CVE-2018-19246.
CVSS 7.5
EIP-2026-110696 EXPLOITDB text WORKING POC
PHP File Browser Script 1 - Directory Traversal
EIP-2026-110677 EXPLOITDB text WORKING POC
PHP Dashboards 4.5 - SQL Injection
EIP-2026-110676 EXPLOITDB text WORKING POC
PHP Dashboards 4.5 - 'email' SQL Injection
EIP-2026-110493 EXPLOITDB text WORKING POC
PaulNews 1.0 - 'keyword' SQL Injection / Cross-Site Scripting
CVE-2019-11537 EXPLOITDB MEDIUM text WORKING POC
osTicket <1.12 - XSS
In osTicket before 1.12, XSS exists via /upload/file.php, /upload/scp/users.php?do=import-users, and /upload/scp/ajax.php/users/import if an agent manager user uploads a crafted .csv file to the User Importer, because file contents can appear in an error message. The XSS can lead to local file inclusion.
CVSS 6.1
EIP-2026-109794 EXPLOITDB text WORKING POC
MySQL Blob Uploader 1.7 - 'download.php' SQL Injection / Cross-Site Scripting
EIP-2026-109919 EXPLOITDB text WORKING POC
NewsBee CMS 1.4 - 'home-text-edit.php' SQL Injection
EIP-2026-109918 EXPLOITDB text WORKING POC
NewsBee CMS 1.4 - 'download.php' SQL Injection
EIP-2026-109807 EXPLOITDB text WORKING POC
mySurvey 1.0 - 'id' SQL Injection
EIP-2026-109800 EXPLOITDB text WORKING POC
MySQL Smart Reports 1.0 - 'id' SQL Injection / Cross-Site Scripting
EIP-2026-109797 EXPLOITDB text WORKING POC
MySQL Blob Uploader 1.7 - 'home-filet-edit.php' SQL Injection / Cross-Site Scripting
EIP-2026-109796 EXPLOITDB text WORKING POC
MySQL Blob Uploader 1.7 - 'home-filet-edit.php' SQL Injection
EIP-2026-109795 EXPLOITDB text WORKING POC
MySQL Blob Uploader 1.7 - 'home-file-edit.php' SQL Injection / Cross-Site Scripting
EIP-2026-109664 EXPLOITDB text WORKING POC
My Directory 2.0 - SQL Injection / Cross-Site Scripting
EIP-2026-109170 EXPLOITDB text WORKING POC
Listing Hub CMS 1.0 - SQL Injection