H4zaz

3 exploits Active since Oct 2025
CVE-2026-42141 GITHUB HIGH WRITEUP
Xibo: Authenticated Server-Side Request Forgery (SSRF) in Library Upload via URL functionality
Xibo is an open source digital signage platform with a web content management system and Windows display player software. Prior to 4.4.1, an authenticated Server-Side Request Forgery (SSRF) vulnerability in the Xibo CMS allows users with Library upload permissions to make arbitrary HTTP requests from the CMS server to internal or external network resources. This can be exploited to scan internal infrastructure, access local cloud metadata endpoints (e.g., AWS IMDS), interact with internal services that lack authentication, or exfiltrate data. This vulnerability is fixed in 4.4.1.
CVSS 7.7
CVE-2025-60500 GITHUB HIGH WRITEUP
QDocs Smart School Management System 7.1 - Auth Bypass
QDocs Smart School Management System 7.1 allows authenticated users with roles such as "accountant" or "admin" to bypass file type restrictions in the media upload feature by abusing the alternate YouTube URL option. This logic flaw permits uploading of arbitrary PHP files, which are stored in a web-accessible directory.
CVSS 7.2
CVE-2025-60503 NOMISEC HIGH WRITEUP
UltimatePOS 4.8 - Authenticated Stored Cross-Site Scripting via Purchase Reference No. Field
A cross-site scripting (XSS) vulnerability exists in the administrative interface of ultimatefosters UltimatePOS 4.8 where input submitted in the purchase functionality is reflected without proper escaping in the admin log panel page in the 'reference No.' field. This flaw allows an authenticated attacker to execute arbitrary JavaScript in the context of an administrator's browser session, which could lead to session hijacking or other malicious actions.
CVSS 8.7