Byte Reaper

46 exploits Active since Mar 2022
CVE-2025-47917 NOMISEC HIGH WORKING POC
Mbed TLS < 3.6.4 - Use-After-Free in mbedtls_x509_string_to_names()
Mbed TLS before 3.6.4 allows a use-after-free in certain situations of applications that are developed in accordance with the documentation. The function mbedtls_x509_string_to_names() takes a head argument that is documented as an output argument. The documentation does not suggest that the function will free that pointer; however, the function does call mbedtls_asn1_free_named_data_list() on that argument, which performs a deep free(). As a result, application code that uses this function (relying only on documented behavior) is likely to still hold pointers to the memory blocks that were freed, resulting in a high risk of use-after-free or double-free. In particular, the two sample programs x509/cert_write and x509/cert_req are affected (use-after-free if the san string contains more than one DN).
1 stars
CVSS 8.9
CVE-2025-59342 NOMISEC MEDIUM WORKING POC
esm.sh < 136.1 - Path Traversal and Arbitrary File Write via X-Zone-Id Header
esm.sh is a nobuild content delivery network(CDN) for modern web development. In 136 and earlier, a path-traversal flaw in the handling of the X-Zone-Id HTTP header allows an attacker to cause the application to write files outside the intended storage location. The header value is used to build a filesystem path but is not properly canonicalized or restricted to the application’s storage base directory. As a result, supplying ../ sequences in X-Zone-Id causes files to be written to arbitrary directories. Version 136.1 contains a patch.
1 stars
CVE-2025-41373 NOMISEC HIGH WORKING POC
Gandia Integra Total 2.1.2217.3-4.4.2236.1 - Authenticated SQL Injection via idestudio Parameter
A SQL injection vulnerability has been found in Gandia Integra Total of TESI from version 2.1.2217.3 to v4.4.2236.1. The vulnerability allows an authenticated attacker to retrieve, create, update and delete databases through the 'idestudio' parameter in /encuestas/integraweb[_v4]/integra/html/view/hislistadoacciones.php.
1 stars
CVSS 8.8
CVE-2025-32429 NOMISEC CRITICAL WORKING POC
XWiki Platform - SQL Injection
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In versions 9.4-rc-1 through 16.10.5 and 17.0.0-rc-1 through 17.2.2, it's possible for anyone to inject SQL using the parameter sort of the getdeleteddocuments.vm. It's injected as is as an ORDER BY value. This is fixed in versions 16.10.6 and 17.3.0-rc-1.
CVSS 9.8
CVE-2025-32429 NOMISEC CRITICAL WORKING POC
XWiki Platform - SQL Injection
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In versions 9.4-rc-1 through 16.10.5 and 17.0.0-rc-1 through 17.2.2, it's possible for anyone to inject SQL using the parameter sort of the getdeleteddocuments.vm. It's injected as is as an ORDER BY value. This is fixed in versions 16.10.6 and 17.3.0-rc-1.
CVSS 9.8
CVE-2025-7766 EXPLOITDB HIGH c WORKING POC
Lantronix Provisioning Manager - RCE
Lantronix Provisioning Manager is vulnerable to XML external entity attacks in configuration files supplied by network devices, leading to unauthenticated remote code execution on hosts with Provisioning Manager installed.
CVSS 8.0
CVE-2025-41373 EXPLOITDB HIGH c WORKING POC
Gandia Integra Total 2.1.2217.3-4.4.2236.1 - Authenticated SQL Injection via idestudio Parameter
A SQL injection vulnerability has been found in Gandia Integra Total of TESI from version 2.1.2217.3 to v4.4.2236.1. The vulnerability allows an authenticated attacker to retrieve, create, update and delete databases through the 'idestudio' parameter in /encuestas/integraweb[_v4]/integra/html/view/hislistadoacciones.php.
CVSS 8.8
CVE-2025-59342 EXPLOITDB MEDIUM c WORKING POC
esm.sh < 136.1 - Path Traversal and Arbitrary File Write via X-Zone-Id Header
esm.sh is a nobuild content delivery network(CDN) for modern web development. In 136 and earlier, a path-traversal flaw in the handling of the X-Zone-Id HTTP header allows an attacker to cause the application to write files outside the intended storage location. The header value is used to build a filesystem path but is not properly canonicalized or restricted to the application’s storage base directory. As a result, supplying ../ sequences in X-Zone-Id causes files to be written to arbitrary directories. Version 136.1 contains a patch.
CVE-2025-32429 EXPLOITDB CRITICAL c WORKING POC
XWiki Platform - SQL Injection
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In versions 9.4-rc-1 through 16.10.5 and 17.0.0-rc-1 through 17.2.2, it's possible for anyone to inject SQL using the parameter sort of the getdeleteddocuments.vm. It's injected as is as an ORDER BY value. This is fixed in versions 16.10.6 and 17.3.0-rc-1.
CVSS 9.8
CVE-2025-8471 EXPLOITDB HIGH c WORKING POC
projectworlds Online Admission System 1.0 - SQL Injection via /adminlogin.php a_id Parameter
A vulnerability, which was classified as critical, has been found in projectworlds Online Admission System 1.0. This issue affects some unknown processing of the file /adminlogin.php. The manipulation of the argument a_id leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.
CVSS 7.3
CVE-2025-54769 EXPLOITDB HIGH c WORKING POC
lpar2rrd < 8.04 - Authenticated Directory Traversal and Remote Code Execution via File Upload
An authenticated, read-only user can upload a file and perform a directory traversal to have the uploaded file placed in a location of their choosing. This can be used to overwrite existing PERL modules within the application to achieve remote code execution (RCE) by an attacker.
CVSS 8.8
CVE-2025-6082 EXPLOITDB MEDIUM c WORKING POC
Birth Chart Compatibility <2.0 - Info Disclosure
The Birth Chart Compatibility plugin for WordPress is vulnerable to Full Path Disclosure in all versions up to, and including, 2.0. This is due to insufficient protection against directly accessing the plugin's index.php file, which causes an error exposing the full path. This makes it possible for unauthenticated attackers to retrieve the full path of the web application, which can be used to aid other attacks. The information displayed is not useful on its own, and requires another vulnerability to be present for damage to an affected website.
CVSS 5.3
CVE-2025-8550 EXPLOITDB LOW c WORKING POC
pybbs < 6.0.0 - Cross-Site Scripting via Username Parameter in Admin Topic List
A vulnerability was found in atjiu pybbs up to 6.0.0. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the file /admin/topic/list. The manipulation of the argument Username leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The patch is named 2fe4a51afbce0068c291bc1818bbc8f7f3b01a22. It is recommended to apply a patch to fix this issue.
CVSS 2.4
CVE-2025-7769 EXPLOITDB HIGH c WORKING POC
Tigo Energy's CCA - Command Injection
Tigo Energy's CCA is vulnerable to a command injection vulnerability in the /cgi-bin/mobile_api endpoint when the DEVICE_PING command is called, allowing remote code execution due to improper handling of user input. When used with default credentials, this enables attackers to execute arbitrary commands on the device that could cause potential unauthorized access, service disruption, and data exposure.
CVE-2025-7795 EXPLOITDB HIGH c WORKING POC
Tenda FH451 1.0.0.9 - Buffer Overflow
A vulnerability, which was classified as critical, has been found in Tenda FH451 1.0.0.9. Affected by this issue is the function fromP2pListFilter of the file /goform/P2pListFilter. The manipulation of the argument page leads to stack-based buffer overflow. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.
CVSS 8.8
CVE-2025-9090 EXPLOITDB MEDIUM c WORKING POC
Tenda AC20 16.03.08.12 - Command Injection
A vulnerability was identified in Tenda AC20 16.03.08.12. Affected is the function websFormDefine of the file /goform/telnet of the component Telnet Service. The manipulation leads to command injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.
CVSS 6.3
CVE-2025-8191 EXPLOITDB LOW c WORKING POC
macrozheng mall < 1.0.3 - Cross-Site Scripting via Swagger UI configUrl Parameter
A vulnerability, which was classified as problematic, was found in macrozheng mall up to 1.0.3. Affected is an unknown function of the file /swagger-ui/index.html of the component Swagger UI. The manipulation of the argument configUrl leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor deleted the GitHub issue for this vulnerability without any explanation. Afterwards the vendor was contacted early about this disclosure via email but did not respond in any way.
CVSS 3.5
CVE-2025-10046 EXPLOITDB MEDIUM c WORKING POC
ELEX WooCommerce Google Shopping <1.4.3 - SQL Injection
The ELEX WooCommerce Google Shopping (Google Product Feed) plugin for WordPress is vulnerable to SQL Injection via the 'file_to_delete' parameter in all versions up to, and including, 1.4.3 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
CVSS 4.9
CVE-2025-54589 EXPLOITDB MEDIUM c WORKING POC
copyparty < 1.18.7 - Reflected Cross-Site Scripting via Recent Uploads Filter Parameter
Copyparty is a portable file server. In versions 1.18.6 and below, when accessing the recent uploads page at `/?ru`, users can filter the results using an input field at the top. This field appends a filter parameter to the URL, which reflects its value directly into a `<script>` block without proper escaping, allowing for reflected Cross-Site Scripting (XSS) and can be exploited against both authenticated and unauthenticated users. This is fixed in version 1.18.7.
CVSS 6.3
CVE-2025-8730 EXPLOITDB CRITICAL c WORKING POC
Belkin F9K1009/F9K1010 <2.00.04/2.09 - Hard-coded Credentials
A vulnerability was found in Belkin F9K1009 and F9K1010 2.00.04/2.00.09 and classified as critical. Affected by this issue is some unknown functionality of the component Web Interface. The manipulation leads to hard-coded credentials. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
CVSS 9.8
CVE-2025-47917 EXPLOITDB HIGH c WORKING POC
Mbed TLS < 3.6.4 - Use-After-Free in mbedtls_x509_string_to_names()
Mbed TLS before 3.6.4 allows a use-after-free in certain situations of applications that are developed in accordance with the documentation. The function mbedtls_x509_string_to_names() takes a head argument that is documented as an output argument. The documentation does not suggest that the function will free that pointer; however, the function does call mbedtls_asn1_free_named_data_list() on that argument, which performs a deep free(). As a result, application code that uses this function (relying only on documented behavior) is likely to still hold pointers to the memory blocks that were freed, resulting in a high risk of use-after-free or double-free. In particular, the two sample programs x509/cert_write and x509/cert_req are affected (use-after-free if the san string contains more than one DN).
CVSS 8.9