Ihsan Sencan

970 exploits Active since Sep 2017
CVE-2025-55182 NOMISEC CRITICAL WORKING POC
React Server Components <19.2.0 - RCE
A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The vulnerable code unsafely deserializes payloads from HTTP requests to Server Function endpoints.
1 stars
CVSS 10.0
CVE-2025-55182 NOMISEC CRITICAL WORKING POC
React Server Components <19.2.0 - RCE
A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The vulnerable code unsafely deserializes payloads from HTTP requests to Server Function endpoints.
CVSS 10.0
CVE-2018-25200 EXPLOITDB MEDIUM text WORKING POC
OOP CMS BLOG 1.0 - CSRF
OOP CMS BLOG 1.0 contains a cross-site request forgery vulnerability that allows unauthenticated attackers to create administrative user accounts by crafting malicious POST requests. Attackers can submit forms to the addUser.php endpoint with parameters including userName, password, email, and role set to administrative privileges to gain unauthorized access.
CVSS 5.3
CVE-2018-25199 EXPLOITDB HIGH text WORKING POC
OOP CMS BLOG 1.0 - SQL Injection
OOP CMS BLOG 1.0 contains SQL injection vulnerabilities that allow unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through multiple parameters. Attackers can inject SQL commands via the search parameter in search.php, pageid parameter in page.php, and id parameter in posts.php to extract database information including table names, schema names, and database credentials.
CVSS 8.2
CVE-2018-25198 EXPLOITDB MEDIUM python WORKING POC
eToolz 3.4.8.0 - Buffer Overflow
eToolz 3.4.8.0 contains a denial of service vulnerability that allows local attackers to crash the application by supplying oversized input buffers. Attackers can create a payload file containing 255 bytes of data that triggers a buffer overflow condition when processed by the application.
CVSS 6.2
CVE-2018-25197 EXPLOITDB HIGH text WORKING POC
PlayJoom 0.10.1 - SQL Injection
PlayJoom 0.10.1 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the catid parameter. Attackers can send GET requests to index.php with option=com_playjoom&view=genre&catid=[SQL] to extract sensitive database information including usernames, databases, and version details.
CVSS 8.2
CVE-2018-25196 EXPLOITDB HIGH text WORKING POC
ServerZilla 1.0 - SQL Injection
ServerZilla 1.0 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the email parameter. Attackers can send POST requests to reset.php with malicious email values containing SQL operators to bypass authentication and extract sensitive database information.
CVSS 8.2
CVE-2018-25194 EXPLOITDB HIGH text WORKING POC
Nominas 0.27 - SQL Injection
Nominas 0.27 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the username parameter. Attackers can send POST requests to the login/checklogin.php endpoint with crafted UNION-based SQL injection payloads to extract database information including usernames, database names, and version details.
CVSS 8.2
CVE-2018-25193 EXPLOITDB HIGH python WORKING POC
Mongoose Web Server 6.9 - DoS
Mongoose Web Server 6.9 contains a denial of service vulnerability that allows remote attackers to crash the service by establishing multiple socket connections. Attackers can repeatedly create connections to the default port and send malformed data to exhaust server resources and cause service unavailability.
CVSS 7.5
CVE-2018-25192 EXPLOITDB HIGH text WORKING POC
GPS Tracking System 2.12 - SQL Injection
GPS Tracking System 2.12 contains an SQL injection vulnerability that allows unauthenticated attackers to bypass authentication by injecting SQL code through the username parameter. Attackers can submit crafted POST requests to the login.php endpoint with SQL injection payloads in the username field to gain unauthorized access without valid credentials.
CVSS 8.2
CVE-2018-25191 EXPLOITDB HIGH text WORKING POC
Facturation System 1.0 - SQL Injection
Facturation System 1.0 contains an SQL injection vulnerability that allows authenticated attackers to execute arbitrary SQL queries by injecting malicious code through the 'mod_id' parameter. Attackers can send POST requests to the editar_producto.php endpoint with crafted SQL payloads in the mod_id parameter to extract sensitive database information including usernames, database names, and version details.
CVSS 7.1
CVE-2018-25190 EXPLOITDB MEDIUM text WORKING POC
Easyndexer 1.0 - CSRF
Easyndexer 1.0 contains a cross-site request forgery vulnerability that allows unauthenticated attackers to create administrative accounts by submitting forged POST requests. Attackers can craft malicious web pages that submit POST requests to createuser.php with parameters including username, password, name, surname, and privileges set to 1 for administrator access.
CVSS 5.3
CVE-2018-25189 EXPLOITDB HIGH text WORKING POC
Data Center Audit 2.6.2 - SQL Injection
Data Center Audit 2.6.2 contains an SQL injection vulnerability in the username parameter of dca_login.php that allows unauthenticated attackers to execute arbitrary SQL queries. Attackers can submit crafted SQL payloads through POST requests to extract sensitive database information including usernames, database names, and version details.
CVSS 8.2
CVE-2018-25188 EXPLOITDB HIGH text WORKING POC
Webiness Inventory 2.3 - SQL Injection
Webiness Inventory 2.3 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the order parameter. Attackers can send POST requests to the WsModelGrid.php endpoint with crafted SQL payloads to extract sensitive database information including usernames, databases, and version details.
CVSS 8.2
CVE-2018-25187 EXPLOITDB HIGH text WORKING POC
Tina4 Stack 1.0.3 - SQL Injection
Tina4 Stack 1.0.3 contains multiple vulnerabilities allowing unauthenticated attackers to access sensitive database files and execute SQL injection attacks. Attackers can directly request the kim.db database file to retrieve user credentials and password hashes, or inject SQL code through the menu endpoint to manipulate database queries.
CVSS 8.2
CVE-2018-25186 EXPLOITDB MEDIUM text WORKING POC
Tina4 Stack 1.0.3 - CSRF
Tina4 Stack 1.0.3 contains a cross-site request forgery vulnerability that allows attackers to modify admin user credentials by submitting forged POST requests to the profile endpoint. Attackers can craft HTML forms targeting the /kim/profile endpoint with hidden fields containing malicious user data like passwords and email addresses to update administrator accounts without authentication.
CVSS 5.3
CVE-2018-25184 EXPLOITDB MEDIUM text WORKING POC
Surreal ToDo 0.6.1.2 - Path Traversal
Surreal ToDo 0.6.1.2 contains a local file inclusion vulnerability that allows unauthenticated attackers to read arbitrary files by manipulating the content parameter. Attackers can supply directory traversal sequences through the content parameter in index.php to access sensitive system files like configuration and initialization files.
CVSS 6.2
CVE-2018-25182 EXPLOITDB HIGH text WORKING POC
Silurus Classifieds Script 2.0 - SQL Injection
Silurus Classifieds Script 2.0 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the ID parameter. Attackers can send GET requests to wcategory.php with crafted SQL payloads in the ID parameter to extract database table names and sensitive information from the database.
CVSS 8.2
CVE-2018-25181 EXPLOITDB HIGH text WORKING POC
Musicco 2.0.0 - Path Traversal
Musicco 2.0.0 contains a path traversal vulnerability that allows unauthenticated attackers to download arbitrary directories by manipulating the parent parameter. Attackers can supply directory traversal sequences in the parent parameter of the getAlbum endpoint to access sensitive system directories and download them as ZIP files.
CVSS 7.5
CVE-2018-25180 EXPLOITDB HIGH text WORKING POC
Maitra 1.7.2 - SQL Injection
Maitra 1.7.2 contains an sql injection vulnerability that allows authenticated attackers to execute arbitrary SQL queries by injecting malicious code through the mailid parameter in outmail and inmail modules. Attackers can also download the SQLite database file directly from the application directory to extract sensitive mail tracking data and credentials.
CVSS 7.1
CVE-2018-25179 EXPLOITDB HIGH text WORKING POC
Gumbo CMS 0.99 - SQL Injection
Gumbo CMS 0.99 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the language parameter. Attackers can send POST requests to the settings endpoint with crafted SQL payloads in the language parameter to extract sensitive database information including usernames, databases, and version details.
CVSS 8.2
CVE-2018-25178 EXPLOITDB HIGH text WORKING POC
Easyndexer 1.0 - Path Traversal
Easyndexer 1.0 contains an arbitrary file download vulnerability that allows unauthenticated attackers to download sensitive files by manipulating the file parameter. Attackers can send POST requests to showtif.php with arbitrary file paths in the file parameter to retrieve system files like configuration and initialization files.
CVSS 7.5
CVE-2018-25177 EXPLOITDB MEDIUM text WORKING POC
Data Center Audit 2.6.2 - CSRF
Data Center Audit 2.6.2 contains a cross-site request forgery vulnerability that allows attackers to reset administrator passwords without authentication by submitting crafted POST requests. Attackers can send requests to dca_resetpw.php with parameters updateuser, pass, pass2, and submit_reset to change the admin account password and gain administrative access.
CVSS 5.3
CVE-2018-25176 EXPLOITDB HIGH text WORKING POC
Alive Parish 2.0.4 - SQL Injection
Alive Parish 2.0.4 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the key parameter in the search endpoint. Attackers can also upload arbitrary files via the person photo upload functionality to the images/uploaded directory for remote code execution.
CVSS 8.2
CVE-2018-25175 EXPLOITDB HIGH text WORKING POC
Alienor Web Libre 2.0 - SQL Injection
Alienor Web Libre 2.0 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the identifiant parameter. Attackers can submit crafted POST requests to index.php with SQL injection payloads in the identifiant field to extract sensitive database information including usernames, databases, and version details.
CVSS 8.2