Chokri Hammedi

EIP-2026-120688 EXPLOITDB text WORKING POC

Remote Sunrise Helper for Windows 2026.14 - Unauthenticated File/Directory Listing

View Code

EIP-2026-120687 EXPLOITDB text WORKING POC

Remote Sunrise Helper for Windows 2026.14 - Remote Code Execution

View Code

EIP-2026-120683 EXPLOITDB text WORKING POC

WBCE CMS 1.6.4 - Remote Code Execution

View Code

EIP-2026-120682 EXPLOITDB text WORKING POC

RiteCMS 3.1.0 - Authenticated Remote Code Execution

View Code

CVE-2024-58344 EXPLOITDB MEDIUM text WRITEUP

Carbon Forum 5.9.0 Persistent XSS via Forum Name Field

Carbon Forum 5.9.0 contains a persistent cross-site scripting vulnerability that allows authenticated administrators to inject malicious JavaScript code through the Forum Name field in dashboard settings. Attackers with admin privileges can store JavaScript payloads in the Forum Name field that execute in the browsers of all users visiting the forum, enabling session hijacking and data theft.

CVSS 6.4

View Code

CVE-2025-66576 EXPLOITDB CRITICAL python WORKING POC

Remote Keyboard Desktop 1.0.1 - Code Injection

Remote Keyboard Desktop 1.0.1 enables remote attackers to execute system commands via the rundll32.exe exported function export, allowing unauthenticated code execution.

CVSS 9.8

View Code

CVE-2024-58292 EXPLOITDB MEDIUM text WRITEUP

XMB Forum 1.9.12.06 - Authenticated Stored Cross-Site Scripting via Admin Templates

XMB Forum 1.9.12.06 contains a persistent cross-site scripting vulnerability that allows authenticated administrators to inject malicious JavaScript into templates and front page settings. Attackers can insert XSS payloads in footer templates and news ticker fields, enabling script execution for all forum users when pages are rendered.

View Code

CVE-2023-31904 EXPLOITDB HIGH text WORKING POC

savysoda Wifi HD Wireless Disk Drive 11 - Local File Inclusion

savysoda Wifi HD Wireless Disk Drive 11 is vulnerable to Local File Inclusion.

CVSS 7.5

View Code

CVE-2023-31903 EXPLOITDB CRITICAL text WORKING POC

GuppY CMS 6.00.10 - Unrestricted File Upload and Remote Code Execution via PHP File Upload

GuppY CMS 6.00.10 is vulnerable to Unrestricted File Upload which allows remote attackers to execute arbitrary code by uploading a php file.

CVSS 9.8

View Code

CVE-2023-31902 EXPLOITDB CRITICAL python WORKING POC

RPA Technology Mobile Mouse 3.6.0.4 - RCE

RPA Technology Mobile Mouse 3.6.0.4 is vulnerable to Remote Code Execution (RCE).

CVSS 9.8

View Code

CVE-2025-66555 EXPLOITDB HIGH python WORKING POC

AirKeyboard iOS App 1.0.5 - Unauthenticated Remote Input Injection

AirKeyboard iOS App 1.0.5 contains a missing authentication vulnerability that allows unauthenticated attackers to type arbitrary keystrokes directly into the victim's iOS device in real-time without user interaction, resulting in full remote input control.

View Code

CVE-2024-58303 EXPLOITDB HIGH text WORKING POC

FoF Pretty Mail 1.1.2 - Code Injection

FoF Pretty Mail 1.1.2 contains a server-side template injection vulnerability that allows administrative users to inject malicious code into email templates. Attackers can execute system commands by inserting crafted template expressions that trigger arbitrary code execution during email generation.

View Code

CVE-2024-58302 EXPLOITDB MEDIUM text WRITEUP

FoF Pretty Mail 1.1.2 - Local File Inclusion

FoF Pretty Mail 1.1.2 contains a local file inclusion vulnerability that allows administrative users to include arbitrary server files in email templates. Attackers can exploit the template settings by inserting file inclusion payloads to read sensitive system files like /etc/passwd during email generation.

View Code

CVE-2023-37165 EXPLOITDB CRITICAL php WORKING POC

Millhouse-Project 1.414 - Remote Code Execution via /add_post_sql.php

Millhouse-Project v1.414 was discovered to contain a remote code execution (RCE) vulnerability via the component /add_post_sql.php.

CVSS 9.8

View Code

CVE-2022-50891 EXPLOITDB MEDIUM text WORKING POC

Owlfiles File Manager 12.0.1 - Cross-Site Scripting via HTTP Server Path Parameter

Owlfiles File Manager 12.0.1 contains a cross-site scripting vulnerability that allows attackers to inject malicious scripts through the path parameter in HTTP server endpoints. Attackers can craft URLs targeting the download and list endpoints with embedded script tags to execute arbitrary JavaScript in users' browsers.

CVSS 5.0

View Code

CVE-2022-50890 EXPLOITDB HIGH text WORKING POC

Owlfiles File Manager 12.0.1 - Path Traversal

Owlfiles File Manager 12.0.1 contains a path traversal vulnerability in its built-in HTTP server that allows attackers to access system directories. Attackers can exploit the vulnerability by crafting GET requests with directory traversal sequences to access restricted system directories on the device.

CVSS 7.5

View Code

CVE-2023-54340 EXPLOITDB HIGH text WORKING POC

WorkOrder CMS 0.1.0 - SQL Injection

WorkOrder CMS 0.1.0 contains a SQL injection vulnerability that allows unauthenticated attackers to bypass login by manipulating username and password parameters. Attackers can inject malicious SQL queries using techniques like OR '1'='1' and stacked queries to access database information or execute administrative commands.

CVSS 8.2

View Code

CVE-2023-31902 METASPLOIT CRITICAL ruby WORKING POC

RPA Technology Mobile Mouse 3.6.0.4 - RCE

RPA Technology Mobile Mouse 3.6.0.4 is vulnerable to Remote Code Execution (RCE).

CVSS 9.8

View Code

CVE-2025-34089 METASPLOIT CRITICAL ruby WORKING POC

Remote for Mac <= 2025.7 - Unauthenticated Remote Code Execution via X-Script Header

An unauthenticated remote code execution vulnerability exists in Remote for Mac, a macOS remote control utility developed by Aexol Studio, in versions up to and including 2025.7. When the application is configured with authentication disabled (i.e., the "Allow unknown devices" option is enabled), the /api/executeScript endpoint is exposed without access control. This allows unauthenticated remote attackers to inject arbitrary AppleScript payloads via the X-Script HTTP header, resulting in code execution using do shell script. Successful exploitation grants attackers the ability to run arbitrary commands on the macOS host with the privileges of the Remote for Mac background process.

View Code

EIP-2026-119282 EXPLOITDB python WORKING POC

Windows 2024.15 - Unauthenticated Desktop Screenshot Capture

View Code

EIP-2026-107159 EXPLOITDB text WORKING POC

FluxBB 1.5.11 - Stored Cross-Site Scripting (XSS)

View Code

CVE-2025-8573 EXPLOITDB MEDIUM text WRITEUP

Concrete CMS 9.0-9.4.2 - Stored Cross-Site Scripting via Home Folder on Members Dashboard

Concrete CMS versions 9 through 9.4.2 are vulnerable to Stored XSS from Home Folder on Members Dashboard page.  Version 8 was not affected. A rogue admin could set up a malicious folder containing XSS to which users could be directed upon login. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.0 with vector CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N. Thanks sealldev  (Noah Cooper) for reporting via HackerOne.

CVSS 4.8

View Code