G3XAR

9 exploits Active since Sep 2025
CVE-2026-31874 GITHUB CRITICAL python WRITEUP
Taskosaur 1.0.0 - Privilege Escalation
Taskosaur is an open source project management platform with conversational AI for task execution in-app. In 1.0.0, the application does not properly validate or restrict the role parameter during the user registration process. An attacker can manually modify the request payload and assign themselves elevated privileges. Because the backend does not enforce role assignment restrictions or ignore client-supplied role parameters, the server accepts the manipulated value and creates the account with SUPER_ADMIN privileges. This allows any unauthenticated attacker to register a fully privileged administrative account.
CVSS 9.8
CVE-2026-26272 GITHUB MEDIUM python WORKING POC
HomeBox < 0.23.1 - Authenticated Stored Cross-Site Scripting via Item Attachment Upload
HomeBox is a home inventory and organization system. Prior to 0.24.0-rc.1, a stored cross-site scripting (XSS) vulnerability exists in the item attachment upload functionality. The application does not properly validate or restrict uploaded file types, allowing an authenticated user to upload malicious HTML or SVG files containing executable JavaScript (also, potentially other formats that render scripts). Uploaded attachments are accessible via direct links. When a user accesses such a file in their browser, the embedded JavaScript executes in the context of the application's origin. This vulnerability is fixed in 0.24.0-rc.1.
CVSS 4.6
CVE-2026-27600 GITHUB MEDIUM python WORKING POC
HomeBox < 0.23.1 - Authenticated Server-Side Request Forgery via Notifier URL Parameter
HomeBox is a home inventory and organization system. Prior to 0.24.0-rc.1, the notifier functionality allows authenticated users to specify arbitrary URLs to which the application sends HTTP POST requests. No validation or restriction is applied to the supplied host, IP address, or port. Although the application does not return the response body from the target service, its UI behavior differs depending on the network state of the destination. This creates a behavioral side-channel that enables internal service enumeration. This vulnerability is fixed in 0.24.0-rc.1.
CVSS 5.0
CVE-2026-27198 GITHUB HIGH WRITEUP
Formwork 2.0.0-2.3.3 - Privilege Escalation
Formwork is a flat file-based Content Management System (CMS). In versions 2.0.0 through 2.3.3, the application fails to properly enforce role-based authorization during account creation. Although the system validates that the specified role exists, it does not verify whether the current user has sufficient privileges to assign highly privileged roles such as admin. As a result, an authenticated user with the editor role can create a new account with administrative privileges, leading to full administrative access and complete compromise of the CMS. This issue has been fixed in version 2.3.4.
CVSS 8.8
CVE-2026-28275 GITHUB HIGH WRITEUP
Initiative < 0.32.4 - Insufficient Session Expiration via JWT Token Invalidation
Initiative is a self-hosted project management platform. Versions of the application prior to 0.32.4 do not invalidate previously issued JWT access tokens after a user changes their password. As a result, older tokens remain valid until expiration and can still be used to access protected API endpoints. This behavior allows continued authenticated access even after the account password has been updated. Version 0.32.4 fixes the issue.
CVSS 8.1
CVE-2026-28274 GITHUB HIGH WORKING POC
Initiative < 0.32.4 - Stored Cross-Site Scripting via HTML Document Upload
Initiative is a self-hosted project management platform. Versions of the application prior to 0.32.4 are vulnerable to Stored Cross-Site Scripting (XSS) in the document upload functionality. Any user with upload permissions within the "Initiatives" section can upload a malicious `.html` or `.htm` file as a document. Because the uploaded HTML file is served under the application's origin without proper sandboxing, the embedded JavaScript executes in the context of the application. As a result, authentication tokens, session cookies, or other sensitive data can be exfiltrated to an attacker-controlled server. Additionally, since the uploaded file is hosted under the application's domain, simply sharing the direct file link may result in execution of the malicious script when accessed. Version 0.32.4 fixes the issue.
CVSS 8.7
CVE-2025-55944 GITHUB MEDIUM WRITEUP
Slink v1.4.9 - Stored Cross-Site Scripting via SVG Upload
Slink v1.4.9 allows stored cross-site scripting (XSS) via crafted SVG uploads. When a user views the shared image in a new browser tab, the embedded JavaScript executes. The issue affects both authenticated and unauthenticated users.
CVSS 6.1
CVE-2026-26993 GITHUB MEDIUM WORKING POC
Flare < 1.7.1 - Stored Cross-Site Scripting via SVG/HTML/XML File Upload
Flare is a Next.js-based, self-hostable file sharing platform that integrates with screenshot tools. Versions 1.7.0 and below allow users to upload files without proper content validation or sanitization. By embedding malicious JavaScript within an SVG (or other active content formats such as HTML or XML), an attacker can achieve script execution in the context of the application's origin when a victim views the file in “raw” mode. This results in a stored Cross-Site Scripting (XSS) vulnerability that can be exploited to exfiltrate user data. This issue has been fixed in version 1.7.1.
CVSS 4.6
CVE-2025-55944 WRITEUP MEDIUM WRITEUP
Slink v1.4.9 - Stored Cross-Site Scripting via SVG Upload
Slink v1.4.9 allows stored cross-site scripting (XSS) via crafted SVG uploads. When a user views the shared image in a new browser tab, the embedded JavaScript executes. The issue affects both authenticated and unauthenticated users.
CVSS 6.1