Alex Perrakis (Stolichnayer)

15 exploits Active since May 2025
CVE-2025-70368 NOMISEC MEDIUM WRITEUP
Worklenz 2.1.5 - Stored Cross-Site Scripting in Project Updates Feature
Worklenz version 2.1.5 contains a Stored Cross-Site Scripting (XSS) vulnerability in the Project Updates feature. An attacker can submit a malicious payload in the Updates text field which is then rendered in the reporting view without proper sanitization. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field.
CVSS 5.4
CVE-2025-5182 WRITEUP MEDIUM WRITEUP
Summer Pearl Group Vacation Rental Management Platform < 1.0.2 - Authorization Bypass in Listing Handler
A vulnerability has been found in Summer Pearl Group Vacation Rental Management Platform up to 1.0.1 and classified as critical. This vulnerability affects unknown code of the component Listing Handler. The manipulation leads to authorization bypass. The attack can be initiated remotely. Upgrading to version 1.0.2 is able to address this issue. It is recommended to upgrade the affected component.
CVSS 4.3
CVE-2026-3049 WRITEUP MEDIUM WRITEUP
horilla-opensource horilla <=1.0.2 - Open Redirect
A vulnerability was detected in horilla-opensource horilla up to 1.0.2. This issue affects the function get of the file horilla_generics/global_search.py of the component Query Parameter Handler. The manipulation of the argument prev_url results in open redirect. The attack can be executed remotely. The exploit is now public and may be used. Upgrading to version 1.0.3 is capable of addressing this issue. The patch is identified as 730b5a44ff060916780c44a4bdbc8ced70a2cd27. The affected component should be upgraded.
CVSS 4.3
CVE-2026-3050 WRITEUP LOW WRITEUP
horilla < 1.0.3 - Cross-Site Scripting via Leads Module Notes Parameter
A flaw has been found in horilla-opensource horilla up to 1.0.2. Impacted is an unknown function of the file static/assets/js/global.js of the component Leads Module. This manipulation of the argument Notes causes cross site scripting. The attack is possible to be carried out remotely. The exploit has been published and may be used. Upgrading to version 1.0.3 is recommended to address this issue. Patch name: fc5c8e55988e89273012491b5f097b762b474546. It is suggested to upgrade the affected component.
CVSS 3.5
CVE-2025-13584 WRITEUP LOW WRITEUP
Eigenfocus < 1.4.1 - Cross-Site Scripting via Description Handler
A security vulnerability has been detected in Eigenfocus up to 1.4.0. This vulnerability affects unknown code of the component Description Handler. The manipulation of the argument entry.description/time_entry.description leads to cross site scripting. The attack is possible to be carried out remotely. The exploit has been disclosed publicly and may be used. Upgrading to version 1.4.1 is able to resolve this issue. The identifier of the patch is 7dec94c9d1f3e513e0ee38ba68caaba628e08582. Upgrading the affected component is advised.
CVSS 3.5
CVE-2025-15241 WRITEUP LOW WRITEUP
CloudPanel Community Edition <2.5.1 - Open Redirect
A security vulnerability has been detected in CloudPanel Community Edition up to 2.5.1. The affected element is an unknown function of the file /admin/users of the component HTTP Header Handler. Such manipulation of the argument Referer leads to open redirect. It is possible to launch the attack remotely. The exploit has been disclosed publicly and may be used. Upgrading to version 2.5.2 is sufficient to fix this issue. Upgrading the affected component is recommended.
CVSS 3.5
CVE-2025-5181 WRITEUP LOW WRITEUP
Summer Pearl Group Vacation Rental Management Platform < 1.0.2 - Cross-Site Scripting via spgLsTitle Parameter
A vulnerability, which was classified as problematic, was found in Summer Pearl Group Vacation Rental Management Platform up to 1.0.1. This affects an unknown part of the file /spgpm/updateListing. The manipulation of the argument spgLsTitle leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 1.0.2 is able to address this issue. It is recommended to upgrade the affected component.
CVSS 3.5
CVE-2025-54955 WRITEUP HIGH WORKING POC
OpenNebula CE/EE <7.0.0/<6.10.3 - Privilege Escalation
OpenNebula Community Edition (CE) before 7.0.0 and Enterprise Edition (EE) before 6.10.3 have a critical FireEdge race condition that can lead to full account takeover. By exploiting this, an unauthenticated attacker can obtain a valid JSON Web Token (JWT) belonging to a legitimate user without knowledge of their credentials.
CVSS 8.1
CVE-2025-5409 WRITEUP HIGH WORKING POC
Mist Community Edition < 4.7.2 - Improper Access Control in API Token Handler
A vulnerability was found in Mist Community Edition up to 4.7.1. It has been classified as critical. This affects the function create_token of the file src/mist/api/auth/views.py of the component API Token Handler. The manipulation leads to improper access controls. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 4.7.2 is able to address this issue. The identifier of the patch is db10ecb62ac832c1ed4924556d167efb9bc07fad. It is recommended to upgrade the affected component.
CVSS 7.3
CVE-2025-5411 WRITEUP LOW WRITEUP
Mist Community Edition < 4.7.2 - Cross-Site Scripting via Tag Argument in tag_resources Function
A vulnerability was found in Mist Community Edition up to 4.7.1. It has been rated as problematic. This issue affects the function tag_resources of the file src/mist/api/tag/views.py. The manipulation of the argument tag leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 4.7.2 is able to address this issue. The patch is named db10ecb62ac832c1ed4924556d167efb9bc07fad. It is recommended to upgrade the affected component.
CVSS 3.5
CVE-2025-5412 WRITEUP LOW WRITEUP
Mist Community Edition < 4.7.2 - Cross-Site Scripting via Login Return_To Parameter
A vulnerability classified as problematic has been found in Mist Community Edition up to 4.7.1. Affected is the function Login of the file src/mist/api/views.py of the component Authentication Endpoint. The manipulation of the argument return_to leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 4.7.2 is able to address this issue. The name of the patch is db10ecb62ac832c1ed4924556d167efb9bc07fad. It is recommended to upgrade the affected component.
CVSS 3.5
CVE-2025-63561 WRITEUP HIGH WRITEUP
Summer Pearl Group Vacation Rental Management Platform <1.0.2 - DoS
Summer Pearl Group Vacation Rental Management Platform prior to 1.0.2 is susceptible to a Slowloris-style Denial-of-Service (DoS) condition in the HTTP connection handling layer, where an attacker that opens and maintains many slow or partially-completed HTTP connections can exhaust the server’s connection pool and worker capacity, preventing legitimate users and APIs from accessing the service.
CVSS 7.5
CVE-2025-63562 WRITEUP MEDIUM WRITEUP
Summerpearlgroup Vacation Rental Management Platform < 1.0.2 - Improper Access Control
Summer Pearl Group Vacation Rental Management Platform prior to v1.0.2 suffers from insufficient server-side authorization. Authenticated attackers can call several endpoints and perform create/update/delete actions on resources owned by arbitrary users by manipulating request parameters (e.g., owner or resource id).
CVSS 6.3
CVE-2025-63563 WRITEUP MEDIUM WRITEUP
Summer Pearl Group Vacation Rental Management Platform <1.0.2 - Inf...
Summer Pearl Group Vacation Rental Management Platform prior to v1.0.2 does not properly invalidate active user sessions after a password change. This allows an attacker with a valid session token to maintain access to the account even after the legitimate user changes their password.
CVSS 6.5
CVE-2026-2553 WRITEUP MEDIUM WRITEUP
Hotel-Management-System - SQL Injection
A security flaw has been discovered in tushar-2223 Hotel-Management-System up to bb1f3b3666124b888f1e4bcf51b6fba9fbb01d15. This affects an unknown part of the file /home.php of the component HTTP POST Request Handler. Performing a manipulation of the argument Name/Email results in sql injection. The attack can be initiated remotely. The exploit has been released to the public and may be used for attacks. Continious delivery with rolling releases is used by this product. Therefore, no version details of affected nor updated releases are available. The vendor was contacted early about this disclosure but did not respond in any way.
CVSS 6.3