Chokri Hammedi

18 exploits. Active since May 2023.
CVE-2024-58344 EXPLOITDB MEDIUM text WRITEUP
Carbon Forum 5.9.0 Persistent XSS via Forum Name Field
Carbon Forum 5.9.0 contains a persistent cross-site scripting vulnerability that allows authenticated administrators to inject malicious JavaScript code through the Forum Name field in dashboard settings. Attackers with admin privileges can store JavaScript payloads in the Forum Name field that execute in the browsers of all users visiting the forum, enabling session hijacking and data theft.
CVSS 6.4
CVE-2025-66576 EXPLOITDB CRITICAL python WORKING POC
Remote Keyboard Desktop 1.0.1 - Code Injection
Remote Keyboard Desktop 1.0.1 enables remote attackers to execute system commands via the rundll32.exe exported function export, allowing unauthenticated code execution.
CVSS 9.8
CVE-2024-58292 EXPLOITDB MEDIUM text WRITEUP
XMB Forum 1.9.12.06 - XSS
XMB Forum 1.9.12.06 contains a persistent cross-site scripting vulnerability that allows authenticated administrators to inject malicious JavaScript into templates and front page settings. Attackers can insert XSS payloads in footer templates and news ticker fields, enabling script execution for all forum users when pages are rendered.
CVE-2023-31904 EXPLOITDB HIGH text WORKING POC
savysoda Wifi HD Wireless Disk Drive 11 - Local File Inclusion
savysoda Wifi HD Wireless Disk Drive 11 is vulnerable to Local File Inclusion.
CVSS 7.5
CVE-2023-31903 EXPLOITDB CRITICAL text WORKING POC
GuppY CMS 6.00.10 - RCE
GuppY CMS 6.00.10 is vulnerable to Unrestricted File Upload which allows remote attackers to execute arbitrary code by uploading a php file.
CVSS 9.8
CVE-2023-31902 EXPLOITDB CRITICAL python WORKING POC
RPA Technology Mobile Mouse 3.6.0.4 - RCE
RPA Technology Mobile Mouse 3.6.0.4 is vulnerable to Remote Code Execution (RCE).
CVSS 9.8
CVE-2025-66555 EXPLOITDB HIGH python WORKING POC
AirKeyboard iOS App 1.0.5 - RCE
AirKeyboard iOS App 1.0.5 contains a missing authentication vulnerability that allows unauthenticated attackers to type arbitrary keystrokes directly into the victim's iOS device in real-time without user interaction, resulting in full remote input control.
CVE-2024-58303 EXPLOITDB HIGH text WORKING POC
FoF Pretty Mail 1.1.2 - Code Injection
FoF Pretty Mail 1.1.2 contains a server-side template injection vulnerability that allows administrative users to inject malicious code into email templates. Attackers can execute system commands by inserting crafted template expressions that trigger arbitrary code execution during email generation.
CVE-2024-58302 EXPLOITDB MEDIUM text WRITEUP
FoF Pretty Mail 1.1.2 - Local File Inclusion
FoF Pretty Mail 1.1.2 contains a local file inclusion vulnerability that allows administrative users to include arbitrary server files in email templates. Attackers can exploit the template settings by inserting file inclusion payloads to read sensitive system files like /etc/passwd during email generation.
CVE-2023-37165 EXPLOITDB CRITICAL php WORKING POC
Millhouse-project - SQL Injection
Millhouse-Project v1.414 was discovered to contain a remote code execution (RCE) vulnerability via the component /add_post_sql.php.
CVSS 9.8
CVE-2022-50891 EXPLOITDB MEDIUM text WORKING POC
Owlfiles File Manager 12.0.1 - XSS
Owlfiles File Manager 12.0.1 contains a cross-site scripting vulnerability that allows attackers to inject malicious scripts through the path parameter in HTTP server endpoints. Attackers can craft URLs targeting the download and list endpoints with embedded script tags to execute arbitrary JavaScript in users' browsers.
CVSS 5.0
CVE-2022-50890 EXPLOITDB HIGH text WORKING POC
Owlfiles File Manager 12.0.1 - Path Traversal
Owlfiles File Manager 12.0.1 contains a path traversal vulnerability in its built-in HTTP server that allows attackers to access system directories. Attackers can exploit the vulnerability by crafting GET requests with directory traversal sequences to access restricted system directories on the device.
CVSS 7.5
CVE-2023-54340 EXPLOITDB HIGH text WORKING POC
WorkOrder CMS 0.1.0 - SQL Injection
WorkOrder CMS 0.1.0 contains a SQL injection vulnerability that allows unauthenticated attackers to bypass login by manipulating username and password parameters. Attackers can inject malicious SQL queries using techniques like OR '1'='1' and stacked queries to access database information or execute administrative commands.
CVSS 8.2
CVE-2023-31902 METASPLOIT CRITICAL ruby WORKING POC
RPA Technology Mobile Mouse 3.6.0.4 - RCE
RPA Technology Mobile Mouse 3.6.0.4 is vulnerable to Remote Code Execution (RCE).
CVSS 9.8
CVE-2025-34089 METASPLOIT CRITICAL ruby WORKING POC
Remote for Mac <2025.7 - RCE
An unauthenticated remote code execution vulnerability exists in Remote for Mac, a macOS remote control utility developed by Aexol Studio, in versions up to and including 2025.7. When the application is configured with authentication disabled (i.e., the "Allow unknown devices" option is enabled), the /api/executeScript endpoint is exposed without access control. This allows unauthenticated remote attackers to inject arbitrary AppleScript payloads via the X-Script HTTP header, resulting in code execution using do shell script. Successful exploitation grants attackers the ability to run arbitrary commands on the macOS host with the privileges of the Remote for Mac background process.
EIP-2026-119282 EXPLOITDB python WORKING POC
Windows 2024.15 - Unauthenticated Desktop Screenshot Capture
EIP-2026-107159 EXPLOITDB text WORKING POC
FluxBB 1.5.11 - Stored Cross-Site Scripting (XSS)
CVE-2025-8573 EXPLOITDB MEDIUM text WRITEUP
Concretecms Concrete Cms < 9.4.3 - XSS
Concrete CMS versions 9 through 9.4.2 are vulnerable to Stored XSS from Home Folder on Members Dashboard page. Version 8 was not affected. A rogue admin could set up a malicious folder containing XSS to which users could be directed upon login. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.0 with vector CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N. Thanks sealldev (Noah Cooper) for reporting via HackerOne.
CVSS 4.8